and IT Policies: Use Case from an IT Company
Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gateau
Public Research Centre Henri Tudor, Luxembourg
Context
Governance of IT is becoming more and more necessary
Sarbanes-Oxley Act
Basel II
ISO/IEC 38500:2008
Plan
[Figure: responsibility model. Labels shown: Stakeholder, Capability, Access Right, Accountability, Soft, Answerability, Hard, Sanction, Commitment, Affective, Continuance, Antecedents, Outcomes]
The methodology
Objective: instantiate the responsibility model
The instantiation is an intermediary result to be linked with another organizational model
5 steps approach, starting with information collection and closing with corporate policy
Illustration in the field of access control
Step 1
Nat. Language Synthesis
Input:
Business case study
Business process and procedures
Effective practices in the enterprise
Output:
Structured and formalized synthesis in natural language
Actions:
Interviews
Analysis of existing process and referential
Step 2
Responsibility Diagram
Input:
Synthesis achieved in step 1
Output:
Graphical representation of the responsibility framework
Responsibility & its components
Links between components
Actions:
ST1: Responsibility
ST2: Capability and Accountability
ST3: Links between components: Delegation, Implication, Contribution, Execution
Step 3
Resp.s Components Diagram
Step 4
Exceptions Verified Diagram
Input:
Responsibility Component diagram from step 3
Output:
Refined responsibility framework for Exception
Actions :
Delegation rules
Separation of duties
Cardinality constraints
Step 5
Context Dependent Policy
Input:
Refined responsibility framework for exception from step 4
Output:
Context dependent policy
Actions:
ST1: Responsibility is assigned to a role
ST2: Roles are instantiated by stakeholders
ST3: Translation of the diagram into a policy format, i.e. XACML
Case study
Enterprise input
Telindus Luxembourg SA
ICT company
IT services in telecom and IS
ISO 9001
Analysis of the Customer Complaints Process
Step 2
Responsibility Diagram
[Figure: responsibility diagram of the customer complaints process, with Delegation, Implication, Contribution and Execution links between the responsibilities and their capability and accountability components. The annotation text overlaid on the diagram did not survive extraction.]
Conclusions
Importance of improving ICT governance
Innovative responsibility model to be linked to another framework
The methodology
Enhanced and validated using Customer Complaints process of Telindus SA