Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.
We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.
To purchase hard copies of this book, please contact the representative in India:
CBS Publishers & Distributors Pvt. Ltd.
www.cbspd.com
|
customercare@cbspd.com
Many organizations spread and integrate the practices of the Information Technology Governance, Risk and Compliance (IT GRC). The problem that arises is how to choose the best practice to satisfy a precise need. This chapter concerns the study and the conception of decision-making architecture with the multi-agent system (MAS). So, the objective of this research is to build a decision-making model to satisfy a precise IT need. The proposed approach rests on four main stages to set up the decision-making model, which takes as input the strategic needs. The realized work has as objective to minimize the incoherence between the decisions taken by the stakeholders of an organization compared with the defined strategic objectives. The decision-making would contribute to legitimize the taken decision. This work is based on modeling a MAS, which rests on the idea that it is possible to represent directly the behavior and the interactions of a set of autonomous individuals evolving in a common environment. Finally, the proposed solution is part of a global platform for IT Governance, Risk and IT Compliance (EAS-IT GRC) (“EAS is the name of our team”).
Faculty of Law Economics and Social Sciences, Hassan II University, Morocco
Chergui Meriyem
Higher National School of Electricity and Mechanics, Hassan II University, Morocco
*Address all correspondence to: aziza1chakir@gmail.com
1. Introduction
The development of a strategic vision of an organization is considered as a requirement for the information systems, direction, especially with regard to its contribution to the global performance of the organization. The smooth running of the information system of an organization, their evolution and their effective improvement of the quality of services of information technology, is reasoned by the multiplicity and the diversity of the best practice and of the different methods used [1, 2]. The main actors of an organization use a set of the IT directives which can be COBIT (Control Objectives for Information and related Technology) [3], for the executive management, ITIL (Information Technology Infrastructure Library) [4, 5], for the management of information systems and the series of the standards ISO (International Organization for Standardization) 27000 for the security of information systems [6].
Many companies are trying to integrate or implement an IT framework to meet a strategic need defined by stakeholders, with regard to the global conditions and options available. The challenge is how to select good practices given the diversity of IT GRC methods, frameworks, and best practices that exist in the IT market. The managers face a strategic difficulty of choosing the adequate IT framework, to meet the stakeholders’ needs [7].
In this scientific work, we describe a correspondence between the strategic objectives of an organization and the processes of ITIL [8], PMBOK, ISO 27001, and ISO 27002 [9] by basing itself on a decision-making system to select the best framework by report a strategic objective. Furthermore, given the importance of interaction, coordination, and collaboration in information systems, we have to propose a solution that answers these essential requirements for the appropriate functioning of an organization.
The global platform of the IT GRC (EAS-IT GRC) ensures the alignment of the objectives of the organization as regards the needs defined by the stakeholders. This is illustrated by the progress strategic to a given organization and also by the taken decisions. The proposed solution supplies a high-level model for the IT GRC, which will allow the implementation of the IT GRC in an intelligent way. We give a brief description of every layer of the platform EAS-IT GRC (Figure 1) for a good understanding of the global architecture.
Figure 1.
EAS-IT GRC architecture.
The architecture consists of five layers:
Strategic layer: This layer ensures a permanent IT strategic alignment with needs defined by the stakeholders in an interactive intelligent way.
Decision-making layer: It makes a study of the strategic request to release the best adequate framework to handle the request by the processing layer.
Processing layer: It sets up the various reference tables, and it makes the treatment of the strategic request by the system that corresponds to the chosen platform. This layer arranges intelligent systems that translate the handled reference tables.
Communication layer: All communications between the various layers is supported by this layer. It prepares messages exchanged according to formats required by the other layers. This layer spreads numerous mechanisms to make an exchange in real time.
Updater layer: This layer ensures the adaptation of the new practices in the platform EAS-IT GRC by defining policies of change to integrate these new practices regarding information system.
The IT GRC market has expanded from a tactical focus on statutory compliance to a strategic focus on enterprise risk management. Many companies are trying to integrate or implement best practices to address a strategic need identified by stakeholders.
The challenge is how to select good practices given the diversity of IT GRC methods, standards, frameworks, and best practices that exist in the IT market. So the diversity of best practices poses a strategic challenge for companies to choose the right IT GRC best practice. As a result, our approach aims at choosing a good IT practice in an effective way by estimating IT frameworks with regard to the IT objectives.
The model of decision-making, DML, receives as input the IT service prepared and sent by the communication layer; this layer makes a good treatment of the IT service in an intelligent way. It has two levels, the first level generates the choice of the best reference table according to the strategic need and the second level is going to allow us to ensure the satisfaction of the chosen solution by basing itself on performance indicators communicated after every treatment made.
The following plan illustrates the proposed model of decision (Figure 2):
Figure 2.
The model of decision-making DML.
