Sarbanes-Oxley Compliance Made Easy

Transcription

1 Sarbanes-Oxley Compliance Made Easy with Tango/04 software Document version: 2.2 Document date: February 2006 Product family: VISUAL Security Suite Product name: ALL Product version: 2.0

2 Contents Contents... 2 Executive Summary... 4 Overview of the Sarbanes-Oxley Act... 5 Introduction... 5 IT Governance: Sections 302 and COBIT... 6 Tango/04 Solutions for Business Protection... 7 iseries Security Auditing... 7 Object auditing...8 Command auditing...8 System configuration auditing...8 Action auditing...9 SQL auditing...9 Windows Security Auditing Database Auditing Central Console Audit Reports Business Impact Analysis Integration with Business Service Management Software COBIT Control Objectives AI3 Maintain Technology Infrastructure AI3.7 Use and monitoring of Systems Utilities...15 DS5 Ensure Systems Security DS5.1 Manage Security Measures...15 DS5.2 Identification, Authentication and Access...16 DS5.5 Management Review of User Accounts...16 DS5.7 Security Surveillance...16 DS5.10 Violation and Security Activity Reports...16 DS5.11 Incident Handling...16 DS13 Manage Operations DS13.3 Job Scheduling...17 DS13.4 Departures from Standard Job Schedules...17 DS13.6 Operations Logs...17 M2 Monitoring M2.1 Internal Control Monitoring...17 M2.2 Timely Operation of Internal Controls...17 M2.4 Operational Security and Internal Control...18 Further reading for IBM iseries system control Case Study: Henry Schein, Inc Summary References Improving IT Management with Tango/ Improvement of IT service levels Protection of data, applications and processes Reduction of management costs Tango/04 Computing Group Página 2

3 Increased visibility of business processes Tailoring our solutions to meet your specific needs About Tango/04 Computing Group Legal notice Tango/04 Computing Group Página 3

4 Executive Summary Not only are public companies listed on U.S. stock markets subject to SOX auditing requirements, SOX also applies to the foreign subsidiaries of these companies and to third-party companies that they do business with. "VISUAL Security Suite has allowed us to rapidly implement SOX controls, while VISUAL Message Center helps keep our IT infrastructure healthy. I love the product." Sections 302 and 404 of the Sarbanes Oxley Act have most Don Keating, IT Manager relevance for IT governance. They require that company officers Henry Schein, Inc. guarantee the accuracy of the financial reports. This in turn requires that all company data used to generate financial reports is subject to formal auditing procedures to ensure that the data cannot be incorrectly modified in any way. Security audit software from Tango/04 enables auditing on IBM iseries systems, and collects security audit information from Windows servers. Audit information gathered includes access to sensitive objects, use of specific commands, and the activities of user profiles. This auditing capability delivers some of the internal controls that are necessary for compliance with the Sarbanes-Oxley Act. By implementing effective internal controls, company officers satisfy some of the requirements for guaranteeing that the financial reports that they submit are accurate. The recommended framework for implementing compliance of SOX requirements is using the relevant COBIT control objectives. Henry Schein, Inc. (Nasdaq: HSIC) a Fortune 500 distributor of healthcare products with global operations based in Melville, New York has successfully achieved SOX-COBIT control objectives using Tango/04 software. This document details the SOX - COBIT control objectives that can be implemented using Tango/04 software. For more information on audit software solutions from Tango/04, please visit to find your local Tango/04 Business Partner or info@tango04.net. Visit our homepage to see our 30-minute Webcast and Product Demonstration Tango/04 Computing Group Página 4

