'Camp Cupcake' awaits the unwary executive


Camp Cupcake may sound like the type of place everybody wants to go.

That's not the way computer scientist Hal Berghel of the University of Nevada, Las Vegas, sees it.

Berghel, in Lincoln to discuss the implications for technology professionals of recently passed federal laws, uses the term "Camp Cupcake" to refer to minimum security prisons that await those who fail to take proper steps in preventing corporate fraud.

Berghel, who also works as a technology consultant to businesses, said his job in that field is to "keep C-level executives out of jail."

That'd be the chief of anything officers.

The Sarbanes-Oxley Act of 2002 requires CEOs and chief financial officers to sign pledges to regulators that the financial statements of their companies are true, and that, among other things, due diligence has been done to ensure that the company's computer systems and networks are secure.

The executives can't, under Sarbanes-Oxley, plead ignorance and go unpunished.

While the law was intended to make CEOs and CFOs more accountable to shareholders, Berghel said, chief information officers, too, are now at risk. Not only can executives who sign off on filings be sent to jail if fraud is later uncovered, they can also be held personally responsible for paying back investors' losses.

There's a simple way to avoid Camp Cupcake: establish a set of procedures and practices that address technology security and continually use them.

Berghel brought up two recent examples of the type of fraud that Sarbanes-Oxley aims to eliminate: Two Cisco Systems accountants improperly raised their network privileges to where they could illegally issue $8 million in company stock, and an AOL employee collected millions of customer addresses and sold them to spammers.

Berghel said the people who committed those deeds were prosecuted, but their bosses would also be in trouble had Sarbanes-Oxley been in effect, for failing to implement security policies that would have prevented the breaches.

"The only chance for successful compliance is eternal vigilance," he said.

While following Sarbanes-Oxley is the law for publicly traded companies, Berghel said he advises all his clients to keep a watch on security.

Especially important is protecting revenue-side financial data, proprietary data and customer records.

Berghel said he'd recommend that businesses follow one or more globally recognized standards such as ISO 17799.

He said some encryption programs, such as those that "protect" WiFi wireless communications, are too easily broken for executives who use them to sign off on security. He conducted a demonstration for the several dozen people on hand for his presentation at the Nebraska Union Auditorium.

Using a program similar to the type a hacker might use, he showed that access to a network can be had within a minute or so.

"If you're starting to cringe in your seat and you're a C-level executive or you report to one, that's what Sarbanes-Oxley is about," he said. "Get a policy in place or plan on meeting Martha (Stewart) at Camp Cupcake."

Matt Fitzgerald of American Express said he found the presentation useful. He said he works with the governing board to make sure the company's e-commerce Web sites are secure.

"It's good to have more of a lay perspective on the Sarbanes-Oxley legislation," Fitzgerald said.

He said American Express has seen the problems with WiFi and made appropriate policy decisions.

"Within our company, we have policies against even using the technology," he said.

Reach Rodd Cayton at 473-7107 or rcayton@journalstar.com.
