This document discusses integrating project portfolio management approaches, including Front End Loading (FEL), the Project Management Institute's Standard for Portfolio Management, and the UK government's PRINCE2 methodology.
It proposes a model for managing an IT project portfolio that uses six phases aligned with FEL: FEL I analyses organizational strategy; FEL II selects feasible projects; FEL III completes basic engineering. Projects then enter the execution and operation phases.
The model filters initiatives through these phases and gates to advance only those strategically aligned with business objectives and likely to maximize return on investment. Integrating FEL, portfolio standards, and PRINCE2 aims to strengthen portfolio management and better achieve organizational goals.
The document discusses computer game modeling of organizational structures of enterprises and industrial associations. It proposes using formalized representations of technological processes and queuing network modeling to assess temporal characteristics. This allows implementing mechanisms to model and parameterize local environments of individual processes. In addition, a Petri net was developed for compatibility of logical conditions to technological process implementation using an event approach. The methods were tested and implemented in various companies to model technological processes included in organizational management structure simulation systems.
Mathematical concepts applied to operations management - Rakesh Kariholoo
Mathematical concepts applied to Operations Management.
Change and innovative disruption are in the news, whether at the societal level or in businesses. These 20 slides will show why, for businesses, process re-engineering is at the heart of all future mutations, using concepts inspired by Bernhard Riemann when he envisioned manifold theory.
A must-read for all the pioneering brains still looking for the last frontier in the business arena.
This document discusses the complexity of systems integration. It notes that while integration is when many problems are discovered, it has not received as much research attention as other phases. The document uses information from an Israeli systems integration working group to explore different integration processes used in various organizations. It finds there is no single best method and companies use diverse engineering and managerial techniques suited to their culture and projects. Integration involves combining system components while managing interdependencies between components, developers and other stakeholders.
This study concentrates on an important mathematical project management technique “Earned Value Management” in order to highlight these necessary technical skills. In the first part we give necessary concepts about project management. In the following parts we highlight methods for management of two important project constraints “time” and “cost”. “Earned Value Management” technique is highlighted in the final part.
10 project management approach on the adaptive enterprise resource planning - INFOGAIN PUBLICATION
Enterprise Resource Planning (ERP) implementation is one of the key success factors for business organizations to endorse their business strategy and goal alignment with recent information technology. In spite of its benefits, there are many failures in ERP implementation: between 50% and 75% are categorized as failed due to lack of top-level management awareness, change of business processes in project implementation, and unsuitable architecture, design, and technological infrastructure. The study proposes an Adaptive ERP system that covers both management and technology areas, with visibility, flexibility, and agility as its main characteristics. The Adaptive ERP is expected to become an alternative approach to overcome failures in ERP implementation. The Adaptive ERP has standardized business process transitioning from Project Management (PM) into Operational Management (OM), which generally serves as the baseline for conventional ERP. In addition, Adaptive ERP has standardized Service Oriented Architecture (SOA) in order to manage interoperability of the application services.
The document discusses different types of sales approaches. It contrasts the traditional "vendor centric" approach where salespeople try to sell products to customers with a "customer centric" approach. The customer centric approach focuses on understanding customer needs and problems, allowing customers to define their own selection criteria and make their own decisions about whether and what to purchase based on evaluating alternatives themselves. The document advocates that sales processes should be adaptive to customers rather than manipulative.
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates concepts from the business and technical layers, with the concept of employee responsibility bridging the two. It incorporates four types of obligations from the COBIT framework to refine employee responsibilities and better assign access rights. ReMoLa maps responsibilities to roles in the RBAC model to leverage its advantages for access right management while ensuring responsibilities align with business tasks and employee commitment.
Talk given by Igor Lukic of Zendal Backup at the I Curso de Verano de Informática Forense (first Summer Course on Computer Forensics) of the Facultad de Informática, Universidad de A Coruña.
The document discusses embedded systems and how they have evolved over time. It describes how embedded controllers now power many everyday devices, from phones to washing machines, and how embedded technology will continue advancing to be included in more low-cost products. It promotes an open source training on embedded systems called Open.Embedded that aims to provide practical, up-to-date skills on using different microcontrollers and IDEs to develop working prototypes quickly.
I collaborated with Tamara Holmes on this story dedicated to anyone who has ever had a loved one treat them as a personal ATM. Holmes really gets the "personal" side of personal finance, which is why I entrust her with money and career related assignments again and again.
This document summarizes the capabilities of the FOCA tool for extracting metadata and hidden information from files. FOCA can analyze a wide range of file types including documents, images, and PDFs. It is able to uncover personal user data, system information, network details, device information, software versions, and more. The document provides examples of FOCA analyzing files from FBI.gov and its recursive network discovery algorithm. It concludes by noting new features in version 2.7.1 like RDP file analysis and an improved reporting module.
http://www.SmartSimpleMarketing.com Sydni Craig-Hart from Smart Simple Marketing breaks down what branding really means, what it has to do with you and how to create a compelling brand that is clear, irresistible and client attractive.
This document proposes a multi-agent architecture for incident reaction in information system security. The architecture has three layers - low level interacts directly with the infrastructure, intermediate level correlates alerts and deploys reaction actions using multi-agent systems, and high level provides supervision and manages business policies. The architecture was tested for data access control and aims to quickly and efficiently react to attacks while ensuring policy compliance. The document discusses requirements like scalability, autonomy, and global supervision. It also describes the key components of alert management, reaction decision making, and policy definition/deployment to implement the architecture using a multi-agent approach.
Talk given by Pablo González of the company Informática 64 at the Asegur@itCamp4! event, held on 26, 27 and 28 October 2012 in El Escorial, Madrid.
This document presents the results of an opinion poll conducted in Metropolitan Lima in August 2010. The poll measured electoral preferences for the mayoralty of Lima without the candidacy of Alex Kouri, finding that Lourdes Flores would be the favourite with 41.4% of voting intention, followed by Susana Villarán with 17.5%. The poll also included technical information such as the sample size and methodology, the districts included, and the company
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It summarizes key access control models and discusses how they address concepts like capability, accountability, and commitment. The document also reviews engineering methods and how they incorporate responsibility considerations. The overall goal is to orient further research towards a new policy model and engineering method that more fully addresses stakeholder responsibility.
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to make access management policies closer aligned with business objectives. It does this in two ways:
1) By focusing the policy engineering process on business goals and responsibilities defined in processes, using concepts from the ISO/IEC 15504 standard. This links capabilities and accountabilities to process outcomes and work products.
2) By defining a multi-agent system architecture to automate the deployment of policies across heterogeneous IT components and devices. The agents provide autonomy and ability to adapt rapidly according to context.
The approach was prototyped using open source components and aims to improve how access rights are defined according to business needs and deployed across an organization.
This document proposes a context-aware solution for dynamically assigning responsibilities and access rights to agents in a critical infrastructure security architecture during a crisis. It introduces the concept of agent responsibility, which is assigned based on the crisis type and severity. Responsibilities define an agent's obligations and accountabilities for tasks, as well as the necessary rights and capabilities. The architecture enhances an existing multi-agent reaction system called ReD by integrating a mechanism for dynamically changing responsibility assignments according to the crisis context, and granting access rights based on the agents' responsibilities. This allows the architecture to quickly adapt its response by reallocating functions when agents are compromised during an attack.
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document proposes a method for constructing policy models in financial institutions to improve requirements engineering. The method defines responsibilities and ensures policies align across organizational levels from strategic to technical. It focuses on managers' responsibilities for business process outcomes and defines an ontology for policy model interoperability. The goal is to analyze policy reliability and its impact on operational reliability, which is important for governance regulations.
An ontology for requirements analysis of managers’ policies in financial inst... - christophefeltus
This document proposes a method for constructing policy models in financial institutions to improve requirements engineering. The method defines responsibilities and ensures policies align across organizational levels from strategic to technical. It analyzes reliability of the policy system and its impact on business processes. The case study examines operational risk management policies in a bank to demonstrate defining policy outcomes and responsibilities for each process according to Basel II requirements.
This document discusses several security frameworks and methodologies. It describes COSO as a corporate governance framework focused on fraudulent financial reporting. CobiT is derived from COSO and deals with IT governance, providing processes and control objectives. ITIL is the most used framework for IT service management, focusing on identifying, planning, delivering and supporting IT services businesses rely on. ISO/IEC 27000 is a series of standards that outlines developing and maintaining an information security management system to help organizations manage security controls centrally.
An IT Service Reporting Framework for Effective Implementation of ITIL Contin... - Nancy Ideker
This document proposes an IT service reporting framework to help organizations implement continual service improvement processes according to ISO/IEC 20000. It defines six types of reports for different operational, tactical, and strategic activities. The framework includes guidelines for automating report generation and a process for defining report templates based on organizational requirements. The six report types are: 1) Reporting routine tasks, 2) Reporting assigned tasks, 3) Reporting on events, 4) Reporting on services, 5) Reports on review meetings, and 6) Strategic reports. The reporting framework is intended to help clarify internal communications, simplify defining and monitoring KPIs and metrics, and support the continual service improvement process.
Sim an innovative business oriented approach for a distributed access management - christophefeltus
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to define access control policies in a way that is closely aligned with business objectives. It does this by linking concepts from the ISO/IEC 15504 process-based model for organizing work to concepts of responsibility. The approach also defines a multi-agent system architecture to automate the deployment of access policies across an organization's heterogeneous IT components and devices. This provides autonomy and adaptability. The goal is to improve how access rights are defined according to business needs and how those rights are deployed throughout the IT infrastructure.
Governance and risk in information technology.pdf - bkbk37
This document discusses applying a governance, risk, and compliance (GRC) framework to an IT project at Al Dhafer Hospital. It instructs the reader to:
1) Convert survey questions into Google forms for distribution
2) Follow case studies and apply their methods from an attached paper on GRC strategic alignment
3) Interview three people from different positions at the hospital to get their views on GRC practices and challenges
theroom will build a website that goes above and beyond to create brand recognition for your business. By considering your customers every step of the way theroom can deliver a strategic information architecture and an intuitive user experience.
ACC 675 Final Project Guidelines and Rubric Overvie.docx - nettletondevon
ACC 675 Final Project Guidelines and Rubric
Overview
The final project for this course is the creation of a case study analysis. You will use the article The SOX Compliance Journey at Trinity Industries as a resource for
this project.
Companies today must ensure that operational processes are performing efficiently and effectively in compliance with current regulations. Accountants must
adhere to domestic standards set by organizations—such as the Public Company Accounting Oversight Board and the Financial Accounting and Standards
Board—as well as global standards, such as the International Financial Reporting Standards, requiring appropriate implementation and assessment of internal
controls. Whether developing appropriate processes internally or preparing substantive testing, external auditors must be able to quickly and completely assess
the financial processes, determine weaknesses, and provide recommendations for improvement.
The ability to transcribe formalized or narrative processes into functional workflows allows an auditor to identify potential gaps in accounting systems. These
gaps can result in material audit findings necessitating changes in the company’s control structure.
However, it is not only the process and flow of transactions that requires scrutiny. Companies evolve into sophisticated, computerized systems that require an in-depth understanding of administrative rights, electronic process flows, and end user reporting.
In this case study, you will apply all of these skills in developing recommendations for Trinity Industries. Though the Sarbanes–Oxley Act of 2002 (SOX)
promulgated many internal control structure changes, the company is unsure as to whether they are applying too few or too many internal controls. Unnecessary
controls place added burden on staff and cost the company thousands of dollars in monitoring and maintenance.
Your role will be to provide an overview of the company and its market industry. From this you will formulate your processes into a comprehensive flowchart that
will be used to identify gaps in processes and other threats to potential audit weaknesses.
The project is divided into four milestones, which will be submitted at various points throughout the course to scaffold learning and ensure quality final
submissions. These milestones will be submitted in Modules Two, Four, Six, and Seven. The final product will be submitted in Module Nine.
In this assignment, you will demonstrate your mastery of the following course outcomes:
Transcribe formalized or verbal financial processes into both narrative and process flowcharts for identifying gaps resulting in potential material
weaknesses
Summarize advantages and disadvantages of various accounting electronic data processing systems with respect to a specific industry’s needs
http://ezproxy.snhu.edu/login?url=http://search.proquest.com/docview/963675948?accountid=3783
Perform substantive tes.
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi... - IRJET Journal
The document discusses optimizing business management processes through automation using Microsoft Power Automate and artificial intelligence. It provides an overview of Power Automate's key components and features for automating workflows across various apps and services. The document then presents several scenarios applying automation solutions to common business processes like data entry, monitoring, HR, finance, customer support, and more. It estimates the potential time and cost savings from implementing automation for each scenario. Finally, the conclusion emphasizes the transformative impact of AI and automation tools on business processes and the need for ongoing optimization.
Be aers-fara-modellinginsolvency-nov2010 - Dodi Mulyadi
The document discusses Solvency II modeling requirements and options. It begins by depicting the complex processes and information flows required for Solvency II modeling. It then outlines the 5 options insurers can use to calculate the Solvency Capital Requirement (SCR), ranging from using the standard formula to developing a full internal model. The document also includes sections on model risk, internal model requirements, model governance, and an example of how the internal model use test could demonstrate the interaction between strategy, capital, and risk appetite.
The implementation of IT governance is important to lead and evolve the information system in agreement with stakeholders. This requirement is seriously amplified in the digital era, considering all the new technologies that have been launched recently (Big Data, Artificial Intelligence, Machine Learning, Deep Learning...). Thus, without a good rudder, every company risks getting lost in a sea of endless and unreachable goals.
This paper aims to provide a decision-making system that allows professionals to choose an IT governance framework suitable to the desired criteria and their importance, based on a multi-criteria analysis method (WSM). We implemented a case study based on our analysis in a Moroccan company. Moreover, we present a better understanding of IT Governance aspects such as standards and best practices.
Our article goes into a global objective that aims to build an integrated generated meta-model for better approach of IT Governance.
Chapter 6
Information Governance policy development
Dr. Sandra J. Reeves
ITS 833 – INFORMATION GOVERNANCE
[email protected] J. Reeves 2018
CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG?
A Review of the 8 Generally Accepted Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
Who?
ARMA International & CGOC
When?
2012
Where?
As part of the EDRM Project Version 3.0
Why?
To foster the adoption by facilitating communication and collaboration between IG stakeholder functions, legal, records management, risk management, and business unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: Complex set of interoperable processes and implementing the procedures and structural elements to put them into practice
Requirements:
Understanding of business imperatives
Knowledge of appropriate tools and infrastructure
Sensitivity to legal and regulatory obligations
HOW TO INTERPRET THE IGRM DIAGRAM…continued
Inner Ring: Depicts a work-flow (life-cycle) diagram. Shows that information management is important at all stages of the lifecycle.
So….How is the IGRM Diagram related to the Generally Accepted Recordkeeping Principles®?
Support the ARMA Principle by identifying the cross-functional groups of IG stakeholders
Depicts the intersecting objectives of the organization
Depicts the relationship between duty, value and information assets
Used by proactive organizations as an introspective lens to facilitate visualization, understanding and discussion concerning how to apply the “Principles” to the organization.
Puts focus on the “Principles”
Provides essential context for the maturity model
Considerations in IG Policy Formation?
Best Practices?
YES!
Understand that Best Practices will vary per organization
Review 25 generic Best Practices, Pages 75 and 76 of text book
Standards?
YES!
Two types to consider
De Jure Standards – Legal standards published by standards setting bodies such as ISO, ANSI, NIST, BTS and others
De Facto Standards – Informal standards regarded by many as actual standards – arising through popular use (Example: Windows in the business world in 2001-2010). May be published by formal standards setting bo ...
A business analyst helps bridge the gap between business needs and technical solutions. They analyze an organization's structure, business models, processes and requirements. This includes strategic planning, process design, and interpreting business rules for technical systems. The business analyst ensures the technical solution meets the business goals. Key deliverables include business requirements, functional specifications, user needs documents, and traceability matrices to track requirements throughout the project. Having a business analyst involved in software projects helps clearly define needs and prevents miscommunication between stakeholders and developers.
This document provides definitions and summaries of key concepts related to control and audit information systems, including:
- Definitions of control, which is a managerial function, and audit, which is an independent examination of financial statements and records.
- COBIT is a framework for developing, implementing, monitoring and improving IT governance and management practices.
- COBIT 5 builds on previous versions of COBIT and other frameworks, providing updated guidance while allowing organizations to continue work from earlier versions. It focuses more on enablers, has a new process reference model, and new assessment approaches.
A Framework For Information Security Risk Management Communication - Justin Knight
This document proposes a framework called the Bornman Framework for Information Security Risk Management Communication (BFIC) to help organizations effectively communicate information security risk information between different management levels. The BFIC is made up of three groups of indicators - core indicators related to key risk management processes, indicators that support the identification and control processes, and overarching indicators related to risk management program support. The framework is designed to provide concise yet meaningful information on an organization's information security risk management program to ensure strategic management has the information needed for proper governance and oversight.
A Model Supporting Business Continuity Auditing And Planning In Information S... - Cynthia King
This document presents a model and tool to support business continuity planning (BCP) auditing for information systems. The tool allows IT personnel to estimate and validate Recovery Time Objectives (RTOs) set for business processes based on dependencies between IT assets. The model represents the IT infrastructure as a graph of entities and their dependencies. It can estimate how incidents affecting different entities may propagate through the system and impact business processes. The goal is to determine whether the system can comply with Maximum Tolerable Periods of Disruption (MTPDs) set for each business process.
Modern CFO in control with integrated software CPM-GRC - Mario Halfhide
The document discusses the increasing need for organizations to integrate corporate performance management (CPM) and governance, risk, and compliance (GRC) reporting on a single software platform. It notes that studies show CFOs want this integration to have better control over the reporting process. The document then defines CPM and GRC and trends in software merging these functions. It provides a business case example of an insurance company that integrated its various financial and risk reporting systems onto a unified platform, allowing for improved standardized reporting that incorporates risk management. The conclusion is that laws require organizations to have full control over reporting, and a unified CPM and GRC platform allows accurate and consistent reporting to meet these demands.
The document provides guidance for assessing the scope of IT general controls based on risk for compliance with Sarbanes-Oxley Section 404. It establishes four principles for defining the relevance of IT infrastructure elements and processes to financial reporting integrity. It then provides a methodology for applying a top-down, risk-based approach to scope IT general controls and identify key controls within relevant IT processes. The goal is to develop widely accepted guidance that auditors and management can use to properly scope IT general controls work for financial reporting.
Teaching material for the Business Process Management course at ITU 2018, with regard to Business Process Compliance, analysis, modelling, checking, monitoring, and auditing.
The document discusses the requirements of the Sarbanes-Oxley Act of 2002 for establishing internal control systems at companies whose stocks trade on US markets. It outlines the key components an internal control system must have according to COSO guidelines, including control environment, risk assessment, control activities, information and communication, and monitoring. It also discusses automating internal control systems using integrated business process management software to help companies efficiently comply with Sarbanes-Oxley requirements.
Similar to Improving operational risk management systems by formalizing the basel ii regulation with goal models and the isoiec 15504 approach (20)
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approaches mostly used cloned back-end architectures, while the front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agents' behavioural rules, and restitution of real-time states of a specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers in an integrated and independent platform all the functionalities required to monitor and to govern a wide range of sector-specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
Aligning the business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, the companies face the risk not to be able to deliver their business services satisfactorily and that their image is seriously altered and jeopardized. Among the many challenges of business/IT alignment is the access rights management which should be conducted considering the rising governance needs, such as taking into account the business actors' responsibility. Unfortunately, in this domain, we have observed that no solution, model and method, fully considers and integrates the new needs yet. Therefore, the paper proposes firstly to define an expressive Responsibility metamodel, named ReMMo, which allows representing the existing responsibilities at the business layer and, thereby, allows engineering the access rights required to perform these responsibilities, at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and benefits from the enterprise architecture formalism. Finally, a method has been proposed to define the access rights more accurately, considering the alignment of ReMMo and RBAC. The research was realized following a design science and action design based research method and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. It analyzes concepts of responsibility from literature and frameworks like COBIT. The researchers developed a responsibility model with key concepts like obligation, accountability, right, and commitment. They then compare this model to COBIT's representation of responsibility to identify areas for potential enhancement, like adding concepts that COBIT lacks. The document illustrates how the responsibility model could be used to refine COBIT's process for identifying system owners and their responsibilities.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
2) The approach uses an agent's reputation, which is based on past performance, to determine which agents receive which responsibilities as crisis situations change over time.
3) Assigning responsibilities dynamically based on reputation allows the system to continue operating effectively if an agent becomes isolated or has reduced capabilities during a crisis.
The document describes the NOEMI assessment methodology, which was developed as part of a research project to help very small enterprises (VSEs) improve their IT practices. The methodology aims to assess VSEs' IT capabilities in order to facilitate collaborative IT management across organizations. It was designed to be aligned with common IT standards like ISO/IEC 15504 and ITIL, but adapted specifically for VSEs. The methodology has been tested through several case studies with VSEs in Luxembourg, with promising results.
This document proposes an extension of the ArchiMate enterprise architecture framework to model multi-agent systems for critical infrastructure governance. The authors develop a responsibility-driven policy concept and metamodel layers to represent agent behavior and organizational policies across technical, application, and organizational layers. The approach is illustrated through a case study of a financial transaction processing system.
This document summarizes an experimental prototype of the OpenSST protocol for secured electronic transactions. OpenSST was developed to achieve high security, simplicity in software engineering, and compatibility with existing standards. The prototype uses OpenSST for the authorization portion of electronic payments in an e-business clearing solution. It describes the OpenSST message format and types, and discusses how OpenSST is implemented in the prototype's three-element architecture of an OpenSST proxy, reverse proxy, and server.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
This document discusses the NOEMI model, a collaborative management model for ICT processes in SMEs. The model was developed by the Centre Henri Tudor and tested with a cluster of 8 partner SMEs. Key aspects of the model include defining ICT activities across 5 domains, assessing each SME's capabilities, and having an operational team manage activities for the cluster under a coordination committee. The experiment showed improved cost control, management, and partner satisfaction compared to alternatives like outsourcing or hiring individual IT staff. The research is now ready for market transfer as the successful model is adopted long-term by participating SMEs.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
This document proposes a methodology for aligning business and IT policies using a responsibility model. The methodology is a five-step approach consisting of collecting information, defining capabilities, accountabilities and commitments, linking responsibilities to processes, validating the model, and defining policies. It is illustrated with a case study from an IT company where they define an access control policy using this methodology and responsibility model. The responsibility model defines three components - capabilities, accountabilities, and commitments - to clarify roles and responsibilities for policy definition.
This document proposes a metamodel for modeling reputation-based multi-agent systems using an adaptation of the ArchiMate enterprise architecture modeling framework. It describes a case study applying this metamodel to model an electrical distribution critical infrastructure system. Key elements of the metamodel include:
- Representing agents and their behaviors through policies that integrate both behavior and trust components
- Modeling trust relationships between agents using a reputation-based trust model
- Illustrating the metamodel layers and components on a system that detects weather alerts and broadcasts messages to the public through various channels like SMS or social media
This is a presentation about electrostatic force. This topic is from the class 8 Force and Pressure lesson from NCERT. I think this might be helpful for you. In this presentation there are 4 contents: Introduction, types, examples and demonstration. The demonstration should be done by yourself.
just download it to see!
Dalghren, Thorne and Stebbins System of Classification of AngiospermsGurjant Singh
The Dahlgren, Thorne, and Stebbins system of classification is a modern method for categorizing angiosperms (flowering plants) based on phylogenetic relationships. Developed by botanists Rolf Dahlgren, Robert Thorne, and G. Ledyard Stebbins, this system emphasizes evolutionary relationships and incorporates extensive morphological and molecular data. It aims to provide a more accurate reflection of the genetic and evolutionary connections among angiosperm families and orders, facilitating a better understanding of plant diversity and evolution. This classification system is a valuable tool for botanists, researchers, and horticulturists in studying and organizing the vast diversity of flowering plants.
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...Sérgio Sacani
LHS 1140 b is the second-closest temperate transiting planet to the Earth with an equilibrium temperature low enough to support surface liquid water. At 1.730±0.025 R⊕, LHS 1140 b falls within
the radius valley separating H2-rich mini-Neptunes from rocky super-Earths. Recent mass and radius
revisions indicate a bulk density significantly lower than expected for an Earth-like rocky interior,
suggesting that LHS 1140 b could either be a mini-Neptune with a small envelope of hydrogen (∼0.1%
by mass) or a water world (9–19% water by mass). Atmospheric characterization through transmission
spectroscopy can readily discern between these two scenarios. Here, we present two JWST/NIRISS
transit observations of LHS 1140 b, one of which captures a serendipitous transit of LHS 1140 c. The
combined transmission spectrum of LHS 1140 b shows a telltale spectral signature of unocculted faculae (5.8 σ), covering ∼20% of the visible stellar surface. Besides faculae, our spectral retrieval analysis
reveals tentative evidence of residual spectral features, best-fit by Rayleigh scattering from an N2-
dominated atmosphere (2.3 σ), irrespective of the consideration of atmospheric hazes. We also show
through Global Climate Models (GCM) that H2-rich atmospheres of various compositions (100×, 300×,
1000×solar metallicity) are ruled out to >10 σ. The GCM calculations predict that water clouds form
below the transit photosphere, limiting their impact on transmission data. Our observations suggest
that LHS 1140 b is either airless or, more likely, surrounded by an atmosphere with a high mean molecular weight. Our tentative evidence of an N2-rich atmosphere provides strong motivation for future
transmission spectroscopy observations of LHS 1140 b.
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...University of Maribor
Slides from talk:
Aleš Zamuda, Mark Dokter:
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking Randomised Optimisation Algorithms.
2024 International Conference on Broadband Communications for Next Generation Networks and Multimedia Applications (CoBCom), 9--11 July 2024, Graz, Austria
https://www.cobcom.tugraz.at/
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...Sérgio Sacani
The shape of the dark matter (DM) halo is key to understanding the
hierarchical formation of the Galaxy. Despite extensive efforts in recent
decades, however, its shape remains a matter of debate, with suggestions
ranging from strongly oblate to prolate. Here, we present a new constraint
on its present shape by directly measuring the evolution of the Galactic
disk warp with time, as traced by accurate distance estimates and precise
age determinations for about 2,600 classical Cepheids. We show that the
Galactic warp is mildly precessing in a retrograde direction at a rate of
ω = −2.1 ± 0.5 (statistical) ± 0.6 (systematic) km s−1 kpc−1 for the outer disk
over the Galactocentric radius [7.5, 25] kpc, decreasing with radius. This
constrains the shape of the DM halo to be slightly oblate with a flattening
(minor axis to major axis ratio) in the range 0.84 ≤ qΦ ≤ 0.96. Given the
young nature of the disk warp traced by Cepheids (less than 200 Myr), our
approach directly measures the shape of the present-day DM halo. This
measurement, combined with other measurements from older tracers,
could provide vital constraints on the evolution of the DM halo and the
assembly history of the Galaxy.
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...Sérgio Sacani
This work assesses the potential of midsized and large human landing systems to deliver water from their exhaust
plumes to cold traps within lunar polar craters. It has been estimated that a total of between 2 and 60 T of surficial
water was sensed by the Lunar Reconnaissance Orbiter Lyman Alpha Mapping Project on the floors of the larger
permanently shadowed south polar craters. This intrinsic surficial water sensed in the far-ultraviolet is thought to be
in the form of a 0.3%–2% icy regolith in the top few hundred nanometers of the surface. We find that the six past
Apollo Lunar Module midlatitude landings could contribute no more than 0.36 T of water mass to this existing,
intrinsic surficial water in permanently shadowed regions (PSRs). However, we find that the Starship landing
plume has the potential, in some cases, to deliver over 10 T of water to the PSRs, which is a substantial fraction
(possibly >20%) of the existing intrinsic surficial water mass. This anthropogenic contribution could possibly
overlay and mix with the naturally occurring icy regolith at the uppermost surface. A possible consequence is that
the origin of the intrinsic surficial icy regolith, which is still undetermined, could be lost as it mixes with the
extrinsic anthropogenic contribution. We suggest that existing and future orbital and landed assets be used to
examine the effect of polar landers on the cold traps within PSRs
ScieNCE grade 08 Lesson 1 and 2 NLC.pptxJoanaBanasen1
just download it................
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptxJoanaBanasen1
download it
Improving Operational Risk Management Systems by Formalizing the Basel II Regulation with Goal Models and the ISO/IEC 15504 Approach
André Rifaut and Christophe Feltus
Centre de Recherche Public Henri Tudor, 29, Avenue John F. Kennedy, L-1855 Luxembourg-Kirchberg, Luxembourg
{Andre.Rifaut, Christophe.Feltus}@tudor.lu
http://www.tudor.lu
Abstract. The bankruptcy of financial institutions shows the rapid changes in the risk profiles of financial systems and processes. Although financial institutions have always managed operational risks, the profile of this kind of risk is changing due to increasing international competitive pressure and the evolution of the financial institutions’ operational systems, which rely more and more on IT systems. This paper reports the results of the joint research with the CSSF [1] focusing on the formalization of both the Basel II Accord and compliant operational risk management (ORM) system implementations. This formalization uses concepts of the ISO/IEC 15504 process assessment standard and the concepts of strategy and policy. This structure of the model ensures traceability between the Basel II Accord and compliant ORM system implementations, improves the formal validation of those systems and is better suited to representing all organizational levels of financial institutions.
1 Introduction
In Luxembourg, the stability of the financial system is at the core of the economic stability of the country. The CSSF [1], which is the official authority for the supervision of financial institutions, has the responsibility to define financial regulations and ensure their fulfillment. This task is not easy because more and more international regulations are being introduced, such as the IFRS [2], the Sarbanes-Oxley Act (SoX) [2] and the Basel II Accord [3]. Audit managers, risk managers (including security managers), and compliance managers have developed standards addressing those regulations. For instance, Coso [2], CobIT [2], ITIL [18] and ERM [2] are governance and risk management standards. However, up to now there is nearly no integration between the regulations themselves, nor between those standards. A joint research with the CSSF aims at defining a method for ensuring a correct implementation of financial systems compliant with the Basel II regulation. The results [20,5] are based on quality methods and techniques, mainly goal-based models and analyses used in goal-oriented requirements engineering (GORE) [4]. The originality of the work lies in the formalization of the Basel II Accord and Operational Risk Management (ORM) systems by using concepts of the ISO/IEC 15504 process assessment standard [6] and the concepts of strategy and policy. This gives an adequate structure to the models at all organizational levels of financial institutions, ensures formal traceability between the Basel II Accord and ORM systems, and improves their formal validation.
This paper summarizes and extends the results of the joint research with the CSSF, focusing on the formalization of both the Basel II Accord and compliant ORM system implementations. More information on the research results, the ISO/IEC 15504 standard, the Basel II Accord, and other standards such as ITIL is freely available on the CSSF website [1]. The next section presents the main goals of this research and the preliminary results. Section 3 shows the technique that has been created in the context of the real case study concerning the Basel II Accord regulation and its implementation in financial institutions. The last section summarizes the main results of this project and presents the future work that will be done within the follow-up research projects.
2 The Implementation of ORM Systems compliant to Basel II.
The Basel Committee has defined operational risk as follows: it is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (§644 in [1]). As such, operational risk encompasses all risks occurring at the operational and technical levels (see Fig. 1), in particular all risks of the IT Software Engineering Processes (risks that concern project management, requirements analysis, design, security, ...). The methods used in IT Software Engineering (e.g. for safety and security analyses) do not cover the analysis of this very broad scope of risks.
The need for practical techniques is critical in order to help business units’ managers efficiently implement the core business processes that are under their responsibility. Indeed, not only does the Basel II Accord impose constraints on those core financial processes, but other regulations (e.g. SoX, IFRS) also interfere with the same processes. Moreover, each regulation stresses the importance of a different but inter-related aspect. For instance, SoX stresses the importance of the reporting system, which is also a concern of the ORM of the Basel II Accord. In addition, decisions about ORM system implementation must be made at the strategic, tactical, operational and technical levels. This increases the complexity of modeling and implementing ORM systems, taking into account also that operational risks exist in every business process, implying strong relationships with new ORM systems. Last but not least, those regulations are hard to understand due to their lack of structure and lack of completeness. For instance, in the Basel II Accord there is no definition of important concepts such as “ORM system”, “loss”, “loss event”, “expected loss”, “unexpected loss”, ...
Requirements engineering and goal-oriented methods. The GORE methods can overcome the difficulties presented in the preceding section by formalizing the Basel II Accord and the implementation of ORM systems. These methods can be used to analyze and model systems at all organizational levels, from Business Models up to architectures [4]. Goal-oriented modeling languages are appropriate for that broad range of models and they support formal analyses. However, in the case of the ORM system, it is difficult to manage all of those large models and complex analyses. Moreover, for validation purposes, it is important to refer to the concepts used in organizations, such as strategic objectives, strategies and plans, key indicators, policies, SLAs, ... Within the Basel II Accord context, additional structuring mechanisms have to be created on top of the usual goal-oriented concepts.
[Figure 1: pyramid of organizational layers. "Standard view of organizational layers": strategic level (business value), tactical level (business processes), operational level (procedures), technical level (e.g. in the IT domain: applications, components, …). "Concepts and artifacts of organizational layers": objectives or goals, indicators, strategies and policies.]
Fig. 1. The pyramid is used in management methods (e.g. [7]). The lowest 4 artifacts are defined with GORE models [4].
3 Formalizing Basel II and ORM with goal models and the
ISO/IEC 15504 approach
The general framework given in Figure 1, represented by the pyramid, is a standard
view of the organization [7] used in financial institutions (and other institutions).
The four organizational layers [8] – strategic, tactical, operational and technical levels
– use concepts adapted to handle decisions at their corresponding abstraction level.
These are mainly (respectively) business value [9], business processes, procedures and
technical artifacts [10] such as IT applications in the IT domain.
ISO/IEC 15504 process assessment model. A first part of the structure is given by
separating the description of the core activities of the business processes from the
activities related to the capabilities of the business process (e.g. planning, work
product control, process documentation, performance measurement, performance
improvement, ...). As explained in [5], this separation of concerns has proven to be
very useful during the verification and the validation of the goal models.
When describing process models with the ISO/IEC 15504 standard, this separation of
concerns is imposed. This new standard has been designed to be applicable to any
business process and is no longer limited to software engineering processes [20].
Objectives, strategies, policies and indicators. Those concepts (bottom of Figure 1)
detail complementary aspects needed for designing business processes, procedures
and technical artifacts. They are similar to organizational concepts needed in order to
structure and formalize the links between each of the organizational levels [11].
When designing lower-level artifacts from higher-level ones and when verifying
the link between two organizational levels, one has to distinguish between the main
objectives to be fulfilled, the strategy describing the approach to fulfill these
objectives, and the roles and responsibilities (policies) of the resources that will
implement the strategies. Indicators are defined when there is a need for some
monitoring, control, supervision or measurement concerning objectives, strategies or
policies. Strategies and policies must be complementary and consistent with each other
and they must fulfill the objectives.
Fig. 2. Basel II ORM (left side) partially implemented (right side). Upside-down arrows show
that the implementation contributes to each level of ORM.
The formal definition of those 4 concepts uses goal-oriented techniques [4,5]. For
the indicators, our work is based on the Goal-Question-Metric method (GQM) [12].
Policies give a description of the roles and responsibilities (in accordance with [13]
and policy management [14,15,16]) and allow detailing the authorizations, obligations
(and their delegations), accountabilities, and separations of duties. Strategies
give a description of the main approach or steps to fulfill given objectives. Our work
follows [17], where strategies are integrated with goal-oriented analysis. For the sake
of separation of concerns, responsibilities (and related aspects) are not defined in
strategies but only in policies. Note that in financial institutions, the description of
a policy recalls its related objectives and strategies. This is also sometimes the case
for strategies, which give a short description of their corresponding policies (i.e. a
description of roles and responsibilities). However, it is found essential to separate
those descriptions when designing and analyzing those policies and strategies.
For instance, the diagram in Figure 2 shows the model of the strategic level
(topmost) and operational level (bottom). Only objectives are shown for those two
levels. In between, at the tactical level, the objectives and indicators of business
processes are shown. The left part of the diagram shows the Basel II Accord formalization
of ORM. The right part presents a partial ORM system implementation using ITIL
[18]. The links between the two models are formally analyzed [5].
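The rules stated in this section (strategies and policies must be complementary and fulfill the objectives, responsibilities are defined only in policies, indicators attach to objectives, strategies or policies, and policies carry separations of duties) can be checked mechanically. The following Python is an added example, not the paper's goal-model formalization or the authors' prototype; the dictionary schema, role names and sample ORM content are constructed assumptions.

```python
# Added illustration: a hypothetical encoding of one organizational level
# (objectives, strategies, policies, indicators) and the consistency checks
# the text describes. Schema, role names and sample content are constructed.

LEVEL = {  # constructed sample for an operational-risk process
    "objectives": {"O1": "Loss events are recorded", "O2": "Loss events are reviewed"},
    "strategies": {  # steps only: no roles here (separation of concerns)
        "S1": {"fulfills": ["O1"], "steps": ["record_event"]},
        "S2": {"fulfills": ["O2"], "steps": ["approve_event"]},
    },
    "policies": {  # roles and responsibilities, one entry per strategy step
        "record_event": {"responsible": ["clerk"], "accountable": "risk_officer"},
        "approve_event": {"responsible": ["clerk"], "accountable": "risk_officer"},
    },
    "separation_of_duties": [("record_event", "approve_event")],
    "indicators": {"I1": {"measures": "O1"}, "I2": {"measures": "S9"}},
}

def check_level(level):
    """Return sorted findings; an empty list means the level is consistent."""
    findings = []
    objectives, strategies = level["objectives"], level["strategies"]
    policies = level["policies"]
    covered = set()
    for sid, strat in strategies.items():
        if "responsible" in strat or "accountable" in strat:
            findings.append(f"{sid}: responsibilities belong in policies, not strategies")
        for oid in strat["fulfills"]:
            if oid in objectives:
                covered.add(oid)
            else:
                findings.append(f"{sid}: fulfills unknown objective {oid}")
        for step in strat["steps"]:
            if step not in policies:  # strategy and policy are not complementary
                findings.append(f"{sid}: step {step} has no policy assigning it")
    for oid in objectives.keys() - covered:
        findings.append(f"{oid}: no strategy fulfills this objective")
    for a, b in level["separation_of_duties"]:
        shared = set(policies.get(a, {}).get("responsible", [])) & set(
            policies.get(b, {}).get("responsible", []))
        for role in shared:
            findings.append(f"SoD: role {role} is responsible for both {a} and {b}")
    known = objectives.keys() | strategies.keys() | policies.keys()
    for iid, ind in level["indicators"].items():
        if ind["measures"] not in known:
            findings.append(f"{iid}: measures unknown element {ind['measures']}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_level(LEVEL):
        print(finding)
```

On the constructed sample the check reports the clerk role holding both the recording and the approval step, and an indicator that points at a strategy that does not exist.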
4 Conclusions and Future Works
Building upon a method defined within the setting of a real case study in financial
institutions, the Basel II Accord, this paper presents new results that aim to give
a simple but integrated set of concepts – goals, indicators, policies and strategies –
which can be used to design financial systems compliant with regulations and to
structure their analysis in relation to the artifacts commonly used in financial
institutions – business models, business process models, procedures and more
technical artifacts. Formalizing goals, indicators, policies and strategies
independently from each other allows analyzing and recording the design decisions
across all organizational levels, which makes the link with the regulation easier.
The main advantage of this method is that it keeps the structuring power of the
ISO/IEC 15504 capability model, which can be used to discover weaknesses and
operational risks in the business process implementation with the method explained
in [19]. Based on the same techniques as in [15], a prototype implementation is under
development.
The current and future work of the authors focuses on a constructive method aiming
to give effective support for financial business process design (compliant with
regulations), establishment, assessment, improvement, governance and benchmarking
[5]. In particular, a risk and value analysis method adapted to process assessment,
improvement and governance is under development. Some support is also given to
other research by experts in DPM [21]. The aim of those experts is to ground
digital policy management in sound non-federated distributed IT systems that
enforce policy fulfillment even outside the traditional IS frontier of each institution.
Finally, the current project with the CSSF is still in progress, with results that are
extended to the IFRS [2] concerning the management of unquoted assets (IFRS-IAS 39)
[2]. In addition to modeling this regulation and the systems compliant with it, the
relationship between IFRS-IAS 39 and Basel II can be analyzed and alternative compliant
implementations of integrated systems can also be designed.
References
1. CSSF: Commission de Surveillance du Secteur Financier. The first results of the joint project are freely downloadable at http://www.cssf.lu/index.php?id=130 .
2. IFRS: International Financial Reporting Standards, IASCF, USA. SoX: Sarbanes Oxley Act of 2002, USA. COSO: Internal Control – Integrated Framework, CSOTC, USA. CobiT®: Control Objectives for Information and related Technology, ISACA, USA. ERM: Enterprise Risk Management – Integrated Framework, CSOTC, USA.
3. Basel Committee on Banking Supervision, “International Convergence of Capital Measurement and Capital Standards”; BIS; Basel, June 2004.
4. A. van Lamsweerde, "Goal-Oriented Requirements Engineering: A Guided Tour". Invited minitutorial, Proc. RE'01 - International Joint Conference on Requirements Engineering, Toronto, IEEE, August 2001, pp. 249-263.
5. André Rifaut, “Goal-Driven Requirements Engineering for Supporting the ISO 15504 Assessment Process”, EuroSPI 2005, Budapest.
6. ISO/IEC 15504, “Information Technology – Process assessment”, (parts 1-5), 2003-2006 (see website [1] for details about this standard).
7. Anthony, R. N. Planning and Control Systems: A Framework for Analysis. Harvard University, Boston, USA, 1965.
8. Henderson, J. and Venkatraman, N., “Strategic alignment: Leveraging technology for transforming organizations”. IBM Systems Journal, 1999, 38.
9. Osterwalder and Pigneur. An Ontology for e-business models. In “Value Creation from E-Business Models”, Wendy Currie ed., Butterworth-Heinemann. Apr 2005.
10. Robson W, Strategic Management and Information Systems, Pitman, 1997.
11. Chaffey et al. (2005) - Business Information Systems: Technology, Development and Management for the E-business, Prentice Hall.
12. Van Solingen, “The Goal/Question/Metric Method: A Practical Guide For Quality Improvement of Software Development”, McGraw-Hill, Jan. 1999.
13. René Wies, “Using a Classification of Management Policies for Policy Specification and Policy Transformation”. In Proc. ISINM '95, Santa Barbara, California, May 1995.
14. N. Damianou, N. Dulay, E. Lupu, and M. Sloman, “The ponder policy specification language”. In Morris Sloman (ed), Proc. of Policy Workshop, 2001, Bristol UK, January 2001.
15. A. Schaad and J. Moffett. “Delegation of obligations.” In IEEE Policy Workshop, 2002.
16. Qingfeng He and Annie I. Antón, “Deriving Access Control Policies from Requirements Specifications and Database Designs”, ICSE 2005.
17. Rolland C., N. Prakash, A. Benjamen, “A multi-model view of process modelling.” Requirements Engineering Journal, p. 169-187, 1999.
18. ITIL: IT Infrastructure Library – Service Support, Service Delivery, published by OGC, London. (see website [1] for details about this standard).
19. A. Rifaut, M. Picard and B. Di Renzo, “ISO/IEC 15504 Process Improvement to Support Basel II Compliance of Operational Risk Management in Financial Institutions”, International Conference SPiCE 2006.
20. B. Di Renzo, M. Hillairet, M. Picard, A. Rifaut, C. Bernard, D. Hagen, P. Maar, D. Reinard, “Operational Risk management in Financial Institutions: Process Assessment in Concordance with Basel II”, International Conference SPiCE 2005.
21. J.-H. Morin and M. Pawlak, “Towards a Global Framework for Corporate and Enterprise Digital Policy Management”, SoftWars conference, Las Vegas, USA, Dec 11, 2005.