COBIT Case Study: Sun Microsystems 

Abstract

With 30,000-plus employees located in 100 countries around the world, Sun Microsystems is a leading provider of industrial-strength hardware, software and services. Because of increased board attention to optimizing the value of IT, Sarbanes-Oxley legislation and other business initiatives, Sun’s information technology (IT) department sought the use of a common framework to view and measure IT’s alignment and contribution to its overall business strategy. After researching options, Sun’s CIO recommended implementation of the Control Objectives for Information and related Technology (COBIT) framework. COBIT’s contributions to Sun’s goals were identified, and it was adopted and successfully enhanced the already effective process improvement work being accomplished with limited resources.

Background

Since its inception in 1982, a singular vision—The Network is the Computer—has propelled Sun Microsystems to its position as a leading provider of industrial-strength hardware, software and services that make the Internet work. Sun’s 30,000-plus employees are located in 100 countries around the world.

The global scope and scale of Sun’s information technology (IT) department include supporting the Sun community with 600 applications, six data centers, 1,700 data center servers, 600 terabytes of data, four million internal web pages and five million e-mails per day.

Figure 1 shows the organizational structure of Sun IT in 2004. It starts with the strategy, architecture and technological direction. From there, the system development, integration and deployment are organized closely around the type of business systems being dealt with, such as demand creation systems or engineering and fulfillment systems. The IT service management group is focused on defining processes, standards and tools that bridge the development and the service delivery worlds. Application support and operations focus on service support and delivery. The governance organization focuses on budget and monitoring activities.

Sun Microsystems’ IT department was facing many issues in early 2004, including:

  • Increased pressure from the board’s audit committee to demonstrate, in a quantifiable way, that it was working on the right things in the right way, that the work was being done well and that it was adding value to the company
  • Evaluating its internal control framework related to the US Sarbanes-Oxley (SOX) Act of 2002 and the increasing awareness of the value of a broad internal control framework
  • Identifying core vs. noncore activities, as outsourcing was more seriously explored as an option to focus on core competencies and to reduce costs
  • Reevaluating the IT organization’s internal structure and alignment to be sure all areas are covered without unwanted redundancy

Some IT staff understood the value of using a common framework to view and measure Sun IT’s alignment and contribution to Sun’s overall business strategy. In fact, the CIO had said that the organization would use Control Objectives for Information and related Technology (COBIT) as the framework. Sun’s culture is built on innovation, and great value is perceived in contrarian thinking, so even though the CIO had approved the use of COBIT, actual implementation of the framework required an approach that built acceptance and adoption of the various elements of COBIT while taking into account the great process improvement work already being done in a significantly resource-constrained environment.

At the same time, the organization also expected to begin its SOX reporting at the end of its fiscal year. Sun’s finance department was driving the SOX compliance effort, and IT was actively involved. As with most organizations, significant resources were being spent on the SOX compliance effort, and that effort continued even after learning that the first official reporting requirement had been pushed further back.

The following questions needed to be answered: 

  • How should Sun leverage the new awareness of the need for adequate internal controls among IT people gained through the SOX compliance effort?
  • How should Sun demonstrate that a common framework, such as COBIT, complements rather than displaces existing process improvement methods?
  • How should Sun identify and evaluate core vs. noncore IT activities?
  • How should Sun ensure alignment of the organization’s internal IT organizational charters?

Process

Initially, IT executive support for using COBIT was limited. The CIO and the vice president for IT governance were championing the framework, but there was resistance from most of the other executives, and for good reasons. 

First, the organization had not done a thorough job at helping them understand what COBIT is and, more specifically, how it could add value.

Second, only 18 to 24 months earlier, the company had significantly transformed the Sun IT organization, moving from a distributed approach with an IT group for each business unit to one unified Sun IT for one Sun. This facilitated the creation and institutionalization of common standardized processes. Sun embraced Sigma, the IT Infrastructure Library (ITIL) and other process improvement methods. Some questions asked were, "If the organization already knows what it needs to work on, and it follows industry best practices as it makes improvements, what does COBIT give it that it doesn't already have? Does COBIT replace ITIL?"

Even those who were open-minded about using COBIT expressed concerns about the potential resource impact. Resources were already stretched thin, and the organization knew additional resources would not be available. Would the organization have the necessary resources to implement COBIT in addition to everything else it was doing?

At the same time that the executives were weighing their personal support for COBIT, the organization had begun intensive preparation for SOX. At that time the expected requirement for the initial SOX 404 compliance was June 2004.

The IT internal control framework was developed before the organization had a good understanding of COBIT in general and how COBIT applies to Sun IT specifically. At present, there are only controls related to financial reporting in the formal IT internal control framework, but the organization sees it expanding beyond that, as acceptance and adoption of COBIT continue to grow. The organization’s general controls cover 22 processes with 194 controls. When those 194 controls are localized, the number grows to 1,114. The application controls cover approximately 125 applications with seven general categories of controls. Those categories are:

  • Data security classification
  • System-granted access control
  • Role-based segregation of duties
  • Event-driven authorizations
  • Data validation
  • Interfaces
  • Batch processing

Sun’s SOX compliance effort put this initial compliance framework in place and has been instrumental in introducing the concept of internal controls to a broad IT audience. 

Factors Influencing Adoption and Acceptance of COBIT

At the same time, the decision was made to look at IT activities that might be candidates for potential outsourcing. This was a great opportunity to reintroduce COBIT to the IT executives. Very quickly they saw the value of having a common framework that generically described what IT-related work is done in an organization. They decided to take an end-to-end look at the Sun IT processes and activities using the COBIT Management Guidelines and Control Objectives to ensure coverage of all processes. The most senior IT executives did this themselves, and the result was called the Sun IT/COBIT Activities Listing, which maps Sun IT processes and activities to COBIT. Figure 2 is an example from this mapping, showing the Monitor and Evaluate domain.

Figure 2—Extract from Activities Listing
Domain: Monitor and Evaluate (M)

#     Name                              Sun IT Processes/Activities (Activity Description)

M1    Monitor the process
  1.1 Operational dashboard (executive Sun IT dashboard): The definition of the executive-level Sun IT dashboards, used to measure and manage the complete set of services that are delivered by Sun IT to the company.
  1.2 Customer metrics/survey: Defining the complete set of customer metrics required by Sun IT to assess performance and customer satisfaction. This includes definition of surveys, analyzing the data and working with the customers of Sun IT to identify areas for improvement. See COBIT Control Objectives, page 127, for details. This maps to SBS PLC’s sustain phase.
  1.3 Collect monitoring data: Actual collection of data for overall Sun IT metrics, including internal and external benchmarks, at regular intervals. See COBIT Control Objectives, page 127, for details. Maps to SBS PLC’s sustain phase.

M2    Assess internal control adequacy: Ensure the internal controls in place, including those for SOX, meet the needs of the business. Includes timely operation of internal controls and error correction, and regular reporting to function or BU management. See COBIT Control Objectives, page 129, for details. Maps to SBS PLC’s sustain phase.

M3    Obtain independent assurance: Obtain independent assurance of security and internal control, evaluation of effectiveness, and assurance of compliance with laws and regulatory requirements and contractual commitments. It applies to internally provided IT services and third-party service providers, both prior to implementing/using critical new IT services and recertification/reaccreditation on a routine cycle after implementation. See COBIT Control Objectives, page 131, for details. It maps to SBS PLC’s plan customer acceptance and sustain phases.

M4    Provide for independent audit: Ensure regular and independent audit of the effectiveness, efficiency and economy of security and internal control procedures, and management’s ability to control IT function activities. It includes the establishment of the audit charter, ensuring independence and adherence to professional ethics and auditing standards, and assuring technical competence and appropriate supervision of auditors. See COBIT Control Objectives, page 133, for details. It maps to SBS PLC’s sustain phase.

Note: SBS PLC stands for Sun Business Systems Product Life Cycle, Sun’s implementation of a system development life cycle (SDLC).

This mapping was extremely valuable when a cross-organizational team was asked to review the alignment of the internal IT organizations. Here again the organization took the opportunity to introduce COBIT to this team and help them understand COBIT’s value. With that understanding in place, the decision to use the mapping prepared by the senior IT executives was readily accepted.

The Sun IT/COBIT activities were then mapped to existing organizational activities, and redundancies, gaps and joint activities were called out. Finally, organizational owners were added to the Sun IT/COBIT activities listing, and their work was validated with the IT executives. Figure 3 provides a high-level view of the revised listing for the Plan and Organize domain with the organization owners identified. The abbreviated organization names relate to the organizations shown in figure 1.

Figure 3—High-level Mapping With Organizational Owners
COBIT Domain: Plan and Organize (PO)
The Plan and Organize domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization, as well as technology infrastructure, must be put in place.

#    Sun IT Process Name: Owner(s)/Breakdown

1    Define a strategic IT plan: ITSTAR

2    Define the business systems and information architecture: ITSTAR

3    Determine technological architecture and direction:
       CTO—Determine technological direction
       ITSTAR—Determine technological architecture

4    Define the IT organization and relationships:
       ITGOV—Overall and customer briefings
       IMB/EMG—IT business account managers (CEM)
       ITSTAR—Sun on Sun program management and reference architecture creation management

5    Manage the IT investment: ITGOV

6    Communicate management aims and direction: ITGOV—Communication and policy creation and policy management

7    Manage human resources:
       All Org Mgrs—Manage Sun-badged human resources
       ITSM—Resource management (framework)
       ITGOV—Strategic planning of human resources

8    Ensure compliance with external requirements: ITGOV

9    Assess risks:
       ITGOV—Overall and integrated process risk framework and assess portfolio risks
       ITSTAR—Assess architectural risks and assess security risks
       ITSM—Assess process risks and assess program risks
       CTO—Assess risks in technical direction

10   Manage projects: ITSM—Project management framework and acquisition integration

11   Manage quality:
       ITSM—Develop/maintain standards and SunSigma process consulting (blackbelts, etc.) and develop/maintain plans
       ITGOV—SunSigma program ownership for IT and develop/maintain metrics

Because this mapping was developed by the organization’s IT executives and senior management, it has proven very helpful in building acceptance and adoption of COBIT. Still, this did not eliminate concerns about resource constraints and the impact on ongoing process improvement efforts.

The organization decided to first look at how the initial SOX-spawned internal controls framework could be expanded to include controls not related to financial reporting. This had to be accomplished in a way that took into account the resource constraints and the experience gained through the SOX compliance effort. The Sigma methodology was used to ensure that the views of control assessment process participants and, in particular, key stakeholders were taken into account.

The result is an IT compliance framework that has two components: a formal internal control framework for SOX and selected other controls, and a less formal component based in part on COBIT process maturity model assessments. Figure 4 shows the end-to-end elements of the process.  

The element titled “Establish Scope of IT Compliance Framework” is the part of the process where the organization moved beyond simply meeting SOX objectives to embracing COBIT more fully. The steps identified in this subprocess are:

  1. Map Sun IT processes to COBIT framework.
  2. Map SOX controls to Sun IT processes and identify gaps.
  3. Assess Sun IT process maturity using COBIT.
  4. Assess risks associated with gaps.
  5. Assess costs and ease to implement controls that bridge gaps.
  6. Assess business benefit of enforcing the controls.
  7. Prioritize work (based on previous steps).
  8. Obtain management decision on inclusion in formal internal control framework.

The assessments (steps 3 through 6) automatically become part of the IT compliance framework. Steps 7 and 8 are there to determine if any of the processes warrant a promotion to the formal component of the framework. If a process is made part of the formal controls framework, it is subject to the same formal documentation and testing requirements as any controls related to financial reporting.

Figure 5 is an example of the organization’s compliance framework process assessment worksheet. It is meant to be used in a 90-minute facilitated session with process experts and the IT executive who owns the process to give them a high-level subjective (but expert) assessment of the process.

Figure 5—Example Assessment Worksheet
Compliance Framework Process Assessment Workshop

Process name: PO1 Define a strategic IT plan
Process/Activity description: Defining a strategic IT plan satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensure its further accomplishment. This activity is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans, which are periodically translated into operational plans setting clear and concrete short-term goals. Components of the IT strategy include the IT operational model, the applications development model, the enterprise architecture and all of its components, the sourcing strategy, the governance model and the service delivery model. See COBIT Control Objectives, page 32, for details.

1. Maturity assessment (see page 25 of the COBIT Management Guidelines). Record “as is” and “must be” states (between 0.00 and 5.00).
   Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
   AS IS = 2.5
   MUST BE = 2.75

2. Assess key risks associated with not closing the gap. (Take no more than 15 minutes to complete this section.)
   Number  Key Risk Description  Severity (1-5)  Probability (1-5)  Detectability (1-5)  Total (SxPxD)
   1       First Risk            2               1                  3                    6
   2       Second Risk           2               2                  2                    8
   Etc.    Third Risk            1               1                  2                    2
   Totals converted to score between 0 and 10: 1.28

3. Estimate the cost to mitigate the key risks in #2 above on a scale of 0 to 10. Consider such things as head count, system hardware and software for process improvements.
   $ Equivalent: 0 = $0, 5 = $125K, 10 = >$250K
   Rating = 1

4. Estimate the ease to implement the mitigation of the key risks in #2 above on a scale of 0 to 10. Consider such things as availability of resources, scope and duration of work.
   Ease: 0 = Easily Doable, 5 = Moderately Difficult, 10 = Very Difficult
   Rating = 1

5. Estimate the business benefit of improving the key controls associated with the key risks in #2 above on a scale of 0 to 10. Consider the likely impact on one or more of our five company priorities.
   Impact: 0 = None, 5 = Moderate, 10 = High
   Rating = 9

6. Estimate the completeness and quality of current process documentation on a scale of 0 to 10. Are all components of the process documented? Could those unfamiliar with the process understand the flow?
   Quality: 0 = Poor, 5 = Moderate, 10 = High
   Rating = 2
   Process documentation location (i.e., URL):

7. Describe the measures used to determine process performance and goal achievement.
   Performance Indicators:
   Goal Indicators:

Estimated annual overhead* for adding a single process to the formal internal controls framework: 2 work months
(*Overhead includes such things as the cost of documenting the IT process to the standard required by the internal control assessment process, periodically testing and retesting the control for effectiveness, annual sign-off and the program management overhead.)

The elements in the assessment worksheet are based on feedback from senior IT management and reflect the key data they felt were needed to make an informed decision on inclusion of a process in the formal controls framework. Additionally, a summary is needed to present multiple process assessment results. Figure 6 is an example of the compliance framework process assessment summary. It includes maturity model assessment results in a radar-style chart. The cost element on the four-quadrant chart is a composite of the “cost” and “ease to implement” components of the assessment worksheet.
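The scoring in worksheet sections 1 and 2 (maturity scale, S x P x D risk totals and their 0-10 conversion), as an added example that is not part of the case study and not Sun’s own tooling. The worksheet does not print the conversion rule for the 0-10 risk score; the rule used here (sum of totals divided by the 125 maximum of one risk, scaled to 10) is an assumption chosen because it reproduces the figure’s 1.28 from the three example rows.

```python
"""Scoring helpers modelled on the Figure 5 process assessment worksheet.

Added example, not Sun's or ISACA's code. The constructed values below are the
figure's own entries for PO1 (as is 2.5, must be 2.75, three key risks).
"""
from dataclasses import dataclass
from typing import List

# COBIT maturity levels 0..5 as printed on the worksheet's scale
MATURITY_LEVELS = ["Nonexistent", "Initial", "Repeatable", "Defined", "Managed", "Optimized"]
MAX_RISK_TOTAL = 5 * 5 * 5  # largest S x P x D product a single risk can reach


def _check_scale(value: float, name: str, lo: float, hi: float) -> float:
    """Reject entries outside the printed scale instead of silently scoring them."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")
    return value


@dataclass
class KeyRisk:
    """One row of worksheet section 2 (severity, probability, detectability on 1-5)."""
    description: str
    severity: int
    probability: int
    detectability: int

    def total(self) -> int:
        """The 'Total (SxPxD)' column of the worksheet."""
        s = _check_scale(self.severity, "severity", 1, 5)
        p = _check_scale(self.probability, "probability", 1, 5)
        d = _check_scale(self.detectability, "detectability", 1, 5)
        return int(s * p * d)


def risk_score(risks: List[KeyRisk]) -> float:
    """Convert the risk totals to the worksheet's 0-10 score.

    Assumption (the worksheet does not state the rule): sum of totals / 125 * 10.
    For the figure's rows this gives (6 + 8 + 2) / 125 * 10 = 1.28.
    """
    return round(sum(r.total() for r in risks) / MAX_RISK_TOTAL * 10, 2)


def maturity_label(level: float) -> str:
    """Map a 0.00-5.00 maturity score to the level name printed on the scale."""
    _check_scale(level, "maturity", 0, 5)
    return MATURITY_LEVELS[min(int(level), 5)]


def maturity_gap(as_is: float, must_be: float) -> float:
    """Size of the gap whose risks section 2 assesses (negative: already above target)."""
    return round(must_be - as_is, 2)


# Constructed input copied from the Figure 5 example rows
FIGURE_5_RISKS = [
    KeyRisk("First Risk", 2, 1, 3),
    KeyRisk("Second Risk", 2, 2, 2),
    KeyRisk("Third Risk", 1, 1, 2),
]

if __name__ == "__main__":
    print("PO1 maturity:", maturity_label(2.5), "->", maturity_label(2.75),
          "gap", maturity_gap(2.5, 2.75))
    print("Risk score (0-10):", risk_score(FIGURE_5_RISKS))
```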

Steps to Maintain Momentum

With acceptance growing, the organization set out to build on that momentum with a three-pronged approach:

  • Get the word out in a meaningful way. The organization is linking COBIT presentations to specific events whenever possible to increase the relevance of the information. It is also participating in presentations to targeted audiences with material customized to their specific interests.
  • Demonstrate links among COBIT and process refinement methodologies that the organization has adopted. 
    • For example, the organization has an internal product called Helios that is part service catalog and part configuration management database. Its development was influenced by the ITIL service level management and configuration management processes. It shows graphically that the COBIT Deliver and Support domain provides the generic “what” (what is to be done, with suggested measures), ITIL provides the generic “how” (how it should be done), and the Helios product provides the specific implementation.
    • Another way the organization shows the linkage is overlaying its major process/activity names on a one-page representation of the COBIT framework. This has proven to be a powerful way to help people quickly see how COBIT is more inclusive and serves a different purpose than process improvement methods. Figure 7 is an example of this representation.

  • Consult with process owners to map their efforts to COBIT so that a common language is used across processes. For example, the organization has worked to help those working on enterprise architecture, portfolio management and strategic planning fit their work into the common framework and language.

Conclusion

Moving forward, Sun will continue with these future-thinking activities. The organization expects that by conducting compliance framework process assessments, it will further extend the acceptance and adoption of COBIT. By exposing all process owners to COBIT in a meaningful setting, the assessment will help them see the value of adopting elements of COBIT whether or not their process is added to the formal controls framework.

Implementing COBIT at Sun Microsystems has been possible because senior IT management was open-minded about using it in specific situations where the value was absolutely clear. Senior management’s growing use and acceptance of COBIT is filtering throughout the organization and encouraging others to look at how COBIT's components can add value to their IT work.