
Who Governs my Responsibilities?

SIM: a Methodology to Align Business and IT Policies in the Industrial Field
Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gâteau
Public Research Centre Henri Tudor
A cyclic approach for policy management
Information Systems and rights management are becoming more and more complex. This is mainly due to, firstly, the generalization of open, heterogeneous, distributed and dynamic environments and, secondly, the multiplication and diversity of available solutions. In that context, defining and exploiting an IT or access control policy that takes care at the same time of the diversity of the stakeholders' statutes (worker, employee or manager) and of the criticality of the resources to protect (public, secret, confidential) is challenging. This challenge is moreover complicated by the perpetual evolution of the organization structure, the business strategy, the employees' responsibilities, and even the legal requirements in effect.

Our approach is based on methodological and technological innovative ideas. From the methodological point of view, the approach aims to tackle the problem from several angles (organizational, logical and technical): formalizing the organization with a responsibility model, transforming the business responsibilities into IT policies, and automating the deployment and auditing of those policies in order to facilitate the maintenance of the system.

At the technical level, the control of access rights is based on a multi-agent system that updates and monitors, in real time, the rights on the physical devices (rights over systems, networks and applications). The use of open source has been favored.
[Figure: the SIM policy management cycle: policy engineering, policy transformation, policy deployment, policy audit]
Step 1: Engineering of business policy based on a process approach
Step 2: Transformation of business policy into IT policy based on the XACML format
Step 3: Deployment of IT policies on open networks based on a multi-agent platform
Step 4: Continuous alignment of business policy against IT policies
Business oriented or IT focussed? Toward a policy elicitation method gathering both
To engineer policies that take business requirements as well as IT constraints into account, a five-step method has been developed in the framework of the SIM project. This methodology is based on the (retro-)engineering of employees' responsibilities with the objective of aligning them with arising corporate IT governance principles. It procures many advantages, such as a clear definition of accountabilities, a precise list of necessary capabilities and an enhancement of the employees' commitment.
Collection of information
The first step has for objective to define the context and to collect each component that will be formalized in the policy.
Elaboration of the responsibility diagram
This second step aims to define the responsibility model, the related accountabilities and capabilities, and the links between those components.
Verification of the links consistency
This third step consists in, firstly, detecting and solving unnecessary capabilities and, secondly, making sure that all accountabilities are provided and exist in the model.
Management of exceptions
This fourth step aims to detect and correct conflicts and inconsistencies according to specific rules: separation of duty and cardinality constraints.
Elicitation of the policy
This fifth step aims to translate the responsibility diagram into a specific policy format.
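The following is an added worked example, not code from the SIM project or its authors. It runs a small, constructed responsibility model through steps 2 to 5 of the method above (diagram, verification of the links consistency, management of exceptions, elicitation), and elicits the result in the XACML format named in Step 2 of the cycle. The roles, accountabilities and capabilities are invented for illustration; the XACML identifiers are the standard ones from the XACML 3.0 core and RBAC profile.

```python
"""Added example (not the SIM project's code): a constructed responsibility
model checked for link consistency and exception rules, then elicited as an
XACML 3.0 Policy. Role/accountability/capability names are made up."""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# (category, attribute id) for the three attributes every elicited rule matches on
ATTRS = [
    ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
     "urn:oasis:names:tc:xacml:2.0:subject:role"),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
     "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
     "urn:oasis:names:tc:xacml:1.0:action:action-id"),
]

@dataclass
class Responsibility:          # one node of the responsibility diagram (step 2)
    role: str
    accountabilities: set      # obligations the role answers for
    capabilities: set          # (resource, action) rights granted to the role

@dataclass
class Model:
    responsibilities: list
    required: dict             # accountability -> capabilities it needs
    sod: list                  # accountability pairs that must not share a role
    cardinality: dict          # accountability -> max number of holding roles

def check_links(model):
    """Step 3: capabilities no accountability justifies, and accountabilities nobody holds."""
    issues, covered = [], set()
    for r in model.responsibilities:
        needed = set().union(*(model.required.get(a, set()) for a in r.accountabilities))
        issues += [("unnecessary_capability", r.role, c) for c in sorted(r.capabilities - needed)]
        covered |= r.accountabilities
    issues += [("unassigned_accountability", a, None) for a in model.required if a not in covered]
    return issues

def check_exceptions(model):
    """Step 4: separation of duty and cardinality constraints."""
    issues = []
    for r in model.responsibilities:
        issues += [("sod_violation", r.role, (a, b)) for a, b in model.sod if {a, b} <= r.accountabilities]
    for acc, limit in model.cardinality.items():
        holders = tuple(r.role for r in model.responsibilities if acc in r.accountabilities)
        if len(holders) > limit:
            issues.append(("cardinality_violation", acc, holders))
    return issues

def elicit_xacml(model, policy_id="sim-policy"):
    """Step 5: one Permit rule per (role, resource, action); refuses an inconsistent model."""
    issues = check_links(model) + check_exceptions(model)
    if issues:
        raise ValueError(f"model not consistent: {issues}")
    ET.register_namespace("", XACML)
    policy = ET.Element(f"{{{XACML}}}Policy", PolicyId=policy_id, Version="1.0",
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit")
    ET.SubElement(policy, f"{{{XACML}}}Target")  # empty Target: policy applies to every request
    for r in model.responsibilities:
        for resource, action in sorted(r.capabilities):
            rule = ET.SubElement(policy, f"{{{XACML}}}Rule",
                                 RuleId=f"{r.role}:{resource}:{action}", Effect="Permit")
            all_of = ET.SubElement(ET.SubElement(ET.SubElement(rule, f"{{{XACML}}}Target"),
                                                 f"{{{XACML}}}AnyOf"), f"{{{XACML}}}AllOf")
            for (category, attr_id), value in zip(ATTRS, (r.role, resource, action)):
                match = ET.SubElement(all_of, f"{{{XACML}}}Match",
                                      MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal")
                ET.SubElement(match, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value
                ET.SubElement(match, f"{{{XACML}}}AttributeDesignator", Category=category,
                              AttributeId=attr_id, DataType=STRING, MustBePresent="false")
    return ET.tostring(policy, encoding="unicode")

def permits(policy_xml, role, resource, action):
    """Minimal evaluator for policies produced above: deny unless one rule's three matches hold."""
    ns = {"x": XACML}
    for rule in ET.fromstring(policy_xml).findall("x:Rule", ns):
        if [v.text for v in rule.findall(".//x:AttributeValue", ns)] == [role, resource, action]:
            return True
    return False

# Constructed sample organisation (hypothetical names)
REQUIRED = {"create_order": {("orders", "write"), ("catalog", "read")},
            "approve_order": {("orders", "approve")},
            "audit_orders": {("orders", "read")}}
SOD = [("create_order", "approve_order")]
CARDINALITY = {"approve_order": 1}

# Diagram with deliberate defects for steps 3 and 4 to catch
FLAWED = Model([
    Responsibility("purchaser", {"create_order"}, {("orders", "write"), ("catalog", "read")}),
    Responsibility("approver", {"approve_order"}, {("orders", "approve"), ("hr_records", "read")}),
    Responsibility("manager", {"create_order", "approve_order"},
                   {("orders", "write"), ("catalog", "read"), ("orders", "approve")}),
], REQUIRED, SOD, CARDINALITY)

# The same organisation once the defects are corrected
CLEAN = Model([
    Responsibility("purchaser", {"create_order"}, {("orders", "write"), ("catalog", "read")}),
    Responsibility("approver", {"approve_order"}, {("orders", "approve")}),
    Responsibility("auditor", {"audit_orders"}, {("orders", "read")}),
], REQUIRED, SOD, CARDINALITY)
```

Running `check_links(FLAWED)` reports the approver's unjustified `hr_records` read and the unheld `audit_orders` accountability; `check_exceptions(FLAWED)` reports the manager's separation-of-duty conflict and the two holders of `approve_order` against a cardinality of one. `elicit_xacml(CLEAN)` then emits four Permit rules, and `permits` shows the deny-unless-permit behaviour on requests the diagram never granted.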
Contact
Christophe Incoul [christophe.incoul@tudor.lu], Christophe Feltus [christophe.feltus@tudor.lu]
Jocelyn Aubert [jocelyn.aubert@tudor.lu], Benjamin Gâteau [benjamin.gateau@tudor.lu]
Public Research Centre Henri Tudor
Centre For IT Innovation (CITI)
29, Avenue John F. Kennedy, L-1855 Luxembourg Kirchberg
+352-42.59.91.1, www.tudor.lu