5 Overview of the Sarbanes-Oxley Act Introduction The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 also known as the Sarbanes-Oxley Act, or SOX was introduced to strengthen corporate governance and improve financial reporting by public companies operating in the USA. The motivation for the law was the extensive use of improper accounting practices by officers of public companies during the stock market boom of the late 1990s. Earning and profits were inflated using offbalance sheet accounting, manipulation of revenue recognition and the use of offshore companies, to name but a few methods. On a micro-level, these distortions meant that many CEOs and CFOs earned large bonuses and stock options that did not properly reflect the value they had generated for their shareholders. When the crash arrived, many shareholders, everyday people, found the value of their investments was a fraction of what it had been just a matter of months before. On a macro-level, financial reporting is key to the efficient operation of the global economy. Capital is allocated where it delivers the highest return, and the main source of information that investors use to calculate their expected return is company financial reports. If those reports are untruthful or misleading, capital will be misallocated, and the whole economy loses efficiency. The Sarbanes-Oxley Act focuses on how CEOs, CFOs and other company officers report corporate performance to their shareholders. It includes guidelines for auditing procedures, the composition of company boards, financial reporting, and the governance of everything related to company records. It is in the areas related to the storage and processing of financial data that the Sarbanes-Oxley Act impacts the IT department. $ Accounting Practices ERP CRM Financial Reports 10K 10Q SOX is about financial reporting. It requires auditing controls to be implemented in IT systems to ensure the integrity of the data in financial reports 2006 Tango/04 Computing Group Página 5

6 IT Governance: Sections 302 and 404 From an IT standpoint, the most relevant areas of the Sarbanes Oxley Act are sections 302 and 404, which deal with the certification of annual reports, and internal controls for corporate information respectively. In particular, section 302 requires that CEOs guarantee the accuracy of financial reports. Those financial reports are produced using a company s IT systems. Therefore, the security and integrity of those IT systems is a fundamental requirement for section 302. Sarbanes-Oxley compliance requires that company CEOs guarantee the data they have used to compile their annual report is correct and has not been manipulated in any way. Auditors Company Officers COBIT IT Department Sarbanes-Oxley provides guidelines for what is required with financial reporting. However, it does not specify how those guidelines should be implemented, in particular from the Information Technology point of view. Control Objectives for Information and related Technology (COBIT) is an IT management and governance framework, developed by the Information Systems Audit and Control Association (ISACA). As a generally accepted standard for IT audit practices, COBIT has been the framework chosen by many audit firms for SOX implementation. Audit Security Policy Controls Security document Audit reports Your security policy must meet audit requirements in order to achieve SOX compliance. Once you have defined your security audit policy, Tango/04 VISUAL Security Suite can automate the controls required to manage that policy, and generate reports to demonstrate ifs effectiveness. In other words, specific requirements of SOX compliance have been interpreted to fit with COBIT control objectives. By implementing specific COBIT control objectives, you are effectively implementing SOX compliance. However, it is likely that your organization is not strictly following COBIT or any other governance framework. This document is still relevant for you though. The COBIT control objectives are very generic, and can be easily applied to any compliance project. This document provides you with best practices even if you are not implementing COBIT or any other governance framework as such Tango/04 Computing Group Página 6

7 Tango/04 Solutions for Business Protection Tango/04 software ensures the integrity of business processes and corporate data on IBM iseries and Windows systems. In particular, the VISUAL Security Suite product leverages the auditing capabilities of the IBM iseries, making auditing easier and more user friendly, and automating the production of reports for SOX audit compliance. iseries Security Auditing Configuring auditing in OS/400 is complex and involves working with many commands and system values. VISUAL Security Suite takes the complexity out of the process, insulating users from the technical details and providing an easy to use interface for working with OS/400 auditing. This includes: Filter options to reduce the amount of data collected Enrichment of auditing messages to provide more information to operators Integration with messaging console In other words, VISUAL Security Suite is a simple interface for configuring the auditing that you require on your system to effectively control sensitive files, commands, or user profiles Tango/04 Computing Group Página 7

