Like other public companies that handle credit cards, Alviso, Calif.-based TiVo faces a double whammy: meeting the requirements of the Sarbanes-Oxley Act and the Payment Card Industry data security standard. Through a savvy combination of proactive auditor relations, automation and simplification, however, the company has significantly cut the time and effort it spends dealing with compliance issues.
“We’ve saved two-thirds of the time and one-third the effort we used to expend dealing with audits,” says TiVo Director of IT Richard Rothschild, who spoke at the recent Network World IT Roadmap Conference & Expo in Santa Clara, Calif. “And that can only get better as time goes on.”
A key strategy for TiVo is to be more proactive during audits. Rather than waiting for the auditors to tell Rothschild’s staff what they need, the staff and relevant business managers sit down with the auditors beforehand to decide upfront what the audit should cover. “This helps us limit the scope to just what the auditors need to determine whether we’re compliant,” he says. “It avoids a lot of creep.”
In the past, auditors tended to ask a lot of questions and go down roads that led to more work but didn’t necessarily help determine TiVo’s compliance posture. By being more proactive, TiVo has eliminated such fishing expeditions. For example, a typical audit may need to test and verify the file-recovery system for a Network Appliance device. “We sit down and define exactly what the test is, what it means and how it should verify compliance,” Rothschild says. “Then everybody is clear on where we’re going to end up. It reduces the work — and the cost — for everybody.”
Once TiVo and the auditors agree on the scope, the company saves even more time and money by automating as many back-end auditing-related processes as possible. For example, a typical SOX audit requires TiVo to prove that terminated employees no longer can access its network. In the past, proving such compliance would mean checking a list of terminated employees against Active Directory, then checking VPN logs to see if any recently terminated employees had tried to log on. The process could take a couple of staff as long as two weeks.
Now TiVo automates much of the process via homegrown scripts that send an alert when an employee leaves and kick off tasks to remove their access universally. IT also is alerted if a terminated employee attempts to access the network. “What used to take weeks now takes just a few minutes. Right away, we can get the information and show the auditors where we’re at,” Rothschild says. “It’s a huge savings.”
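The terminated-employee check described above, sketched as an added example; it is not TiVo's script, which the article does not show. The CSV layouts, column names and sample records are constructed assumptions standing in for an HR feed, a directory export and a VPN log.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; column names are assumptions, not a real export format.
HR_TERMINATIONS = """user,terminated_at
jdoe,2007-08-01T17:00:00
asmith,2007-08-10T12:00:00
"""

DIRECTORY_ACCOUNTS = """user,enabled
jdoe,false
asmith,true
bwong,true
"""

VPN_LOG = """timestamp,user,result
2007-07-30T09:00:00,jdoe,success
2007-08-02T22:14:00,jdoe,failure
2007-08-11T08:03:00,asmith,success
2007-08-11T08:05:00,bwong,success
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_terminations(hr_csv, directory_csv, vpn_csv):
    """Return (still_enabled, post_termination_attempts) as audit evidence."""
    terminated = {r["user"].lower(): datetime.fromisoformat(r["terminated_at"])
                  for r in _rows(hr_csv)}
    enabled = {r["user"].lower() for r in _rows(directory_csv)
               if r["enabled"].strip().lower() == "true"}
    # Finding 1: terminated users whose directory account is still enabled.
    still_enabled = sorted(terminated.keys() & enabled)
    # Finding 2: any VPN attempt, successful or not, made after termination.
    attempts = []
    for r in _rows(vpn_csv):
        user = r["user"].lower()
        when = datetime.fromisoformat(r["timestamp"])
        if user in terminated and when > terminated[user]:
            attempts.append((user, r["timestamp"], r["result"]))
    return still_enabled, attempts


if __name__ == "__main__":
    stale, attempts = audit_terminations(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, VPN_LOG)
    print("Still enabled:", stale)
    print("Post-termination VPN attempts:", attempts)
```

Failed attempts are reported alongside successful ones because the article says IT is alerted on any attempt, and a success after termination also shows that revocation did not reach the VPN.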
Another way TiVo eases the compliance process is by keeping all its credit-card-related data on a separate network. “It reduces the scope of what the auditors have to look at and also what we have to pay special attention to,” Rothschild says. “Not that we don’t pay attention to the other parts, but the credit card part gets a lot of scrutiny.”