
Abstract

With 30,000-plus employees located in 100 countries around the world, Sun Microsystems is a leading provider of industrial-strength hardware, software and services. Because of increased board attention to optimizing the value of IT, Sarbanes-Oxley legislation and other business initiatives, Sun's information technology (IT) department sought a common framework with which to view and measure IT's alignment with, and contribution to, the overall business strategy. After researching options, Sun's CIO recommended implementation of the Control Objectives for Information and related Technology (COBIT) framework. COBIT's contributions to Sun's goals were identified, and it was adopted and successfully enhanced the already effective process improvement work being accomplished with limited resources.

Background
Since its inception in 1982, a singular vision, "The Network is the Computer," has propelled Sun Microsystems to its position as a leading provider of industrial-strength hardware, software and services that make the Internet work. Sun's 30,000-plus employees are located in 100 countries around the world. The global scope and scale of Sun's information technology (IT) department includes supporting the Sun community with 600 applications, six data centers, 1,700 data center servers, 600 terabytes of data, four million internal web pages and five million e-mails per day.

Figure 1 shows the organizational structure of Sun IT in 2004. It starts with the strategy, architecture and technological direction. From there, the system development, integration and deployment are organized closely around the type of business systems being dealt with, such as demand creation systems or engineering and fulfillment systems. The IT service management group is focused on defining processes, standards and tools that bridge the development and the service delivery worlds. Application support and operations focus on service support and delivery. The governance organization focuses on budget and monitoring activities.

Sun Microsystems' IT department was facing many issues in early 2004, including:

- Increased pressure from the board's audit committee to demonstrate, in a quantifiable way, that it was working on the right things in the right way, that the work was being done well and that it was adding value to the company
- Evaluating its internal control framework related to the US Sarbanes-Oxley (SOX) Act of 2002, and the increasing awareness of the value of a broad internal control framework
- Identifying core vs. noncore activities, as outsourcing was being more seriously explored as an option to focus on core competencies and to reduce costs
- Reevaluating the IT organization's internal structure and alignment to be sure all areas were covered without unwanted redundancy

Some IT staff understood the value of using a common framework to view and measure Sun IT's alignment with, and contribution to, Sun's overall business strategy. In fact, the CIO had said that the organization would use Control Objectives for Information and related Technology (COBIT) as the framework. Sun's culture is built on innovation, and great value is placed on contrarian thinking, so even though the CIO had approved the use of COBIT, actual implementation of the framework required an approach that built acceptance and adoption of the various elements of COBIT while taking into account the great process improvement work already being done in a significantly resource-constrained environment.

At the same time, the organization also expected to begin its SOX reporting at the end of its fiscal year. Sun's finance department was driving the SOX compliance effort, and IT was actively involved. As with most organizations, significant resources were being spent on the SOX compliance effort, and that effort continued even after learning that the first official reporting requirement had been pushed further back. The following questions needed to be answered:

- How should Sun leverage the new awareness of the need for adequate internal controls that IT people gained through the SOX compliance effort?
- How should Sun demonstrate that a common framework, such as COBIT, complements rather than displaces existing process improvement methods?
- How should Sun identify and evaluate core vs. noncore IT activities?
- How should Sun ensure alignment of the organization's internal IT organizational charters?

Process
Initially, IT executive support for using COBIT was limited. The CIO and the vice president for IT governance were championing the framework, but there was resistance from most of the other executives, and for good reasons. First, the organization had not done a thorough job of helping them understand what COBIT is and, more specifically, how it could add value. Second, only 18 to 24 months earlier, the company had significantly transformed the Sun IT organization, moving from a distributed approach with an IT group for each business unit to one unified Sun IT for one Sun. This facilitated the creation and institutionalization of common standardized processes. Sun embraced Sigma, the IT Infrastructure Library (ITIL) and other process improvement methods. Some questions asked were, "If the organization already knows what it needs to work on, and it follows industry best practices as it makes improvements, what does COBIT give it that it doesn't already have? Does COBIT replace ITIL?" Even those who were open-minded about using COBIT expressed concerns about the potential resource impact. Resources were already stretched thin, and the organization knew additional resources would not be available. Would the organization have the necessary resources to implement COBIT in addition to everything else it was doing?

