Like other public companies that handle credit cards, TiVo faces a double whammy: meeting the requirements of the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard. Through a savvy combination of proactive auditor relations, automation and simplification, however, the company has significantly cut the time and effort it spends dealing with compliance issues.
"We've saved two-thirds of the time and one-third the effort we used to expend dealing with audits," says TiVo Director of IT Richard Rothschild, who spoke at the recent Network World IT Roadmap Conference & Expo in California. "And that can only get better as time goes on."
Getting out in front
A key strategy for TiVo is to be more proactive during audits. Rather than waiting for the auditors to tell Rothschild's staff what they need, the staff and relevant business managers sit down with the auditors beforehand to decide upfront what the audit should cover. "This helps us limit the scope to just what the auditors need to determine whether we're compliant," he says. "It avoids a lot of creep."
In the past, auditors tended to ask a lot of questions and go down roads that led to more work but didn't necessarily help determine TiVo's compliance posture. By being more proactive, TiVo has eliminated such fishing expeditions. For example, a typical audit may need to test and verify the file-recovery system for a Network Appliance device. "We sit down and define exactly what the test is, what it means and how it should verify compliance," Rothschild says. "Then everybody is clear on where we're going to end up. It reduces the work -- and the cost -- for everybody."
Once TiVo and the auditors agree on the scope, the company saves even more time and money by automating as many back-end audit-related processes as possible. For example, a typical SOX audit requires TiVo to prove that terminated employees can no longer access its network. In the past, proving such compliance meant checking a list of terminated employees against Active Directory, then checking VPN logs to see whether any recently terminated employees had tried to log on. The process could take a couple of staff as long as two weeks.
Now TiVo automates much of the process via homegrown scripts that send an alert when an employee leaves and kick off tasks to remove that person's access everywhere. IT also is alerted if a terminated employee attempts to access the network. "What used to take weeks now takes just a few minutes. Right away, we can get the information and show the auditors where we're at," Rothschild says. "It's a huge savings."
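To make the shape of that check concrete, here is an added example (written for this page, not TiVo's own scripts) that reconciles a termination list against a directory export and VPN gateway logs. The HR feed, the directory export, the log line format, the usernames and the dates are all constructed assumptions; the point is the two questions an auditor asks: which terminated accounts are still enabled, and which terminated users appeared in VPN logs after their last day.

```python
"""Offboarding audit check: terminated staff vs. directory state and VPN logs.

All inputs below are constructed for illustration. The VPN log format is an
assumption, not any particular vendor's.
"""
import re
from datetime import date, datetime, timezone

# Constructed HR feed: username -> last working day.
TERMINATIONS = {
    "asmith": date(2007, 3, 2),
    "bjones": date(2007, 3, 9),
    "cwu": date(2007, 3, 12),
}

# Constructed directory export (as from an Active Directory query).
DIRECTORY = [
    {"user": "asmith", "enabled": False},
    {"user": "bjones", "enabled": True},   # should have been disabled
    {"user": "cwu", "enabled": True},      # should have been disabled
    {"user": "dlee", "enabled": True},     # active employee
]

# Constructed VPN gateway log; one malformed line to show it is skipped.
VPN_LOG = """\
2007-03-02T17:55:10Z vpn01 user=asmith result=SUCCESS src=198.51.100.7
2007-03-05T08:12:03Z vpn01 user=asmith result=FAILURE src=203.0.113.5
2007-03-10T21:40:44Z vpn01 user=bjones result=SUCCESS src=203.0.113.9
2007-03-11T09:01:15Z vpn01 user=dlee result=SUCCESS src=198.51.100.22
2007-03-12T23:30:00Z vpn01 user=cwu result=SUCCESS src=198.51.100.3
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+\S+\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>\S+)\s+src=(?P<src>\S+)$"
)


def parse_vpn_line(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def lingering_accounts(terminations, directory):
    """Terminated users whose directory account is still enabled."""
    return sorted(e["user"] for e in directory
                  if e["enabled"] and e["user"] in terminations)


def post_termination_vpn_events(terminations, log_text):
    """VPN events (success or failure) by a terminated user after the last day.

    Failures matter too: a failed attempt by an ex-employee is exactly what
    the alerting described above is meant to surface. Activity on the last
    working day itself is not flagged; access is expected to be revoked by
    the end of that day.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_vpn_line(line)
        if ev is None:
            continue
        last_day = terminations.get(ev["user"])
        if last_day is not None and ev["ts"].date() > last_day:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["result"], ev["src"]))
    return hits


def audit_report(terminations=TERMINATIONS, directory=DIRECTORY, log_text=VPN_LOG):
    """The evidence bundle an auditor asks for, as one dict."""
    return {
        "still_enabled": lingering_accounts(terminations, directory),
        "vpn_after_termination": post_termination_vpn_events(terminations, log_text),
    }


if __name__ == "__main__":
    report = audit_report()
    for user in report["still_enabled"]:
        print(f"ACCOUNT STILL ENABLED: {user}")
    for user, ts, result, src in report["vpn_after_termination"]:
        print(f"VPN {result} after termination: {user} at {ts} from {src}")
```

Run stand-alone, it reports two accounts still enabled (bjones, cwu) and two post-termination VPN events (a failed attempt by asmith, a successful login by bjones); cwu's login on the last working day is not flagged. In practice the three inputs would be pulled from the HR system, a directory query and the VPN gateway's exported logs on a schedule, and the report kept as audit evidence.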
Another way TiVo eases the compliance process is by keeping all its credit-card-related data on a separate network. "It reduces the scope of what the auditors have to look at and also what we have to pay special attention to," Rothschild says. "Not that we don't pay attention to the other parts, but the credit card part gets a lot of scrutiny."
On the flip side, dual environments can make overall data management more complex. "It makes it more complicated in the sense that there are more pieces now. You have your regular production and then you have your compliance production," Rothschild says. "But overall it's easier because it makes it far easier to monitor that one key area where we have to make sure everything is running exactly right."
Other storage challenges
Beyond compliance, TiVo is tackling numerous storage challenges, including how best to archive its primary SAP database. TiVo uses SAP not only for its own internal financials but also to manage its huge customer base. "A lot of our customers have been around since the beginning, seven, eight or nine years, and we still have to access their data because they're ongoing customers," Rothschild says. "It's hard for us to just archive big chunks of data." SAP runs off a single-instance database that tends to grow large and unwieldy over time.
Rather than spend money on additional servers or processors for the SAP environment, TiVo is looking to improve overall performance via archiving. The problem, Rothschild says, is striking a balance between how much data to keep in the live production environment -- which can become too slow and too costly -- and how much to put into lower-tier, cheaper storage -- where you run the risk of limiting or slowing access.
TiVo found a good compromise in EMC's ViewPoint for SAP, which lets the company archive SAP data while making it available in read-only form for production-level business needs. "It lets us archive off as much of that central instance as possible, put it onto secondary storage and still have it accessible," Rothschild says. "The business people who need to run reports can still get all the information they need to see, even for customers who are older, while we get to solve our problem, which is having too much data in our central instance and keeping our cost level down."