ARES 2009 _ Methodology to Align Business and IT Policies, Use Case From an IT Company

Jul 05, 2018

  • 8/16/2019 ARES 2009 _ Methodology to Align Business and IT Policies, Use Case From an IT Company

    1/21

    Methodology to Align Business and IT Policies: Use Case from an IT Company

    Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gateau

    Public Research Centre Henri Tudor, Luxembourg

    André Adelsbach, Marc Camy

    Telindus PSF, Luxembourg

    2/21

    Context

    • Governance of IT is becoming more and more necessary
    • Sarbanes-Oxley Act
    • Basel II
    • ISO/IEC 38500:2008
    • Need for more responsibility, transparency, accountability, ethics, commitment
    • Existing frameworks don’t address those requirements systematically

    3/21

    Plan

    • Introduction of the Responsibility Model

    • Presentation of the methodology

    • Illustration of the methodology

    • Conclusions

    4/21

    The responsibility model

    Responsibility

    Obligation to satisfactorily perform or complete a task

    6/21

    The responsibility model

    Responsibility

    Describes the quality of having the required qualities or resources to achieve a task

    Accountability Capability

    Access Right

    7/21

    The responsibility model

    Responsibility

    The engagement of a stakeholder to fulfil a task taking

    Capability Accountability Commitment

    Affective Continuance

    Antecedents Outcomes

    8/21

    The responsibility model

    Responsibility

    Capability Accountability Commitment

    Task Stakeholder

    Accountability Commitment Capability

    9/21

    The methodology

    • Objective: instantiate the responsibility model

    • The instantiation is an intermediary result to be linked with another organizational model

    • 5 steps approach, starting with information collection and closing with corporate policy

    • Illustration in the field of access control

    10/21

    Step 1 : Collection of information

    • Input:
        • Business case study
        • Business process and procedures
        • Effective practices in the enterprise
    • Output:
        • Structured and formalized synthesis in natural language
    • Actions:
        • Interviews
        • Analysis of existing process and referential

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis)]

    11/21

    Step 2 : Graphic diagram

    • Input:
        • Synthesis achieved in step 1
    • Output:
        • Graphical representation of the responsibility framework
        • Responsibility & its components
        • Links between components
    • Actions:
        • ST1 : Responsibility
        • ST2 : Capability and Accountability
        • ST3 : Links between components: Delegation, Implication, Contribution, Execution

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram)]

    12/21

    Step 3 : Component Link

    • Input:
        • Resp. diagram from step 2
    • Output:
        • Refined resp. framework
    • Actions:
        • ST1 : Check for unnecessary capability
        • ST2 : Check for unjustified accountability
            – No link with capability in the process
            – No link with another capability
            – No contribution to process outcomes

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram)]

    13/21

    Step 4 : Exception Verification

    • Input:
        • Responsibility Component diagram from step 3
    • Output:
        • Refined responsibility framework for Exception
    • Actions:
        • Delegation rules
        • Separation of duties
        • Cardinality constraints

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram)]

    14/21

    Step 5 : Policy Elicitation

    • Input:
        • Refined responsibility framework for exception from step 4
    • Output:
        • Context dependent policy
    • Actions:
        • ST1 : Responsibility is assigned to a role
        • ST2 : Roles are instantiated by stakeholders
        • ST3 : Translation of the diagram into a policy format
            – I.e. in XACML

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    15/21

    Case study

    • Telindus Luxembourg SA
    • ICT company
    • IT services in telecom and IS
    • ISO 9001
    • Analysis of the Customer Complaints Process

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    16/21

    Step 1 : Collection of information

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    17/21

    Step 2 : Graphic diagram

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy); diagram legend: Delegation Link, Implication Link, Contribution Link, Execution Link]

    • Accountability “validation of the complaint” of the responsibility “creation of complaint report” is delegated to the responsible “confirmation / validation of the complaint”

    • Implication, the responsible for the customer follow up needs to be informed of the complaint closure from the responsibility “resolution acknowledgment”

    • Register the complaint accountability contributes to assign the complaint accountability of the same responsibility

    • The capability read access right is needed for the accountability verify the evolution of the complaint

    18/21

    Step 3 : Component Link

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    • ST1 : Check for unnecessary capability
        • Access to the customer database
        • Request for training
    • ST2 : Check for unnecessary accountability
        • Many accountabilities for customer satisfaction
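The two Step 3 checks run over a small responsibility diagram, as an added example (not from the slides or the authors' tooling). The data structure, the rule that an accountability is unjustified when it has neither an execution nor a contribution link, the responsibility name and the accountability "measure customer satisfaction" are assumptions; the other component names come from the case-study slides.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Responsibility:
    """One responsibility of the Step 2 diagram with its components and links."""
    name: str
    capabilities: set[str]
    accountabilities: set[str]
    # Execution links: accountability -> capabilities it needs.
    execution: dict[str, set[str]] = field(default_factory=dict)
    # Contribution links: (source accountability, target accountability).
    contribution: set[tuple[str, str]] = field(default_factory=set)

def unnecessary_capabilities(r: Responsibility) -> list[str]:
    """ST1: capabilities that no accountability needs (least-privilege candidates)."""
    needed = set().union(*r.execution.values())
    return sorted(r.capabilities - needed)

def unjustified_accountabilities(r: Responsibility) -> list[str]:
    """ST2 (assumed rule): no execution link and no contribution link."""
    linked = {a for a, caps in r.execution.items() if caps}
    for src, dst in r.contribution:
        linked |= {src, dst}
    return sorted(r.accountabilities - linked)

def refined(r: Responsibility) -> Responsibility:
    """Diagram handed to Step 4 if every flagged component is dropped after review."""
    return Responsibility(
        r.name,
        r.capabilities - set(unnecessary_capabilities(r)),
        r.accountabilities - set(unjustified_accountabilities(r)),
        r.execution,
        r.contribution,
    )

# Constructed sample diagram for the customer complaints process.
complaint = Responsibility(
    name="customer complaint follow-up",  # hypothetical responsibility name
    capabilities={"read access right", "access to the customer database",
                  "request for training"},
    accountabilities={"register the complaint", "assign the complaint",
                      "verify the evolution of the complaint",
                      "measure customer satisfaction"},  # constructed, unlinked
    execution={"verify the evolution of the complaint": {"read access right"}},
    contribution={("register the complaint", "assign the complaint")},
)

if __name__ == "__main__":
    print("ST1 unnecessary capabilities:", unnecessary_capabilities(complaint))
    print("ST2 unjustified accountabilities:", unjustified_accountabilities(complaint))
```

Capabilities flagged by ST1 are the access rights that would otherwise be carried into the Step 5 policy without any accountability requiring them.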

    19/21

    Step 4 : Exception Verification

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    20/21

    Step 5 : Policy Elicitation

    [Figure: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis), Step 2 (Responsibility Diagram), Step 3 (Resp.’s Components Diagram), Step 4 (Exceptions Verified Diagram), Step 5 (Context Dependent Policy)]

    21/21

    Conclusions

    • Importance of improving ICT governance
    • Innovative responsibility model to be linked to another framework
    • The methodology
    • Enhanced and validated using “Customer Complaints” process of Telindus SA
    • Potential improvement of the process
    • Improvement and extension of the methodology: Iterative refinement