At the same time that the executives were weighing their personal support for COBIT, the organization had begun intensive preparation for SOX. At that time the expected deadline for initial SOX 404 compliance was June 2004. The IT internal control framework was developed before the organization had a good understanding of COBIT in general and of how COBIT applies to Sun IT specifically. At present, only controls related to financial reporting are in the formal IT internal control framework, but the organization sees it expanding beyond that as acceptance and adoption of COBIT continue to grow.

The organization's general controls cover 22 processes with 194 controls. When those 194 controls are localized, the number grows to 1,114. The application controls cover approximately 125 applications with seven general categories of controls. Those categories are:

- Data security classification
- System-granted access control
- Role-based segregation of duties
- Event-driven authorizations
- Data validation
- Interfaces
- Batch processing

Suns SOX compliance effort put this initial compliance framework in place and has been instrumental in introducing the concept of internal controls to a broad IT audience.

Factors Influencing Adoption and Acceptance of COBIT


At the same time, the decision was made to look at IT activities that might be candidates for potential outsourcing. This was a great opportunity to reintroduce COBIT to the IT executives. Very quickly they saw the value of having a common framework that generically describes what IT-related work is done in an organization. They decided to take an end-to-end look at the Sun IT processes and activities using the COBIT Management Guidelines and Control Objectives to ensure coverage of all processes. The most senior IT executives did this themselves, and the result was called the Sun IT/COBIT Activities Listing, which maps Sun IT processes and activities to COBIT. Figure 2 is an example from this mapping, showing the Monitor and Evaluate domain.

Figure 2: Extract from Activities Listing
Domain: Monitor and Evaluate (M)
Sun IT Processes/Activities (# / Name / Activity Description)

M1 Monitor the process
  1.1 Operational dashboard (executive IT dashboard): The definition of the executive-level Sun IT dashboards, used to measure and manage the complete set of services that are delivered by Sun IT to the Sun company.
  1.2 Customer metrics/survey: Defining the complete set of customer metrics required by Sun IT to assess performance and customer satisfaction. This includes definition of surveys, analyzing the data and working with the customers of Sun IT to identify areas for improvement. See COBIT Control Objectives, page 127, for details. This maps to SBS PLC's sustain phase.
  1.3 Collect monitoring data: Actual collection of data for overall Sun IT metrics, including internal and external benchmarks, at regular intervals. See COBIT Control Objectives, page 127, for details. Maps to SBS PLC's sustain phase.

M2 Assess internal control adequacy: Ensure the internal controls in place, including those for SOX, meet the needs of the business. Includes timely operation of internal controls and error correction, and regular reporting to function or BU management. See COBIT Control Objectives, page 129, for details. Maps to SBS PLC's sustain phase.

M3 Obtain independent assurance: Obtain independent assurance of security and internal control, evaluation of effectiveness, and assurance of compliance with laws and regulatory requirements and contractual commitments. It applies to internally provided IT services and third-party service providers, both prior to implementing/using critical new IT services and for recertification/reaccreditation on a routine cycle after implementation. See COBIT Control Objectives, page 131, for details. It maps to SBS PLC's plan customer acceptance and sustain phases.

M4 Provide for independent audit: Ensure regular and independent audit of the effectiveness, efficiency and economy of security and internal control procedures, and of management's ability to control IT function activities. It includes the establishment of the audit charter, ensuring independence and adherence to professional ethics and auditing standards, and assuring technical competence and appropriate supervision of auditors. See COBIT Control Objectives, page 133, for details. It maps to SBS PLC's sustain phase.

Note: SBS PLC stands for Sun Business Systems Product Life Cycle, Sun's implementation of a system development life cycle (SDLC).

This mapping was extremely valuable when a cross-organizational team was asked to review the alignment of the internal IT organizations. Here again the organization took the opportunity to introduce COBIT to this team and help them understand COBIT's value. With that understanding in place, the decision to use the mapping prepared by the senior IT executives was readily accepted. The Sun IT/COBIT activities were then mapped to existing organizational activities, and redundancies, gaps and joint activities were called out. Finally, organizational owners were added to the Sun IT/COBIT activities listing, and their work was validated with the IT executives. Figure 3 provides a high-level view of the revised listing for the Plan and Organize domain with the organization owners identified. The abbreviated organization names relate to the organizations shown in figure 1.