3.1 Level 1: framework IT decision
The first level set up two layers, every layer has a precise function to achieve.
The first layer is “MAS sequencing” based on MAS; it ensures that these sub-problems are scheduled according to the environment variables (the type of organization, the priority of one IT requirement over another, etc.), and also it has three sub layers “Categorization decision 1.1”, and “Sequencing.”
The second layer is “MAS evaluation collective” based on MAS; it formalizes each sub-problem by taking into consideration the versions of the references, the certification or not of the employers of the organization, and it also takes other performance indicators into consideration.
The following plan schematizes the details of level 1 (Figure 3):
Figure 3.
Level 1 “Framework IT decision.”
3.1.1 MAS sequencing
3.1.1.1 Algorithm: categorization Decision 1.1
The first sub layer “Categorization Decision 1.1” has as objective to make the connection between the strategic needs expressed by COBIT and the IT matrix to produce a reduced matrix, which will be handled by the second sub layer of the model of decision-making (Figure 4).
Figure 4.
Graph of resolution of the algorithm “Categorization Decision 1.1.”
The categorization was made according to a strategy of selection of IT framework. The following graph shows the sequence of the stages of the generation of the categorized IT request.
3.1.1.2 Algorithm: categorization Decision 1.2
The second sub layer “Categorization Decision 1.2” takes as input the matrix produced by the first one under layer, the type of activity of the organization, and the IT matrix we allocate a weight to every reference table which can answer a strategic need.
The second categorization was made according to a strategy of evaluation of the IT objectives with regard to every IT framework. The following graph shows the chain of the stages of the regeneration of the categorized IT request (Figure 5).
Figure 5.
Graph of resolution of the algorithm “Categorization Decision 1.2.”
3.1.1.3 Algorithm: sequencing
The strategic need expressed by the stakeholders is seen as a set of IT objectives, the selection of which is managed by a particular algorithm. This algorithm makes the sequencing of the IT objectives to be treated (Figure 6).
Figure 6.
Graph of resolution of the algorithm “Sequencing.”
3.1.2 MAS evaluation collective
The second layer “MAS evaluation collective” takes as input the matrix produced by the first layer, that present the list of the IT objectives, after it treats each IT objective as an under IT problem. In an intelligent way, this layer generates the best choice of the IT GRC practice to treat the IT need expressed as input. It takes as input the IT matrix, the versions of reference tables, the certification of organization’s employers, and the performance indicators based on the logging of treatments made by all the layer of the platform EAS-ITGRC.
3.2 Level 2: decision-making treatment
The second level ensures the satisfaction or the dissatisfaction of the choice by basing itself on a set of performance indicators, for example on the success rate—thus, if the success rate is greater than a threshold, the choice is good and if it is not the case, we have to reformulate the strategic needs by the user, or send back the second choice to the communication layer.
The following plan illustrates both levels in detail (Figure 7).
The IT GRC remains an emergent subject in the world of information technology (IT). However, to this day, there is a lack of research on a selective approach of IT framework with regard to the IT objectives.
4.1.1 Principle of functioning
The first version of our approach describes the correspondence between the processes IT of COBIT and the processes of ITIL, PMBOK, ISO27001, and ISO27002 to investigate into the coexistence of the links between the processes IT of COBIT and the processes IT by basing itself on the synthesis of the positioning of surrounding areas of the information technologies.
The following table illustrates the link between the IT objectives and the IT matrix (Table 1).
Table 1.
IT matrix.
In this scientific work, we make the link between the IT processes of COBIT and the handled frameworks (ITIL, ISO 27001, ISO 27002 and PMBOK) by affecting two values (the first value corresponds to the key points that the IT framework will can treaties, and the second value corresponds to the classification of an IT framework by report the others) if there is a link between both and if it is not the case we affect the value “Null“.
4.1.2 Example
For handling the objective “Define a strategic IT plan,” we have two IT frameworks: ITIL and PMBOK.
For ITIL, we have for weights: IT evolution, 2
For PMBOK, we have for weights: IT evolution, 1 and business evolution, 1
PMBOK covers more aspects than ITIL, thus we choose PMBOK.
The best framework is PMBOK.
4.1.3 Limitations
According to the proposed approach, the best IT framework for the IT objective “Define a strategic IT plan” is PMBOK and according to the IT expert the best reference table to handle the objective, thus we notice well that this approach does not present the best proposal.
4.2 Method proposed in version 2
To make the generated decision more efficient, we have to integrate the five pillars of IT governance in our decision-making model. The IT governance’s pillars are the value creation, the strategic alignment, the measure of performance of the processes, the resource management and skills and the management of the IT risk.
This method generates the decision of the adequate IT framework IT on two levels.
4.2.1 Principle of functioning
4.2.1.1 Stage 1: the IT objectives and the axes of the IT governance
For each of the COBIT IT processes (the 34 processes), a description is provided, with objectives and key indicators in the form of a cascade [3, 10].