8 A Security Officer s view of iseries data integrity and auditing controls generated using VISUAL Security Suite s SmartConsole The following is a summary of the auditing types offered by OS/400, which can be quickly implemented using VISUAL Security Suite. Object auditing Changes and access to objects, e.g. delete, copy, rename, restore, authority change, read, edit. Examples include: Delete, copy or edit database file containing financial data Read or copy spool file containing sales information Command auditing Any command line entries, e.g. Commands run by suspect user profile Use of sensitive commands System configuration auditing Creation, modification of user profiles, e.g. creation of suspicious new profile Changes to system auditing Changes to system values, e.g. changes to system date, time, security level, IPL info, action for number of failed sign-on attempts, etc. Use of DST (Dedicated Services Tools), e.g. changes to system configuration 2006 Tango/04 Computing Group Página 8

9 1 2 3 View all security events at a glance in the SmartConsole, VISUAL Security Suite s easy to use graphical interface. This is where you set up alarms and automated actions for security events. The left column of the SmartConsole (1) shows all of the different events that a Security Manager might need to see grouped into Business Views. These change color when a problem arises. The right column (2) shows all the events of the selected Business View. These events can be sorted and viewed in a number of different ways. Hovering the mouse reveals detailed information about the event (3). Action auditing Authority failures, e.g. persistent failed sign-on attempts, object access denied Programs changed to adopt authority Users obtaining adopted authority Profile swapping Filters simplify event detection for all auditing types, and customization allows you to identify particular objects, user profiles, commands, etc. SQL auditing Audit the use of SQL statements in IBM iseries systems to track sensitive database access or changes by user, data modified, IP address, and more. SQL Monitoring is available for both interactive and batch processed queries Tango/04 Computing Group Página 9

10 This sample report illustrates how Tango/04 VISUAL Security Suite captures SQL queries performed. The SmartConsole s alert messages can notify auditors of attempted fraud and help to ensure data integrity. Windows Security Auditing Windows OS security events are sent to the Security Event Log, while security related applications such as anti-virus send messages to their own logs. Tango/04 software can read Windows Security Event logs, and identify key security events including configuration auditing, access, and policy violations. It can also read the logs created by other products by means of a multi-format text log analyzer. Database Auditing Auditing of specific database applications is available, for Oracle, SQL Server or DB2, including: Database availability Database performance Database security and audit, down to record-level Critical events affecting business processes that use each database 2006 Tango/04 Computing Group Página 10

11 Easy integration of database monitoring extends VISUAL Security Suite s data auditing capabilities to Oracle and SQL Server systems, in addition to DB2 UDB for iseries databases Tango/04 Computing Group Página 11

12 Central Console Tango/04's central SmartConsole consolidates security audit events from multiple systems and sources, presenting them graphically. Users can build automated actions such as alarms, alerts, or self-protecting capabilities for their systems. By centralizing control of all security and operations events in the SmartConsole, you can generate business service views that reveal the real impact of any system or security event, so that you can dedicate resources to solving the most critical issues first. All audit events can be managed from a central graphical console. Audit Reports Tango/04 includes a flexible Reporting System. Users can create and automatically generate all types of reports, with wide selection criteria and screen outputs such as HTML, Word, etc. There are a number of predefined reports, which show: Extensive list of security events Changes in user profiles Changes in system configuration Changes to folders, libraries and system objects Disconnected user profiles 2006 Tango/04 Computing Group Página 12

13 With VISUAL Security Suite, audit reports can be created instantly in PDF or HTML format to demonstrate regulatory compliance. Potentially serious security events can trigger real-time alerts via or mobile phone, to help you minimize risk. Audit trail capabilities are useful for fraud detection and regulatory compliance purposes other than SOX, including 21 CFR Part 11, HIPAA, Basel II, European Privacy Laws, etc. Business Impact Analysis Tango/04 offers top-down visibility into critical processes, prioritizing the business impact of any problem and allowing operators to easily build self-management capabilities. By taking a business-centric approach, technology management is aligned with business objectives, ensuring that resources are dedicated to resolve problems that are impacting the bottom line. This improves the IT departments productivity, increases the return on all IT investments, and ensures that IT-dependent businesses stay ahead of their competitors by providing superior service levels and availability Tango/04 Computing Group Página 13