Figure 3: High-level Mapping With Organizational Owners
COBIT Domain: Plan and Organize (PO)
The Plan and Organize domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organization, as well as technology infrastructure, must be put in place.

# / Sun IT Process Name / Owner(s)/Breakdown

1 Define a strategic IT plan: ITSTAR

2 Define the business systems and information architecture: ITSTAR

3 Determine technological direction:
  - CTO: Determine technological direction
  - ITSTAR: Determine technological architecture

4 Define the IT organization and relationships:
  - ITGOV: Overall and customer briefings
  - IMB/EMG: IT business account managers (CEM)
  - ITSTAR: Sun on Sun program management and reference architecture creation management

5 Manage the IT investment: ITGOV

6 Communicate management aims and direction:
  - ITGOV: Communication and policy creation and policy management

7 Manage human resources:
  - All Org Mgrs: Manage Sun-badged human resources
  - ITSM: Resource management (framework)
  - ITGOV: Strategic planning of human resources

8 Ensure compliance with external requirements: ITGOV

9 Assess risks:
  - ITGOV: Overall and integrated process risk framework, and assess portfolio risks
  - ITSTAR: Assess architectural risks and assess security risks
  - ITSM: Assess process risks and assess program risks
  - CTO: Assess risks in technical direction

10 Manage projects:
  - ITSM: Project management framework and acquisition integration

11 Manage quality:
  - ITSM: Develop/maintain standards, SunSigma process consulting (blackbelts, etc.) and develop/maintain plans
  - ITGOV: SunSigma program ownership for IT and develop/maintain metrics

Because this mapping was developed by the organization's IT executives and senior management, it has proven very helpful in building acceptance and adoption of COBIT. Still, this did not eliminate concerns about resource constraints and the impact on ongoing process improvement efforts. The organization decided to first look at how the initial SOX-spawned internal controls framework could be expanded to include controls not related to financial reporting. This had to be accomplished in a way that took into account the resource constraints and the experience gained through the SOX compliance effort. The Sigma methodology was used to ensure that the views of control assessment process participants and, in particular, key stakeholders were taken into account.

The result is an IT compliance framework that has two components: a formal internal control framework for SOX and selected other controls, and a less formal component based in part on COBIT process maturity model assessments. Figure 4 shows the end-to-end elements of the process.

The element titled Establish Scope of IT Compliance Framework is the part of the process where the organization moved beyond simply meeting SOX objectives to embracing COBIT more fully. The steps identified in this subprocess are:

1. Map Sun IT processes to the COBIT framework.
2. Map SOX controls to Sun IT processes and identify gaps.
3. Assess Sun IT process maturity using COBIT.
4. Assess risks associated with gaps.
5. Assess costs and ease of implementing controls that bridge gaps.
6. Assess business benefit of enforcing the controls.
7. Prioritize work (based on previous steps).
8. Obtain management decision on inclusion in the formal internal control framework.

The assessments (steps 3 through 6) automatically become part of the IT compliance framework. Steps 7 and 8 are there to determine if any of the processes warrant promotion to the formal component of the framework. If a process is made part of the formal controls framework, it is subject to all the formal documentation and testing requirements, the same as any controls related to financial reporting. Figure 5 is an example of the organization's compliance framework process assessment worksheet. It is meant to be used in a 90-minute facilitated session with process experts and the IT executive who owns the process, to give them a high-level subjective (but expert) assessment of the process.

Figure 5: Example Assessment Worksheet
Compliance Framework Process Assessment Workshop

#: PO1
Process Name: Define a strategic IT plan
Process/Activity Description: Defining a strategic IT plan satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements, as well as to ensure its further accomplishment. This activity is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans, which are periodically translated into operational plans setting clear and concrete short-term goals. Components of the IT strategy include the IT operational model, the applications development model, the enterprise architecture and all of its components, the sourcing strategy, the governance model and the service delivery model. See COBIT Control Objectives, page 32, for details.

