8/16/2019 ARES 2009 _ Methodology to Align Business and IT Policies, Use Case From an IT Company
1/21
Methodology to Align Business and IT Policies: Use Case from an IT Company
Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gateau
Public Research Centre Henri Tudor, Luxembourg
André Adelsbach, Marc Camy
Telindus PSF, Luxembourg
Context
• Governance of IT is becoming more and more necessary
• Sarbanes-Oxley Act
• Basel II
• ISO/IEC 38500:2008
• Need for more responsibility, transparency, accountability, ethics, commitment
• Existing frameworks don’t address those requirements systematically
Plan
• Introduction of the Responsibility Model
• Presentation of the methodology
• Illustration of the methodology
• Conclusions
The responsibility model
Responsibility: obligation to satisfactorily perform or complete a task
The responsibility model
Responsibility
Capability: describes the quality of having the required qualities or resources to achieve a task
[Diagram: Responsibility composed of Accountability and Capability; Access Right shown as a capability]
The responsibility model
Responsibility
Commitment: the engagement of a stakeholder to fulfil a task taking
[Diagram: Responsibility composed of Capability, Accountability and Commitment; Commitment has Affective and Continuance forms, with Antecedents and Outcomes]
The responsibility model
[Diagram: a Responsibility links a Task and a Stakeholder and is composed of Capability, Accountability and Commitment]
The methodology
• Objective: instantiate the responsibility model
• The instantiation is an intermediary result, to be linked with another organizational model
• 5-step approach, starting with information collection and closing with a corporate policy
• Illustration in the field of access control
Step 1: Collection of information
• Input:
– Business case study
– Business processes and procedures
– Effective practices in the enterprise
• Output:
– Structured and formalized synthesis in natural language
• Actions:
– Interviews
– Analysis of existing processes and referentials
[Diagram: methodology flow; Step 1: Enterprise input → Nat. Language Synthesis]
Step 2: Graphic diagram
• Input:
– Synthesis achieved in step 1
• Output:
– Graphical representation of the responsibility framework
– Responsibility and its components
– Links between components
• Actions:
– ST1: Responsibility
– ST2: Capability and Accountability
– ST3: Links between components: Delegation, Implication, Contribution, Execution
[Diagram: methodology flow; Step 1: Enterprise input → Nat. Language Synthesis; Step 2: Responsibility Diagram]
Step 3: Component Link
• Input:
– Responsibility diagram from step 2
• Output:
– Refined responsibility framework
• Actions:
– ST1: Check for unnecessary capability
– ST2: Check for unjustified accountability
  – No link with a capability in the process
  – No link with another capability
  – No contribution to process outcomes
[Diagram: methodology flow; Step 1: Enterprise input → Nat. Language Synthesis; Step 2: Responsibility Diagram; Step 3: Resp.’s Components Diagram]
Step 4: Exception Verification
• Input:
– Responsibility Components diagram from step 3
• Output:
– Refined responsibility framework for exceptions
• Actions:
– Delegation rules
– Separation of duties
– Cardinality constraints
[Diagram: methodology flow; Step 1: Enterprise input → Nat. Language Synthesis; Step 2: Responsibility Diagram; Step 3: Resp.’s Components Diagram; Step 4: Exceptions Verified Diagram]
Step 5: Policy Elicitation
• Input:
– Refined responsibility framework for exceptions from step 4
• Output:
– Context-dependent policy
• Actions:
– ST1: Each responsibility is assigned to a role
– ST2: Roles are instantiated by stakeholders
– ST3: Translation of the diagram into a policy format, i.e. XACML
[Diagram: methodology flow; Step 1: Enterprise input → Nat. Language Synthesis; Step 2: Responsibility Diagram; Step 3: Resp.’s Components Diagram; Step 4: Exceptions Verified Diagram; Step 5: Context Dependant Policy]
Case study
• Telindus Luxembourg SA
– ICT company
– IT services in telecom and IS
– ISO 9001
• Analysis of the Customer Complaints process
[Diagram: methodology flow, Step 1 (Enterprise input → Nat. Language Synthesis) to Step 5 (Context Dependant Policy)]
Step 1: Collection of information
[Diagram: methodology flow; case study input for Step 1: Enterprise input → Nat. Language Synthesis]
Step 2: Graphic diagram
[Diagram: methodology flow; case study Responsibility Diagram for Step 2, showing the four link types: Delegation, Implication, Contribution, Execution]
• Delegation link: the accountability “validation of the complaint” of the responsibility “creation of complaint report” is delegated to the responsible for “confirmation / validation of the complaint”
• Implication link: the responsible for the customer follow-up needs to be informed of the complaint closure from the responsibility “resolution acknowledgment”
• Contribution link: the “register the complaint” accountability contributes to the “assign the complaint” accountability of the same responsibility
• Execution link: the capability “read access right” is needed for the accountability “verify the evolution of the complaint”
Step 3: Component Link
[Diagram: methodology flow; case study Resp.’s Components Diagram for Step 3]
• ST1: Check for unnecessary capability
– Access to the customer database
– Request for training
• ST2: Check for unnecessary accountability
– Many accountabilities for customer satisfaction
Step 4: Exception Verification
[Diagram: methodology flow; case study Exceptions Verified Diagram for Step 4]
Step 5: Policy Elicitation
[Diagram: methodology flow; case study Context Dependant Policy for Step 5]
Conclusions
• Importance of improving ICT governance
• Innovative responsibility model to be linked to another framework
• The methodology
– Enhanced and validated using the “Customer Complaints” process of Telindus SA
– Potential improvement of the process
– Improvement and extension of the methodology: iterative refinement