14 Integration with Business Service Management Software Tango/04 security audit software is part of its Business Service Management software solution, VISUAL Message Center, which offers management of message, performance, application and security management. VISUAL Message Center helps IT departments reduce costs, increase service levels and protect their business processes by centralizing all systems management issues in one single package. The SmartConsole and Reporting System allow you to generate Business Views, so that you can see the impact of any security or operational event on your critical business processes. For example, you may have periodic processes that provide financial controllers with data to create your company's 10K and 10Q financial reports. With Tango/04 s Business Service Management (BSM) approach, you can monitor all the elements of that process that could potentially affect the data output: unexpected data changes, batch processing errors, untimely process completion, operating system integrity, and hardware status Tango/04 Computing Group Página 14

15 COBIT Control Objectives The best way to understand how Tango/04 solutions specifically address SOX issues is through the COBIT control objectives that have been identified by the Information Systems Audit and Control Association (ISACA) as relevant to SOX. The following is a list of the SOX COBIT control objectives that are relevant to Tango/04 software, and thus move you towards SOX compliance. Below each COBIT control objective, there is a description of how Tango/04 software helps achieve the control objective. This list is not exhaustive: there are further COBIT control objectives that are relevant to SOX and are not included. For a complete list of the COBIT controls, visit It is likely that your organization is not strictly following COBIT or any other governance framework. This documentation is still relevant for you though. The COBIT control objectives are very generic, and can be easily interpreted in any compliance project context. AI3 Maintain Technology Infrastructure AI3.7 Use and monitoring of Systems Utilities Policies and techniques should be implemented for using, monitoring and evaluating the use of system utilities. Responsibilities for using sensitive software utilities should be clearly defined and understood by developers, and the use of the utilities should be monitored and logged. Tango/04: use of specific programs or system service tools can be monitored and logged using Tango/04 software. Any violations of security policy produce instant alerts. Audit reports reveal usage patterns. DS5 Ensure Systems Security DS5.1 Manage Security Measures IT security should be managed such that security measures are in line with business requirements. This includes: Translating risk assessment information to the IT security plans Implementing the IT security plan Updating the IT security plan to reflect changes in the IT configuration Assessing the impact of change requests on IT security Monitoring the implementation of the IT security plan Aligning IT security procedures to other policies and procedures Tango/04: Periodic security audit reports reveal data access risks, and help ongoing monitoring of the security plan. The use of Business Views within Tango/04 software aligns security auditing to specific business processes Tango/04 Computing Group Página 15

16 DS5.2 Identification, Authentication and Access The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes). Tango/04: Procedures to keep authentication and access mechanisms effective include ongoing reporting of user profile creation, changes, and management of passwords. Reports from Tango/04 software provide this information to security officers. DS5.5 Management Review of User Accounts Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be made to help reduce the risk of errors, fraud, misuse or unauthorized alteration. Tango/04: User profile monitoring and reporting allows easy tracking of access rights for all iseries system users. DS5.7 Security Surveillance IT security administration should ensure that security activity is logged and any indication of imminent security violation is reported immediately to all who may be concerned, internally and externally, and is acted upon in a timely manner. Tango/04: The real-time auditing functionality provides instant alerts and actions to prevent iseries security violations. DS5.10 Violation and Security Activity Reports IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know. Tango/04: Periodic audit reports provide full information on potential violations, and specific issues, for example, use of security officer user profiles, or access to sensitive objects. DS5.11 Incident Handling Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents. Tango/04: The central console provides a consolidated view of all systems and logical partitions, allowing incidents to be handled instantly via alerts, escalation, etc Tango/04 Computing Group Página 16

