
Methodology to Align Business and IT Policies:
Use Case from an IT Company
Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gateau
Public Research Centre Henri Tudor, Luxembourg
André Adelsbach, Marc Camy
Telindus PSF, Luxembourg

Context
Governance of IT is becoming more and more necessary:
Sarbanes-Oxley Act
Basel II
ISO/IEC 38500:2008
Need for more responsibility, transparency, accountability, ethics, commitment
Existing frameworks don't address those requirements systematically

Plan
Introduction of the Responsibility Model
Presentation of the methodology
Illustration of the methodology
Conclusions

The responsibility model
Responsibility
Obligation to satisfactorily perform or complete a task

The responsibility model
Responsibility
Accountability
  Soft: Answerability
  Hard: Sanction
The state of being answerable about the achievement of a task

The responsibility model
Responsibility
Accountability
Capability
  Access Right
Describes the quality of having the required qualities or resources to achieve a task

The responsibility model
Responsibility
Accountability
Capability
Commitment
  Affective
  Continuance
  Antecedents, Outcomes
The engagement of a stakeholder to fulfil a task taking

The responsibility model


Task
Responsibility

Capability

Accountability

Stakeholder

Commitment

The methodology
Objective: instantiate the responsibility model
The instantiation is an intermediary result to be linked with another organizational model
5-step approach, starting with information collection and closing with corporate policy
Illustration in the field of access control

Step 1: Collection of information
[Process diagram: Enterprise input → Step 1: Nat. Language Synthesis]
Input:
Business case study
Business processes and procedures
Effective practices in the enterprise
Output:
Structured and formalized synthesis in natural language
Actions:
Interviews
Analysis of existing processes and referentials

Step 2: Graphic diagram
[Process diagram: Enterprise input → Step 1: Nat. Language Synthesis → Step 2: Responsibility Diagram]
Input:
Synthesis achieved in step 1
Output:
Graphical representation of the responsibility framework
Responsibility & its components
Links between components
Actions:
ST1: Responsibility
ST2: Capability and Accountability
ST3: Links between components: Delegation, Implication, Contribution, Execution

Step 3: Component Link
[Process diagram: Enterprise input → Step 1: Nat. Language Synthesis → Step 2: Responsibility Diagram → Step 3: Resp.'s Components Diagram]
Input:
Responsibility diagram from step 2
Output:
Refined responsibility framework
Actions:
ST1: Check for unnecessary capability
ST2: Check for unjustified accountability:
  No link with a capability in the process
  No link with another capability
  No contribution to process outcomes

Step 4: Exception Verification
[Process diagram: Enterprise input → Step 1: Nat. Language Synthesis → Step 2: Responsibility Diagram → Step 3: Resp.'s Components Diagram → Step 4: Exceptions Verified Diagram]
Input:
Responsibility Components diagram from step 3
Output:
Refined responsibility framework for exceptions
Actions:
Delegation rules
Separation of duties
Cardinality constraints
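As an added illustration, not code from the paper or from Telindus, the step 3 checks (unnecessary capability, unjustified accountability) and the step 4 exception checks (separation of duties, cardinality) run over a small constructed instance of the responsibility model for a complaints process; the stakeholders, accountabilities, access rights, the separation-of-duties pair and the cardinality constraint are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Responsibility:  # one instantiation of the model: a stakeholder on a task
    stakeholder: str
    accountabilities: frozenset  # what the stakeholder must answer for
    capabilities: frozenset      # access rights granted for the task
# Constructed instance of a customer-complaints process; every name is an assumption.
LINKS = {  # accountability -> capabilities it needs (the link verified in step 3)
    "register complaint": {"write:complaint"},
    "follow up complaint": {"read:complaint"},
    "validate closure": {"read:complaint", "close:complaint"},
    "customer satisfaction": set(),  # no capability in the process supports it
}
OUTCOMES = {"register complaint", "follow up complaint", "validate closure"}
SOD = [("register complaint", "validate closure")]  # step 4: separation of duties
CARDINALITY = {"validate closure": 1}               # step 4: exactly one validator
MODEL = [
    Responsibility("front-desk", frozenset({"register complaint"}),
                   frozenset({"write:complaint", "read:customer-db"})),
    Responsibility("account-manager", frozenset({"follow up complaint", "customer satisfaction"}),
                   frozenset({"read:complaint"})),
    Responsibility("quality-manager", frozenset({"validate closure"}),
                   frozenset({"read:complaint", "close:complaint"})),
    Responsibility("front-desk", frozenset({"validate closure"}), frozenset({"close:complaint"})),
]

def step3_checks(model):
    """ST1: capability no accountability needs; ST2: accountability without link or outcome."""
    findings = []
    for r in model:
        needed = set().union(*(LINKS.get(a, set()) for a in r.accountabilities))
        for cap in sorted(r.capabilities - needed):
            findings.append(f"unnecessary capability: {r.stakeholder} holds {cap}")
        for acc in sorted(r.accountabilities):
            if not (LINKS.get(acc, set()) & r.capabilities) or acc not in OUTCOMES:
                findings.append(f"unjustified accountability: {r.stakeholder} / {acc}")
    return findings

def step4_checks(model):
    """Exception verification: separation of duties and cardinality constraints."""
    holders = defaultdict(set)  # accountability -> stakeholders answering for it
    for r in model:
        for acc in r.accountabilities:
            holders[acc].add(r.stakeholder)
    findings = [f"separation of duties: {s} holds both {a} and {b}"
                for a, b in SOD for s in sorted(holders[a] & holders[b])]
    findings += [f"cardinality: {acc} has {len(holders[acc])} holders, expected {n}"
                 for acc, n in CARDINALITY.items() if len(holders[acc]) != n]
    return findings
```

Running both checks on MODEL flags the database access nobody's accountability needs, the accountability with no supporting capability, and the front-desk stakeholder who both registers and validates.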

Step 5: Policy Elicitation
[Process diagram: Enterprise input → Step 1: Nat. Language Synthesis → Step 2: Responsibility Diagram → Step 3: Resp.'s Components Diagram → Step 4: Exceptions Verified Diagram → Step 5: Context Dependent Policy]
Input:
Refined responsibility framework for exceptions from step 4
Output:
Context dependent policy
Actions:
ST1: Responsibility is assigned to a role
ST2: Roles are instantiated by stakeholders
ST3: Translation of the diagram into a policy format, i.e. XACML
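Step 5 ST3 as an added example, not the paper's or Telindus' own tooling: the role/access-right assignments produced by ST1 and ST2 are translated into an XACML 3.0 Policy (one Permit Rule per role, resource and action, combined deny-unless-permit) and a minimal decision function evaluates a request against it; the role and resource names are assumptions.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute of the XACML RBAC profile
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORY = {ROLE: "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            RESOURCE: "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            ACTION: "urn:oasis:names:tc:xacml:3.0:attribute-category:action"}
EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ET.register_namespace("xacml", XACML)
# Step 5 ST1/ST2 outcome, constructed: role -> (resource, action) access rights its
# responsibilities need. Role and resource names are assumptions, not from the paper.
ROLE_RIGHTS = {"complaint-registrar": [("customer-complaint", "create"), ("customer-complaint", "read")],
               "complaint-responsible": [("customer-complaint", "read"), ("customer-complaint", "update"),
                                         ("customer-complaint", "close")]}

def _tag(name):
    return f"{{{XACML}}}{name}"
def _match(all_of, attr_id, value):
    """One XACML Match: string-equal(value, attribute designated by attr_id)."""
    m = ET.SubElement(all_of, _tag("Match"), MatchId=EQUAL)
    ET.SubElement(m, _tag("AttributeValue"), DataType=STRING).text = value
    ET.SubElement(m, _tag("AttributeDesignator"), Category=CATEGORY[attr_id],
                  AttributeId=attr_id, DataType=STRING, MustBePresent="false")

def build_policy(role_rights, policy_id="customer-complaints-policy"):
    """Step 5 ST3: translate role/access-right assignments into one XACML 3.0 Policy."""
    policy = ET.Element(_tag("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit")
    ET.SubElement(policy, _tag("Target"))  # empty Target: the Policy applies to every request
    for role, rights in role_rights.items():
        for resource, action in rights:  # one Permit Rule per (role, resource, action)
            rule = ET.SubElement(policy, _tag("Rule"), Effect="Permit", RuleId=f"{role}:{resource}:{action}")
            all_of = ET.SubElement(ET.SubElement(ET.SubElement(rule, _tag("Target")), _tag("AnyOf")), _tag("AllOf"))
            for attr_id, value in ((ROLE, role), (RESOURCE, resource), (ACTION, action)):
                _match(all_of, attr_id, value)
    return policy

def decide(policy, request):
    """Minimal PDP over the generated Policy: first Rule whose Matches all hold, else Deny."""
    for rule in policy.findall(_tag("Rule")):
        if all(request.get(m.find(_tag("AttributeDesignator")).get("AttributeId"))
               == m.find(_tag("AttributeValue")).text for m in rule.iter(_tag("Match"))):
            return rule.get("Effect")
    return "Deny"

def to_xml(policy):
    return ET.tostring(policy, encoding="unicode")  # the policy document handed to a real PDP
```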

Case study
Telindus Luxembourg SA
ICT company
IT services in telecom and IS
ISO 9001
Analysis of the Customer Complaints Process

Step 1: Collection of information

Step 2: Graphic diagram
[Responsibility diagram of the customer complaints process. Link legend: Delegation Link, Implication Link, Contribution Link, Execution Link. Recoverable labels: register the complaint; read access right for the customer complaint; capability needed for the validation of the complaint; contributes to the accountability for the follow-up of the complaint; assign the responsibility; need to be informed; verify the creation of the complaint; accountability of the evolution of the complaint; closure of the complaint; report from the same complaint; the responsibility is delegated to the responsible; confirmation / validation of the complaint; resolution acknowledgment]

Step 3: Component Link
ST1: Check for unnecessary capability
  Access to the customer database
  Request for training
ST2: Check for unnecessary accountability
  Many accountabilities for customer satisfaction

Step 4: Exception Verification

Step 5: Policy Elicitation

Conclusions
Importance of improving ICT governance
Innovative responsibility model to be linked to another framework
The methodology:
Enhanced and validated using the Customer Complaints process of Telindus SA
Potential improvement of the process
Improvement and extension of the methodology: iterative refinement
