"We see SOX as a way to heighten the confidence of our investors in the financial information we are providing them," says Tim Dotson, executive director of information technology solutions at the company. "We've had formal policies in place for quite some time, but we had to make significant changes and improvements to those policies as a function of SOX." SureWest tightened its password controls in response to SOX. Its existing rules about how passwords were handled and how often they had to be changed were not sufficient. "SOX had us get very explicit about the standards we used for each application," Dotson says. SOX required that an auditor be able to easily determine the rotation frequency in order to test the control. SureWest used domain-level controls, such as those in Windows Active Directory, and integrated them into application-access routines wherever possible.
"SOX would say you need to ensure that logical access to your systems is adequately controlled [and protected against unauthorized use]," he added. Policy-wise, as with the password-change rules, the details of how these safeguards are put in place must be readily available to an auditor.
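As an added example, not code from the article or from SureWest, the PowerShell script below produces the kind of evidence Dotson describes: the domain's configured password-rotation interval, any fine-grained policies that override it, and the enabled accounts that are exempt from rotation. It assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the 90-day maximum age is a hypothetical policy value to be replaced with whatever the organisation's own control design states.

```powershell
# Added example: gather auditable evidence of password-rotation controls
# from Active Directory. Not code from the article or from SureWest.
# Assumes the RSAT ActiveDirectory module is installed and the caller has
# read access to the domain. The 90-day limit is a hypothetical policy
# value; substitute the standard your own key-control design specifies.
param(
    [int]$RequiredMaxAgeDays = 90,
    [string]$EvidencePath = ".\password-policy-evidence.csv"
)

Import-Module ActiveDirectory

# Helper: a policy is compliant when it expires passwords at all (a zero
# MaxPasswordAge means "never") and does so within the required interval.
function Test-RotationInterval {
    param([timespan]$MaxAge, [int]$LimitDays)
    return ($MaxAge.Days -gt 0 -and $MaxAge.Days -le $LimitDays)
}

$findings = @()

# 1. Default domain policy: the rotation interval an auditor will ask for.
$default = Get-ADDefaultDomainPasswordPolicy
$findings += [pscustomobject]@{
    Scope          = 'DefaultDomainPolicy'
    MaxPasswordAge = $default.MaxPasswordAge.Days
    MinLength      = $default.MinPasswordLength
    Complexity     = $default.ComplexityEnabled
    Compliant      = Test-RotationInterval $default.MaxPasswordAge $RequiredMaxAgeDays
}

# 2. Fine-grained password policies can override the default for specific
#    groups, so each one must be documented and tested as well.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $findings += [pscustomobject]@{
        Scope          = "FGPP:$($fgpp.Name)"
        MaxPasswordAge = $fgpp.MaxPasswordAge.Days
        MinLength      = $fgpp.MinPasswordLength
        Complexity     = $fgpp.ComplexityEnabled
        Compliant      = Test-RotationInterval $fgpp.MaxPasswordAge $RequiredMaxAgeDays
    }
}

# 3. Enabled accounts flagged "password never expires" bypass rotation
#    entirely; list them so every exception carries a documented justification.
$exempt = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet

# Write the evidence files the auditor can reference during control testing.
$findings | Export-Csv -Path $EvidencePath -NoTypeInformation
$exempt   | Export-Csv -Path ($EvidencePath -replace '\.csv$', '-exemptions.csv') -NoTypeInformation

$findings | Format-Table -AutoSize
"{0} enabled account(s) exempt from password rotation" -f @($exempt).Count
```

Running the script on a schedule and retaining the CSV output gives the auditor exactly what the article says SOX demands: the rotation frequency, stated explicitly and reproducibly, rather than a verbal assurance that passwords are changed "regularly".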
"The first scan revealed a number of problems in our network," he says, adding that the company devised a five-point scale to rank the less serious findings. "Now, there are very few items detected" during the semiannual scans, he says. SOX Section 404 is part of the basis for the scans, but so are requirements SureWest faces from state agencies, banks and other organizations.
With time, Dotson and the IT team have been able to work more efficiently on SOX. "In our first year, 11% of all staff hours were spent on SOX-related activity," Dotson says. "In the second year, we brought it down to 5%, and we want to reduce it further."
Overall, Dotson estimates that SureWest has expended about 150 staff hours developing technology to attain SOX compliance -- developing standards for SOX key-control design, developing and implementing automated logging and notification scripts for various system and security events or potential incidents, developing automated SOX testing scripts and developing and implementing automated document management systems.
Even when it's most onerous, working toward SOX compliance has yielded some unexpected positive outcomes, Dotson reflects. "It has forced us to do a better job on documenting procedures."
"It has been expensive, and it's been a scramble to get things done, but all in all, we are better off for it."
About the Author:
Diana Kelley, Senior Analyst, Burton Group, is also a contributing editor for Information Security magazine and SearchSecurity.com.
This article originally appeared in Information Security magazine.
This was first published in January 2008