17 DS13 Manage Operations DS13.3 Job Scheduling IT management should ensure that the continuous scheduling of jobs, processes and tasks is organized into the most efficient sequence, maximizing throughput and utilization, to meet the objectives set in service level agreements. The initial schedules as well as changes to these schedules should be appropriately authorized. Tango/04: Tango/04 automatically tunes iseries job priorities to ensure maximum system throughput. A log is kept of all system resource usage, for SLA reporting. DS13.4 Departures from Standard Job Schedules Procedures should be in place to identify, investigate and approve departures from standard job schedules. Tango/04: System monitoring identifies any departures from standard job schedules, alerting system operators for investigation. DS13.6 Operations Logs Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of processing and the other activities surrounding or supporting processing. Tango/04: system monitoring captures all job start and finish information on the iseries (QHST) for operations logging. Tango/04 Data Monitor for iseries provides record-level audit trail capabilities. M2 Monitoring M2.1 Internal Control Monitoring Management should monitor the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons, reconciliations and other routine actions. Deviations should evoke analysis and corrective action. In addition, deviations should be communicated to the individual responsible for the function and also at least one level of management above that individual. Serious deviations should be reported to senior management. Tango/04: any potential security control violation is identified and can be analyzed through audit reports or even instant alerts. M2.2 Timely Operation of Internal Controls Reliance on internal controls requires that controls operate promptly to highlight errors and inconsistencies, and that these are corrected before they impact production and delivery. Information regarding errors, inconsistencies and exceptions should be kept and systematically reported to management Tango/04 Computing Group Página 17

18 Tango/04: any potential security control violation is identified and can be analyzed through audit reports or even instant alerts. In particular, the alerting capabilities ensure any security issue is identified before serious damage can occur. M2.4 Operational Security and Internal Control Operational security and internal control assurance should be established and periodically repeated, with self-assessment or independent audit to examine whether or not the security and internal controls are operating according to the stated or implied security and internal control requirements. Ongoing monitoring activities by management should look for vulnerabilities and security problems. Tango/04: any potential security control violation is identified and can be analyzed through audit reports or even instant alerts. Security audit reports can also be provided to external auditors. Further reading for IBM iseries system control You may also wish to consult the White Paper An IT Executives View of the Sarbanes-Oxley Act of 2002 available from This includes a deeper discussion of the Sarbanes-Oxley Act from an IT point of view, and includes guidelines for using change management software to implement other COBIT control objectives relevant to Sarbanes-Oxley Tango/04 Computing Group Página 18

19 Case Study: Henry Schein, Inc. Henry Schein, Inc. (Nasdaq, HSIC), is a Fortune 500 distributor of healthcare products based in Melville, New York, that uses VISUAL Security Suite to implement SOX audit controls in its iseries environment. The IT department uses it to obtain instant reports of *SECOFR user profile activity, changes to system value and network attributes, the use of Dedicated Service Tools, and access to sensitive objects. Instant alerts are generated to any potentially suspicious activity. Henry Schein also uses Tango/04 VISUAL Message Center to ensure the operational health of its IT infrastructure. Security, performance, and operations events are controlled from the same central graphical console. "VISUAL Security Suite has allowed us to rapidly implement SOX controls, while VISUAL Message Center helps keep our IT infrastructure healthy. I love the product," says Don Keating, IT Manager at Henry Schein Tango/04 Computing Group Página 19

20 Summary Tango/04 security software enables auditing on IBM iseries systems, and collects security audit information from Windows servers. Audit information gathered includes access to sensitive objects, use of specific commands and the activity of user profiles. This auditing capability offers the internal controls that are necessary for compliance with the Sarbanes- Oxley Act of 2002, specifically the sections 302 and 404, which are most relevant to IT governance. By ensuring internal system controls, company officers are guaranteeing that the financial reports that they submit are accurate. The recommended framework for implementing compliance of Sarbanes-Oxley requirements is using the COBIT control objectives that are relevant to Sarbanes-Oxley. This document describes the SOX - COBIT control objectives that can be implemented using Tango/04 software. Beyond security auditing, Tango/04 s software offers management of business services, helping IT departments align IT management to business objectives. For more information on audit software solutions from Tango/04, please visit to find your local Tango/04 Business Partner or info@tango04.net. Visit our homepage to see our 30-minute Webcast and Product Demonstration. References The following documents and sources have been used in compiling this report: COBIT Control Objectives, 3rd Edition; IT Governance Institute IT Control Objectives for Sarbanes-Oxley; IT Governance Institute 2006 Tango/04 Computing Group Página 20