This scientific research is based on the coexistence of links between IT objectives (COBIT processes) and the axes of the IT governance [11] by indicating the type of relation as “primary” (P or 2) or “secondary” (S or 1) [12, 13].
We apply the same treatment for the set of the IT processes and obtain the matrix below (Table 2) [12].
Table 2.
The evaluation of IT objectives to IT axes.
4.2.1.2 Stage 2: the IT objectives and the IT frameworks
The second phase consists in estimating the link between the IT objectives (the processes of COBIT) and IT framework by basing itself on aspects approached by every IT framework (Table 3) [12].
Table 3.
The relation between the framework COBIT and the other IT framework.
4.2.2 Objective function
In our research, we do not give a favorable opinion of one of the IT methods; we define an objective function of maximization based on five selection criteria, to select the best IT methods to treat the strategic need.
The proposed function is defined as follows:
x: It corresponds to the axes of the IT governance, it belongs to {Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance measurement}
val (xi): It is the value of criteria “xi” compared with the IT objective.
g(framework): It is the function that turns the value of one IT method by reporting an IT objective.
val (framework): It is the value of framework “frameworki” compared with the IT Objective.
4.2.3 Example
Let us suppose that an organization wishes to manage its third services and she wants to set up an IT framework to realize this IT objective.
To select the best IT framework, we apply the function f. The IT objective is “Manage third-party services” (DS5)
and
g(ITIL) = 3; g(PMBOK) = 2; g(ISO27001) = 2; g(ISO27002) = 3. Then, f(Manage third-party services) = Max (18, 12, 12, 18) = 18. Then the best reference table to realize this objective is ITIL or ISO 27002.
4.2.4 Limitations
According to the proposed approach, the best IT framework to handle the objective “Manage third-party services” can be ITIL or ISO 27002 so we have two generated decision. Thus we notice that the taken decision is not the best one.
4.3 Method proposed in version 3
The improvement of the taken decision requires the addition of performance indicators at the end to consider the environment of the organization that wishes to implement an objective IT.
This proposal is enriched by an expert system that is going to allow us to reproduce the reasoning and to deduce new knowledge, exploiting the performance of data warehousing.
4.3.1 Principle of functioning
4.3.1.1 Data warehouse
The basic function of using a decision-making system is to manage the journaling of data. So for our approach we integrate the datawarehousing as a decision-making system to evaluate the process of choosing the best practice by defining a set of performance indicators, which are [14]:
Estimated rate: it is the time considered for treating an IT request.
Use rate corresponds to the execution of an IT framework.
Resolution rate corresponds to the time when an IT framework answered well to an IT request.
We proposed the following dimensions: Organization, Decision, IT Objective, IT service, Reference table, and Time.
4.3.1.2 Expert system
For good exploitation of data stored in the multidimensional base, we have set up a system with knowledge, expert system. This system has as purpose the modeling of the knowledge and the reasoning of an expert in the field of IT GRC.
For that purpose, three main actors should present their contribution to the development of expert system, which are worth knowing: the end user, the IT expert, and the engineer of knowledge.
The interaction between these three actors is used to develop the expert system, which consists of a knowledge base, a facto base, and an interference engine.
The inference rules that we proposed are:
Let “Ai” be the IT framework and “O” the IT Objective
Rule 1:
R1: Weight (Ai) > Weight (Aj) → Ai
Rule 2:
R2: Certification (organization, Ai) = true and Ai ∈ selected IT frameworks →Ai
Rule 3:
R3: Estimated rate (Ai) < Estimated rate (Aj) → Ai
Rule 4:
A4: Use rate (Ai) > Use rate (Aj) → Ai
Rule 5:
R5: Resolution rate (Ai) > Resolution rate (Aj) → Ai
Rule 6:
A6: Data warehouse (O) = true and IT Matrix (O) = Aj and Data warehouse (O) = Ai →Ai (Data warehouse (O) = true equivalent the objective (O) exists in the data warehouse)
Rule 7:
R7: IT Matrix (O) = Aj and Data warehouse (O) = {Ai, Ak} and Version-Organization-IT framework (Ak) = V1 and Data warehouse-versioning (O, Ak) = V1 → Ak
Rule 8:
R8: Data warehouse (O) = false and IT Matrix (O) = Ai →Ai.
The latest version of our architecture decision-making model is as follows (Figure 8).
Figure 8.
The detailed model of decision-making DML.
4.4 Case study
The following table shows a comparative study between the proposed approaches and the improvement of our model of decision-making, which is going to receive as input the following IT objectives (Table 4):
Objective 1: Define a strategic IT plan
Objective 2: Ensure compliance with external obligations
Objective 3: Manage third-party services
Table 4.
Comparative study.
