Taming Sarbanes-Oxley and Business Compliance with the Smart Use of IT
It's Bill Vass here. Most of you know me as the CIO of Sun Microsystems, but as loyal readers can attest, I am also the executive sponsor of the Inner Circle newsletter, and I regularly publish this letter to offer CIO-level insights on Sun and the latest industry trends. This month Inner Circle is sporting a new, redesigned look, as well as some great new features. To coincide with the redesign we are also welcoming new readers from the Inside Sun newsletter. Aside from the new look and expanded readership, faithful readers can expect more of the same insight, as I plan to continue to use this forum to offer my views on the technology and business issues influencing Sun and the industry as a whole. Before I dive into this month's topic, I thought I would review the previous topics we covered over the last few months. In the previous four issues of Sun Inner Circle, I discussed some important technology initiatives here at Sun:
Over the next months, I'll focus on how you can use the great technology from Sun to solve real world business challenges. First, we turn our attention to the challenge and opportunity (yes, that's right, I said opportunity) posed by Sarbanes-Oxley (SOX) and business compliance. If your enterprise is doing any business in the U.S., chances are you're going through seemingly endless audits to ensure compliance with SOX. Even if your enterprise doesn't do business in the states, non-U.S. companies are increasingly stepping up to SOX as a model of good governance. That's because companies worldwide realize that good governance offers the opportunity for financial visibility and control over everyday business processes. To help enterprises tackle the burden of SOX, I am inviting Bob Worrall, vice president of Information Systems Governance at Sun, to guest write this month's letter. Bob is working tirelessly to ensure Sun's compliance with Sarbanes-Oxley, and in his letter he will share the inside-Sun perspective, including:
So, without further ado, take it away Bob!

Bill Vass

Thanks, Bill. I am glad to kick off the inaugural issue of the newly redesigned and revamped Inner Circle. I'll do my best to live up to the high bar you've set over the past few issues.

Understanding SOX and Controls

Let's first take a moment to discuss SOX and some of its more pressing requirements. The Sarbanes-Oxley Act of 2002 aims to improve financial visibility and reporting. To do so, it places new audit requirements on publicly traded companies to foster accounting oversight, auditor independence, and corporate responsibility. Three main provisions of SOX dramatically affect the compliance environment: Section 302 requires quarterly reporting and disclosure of significant matters relative to internal controls, Section 404 mandates that management report on the effectiveness of internal controls, and Section 802 covers the greater need for records retention and document destruction. In all three instances, IT plays a critical role in compliance. Before we get into the role of technology, it might be instructive to define a word, control, that is frequently used in conversations about SOX. In the context of SOX, a control is anything that helps ensure that a company can accurately report its financial statements. For instance, with regard to user access and identity management, controls might govern who can access general ledger or accounts receivable systems. Or, in the data center, controls might be put in place to make sure that a company is properly operating its servers, because the failure to do so might impact its ability to report financial earnings. When it comes to SOX, controls are largely focused on the ability to report, protect, and secure anything that has to do with financial information across the company and, if that seems broad, then you are beginning to see why SOX is such a monumental piece of legislation.
Lessons Learned from Sun's Past SOX Compliance Efforts

Initially, there was a lot of confusion about what exactly SOX compliance entailed. When faced with such a sweeping regulation, it is difficult to define the boundaries of the effort required. And, indeed, when we first set about our compliance efforts, it appeared that SOX would be a Y2K-scale event, consuming an inordinate amount of resources across the company. At first, Sun spent a lot of time working with its internal auditors to understand and narrow the scope of SOX and translate that to Sun's internal controls environment. To a large extent this came down to questions of priority. After a year of looking at the legislation and working with the finance team, as well as external auditors, Sun began to narrow the scope of SOX compliance by focusing on the controls and applications that represented the largest concerns. With the controls prioritized, Sun set about addressing its most pressing SOX compliance concern: user access and identity control. This should come as little surprise, because user access and identity management are the top concerns and the chief control deficiencies at most companies. Luckily, there are a lot of great technologies at Sun that proved incredibly helpful in developing and testing controls around user access and identity management. Sun relied heavily on the Sun Identity Management Suite to help provision new accounts, manage passwords, and control access to information and systems. The Identity Management Suite helps organizations use, share, and manage identity information, including directory services, access management, provisioning, and federation. And it proved invaluable in providing a broad IT framework around user access and identity management to help address SOX compliance requirements. Sun also relied heavily on the Solaris 10 OS and its role-based access control features to manage user access to key information and applications.
Borrowing from the battle-tested Solaris OS, Solaris 10 offers unique User Rights Management (also known as Role-Based Access Control) and Process Rights Management (also known as Privileges). These technologies help form the basis for user access and identity management controls by granting users and applications only the minimum capabilities needed to perform their duties. Finally, Sun Java Card Technology helped round out our security model for SOX by providing a reliable means for network authentication. Users must first authenticate themselves to the network with a Java Card and PIN before they can access any applications. Together with Identity Manager, Java Card gives us confidence that only authorized individuals are accessing key applications and data, all of which helps to ensure a reliable controls environment. What's more, because Sun understands that most companies have heterogeneous environments, the enabling Sun technologies work not just with Sun products, but also on the platforms offered by pretty much every vendor, including Microsoft, SUSE, Red Hat, HP-UX, and AIX, as well as with business applications like Oracle and SAP.

Sun's Current Compliance Efforts Focus on Application Consolidation

With more than a year of SOX compliance efforts under its belt, Sun has made great strides toward developing controls around user access and identity management. This year, Sun is turning its attention to application consolidation to streamline SOX controls testing. Beginning this year, Sun kicks off a three-year initiative called Integrated Business Information Solution (IBIS) that aims to create a single consolidated ERP system company-wide. As part of IBIS, Sun is performing a giant consolidation onto a single Oracle instance to support all applications throughout the company.
While Sun has consolidated its database infrastructure twice in the past, last year the company purchased SeeBeyond and StorageTek, so Sun is now going through the new systems it inherited and reconciling them onto a single Oracle instance. Why? Because, like almost every other organization, Sun is dependent on controls that are baked into the legacy applications it inherits. By performing the consolidation and using an off-the-shelf Oracle deployment, Sun can dramatically reduce the number of controls it needs to test. That's because Oracle and its auditors have already certified the controls. And, from an audit and SOX perspective, if Sun can rely on the controls that are part of a standard Oracle deployment, then the company doesn't have to retest them. This is but one instance, albeit a dramatic one, where application consolidation can help organizations save money. It's probably no exaggeration to say that all CIOs want to consolidate, because many have witnessed growth, mergers, or acquisitions that have led to application sprawl. Aside from complicating the controls environment with redundancies, application sprawl also impinges on user access and identity management efforts because, for example, if someone leaves a company it is a lot more challenging to make sure they no longer have access to hundreds of applications than to one application. In other words, while consolidation is typically a good idea, it also plays a vital role in making Sun's compliance with SOX viable.

Continuing to Narrow the Scope of Controls in the Future

As part of its effort to use IT to streamline SOX compliance, Sun continues to look for ways to narrow the scope of the controls development and testing effort. Even this year, after spending all of last year narrowing the scope of compliance, Sun believes it can remove another 20 percent to 30 percent of the controls that need to be tested, while maintaining the integrity of its SOX certification.
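The deprovisioning problem just described (a departed employee who still holds accounts in some of hundreds of applications) is exactly the kind of user access control an auditor tests. The following is an added example, not Sun's code or any Sun product: it reconciles a constructed HR roster export against constructed per-application account lists and reports every account still held by a terminated employee. The CSV layout, application names and employee ids are assumptions made for the illustration.

```python
"""Orphaned-account check: a user-access control test of the kind that
SOX Section 404 controls testing relies on. All data below is constructed;
the HR export format and application names are assumptions."""
import csv
import io
from datetime import date

# Constructed HR roster export: one row per employee, with a termination
# date only for people who have left the company.
HR_ROSTER = """employee_id,name,status,termination_date
1001,Ann Lee,active,
1002,Raj Patel,terminated,2005-11-30
1003,Maria Diaz,terminated,2006-01-15
1004,Tom Ng,active,
"""

# Constructed account exports from several applications (the "application
# sprawl" case): application name -> employee ids that still hold an account.
APP_ACCOUNTS = {
    "general_ledger": ["1001", "1002", "1004"],
    "accounts_receivable": ["1001", "1003"],
    "hr_portal": ["1001", "1004"],
}

def terminated_employees(hr_csv):
    """Return {employee_id: termination_date} for everyone marked terminated."""
    gone = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["status"] == "terminated":
            gone[row["employee_id"]] = date.fromisoformat(row["termination_date"])
    return gone

def orphaned_accounts(hr_csv, app_accounts, as_of, grace_days=0):
    """Find accounts still held by terminated staff more than grace_days after
    their termination date. Returns a sorted list of (app, employee_id,
    days_open) findings; an empty list means the deprovisioning control passed."""
    gone = terminated_employees(hr_csv)
    findings = []
    for app, holders in app_accounts.items():
        for emp in holders:
            if emp in gone:
                days_open = (as_of - gone[emp]).days
                if days_open > grace_days:
                    findings.append((app, emp, days_open))
    return sorted(findings)

if __name__ == "__main__":
    for app, emp, days in orphaned_accounts(HR_ROSTER, APP_ACCOUNTS, date(2006, 2, 1)):
        print(f"FINDING: {app}: employee {emp} left {days} days ago but still has an account")
```

With a single consolidated application the same check runs over one account list instead of one per system, which is the control-testing saving the consolidation argument above is making.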
Sun also plans to pay increased attention to the role of outsourcers. As with many companies, Sun has outsourced much application development and maintenance, as well as data center operations, and it is critical that Sun works with outsource partners to see how they enforce controls. As in other areas, industry standards (such as the SAS70 audit methodology) help make it possible to review, assess, and ultimately rely on outsourcers' controls. At the same time, Sun is working hard to build internal, lasting competencies in IT around SOX compliance. One of the key lessons learned thus far is that it is hard to take IT professionals and turn them into auditors. Instead, Sun takes the approach of hiring finance and audit professionals, who inherently understand controls, how they are measured and defined, and what success looks like to an external auditor, and training them in the necessary IT skills. With a staff of 12 employees who oversee the controls environment, Sun is committed to training and maintaining a full-time SOX staff for the foreseeable future.

The Upside of SOX Compliance

As Bill mentioned, SOX compliance isn't just a challenge; it's an opportunity. The opportunity is that lessons learned from SOX compliance efforts may be extended to other areas to help streamline other regulatory and certification processes. The added discipline that SOX introduces in IT organizations helps many firms address a breadth of audit issues and other regulatory standards in a more comprehensive manner. In fact, many companies that don't do business in the U.S. are stepping up to the SOX bar as a way to help ensure a well-run organization. Just as many U.S. companies have discovered, overseas and international companies realize that the SOX effort can lead to dramatically improved financial visibility and control over critical business processes. SOX is a learning process. Understanding the critical controls that need to be tested and deployed is a natural first step.
Once the scope is identified, appropriate technologies can be implemented to ease the burden of compliance. And, as companies develop SOX competencies and select enabling technologies, they will continue to find new ways to streamline compliance efforts. Thankfully, however, all of the effort is not for naught, for as companies travel down the road towards SOX compliance, they will begin to reap the benefits of a better managed organization.

Bob Worrall