SureWest makes the call on SOX compliance


Diana Kelley
04.22.2006

In almost a century of business, SureWest has evolved from a traditional ILEC into a provider of a full range of telephony, video and data services for customers across metropolitan Sacramento, Calif. Since the passage of the Sarbanes-Oxley Act, and section 404 in particular, SureWest has worked hard to ensure that its compliance keeps pace with the demands of the rapidly changing telecommunications market.

"We see SOX as a way to heighten the confidence of our investors in the financial information we are providing them," says Tim Dotson, executive director of information technology solutions at the company. "We've had formal policies in place for quite some time, but we had to make significant changes and improvements to those policies as a function of SOX." SureWest tightened its password controls in response to SOX. Its existing rules about how passwords were handled and how often they had to be changed were not sufficient. "SOX had us get very explicit about the standards we used for each application," Dotson says. SOX mandated that an auditor must be able to easily determine the rotation frequency in order to test the control. SureWest used domain-level controls, such as those in Windows Active Directory, integrating them into application-access routines where possible.

"SOX would say you need to ensure that logical access to your systems is adequately controlled [and protected against unauthorized use]," he added. Policy-wise, as with the password-change rules, the details of how these safeguards are put in place must be readily available to an auditor.

Meanwhile, Dotson has put in place security monitoring tools that alert him to changes in critical system files. External scans are important as well, to surface network vulnerabilities that internal monitoring has not detected.
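The two controls described above, the password-rotation standard an auditor must be able to test and the alerting on changes to critical system files, are the kind of checks that lend themselves to an automated test script. The following is an added example, not SureWest's code, showing both: a password-age check over constructed account records that stand in for an Active Directory export, and a hash baseline of critical files compared against their current state. The 90-day maximum password age, the account names and the file contents are all assumptions for the demonstration.

```python
"""Hypothetical automated key-control tests (added example, not SureWest's code).

Control 1: every account's password must have been changed within
           MAX_PASSWORD_AGE_DAYS (the policy value is assumed here).
Control 2: critical files must match a stored SHA-256 baseline; any
           added, removed or modified file is reported for alerting.
"""
import hashlib
import os
import tempfile
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value, not from the article
AS_OF = date(2006, 4, 22)           # date the control is being tested

# Constructed stand-in for an Active Directory export: account -> last password change.
SAMPLE_ACCOUNTS = {
    "billing_svc": date(2006, 1, 2),
    "jdoe": date(2006, 3, 15),
    "auditor_ro": date(2005, 11, 30),
}


def stale_password_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return the accounts whose password is older than the policy allows.

    The auditor's question is answered explicitly: the rotation frequency is
    a single named constant, and the output is the list of exceptions.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, changed in accounts.items() if changed < cutoff)


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each existing file path to its hash; missing files are simply absent."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def compare_baseline(baseline, current):
    """Diff two path->hash maps into the three events worth alerting on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo_password_check():
    """Run control 1 over the constructed accounts."""
    return stale_password_accounts(SAMPLE_ACCOUNTS, AS_OF)


def demo_integrity_check():
    """Run control 2 over a constructed set of files in a temporary directory.

    Baselines two files, then modifies one, deletes one and creates a third,
    returning the detected changes by file name.
    """
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        sshd = os.path.join(tmp, "sshd_config")
        extra = os.path.join(tmp, "new.conf")
        with open(hosts, "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        with open(sshd, "wb") as fh:
            fh.write(b"PermitRootLogin no\n")
        baseline = build_baseline([hosts, sshd, extra])

        # Simulated unauthorized changes since the baseline was taken.
        with open(sshd, "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.remove(hosts)
        with open(extra, "wb") as fh:
            fh.write(b"# unexpected file\n")
        current = build_baseline([hosts, sshd, extra])

        result = compare_baseline(baseline, current)
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print("accounts past password age:", demo_password_check())
    print("critical file changes:", demo_integrity_check())
```

In production the baseline would be stored outside the monitored hosts and the comparison run on a schedule, with each non-empty result raising the notification that the article describes; the exception lists themselves are the evidence an auditor would ask for.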

"The first scan revealed a number of problems in our network," he says, adding that the company devised a five-point scale to rank minor problems. "Now, there are very few items detected" during the semiannual scans, he says. SOX section 404 is part of the precedent for the scans, but so are requirements SureWest faces from state agencies, banks and other organizations.

With time, Dotson and the IT team have been able to work more efficiently on SOX. "In our first year, 11% of all staff hours were spent on SOX-related activity," Dotson says. "In the second year, we brought it down to 5%, and we want to reduce it further."

Overall, Dotson estimates that SureWest has expended about 150 staff hours developing technology to attain SOX compliance: developing standards for SOX key-control design, developing and implementing automated logging and notification scripts for various system and security events or potential incidents, developing automated SOX testing scripts, and developing and implementing automated document management systems.

Even when it's most onerous, working toward SOX compliance has yielded some unexpected positive outcomes, Dotson reflects. "It has forced us to do a better job on documenting procedures."

"It has been expensive, and it's been a scramble to get things done, but all in all, we are better off for it."

About the Author:
Diana Kelley, Senior Analyst, Burton Group, is also a contributing editor for Information Security magazine and SearchSecurity.com.

This article originally appeared in Information Security magazine.
