SUN ON “SUN ON SUN”
GRC 360 interviews Edmund Glover, Senior Director at Sun Microsystems responsible for the Sun IT Compliance Program. Mr. Glover discusses some of the unique aspects of managing IT compliance for Sun Microsystems—an organization that runs its infrastructure on its own technology—an approach they call “Sun on Sun.”

GRC360: How are you spending your time these days?

Mr. Glover: I run the Information Technology (IT) Sarbanes-Oxley Project Management Office (PMO) for Sun Microsystems and that takes up about 80% of my time. Of course IT controls for financial reporting are not managed in a vacuum and I spend the rest of my time working on other areas of IT governance and compliance.

GRC360: Has your approach to 404 compliance differed from non-technology companies or other technology companies?

Mr. Glover: I don’t think our approach is all that unique. We have taken a consistent approach—documentation, assessment, testing, gap identification and resolution, and so on. Our approach to the IT controls was to leverage COBIT from ISACA to express key controls and then adapt those controls across national boundaries and across audit and operational boundaries beyond financial reporting.

GRC360: So you are able to leverage your 404 work beyond SOX?

Mr. Glover: Yes. We are aggressively rolling this out beyond financial controls. Change management, backup and recovery and other facets of our operations that may not always have material effects on financial reporting, but are obviously important to our operations, need to share common processes and appropriate technologies. We are building consistent and increasingly automated approaches across all functions to streamline operations and improve performance.

GRC360: What do you know now that you wish you knew “then”?

Mr. Glover: We have a clearer picture of requirements we need to have in contracts and service level agreements (SLAs) for outsource and other types of partners. Defining expectations and requirements for all players in the extended “compliance team” and then developing focused training materials and effective training channels to keep continuous training coming are all activities we could have baked into our processes earlier. Basic concepts about good and bad evidence, evolving processes, standards, etc. should also be communicated early and often. Our business environment is changing rapidly and we need to ensure that those changes come with training and guidance.

Contractual agreements with partners and training materials for the broadest set of compliance stakeholders are two clear examples where all regulatory concepts and obligations must be integrated so that they can be conveyed clearly, quickly and consistently. All of this, combined with a sense of what the consequences for failure can be, is essential to ensuring that you will never be another CNN moment.

GRC360: What is the genesis of the term “Sun on Sun?”—is this a marketing term?

Mr. Glover: I don’t know if it’s an official term or not. I have been working at Sun Microsystems for 11 years and we have always run our infrastructure this way. Sun on Sun is just the way we do things and it works extremely well for us.

RESOURCE DETAILS
Last Updated: 4/11/2007