21 Improving IT Management with Tango/04 Improvement of IT service levels Dynamic system performance tuning Automatic problem resolution Real-time and historic reporting of SLA achievement Protection of data, applications and processes Real-time security audit Self-protection of IT assets Historical analysis and risk management Regulatory compliance (Sarbanes-Oxley, 21 CFR Part 11, HIPAA, Basel II, etc.) Reduction of management costs Automation IT operations tasks Prioritization of IT incidents according to business impact More effective user support Increased visibility of business processes Assessment of business impact of technology problems Cross-platform integration of operational status Generation of high-level management reports 2006 Tango/04 Computing Group Página 21

22 Tailoring our solutions to meet your specific needs Our SafeDeploy methodology helps our Business Partners implement tailored solutions that meet the specific needs of our customers. It takes advantage of a collection of best practices and provides a framework for the reuse of real-life-proven solutions by our consultants. SafeDeploy consists of four stages, each consisting of professional services that deliver a number of products. By working closely with our consultants, IT staff members, IT managers, and supervisors at other company departments, can take a close look at the tangible results they can expect before the solution is fully deployed. This first-hand experience with the solution provides valuable information that can help in justifying the need and benefits of the project in front of the CFO, the CEO, or other non-technical decision makers Tango/04 Computing Group Página 22

23 About Tango/04 Computing Group Tango/04 Computing Group is one of the leading developers of systems management and automation software. Tango/04 software helps companies maintain the operating health of all their business processes, improve service levels, increase productivity, and reduce costs through intelligent management of their IT infrastructure. Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM s Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over 35 authorized Business Partners around the world. Product focus System and Application Event Management Performance Management Security Management Business Data Monitoring Application Development and Support Alliances IBM Premier Business Partner IBM PartnerWorld for Developers Advanced Member IBM Autonomic Computing Business Partner IBM ISV Advantage Agreement IBM Early code release and Direct Technical Liaison IBM ServerProven Solution Microsoft Developer Network Microsoft Early code release Awards Search400.com Product of the Year, 2003 IBM All Star Award for Product Excellence, 1997-date Midrange Computing Showcase Product Excellence, 2001 IBM iseries Magazine Honor Roll, Tango/04 Computing Group Página 23

24 Legal notice The information in this document was created using certain specific equipment and environments, and it is limited in application to those specific hardware and software products and version and releases levels. Any references in this document regarding Tango/04 Computing Group products, software or services do not mean that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally equivalent product that does not infringe any of Tango/04 Computing Group s intellectual property rights may be used instead of the Tango/04 Computing Group product, software or service Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. The information contained in this document has not been submitted to any formal Tango/04 Computing Group test and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer responsibility, and depends on the customer s ability to evaluate and integrate them into the customer s operational environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they have been advised of the possibility of such damages. This document could contain technical inaccuracies or typographical errors. Any pointers in this publication to external web sites are provided for your convenience only and do not, in any manner, serve as an endorsement of these web sites. Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX and UnixWare, used under an exclusive license, are registered trademarks of The Open Group in the United States and other countries. Oracle is a registered trademark of Oracle Corporation. Henry Schein is a registered trademark of Henry Schein, Inc. Other company, product, and service names may be trademarks or service marks of other companies. For more information on audit software solutions from Tango/04, please visit to find your local Tango/04 Business Partner or info@tango04.net. Visit our homepage to see our 30-minute Webcast and Product Demonstration 2006 Tango/04 Computing Group Página 24