The second line shows the opinion of an IT expert who gives the best IT framework by IT objective. For objective 1 (Define a strategic IT plan), the best IT framework is ITIL; for objective 2 (Ensure compliance with external obligations), the best IT framework is ISO 27001; and for objective 3 (Manage third-party services), the best IT framework is ISO 27002.
The third line shows the limitations of the first version of the proposed approach, taking the case of objective 1; it gave as results the IT framework PMBOK and it is not the best IT framework. The fourth line shows the limitations of the second version of the proposed approach, taking the case of objective 3; it gave as results the two IT frameworks ITIL and ISO27002 and they are not the best IT framework.
For the third version of our decision-making model, which corresponds to the fifth line, the results for the first objective give ITIL, for the second objective give ISO27001, and for the third objective give ISO27002.
We noticed that there is a correspondence between the results generated by our decision-making model and IT frameworks chosen by the IT expert.
The objective of our research is to build a model of decision-making to satisfy a precise IT need. The proposed approach integrates two disciplinary aspects, which are the data warehousing and the practices of the IT GRC to make the best decision.
We plan to add an extra layer that keeps the efficiency of the taken decisions by handling the factors influencing the quality of data [15, 16], or rather the moderating factors influencing the quality of basic data processed by a data warehouse [17].
We also plan to propose a generic approach that can integrate any IT methods and incorporate more performance indicators to make the appropriate choice for every organization.
References
1.Kooper MN, Maes R, Roos Lindgreen EEO. On the governance of information: Introducing a new concept of governance to support the management of information. The International Journal of Information Management. 2011;31(3):195-200. http://www.ibimapublishing.com/journals/CIBIMA/c
2.Pereira R, da Silva MM. Governance implementation: The determinant factors. Communications of the IBIMA. 2012;2012:970363. 16p
3.COBIT® 4.1. IT Governance Institute®. Available from: http://www.isaca.org/
4.Väyrynen H. Improving IT service of delivering the field service management service and device for users in Company X [thesis]; 2019
5.Alastair B, Kevin J, Salah K, Maureen T, Adrie S. ITIL adoption in South African: A capability maturity view. The e-Skills for Knowledge Production and Innovation Conference; 2014
6.Wilai S, Vasin C. A benchmarking study of standard frameworks for information technology governance. The Second Asian Conference on Information Systems. ACIS; 2013
7.Nicolas R, Edgar Weippl, Andreas Seufert “A process model for integrated IT governance, risk, and compliance management”. Proceedings of the Ninth International Baltic Conference on Databases and Information Systems (DB&IS 2010). Riga: University of Latvia Press; 2010. pp. 155-170
8.Günther LC et al. Data quality assessment for improved decision-making: A methodology for small and medium-sized enterprises. Procedia Manufacturing. 2019;29:583-591
9.Maico G. Combining ITIL, COBIT and ISO/IEC 27002 for structuring comprehensive information technology for management in organizations. Navus-Revista de Gestão e Tecnologia. 2012;2(2):66-77
10.IT Governance Institute, editor. COBIT Mapping: Overview of International IT Guidance. 2nd ed. IT Governance Institute COBIT®; 2006. https://www.sox-expert.com/uploads/files/COBIT%20Mapping%202nd%20Edition.pdf
11.Chadi A, Savanid V, Yang C. IT Governance Framework Adoption: Establishing success factors. International Working Conference on Transfer and Diffusion of IT. Australia: University of Technology Sydney; 2011. Available from: https://link.springer.com/chapter/10.1007/978-3-642-24148-2_15
12.Aziza C, Chergui M, Medromi H, Sayouti A. An approach to select effectively the best IT framework according to the IT governance axes, to handle and to set up an IT objective. Third World Conference on Complex Systems (WCCS). IEEE. Marrakech: WCCS15; Novembre 2015
13.Ramlaoui S, Semma A. Comparative study of COBIT with other IT governance frameworks. International Journal of Computer Science Issues. 2014;11(6):1
14.Silva J et al. Intelligent and distributed data warehouse for Student’s academic performance analysis. In: International Symposium on Neural Networks. Cham.: Springer; 2019. pp. 190-199
15.Azeroual O, Saake G, Abuosba M. Data quality measures and data cleansing for research information systems. arXiv preprint arXiv:1901.06208; 2019
16.Cécile F, Fadila B, Omar B. Maintenance de charge pour l’optimisation des entrepôts de données évolutifs: aide à l’administrateur. In: EDA. 2008. p. 115-122
17.Accerboni F, Sartor M. ISO/IEC 27001. In: Quality Management: Tools, Methods, and Standards. Emerald Publishing Limited; 2019. pp. 245-264
Written By
Chakir Aziza and Chergui Meriyem
Submitted: 13 November 2019Reviewed: 30 January 2020Published: 11 April 2020
Open access peer-reviewed chapter