1. Maturity assessment (see page 25 of the COBIT Management Guidelines). Record "as is" and "must be" states (between 0.00 and 5.00).
   Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
   AS IS = 2.5
   MUST BE = 2.75

2. Assess key risks associated with not closing the gap. (Take no more than 15 minutes to complete this section.)
   Columns: Number / Key Risk Description / Severity (1-5) / Probability (1-5) / Detectability (1-5) / Total (S x P x D) / Total converted to a score between 0 and 10
   1  First Risk   S=2  P=1  D=3  Total=6  Score=1.28
   2  Second Risk  S=2  P=2  D=2  Total=8
   3  Third Risk   S=1  P=1  D=2  Total=2
   Etc.

3. Estimate the cost to mitigate the key risks in #2 above on a scale of 0 to 10. Consider such things as head count, and system hardware and software for process improvements.
   $ Equivalent / Rating: $0 = 0, $125K = 5, >$250K = 10
   Rating = 1

4. Estimate the ease of implementing the mitigation of the key risks in #2 above on a scale of 0 to 10. Consider such things as availability of resources, and scope and duration of work.
   Rating: Easily Doable = 0, Moderately Difficult = 5, Very Difficult = 10
   Rating = 1

5. Estimate the business benefit of improving the key controls associated with the key risks in #2 above on a scale of 0 to 10. Consider the likely impact on one or more of our five company priorities.
   Impact / Rating: None = 0, Moderate = 5, High = 10
   Rating = 9

6. Estimate the completeness and quality of current process documentation on a scale of 0 to 10. Are all components of the process documented? Could those unfamiliar with the process understand the flow?
   Quality / Rating: Poor = 0, Moderate = 5, High = 10
   Rating = 2
   Process documentation location (i.e., URL):

7. Describe the measures used to determine process performance and goal achievement.
   Performance Indicators:
   Goal Indicators:

Estimated annual overhead* for adding a single process to the formal internal controls framework: 2 work months
(*Overhead includes such things as the cost of documenting the IT process to the standard required by the internal control assessment process, periodically testing and retesting the control for effectiveness, annual sign-off and the program management overhead.)

The elements in the assessment worksheet are based on feedback from senior IT management and reflect the key data they felt were needed to make an informed decision on inclusion of a process in the formal controls framework. Additionally, a summary is needed to present multiple process assessment results. Figure 6 is an example of the compliance framework process assessment summary. It includes maturity model assessment results in a radar-style chart. The cost element on the four-quadrant chart is a composite of the cost and ease-to-implement components of the assessment worksheet.

Steps to Maintain Momentum


With acceptance growing, the organization set out to build on that momentum with a three-pronged approach:

- Get the word out in a meaningful way. The organization is linking COBIT presentations to specific events whenever possible to increase the relevance of the information. It is also participating in presentations to targeted audiences with material customized to their specific interests.
- Demonstrate links between COBIT and the process refinement methodologies that the organization has adopted.
  - For example, the organization has an internal product called Helios that is part service catalog and part configuration management database. Its development was influenced by the ITIL service level management and configuration management processes. It shows graphically that the COBIT Deliver and Support domain provides the generic "what is to be done" with suggested measures, ITIL provides the generic "how it should be done," and the Helios product provides the specific implementation.
  - Another way the organization shows the linkage is by overlaying its major process/activity names on a one-page representation of the COBIT framework. This has proven to be a powerful way to help people quickly see how COBIT is more inclusive than, and serves a different purpose from, process improvement methods. Figure 7 is an example of this representation.
- Consult with process owners to map their efforts to COBIT so that a common language is used across processes. For example, the organization has worked to help those working on enterprise architecture, portfolio management and strategic planning fit their work into the common framework and language.

Conclusion
Moving forward, Sun will continue with these forward-looking activities. The organization expects that by conducting compliance framework process assessments, it will further extend the acceptance and adoption of COBIT. By exposing all process owners to COBIT in a meaningful setting, the assessment will help them see the value of adopting elements of COBIT whether or not their process is added to the formal controls framework. Implementing COBIT at Sun Microsystems has been possible because senior IT management was open-minded about using it in specific situations where the value was absolutely clear. Senior management's growing use and acceptance of COBIT is filtering throughout the organization and encouraging others to look at how COBIT's components can add value to their IT work.
