The document discusses a presentation given at the itSMF-NL Spring 2008 Conference on ISO/IEC 29382, the new international standard for ICT Governance. The presentation covered definitions of ICT Governance, the involvement of the itSMF in the ISO study group developing the standard, and key topics addressed in the interim report and future scope beyond the initial standard. It provided an overview of the work underway to develop a comprehensive international standard on ICT Governance.
This document provides an overview and comparison of ITIL, COBIT, and ISO27001 frameworks. ITIL is an IT service management framework that aims to align IT with business needs. COBIT is an IT governance framework that bridges control requirements, technical issues, and business risks. ISO27001 provides a framework for building an information security management system to protect information assets and achieve certification. While the frameworks have different origins and objectives, they can work together to standardize IT processes, implement controls, and manage information security.
IT governance, or corporate governance of information technology, is a subset discipline of corporate governance focused on information and technology (IT) and its performance and risk management. Interest in IT governance stems from the ongoing need within organizations to focus value-creation efforts on the organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
EOSC Governance Session - EOSC Stakeholders Forum 2018 (EOSCpilot.eu)
The document summarizes a discussion on governance for the European Open Science Cloud (EOSC). It outlines three levels of governance: institutional, executive/operational, and advisory. The panelists discussed the main purpose of EOSC governance, what should be in and out of scope, and its relation to EuroHPC governance. Crucial elements from stakeholders' perspectives include engaging the community, getting things done through an executive board and working committees, and measuring results. Key working groups for the first implementation phase and concluding remarks on success factors were also presented.
theroom will build a website that goes above and beyond to create brand recognition for your business. By considering your customers every step of the way theroom can deliver a strategic information architecture and an intuitive user experience.
This document summarizes the findings of research conducted by the IT Governance Institute on how business goals drive IT goals. An expert panel from various industries and geographic locations validated lists of 17 business goals and 18 IT goals. The top 10 most important goals were consistent across sectors and included improving customer orientation/service and managing business/IT risks in the top business goals, and ensuring reliable/secure IT services and aligning IT strategy to business strategy in the top IT goals. The research also identified priorities that varied by industry sector.
11. A descriptive analysis of the challenges facing information technology man... (Alexander Decker)
1. This study examines the challenges faced by IT managers in their management practices. It analyzes the drivers of management practices adopted from an experiential leadership model, including rules, initiatives, integrity, immediate action, and emotions.
2. A mixed-methods approach was used, including focus group discussions and a survey of 149 IT managers and administrators. The survey examined how the managers perceived the importance of each driver in their work.
3. The findings showed that immediate action in response to emergencies was seen as the most important driver. Rules, and commitment to rules, were seen as the second most challenging impediment faced by IT managers in their work.
ICEGOV2009 - Tutorial 6 - Visions and Challenges for Leading Public Sector Tr... (ICEGOV)
This document discusses the roles of Chief Information Officers (CIOs) in government. It covers several topics:
- CIOs play an important role in leading public sector transformation for the information age and facilitating e-leadership in government.
- National legislation and policies are needed to promote e-leadership and the development of CIO systems within government.
- For CIOs to be effective, they must understand government institutional frameworks and work within national ICT policy structures.
- Developing human capacity and cross-agency coordination are also important for successful e-government initiatives led by CIOs.
Achieving Global Best Practice in ICT Sustainability (Lee Stewart)
Fujitsu manages over 500,000 ICT assets for customers in Australia and New Zealand, with an annual power and cooling bill of over $42 million and carbon emissions of 150,000 tonnes. Most organizations have an average ICT sustainability score of 53 out of 100, while best practice is 80. Fujitsu worked with customers like Meridian Energy and Qantas to improve their scores through benchmarking, workshops identifying improvement projects, and setting targets to achieve best practice within a year. Meridian achieved a score of 80+ through initiatives like a green IT policy, procurement standards, and executive support. Achieving best practice can save up to $16 million and reduce emissions by 60,000 tonnes annually.
Harley Davidson recognized the need to align IT with its business strategy for continued growth. It implemented an IT governance framework to unite management, IT, and audit functions while preserving company culture. The framework aligned IT decision making with business objectives, managed risks, and ensured IT resources supported business goals. This allowed Harley Davidson to sustain record growth for 20 consecutive years while effectively governing its increasing IT usage and investments.
Linking Systems to Strategy - Which system(s) and which strategy?
This document discusses challenges facing the New Zealand health system and opportunities to improve information technology (IT) governance and implement shared services. It notes a highly complex health system with over 3,000 GPs, 82 health organizations, and IT investments accounting for over 9% of GDP. Questions are raised about coordinating change across stakeholders and leveraging scale through a common approach to services. The key barriers to shared services need to be addressed and next steps identified to make progress on this. Strong IT governance is important, clarifying decision rights, accountability, investment priorities, and architecture to encourage better coordination and outcomes from IT.
11.0002 www.iiste.org call for paper. Information technology management - a crit... (Alexander Decker)
This document summarizes a research study on managerial impediments facing information technology (IT) managers. The study investigated five key drivers of management that can hinder IT managers' ability to implement organizational strategies and objectives: rules, initiatives, emotions, immediate action, and integrity. A survey of 147 IT managers and administrators in Canada found that the emotions driver was the most significant obstacle, followed by rules and immediate action. While various obstacles exist, the findings suggest IT managers must address drivers such as emotions and immediate issues in order to better support their competencies and job performance.
2. Information technology management: a critical analysis of managerial impedi... (Alexander Decker)
This document summarizes a research study on managerial impediments facing information technology (IT) managers. The study investigated five managerial drivers that can hinder IT managers' ability to implement organizational strategies and objectives: rules, initiatives, emotions, immediate action, and integrity. A mixed-methods approach was used, involving focus groups and surveys of 147 IT managers and administrators. The results found that the emotion driver was perceived as the biggest obstacle, followed by rules, immediate action, and initiatives. The study concludes that while various obstacles exist for IT managers, further research is needed to better understand how these impediments affect their competencies and job performance.
How to conduct a literature review: A literature review on knowledge manageme... (Roberto Cerchione)
Guidelines for writing a literature review applied to the topic of Knowledge Management in SMEs.
This paper provides a systematic review of the literature on knowledge management (KM) in small and medium enterprises (SMEs) and SME networks. The main objective is to highlight the state of the art of KM from the management point of view in order to identify relevant research gaps. The review shows that in recent years the number of papers on the topic has been growing and that they draw on a variety of approaches, methodologies and models from different research areas. The vast majority of the papers analysed focus on KM within the SME, while only a few analyse KM in networks populated by SMEs. The content analysis of the papers highlights six areas of investigation, from which ten research questions were derived concerning three perspectives: the factors affecting KM; the impact of KM on the firm's performance; and knowledge management systems.
To cite this paper: Cerchione, R., Esposito, E., Spadaro, M.R. A literature review on knowledge management in SMEs (2016) Knowledge Management Research and Practice, 14 (2), pp. 169-177.
To link to this paper: doi:10.1057/kmrp.2015.12
From IT service management to IT service governance: An ontological approach ... (IJECEIAES)
Some companies have achieved better performance as a result of their IT investments while others have not, so organizations are interested in calculating the value added by their IT. A wide range of literature agrees that the best practices used by organizations promote continuous improvement in service delivery. Nevertheless, overuse of these practices can have undesirable effects and lead to unquantified investments. This paper proposes a practical tool, formally developed according to the DSR (design science research) approach, that addresses a domain relevant to both practitioners and academics by providing an IT service governance (ITSG) domain model ontology concerned with maximizing the clarity and veracity of the concepts within it. The results revealed that the proposed ontology resolved key barriers to ITSG process adoption in organizations, and that combining COBIT and ITIL practices would help organizations better manage their IT services and achieve better business-IT alignment.
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approaches mostly use cloned back-end architectures, while the front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agents' behavioural rules, and restitution of the real-time state of a specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers in an integrated and independent platform all the functionalities required to monitor and govern a wide range of sector-specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
Joint Workshop on Security Modeling: ArchiMate Forum and Security Forum
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
Alignment of ReMMo with RBAC to manage access rights in the frame of enterpri...
Aligning business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, companies face the risk of not being able to deliver their business services satisfactorily and of having their image seriously damaged. Among the many challenges of business/IT alignment is access rights management, which should be conducted with rising governance needs in mind, such as taking the business actors' responsibility into account. Unfortunately, in this domain we have observed that no solution, model or method yet fully considers and integrates these new needs. Therefore, the paper first proposes an expressive Responsibility metamodel, named ReMMo, which allows the existing responsibilities at the business layer to be represented and, thereby, the access rights required to perform these responsibilities to be engineered at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and to benefit from the enterprise architecture formalism. Finally, a method has been proposed to define access rights more accurately, considering the alignment of ReMMo and RBAC. The research was carried out following a design science and action design research method, and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
Towards an innovative systemic approach of risk management
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
Towards an HL7-based metamodeling integration approach for embracing the priva...
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
Strengthening employee's responsibility to enhance governance of IT – COBIT r...
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. It analyzes concepts of responsibility from literature and frameworks like COBIT. The researchers developed a responsibility model with key concepts like obligation, accountability, right, and commitment. They then compare this model to COBIT's representation of responsibility to identify areas for potential enhancement, like adding concepts that COBIT lacks. The document illustrates how the responsibility model could be used to refine COBIT's process for identifying system owners and their responsibilities.
ISO/IEC 38500 provides a framework of principles for corporate governance of information technology, while ISO/IEC 27000 standards address information security management. ISO/IEC 38500 covers responsibilities, planning, acquisition, performance, conformity, and human factors of IT use. ISO/IEC 27000 overlaps with areas like risk management, legal compliance, performance, and management responsibility. A new IT governance standard should account for similarities to prevent inconsistencies, especially for combined auditing against governance and information security standards.
Governing Information Security in Conjunction with COBIT and ISO 27001 (IJNSA Journal)
In this paper, after giving brief definitions of Information Security Management Systems (ISMS), ISO 27001, IT governance and COBIT, the pros and cons of implementing only COBIT, implementing only ISO 27001, and implementing both COBIT and ISO 27001 together when governing information security in enterprises are discussed.
This document discusses IT governance and provides an overview of key concepts. It defines IT governance as consisting of leadership, structures, and processes to ensure IT supports business strategies and objectives. The document outlines five areas of focus for IT governance: strategic alignment, value delivery, resource management, risk management, and performance measurement. It also discusses why IT governance is important, who benefits, common frameworks that can be used, as well as advantages and disadvantages.
Similar to "ISO/IEC 29382: the new standard for ICT governance" (Christophe Feltus)
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to align access management policies more closely with business objectives. It does this in two ways:
1) By focusing the policy engineering process on business goals and responsibilities defined in processes, using concepts from the ISO/IEC 15504 standard. This links capabilities and accountabilities to process outcomes and work products.
2) By defining a multi-agent system architecture to automate the deployment of policies across heterogeneous IT components and devices. The agents provide autonomy and ability to adapt rapidly according to context.
The approach was prototyped using open source components and aims to improve how access rights are defined according to business needs and deployed across an organization.
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
2) The approach uses an agent's reputation, which is based on past performance, to determine which agents receive which responsibilities as crisis situations change over time.
3) Assigning responsibilities dynamically based on reputation allows the system to continue operating effectively if an agent becomes isolated or has reduced capabilities during a crisis.
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates concepts from the business and technical layers, with the concept of employee responsibility bridging the two. It incorporates four types of obligations from the COBIT framework to refine employee responsibilities and better assign access rights. ReMoLa maps responsibilities to roles in the RBAC model to leverage its advantages for access right management while ensuring responsibilities align with business tasks and employee commitment.
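The ReMMo and ReMoLa summaries above both describe aligning a responsibility model with RBAC, so that an employee's access rights follow from the business tasks that employee is accountable for. The Python block below is an added illustration of that alignment and is not code from either paper: it assumes a deliberately minimal responsibility model (actor, business task, rights the task requires), derives an RBAC policy from it, and reconciles an independently deployed RBAC policy against the responsibilities to surface both over-privilege (rights with no responsibility behind them) and gaps (responsibilities the policy does not let the actor fulfil). All actor, task and permission names are constructed for the example.

```python
"""Toy responsibility-to-RBAC reconciliation (added illustration, not the
ReMMo/ReMoLa metamodel itself). Data model and all names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Responsibility:
    """Business-layer statement: `actor` is accountable for `task`, and
    performing the task requires the application-layer `rights`."""
    actor: str
    task: str
    rights: frozenset[str]


@dataclass
class RbacPolicy:
    """Deployed RBAC policy: roles carry permissions, users hold roles."""
    role_perms: dict[str, set[str]]
    user_roles: dict[str, set[str]]

    def effective_perms(self, user: str) -> set[str]:
        """Union of the permissions of every role the user holds."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))


def required_rights(responsibilities: list[Responsibility]) -> dict[str, set[str]]:
    """Rights each actor needs, derived only from assigned responsibilities."""
    need: dict[str, set[str]] = {}
    for r in responsibilities:
        need.setdefault(r.actor, set()).update(r.rights)
    return need


def derive_policy(responsibilities: list[Responsibility]) -> RbacPolicy:
    """Engineer an RBAC policy from responsibilities: one role per business
    task, carrying exactly the rights that task requires, assigned to the
    actors accountable for it (the responsibility-first direction)."""
    role_perms: dict[str, set[str]] = {}
    user_roles: dict[str, set[str]] = {}
    for r in responsibilities:
        role_perms.setdefault(r.task, set()).update(r.rights)
        user_roles.setdefault(r.actor, set()).add(r.task)
    return RbacPolicy(role_perms, user_roles)


def reconcile(responsibilities: list[Responsibility], policy: RbacPolicy):
    """Compare what RBAC grants with what responsibilities justify.

    Returns (excess, missing):
      excess  - per actor, granted rights backed by no responsibility
                (least-privilege violation to revoke or justify);
      missing - per actor, rights a responsibility needs but RBAC does not
                grant (the actor cannot perform an assigned task)."""
    need = required_rights(responsibilities)
    excess: dict[str, set[str]] = {}
    missing: dict[str, set[str]] = {}
    for actor in set(need) | set(policy.user_roles):
        have = policy.effective_perms(actor)
        want = need.get(actor, set())
        if have - want:
            excess[actor] = have - want
        if want - have:
            missing[actor] = want - have
    return excess, missing


# Constructed sample data (assumptions for this example only).
SAMPLE_RESPONSIBILITIES = [
    Responsibility("alice", "update patient vitals",
                   frozenset({"record:read", "vitals:write"})),
    Responsibility("bob", "prescribe medication",
                   frozenset({"record:read", "prescription:write"})),
]

# A hand-built RBAC policy that drifted from the responsibilities: the nurse
# role is over-broad, the physician role is too narrow, and carol holds a
# role without any responsibility that requires it.
SAMPLE_POLICY = RbacPolicy(
    role_perms={
        "nurse": {"record:read", "vitals:write", "prescription:write"},
        "physician": {"record:read"},
    },
    user_roles={"alice": {"nurse"}, "bob": {"physician"}, "carol": {"nurse"}},
)


def demo():
    """Reconcile the drifted policy against the responsibilities."""
    return reconcile(SAMPLE_RESPONSIBILITIES, SAMPLE_POLICY)


if __name__ == "__main__":
    excess, missing = demo()
    print("excess:", excess)
    print("missing:", missing)
```

Running the block reports alice's `prescription:write` and every right carol holds as excess, and bob's `prescription:write` as missing; reconciling the responsibilities against the policy produced by `derive_policy` yields no findings in either direction, which is the property a responsibility-driven engineering method aims for.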
The document describes the NOEMI assessment methodology, which was developed as part of a research project to help very small enterprises (VSEs) improve their IT practices. The methodology aims to assess VSEs' IT capabilities in order to facilitate collaborative IT management across organizations. It was designed to be aligned with common IT standards like ISO/IEC 15504 and ITIL, but adapted specifically for VSEs. The methodology has been tested through several case studies with VSEs in Luxembourg, with promising results.
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It summarizes key access control models and discusses how they address concepts like capability, accountability, and commitment. The document also reviews engineering methods and how they incorporate responsibility considerations. The overall goal is to orient further research towards a new policy model and engineering method that more fully addresses stakeholder responsibility.
This document proposes an extension of the ArchiMate enterprise architecture framework to model multi-agent systems for critical infrastructure governance. The authors develop a responsibility-driven policy concept and metamodel layers to represent agent behavior and organizational policies across technical, application, and organizational layers. The approach is illustrated through a case study of a financial transaction processing system.
This document summarizes an experimental prototype of the OpenSST protocol for secured electronic transactions. OpenSST was developed to achieve high security, simplicity in software engineering, and compatibility with existing standards. The prototype uses OpenSST for the authorization portion of electronic payments in an e-business clearing solution. It describes the OpenSST message format and types, and discusses how OpenSST is implemented in the prototype's three-element architecture of an OpenSST proxy, reverse proxy, and server.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
1. itSMF-NL Spring 2008 Conference
"Best Practices in IT Management:
BEYOND ITIL, BEYOND CONTROL"
April 22, 2008, Hotel & Congrescentrum De Reehorst, Ede, the Netherlands
ISO/IEC 29382 - the new standard
for ICT Governance
Christophe Feltus
Member of the ISO Study Group on ICT Governance
Public Research Centre Henri Tudor,
29, Rue John F. Kennedy
L-1855 Luxembourg
christophe.feltus@tudor.lu
July 21, 2010 1
2. Outline
ICT Governance definitions
SG on ICT Governance
itSMF involvement
Interim Report
Beyond ISO 29382
    Scope
    Application
    Objectives
    6 principles
    Model for Corporate Governance of ICT
Conclusions
4. Some definitions
AS 8015 – Australian National Standards
Corporate Governance of ICT is the system by which the current and
future use of ICT is directed and controlled. It involves evaluating and
directing the plans for the use of ICT to support the organization and
monitoring this use to achieve plans. It includes the strategy and policies
for using ICT within an organization. (Corporate Governance of
Information and Communication Technology; January 2005).
OECD Corporate Governance
Corporate governance involves a set of relationships between a
company’s management, its board, its shareholders and other
stakeholders. Corporate governance also provides the structure through
which the objectives of the company are set, and the means of attaining
those objectives and monitoring performance are determined. Good
corporate governance should provide proper incentives for the board and
management to pursue objectives that are in the interests of the company
and its shareholders and should facilitate effective monitoring. (OECD
Code on Corporate Governance)
5. Some definitions
ITGI (IT Governance Institute)
IT Governance is the responsibility of the board of directors and executive
management. It is an integral part of enterprise governance and consists
of the leadership and organisational structures and processes that ensure
that the organisation’s IT sustains and extends the organisation’s
strategies and objectives. (Board Briefing, 2nd edition; 2003).
World Bank Definition of Corporate Governance
Corporate governance refers to the structures and processes for the
direction and control of companies. Corporate governance concerns the
relationships among the management, the Board of Directors, the
controlling shareholders and other stakeholders. Good corporate
governance contributes to sustainable economic development by
enhancing the performance of companies and increasing their access to
outside capital.
6. Some definitions
MIT Sloan Center for Information Systems Research :
IT Governance is specifying the decision rights and accountability
framework to encourage desirable behaviour in the use of IT. (MIT CISR
Working Paper No. 326; April 2002).
University of Tasmania
The survey of the literature by academics from the University of Tasmania
(Webb, Phyl, Pollard, Carol, and Ridley, Gail (2006), Attempting to Define
IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii
International Conference on Systems Sciences) brings out the ‘elements’
that are common to a range of suggested definitions. The elements are:
strategic alignment, delivery of business values, performance
management, risk management, policies and procedures, and control and
accountability. Their resultant definition is : IT Governance is the
strategic alignment of IT with the business such that maximum
business value is achieved through the development and
maintenance of effective IT control and accountability, performance
management and risk management.
8. Study Group in ISO
JTC1 : Information Technology Standards
JTC1 / SC7 : Software and System Engineering
JTC1 / SC7 / WG25 : IT Operations (service management)
Basically: a Study Group in WG25
Study Group Chair: Alison Holt (New Zealand)
Co-Chair: Ed Lewis (Australia)
Members:
    Yoshiyuki Hirano, Japan
    Alwyn Smit, South Africa
    K.T. Hwang, Korea
    Melanie Cheong, South Africa
    Bill Powell, United States
    Jyrki Lahnalahti, Finland
    Dennis Ravenelle, itSMFI
    Craig Pattison, itSMFI/New Zealand
    Hella Shrader, United Kingdom
    Darcie Destito, United States
    Mark Toomey, Australia
    Gargi Keeni, India
    Mikhail Pototsky, Russian Federation/itSMFI
    Sushil Chatterji, ISACA/ITGI
    Max Shanahan, ISACA/ITGI
    Brian Cusack, New Zealand
    Luis Rosa, Spain
    Christophe Feltus, Luxembourg
    Jenny Dugmore, UK
9. Study Group in ISO
In Seoul (2006):
Reduce, if not remove, the confusion in the professional and the academic literature about the topic
Resolutions:
    New SG
    1st report
    Fast Track
In Moscow (May 2007):
Preparation of the 1st report
Definition of ICT Governance: what is ICT Governance?
10. Study Group in ISO
Montreal (November 2007)
Fast Track on the Australian Standard on ICT Governance (AS 8015), accepted in July
Resolution of comments on the Fast Track: 149 in total
    Canada: 2
    Spain: 1
    France: 5
    Italy: 10
    Japan: 10
    Korea: 1
    Luxembourg: 46
    New Zealand: 6
    UK: 4
    Sweden: 9
    USA: 15
    South Africa: 40
1st report
NWI (New Work Item)
12. ISO – itSMF liaison (by WG)
13. ISO – itSMF liaison (by WG)
14. Link with ISO 20000
ISO 20000 - The standard describes the controls needed to effectively
deliver services that meet the needs of the customer and business
requirements.
The processes described in ISO 20000 underpin an effective
governance framework and therefore need to be closely aligned to
any proposed ICT Governance standard.
All reviewed standards have a relationship with ICT Governance
and many sections overlap not only in comparison to ISO/IEC
38500 standard but also amongst the individual reviewed
standards. Any drafting of a new international ICT
Governance standard needs to take the above existing
standards into account and ensure that a) there are no
conflicts and b) all governance related sections are covered.
A weakness of all reviewed standards is around the need for
strategic direction and the implementation of controls to
support and manage this area.
15. Advisory Board Paper
The formal description it offers is:
“Governance is the collective set of procedures, policies, roles
and responsibilities, and organizational structures required
to support an effective decision-making process”.
16. Advisory Board Paper
Benefits of Governance (key words):
Achieving business objectives by ensuring that each element of the mission and
strategy is assigned and managed within a clearly understood and transparent
decision rights and accountability framework.
Defining and encouraging desirable behavior in the use of IT and in the execution
of IT outsourcing arrangements.
Implementing and integrating the desired business processes into the organization.
Providing stability and overcoming the limitations of organizational structure.
Improving customer, business and internal relationships and satisfaction, and
reducing internal territorial strife by formally integrating the customers, business
units, and external IT providers into a holistic IT governance framework.
Enabling effective and strategically aligned decision making for the IT Principles
that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and
Frameworks, Service Portfolio, Information and Competency Portfolios and IT
Investment & Prioritization.
18. Interim Report
A review of national governance activities
The identification of a set of guiding principles for the development of an ICT Governance standard to meet market requirements
The identification of the ICT governance needs to be addressed in the standard
An assessment of where ICT governance sits within JTC1
A review of elements of ICT governance in existing SC7 standards
Analysis to determine the level of standard required to sit above existing frameworks and methodologies without replacing or displacing existing material; identification of the sort of "standard" required: TR, code of practice or guidelines
Analysis of what would need to be added to AS 8015 to meet these needs
Analysis of whether a maturity framework could be included from the outset
Liaison relationships: contributions requested from existing bodies of knowledge
Call to action dependent on the AS 8015 fast track result (which is now known)
19. Review of the status of ICT Governance across different nations
Written and oral reports were presented to the ICT Study
Group reviewing the state of different ICT Standards
environments within the different jurisdictions.
A general movement towards compliance frameworks was
reported in terms of legislation, Standards adoption and
control framework adoption (eg. CobiT, ITIL, and so on).
Several reports noted that regulatory requirements were
pending and that there is considerable momentum gathering
for comprehensive directives (both explicit and implicit). The
importance of ICT Governance and the current opportune
moment in time for ICT Governance advancement was
reported in each case.
20. What is ICT Governance?
The Working Group should establish a Glossary of governance
terms. The Glossary especially should include definitions that help
to establish the difference between Governance and Management.
The definitions must be compatible with those in existing ISO
Standards
Director
Member of the most senior governing body of an organization.
Includes owners, board members, partners, senior executives or
similar, and officers authorized by legislation or regulation.
Management
Management is the process of controlling the activities required to
achieve the strategic objectives set by the organisation's governing
body. Management is subject to the policy guidance and
monitoring set through corporate governance.
21. What is ICT Governance?
The objective of governance is to determine and cause the desired
behavior and results to achieve the strategic impact of IT.
The system in which directors monitor, evaluate and direct IT management to
ensure effectiveness, accountability and compliance of IT
The active distribution of decision-making rights and accountabilities
among different stakeholders in an organization and the rules and
procedures for making and monitoring those decisions to determine and
achieve desired behaviors and results.
who makes directing, controlling and executing decisions
how the decisions will be made
what information is required to make the decisions
what decision-making mechanisms should be required
how exceptions will be handled
how the governance results should be reviewed and improved
23. Beyond ISO 29382 : scope
The objective of this Standard is to provide a framework of principles
for Directors to use when evaluating, directing and monitoring the
use of information technology (IT) in their organizations.
24. Beyond ISO 29382 : scope
Governance is distinct from management, and for the avoidance of
confusion, the two concepts are clearly defined in the standard.
…the members of the governing body may also occupy the key roles
in management.
It provides guidance to those advising, informing, or assisting
directors. They include:
• Senior managers.
• Members of groups monitoring the resources within the organization.
• External business or technical specialists, such as legal or accounting
specialists, retail associations, or professional bodies.
• Vendors of hardware, software, communications and other IT products.
• Internal and external service providers (including consultants).
• IT auditors.
The standard is applicable for all organizations, from the smallest, to
the largest, regardless of purpose, design and ownership structure.
26. Beyond ISO 29382 : application
This standard is applicable to all organizations, including public and
private companies, government entities, and not-for-profit
organizations.
The standard is applicable to organizations of all sizes from the
smallest to the largest, regardless of the extent of their use of IT.
28. Beyond ISO 29382 : objectives
The purpose of this Standard is to promote effective, efficient, and
acceptable use of IT in all organizations by:
assuring stakeholders (including consumers, shareholders, and
employees) that, if the standard is followed, they can have
confidence in the organization’s corporate governance of IT;
informing and guiding directors in governing the use of IT in their
organization; and
providing a basis for objective evaluation of the corporate
governance of IT.
30. Beyond ISO 29382 : 6 principles
Principle 1: Establish clearly understood responsibilities for IT
Principle 2: Plan IT to best support the organization
Principle 3: Acquire IT validly
Principle 4: Ensure that IT performs well, whenever required
Principle 5: Ensure IT conforms with formal rules
Principle 6: Ensure IT use respects human factors
32. Beyond ISO 29382 : Model for Corporate Governance of ICT
Directors should govern ICT through three main tasks:
(a) Evaluate the use of ICT.
(b) Direct preparation and implementation of plans and policies.
(c) Monitor conformance to policies, and performance against the plans.
33. Evaluate
Directors should examine and make judgement on the current and
future use of IT, including strategies, proposals and supply
arrangements (whether internal, external, or both).
In evaluating the use of IT, directors should consider the pressures
acting upon the business, such as technological change, economic
and social trends, and political influences.
Directors should also take account of both current and future
business needs — the current and future organizational objectives
that they must achieve, such as maintaining competitive
advantage, as well as the specific objectives of the strategies and
proposals they are evaluating.
34. Direct
Directors should assign responsibility for, and direct preparation
and implementation of plans and policies. Plans should set the
direction for investments in IT projects and IT operations. Policies
should establish sound behaviour in the use of IT.
Directors should ensure that the transition of projects to
operational status is properly planned and managed, taking into
account impacts on business and operational practices and
existing IT systems and infrastructure.
Directors should encourage a culture of good governance of IT in
their organization by requiring managers to provide timely
information, to comply with direction and to conform with the six
principles of good governance.
35. Monitor
To complete the cycle, directors should monitor, through
appropriate measurement systems, the performance of IT use.
They should reassure themselves that performance is in
accordance with plans, particularly with regard to business
objectives.
They should also make sure that the use of IT conforms with
external obligations (regulatory, legislation, common law,
contractual) and internal work practices. If necessary, directors
should direct the submission of proposals for approval to address
identified needs.
37. Conclusions and Future Works
Review the use of the Plan, Do, Check, Act (PDCA) lifecycle versus Evaluate,
Direct, Monitor (EDM). Show the mapping of EDM against PDCA.
Incorporate human behavioural aspects to the chosen lifecycle.
Produce a diagram demonstrating the inter-relation of principles.
Develop derivative material to cover:
· Clarification on the risks of poor governance and decision making;
· Analysis on the benefits of Governance across the IT lifecycle; and
· The explanation of each principle.
38. Conclusions and Future Works
Determine market requirements and then determine the coverage of future
standards for example IT Projects, IT Operations, IT Use or some other
frameworks.
Development of a TR2 for CIOs and executives to assist them in explaining
the rationale and implications (risks and benefits) of the principles.
Development of a TR2 providing guidelines for the use of the standard by public
sector organizations.