
SureWest makes the call on SOX compliance

In almost a century of business, SureWest has morphed from a traditional ILEC to a provider of a full range of telephony, video and data services for customers across metropolitan Sacramento, Calif. Since the Sarbanes-Oxley Act passed, section 404 in particular, SureWest has worked hard to ensure that its compliance has kept pace with the demands of the rapidly changing telecommunications market.

"We see SOX as a way to heighten the confidence of our investors in the financial information we are providing them," says Tim Dotson, executive director of information technology solutions at the company. "We've had formal policies in place for quite some time, but we had to make significant changes and improvements to those policies as a function of SOX." SureWest tightened its password controls in response to SOX. Its existing rules about how passwords were handled and how often they had to be changed were not sufficient. "SOX had us get very explicit about the standards we used for each application," Dotson says. SOX mandated that an auditor must be able to easily determine the rotation frequency in order to test the control. SureWest used domain-level controls, such as those in Windows Active Directory, integrating them into application-access routines where possible.

"SOX would say you need to ensure that logical access to your systems is adequately controlled [and protected against unauthorized use]," he added. Policy-wise, as with the password-change rules, the details of how these safeguards are put in place must be readily available to an auditor.

Meanwhile, Dotson has put in security monitoring tools that alert him to changes in critical system files. External scans are important as well, to surface network vulnerabilities that internal monitoring has not detected.
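The article does not describe SureWest's tooling, so the following is an added example, not the company's code: a minimal file-integrity check of the kind behind Dotson's critical-file alerts. It records a SHA-256 baseline for a watched set of files and reports anything added, removed or modified since; the watched files and the "unauthorised" edits are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large logs or binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(watched):
    """Map each existing watched file to its current hash (the approved state)."""
    return {str(p): hash_file(p) for p in watched if p.is_file()}


def compare_baseline(baseline, watched):
    """Diff the live state against the baseline; each list is an alert condition."""
    current = build_baseline(watched)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    # Constructed sample: three "critical" files under a temp dir, one not yet present.
    root = Path(tempfile.mkdtemp())
    app_conf = root / "app.conf"
    sudoers = root / "sudoers"
    hosts = root / "hosts"
    app_conf.write_text("password_max_age_days=90\n")
    sudoers.write_text("root ALL=(ALL) ALL\n")
    watched = [app_conf, sudoers, hosts]
    baseline = build_baseline(watched)  # taken when the auditor-approved state is known

    # Simulate what a later scheduled check would see: one edit, one deletion, one new file.
    app_conf.write_text("password_max_age_days=365\n")
    sudoers.unlink()
    hosts.write_text("127.0.0.1 localhost\n")
    return compare_baseline(baseline, watched)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline itself must be stored where the monitored hosts cannot rewrite it, otherwise an attacker who edits a file can also re-baseline it.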

"The first scan revealed a number of problems in our network," he says, adding that the company devised a five-point scale to rank the findings by severity. "Now, there are very few items detected" during the semiannual scans, he says. SOX section 404 is part of the rationale for the scans, but so are requirements SureWest faces from state agencies, banks and other organizations.

With time, Dotson and the IT team have been able to work more efficiently on SOX. "In our first year, 11% of all staff hours were spent on SOX-related activity," Dotson says. "In the second year, we brought it down to 5%, and we want to reduce it further."

Overall, Dotson estimates that SureWest has expended about 150 staff hours developing technology to attain SOX compliance -- developing standards for SOX key-control design, developing and implementing automated logging and notification scripts for various system and security events or potential incidents, developing automated SOX testing scripts and developing and implementing automated document management systems.

Even when it's most onerous, working toward SOX compliance has yielded some unexpected positive outcomes, Dotson reflects. "It has forced us to do a better job on documenting procedures."

"It has been expensive, and it's been a scramble to get things done, but all in all, we are better off for it."

About the Author:
Diana Kelley, Senior Analyst, Burton Group, is also a contributing editor for Information Security magazine and SearchSecurity.com.

This article originally appeared in Information Security magazine.

This was first published in January 2008
