
Who Governs my Responsibilities?

SIM: a Methodology to Align Business and IT Policies in the Industrial Field
Christophe Feltus, Christophe Incoul, Jocelyn Aubert, Benjamin Gâteau
Public Research Centre Henri Tudor

A cyclic approach for policy management


Information systems and rights management are becoming more and more complex. This is mainly due to, firstly, the generalization of open, heterogeneous, distributed and dynamic environments and, secondly, the multiplication and diversity of available solutions. In that context, defining and exploiting an IT or access control policy that takes care at the same time of the diversity of the stakeholders' status (worker, employee or manager) and of the criticality of the resources to protect (public, secret, confidential) is challenging. This challenge is further complicated by the perpetual evolution of the organization structure, the business strategy, the employees' responsibilities, and even the legal requirements in effect.

Our approach is based on innovative methodological and technological ideas. From the methodological point of view, the approach tackles the problem from several angles (organizational, logical and technical): formalizing the organization with a responsibility model, transforming the business responsibilities into IT policies, and automating the deployment and auditing of those policies in order to facilitate the maintenance of the system. At the technical level, the control of access rights is based on a multi-agent system that updates and monitors, in real time, the rights on the physical devices (rights over systems, networks and applications). The use of open source software has been favored.

The policy management cycle (figure): policy engineering, policy transformation, policy deployment and policy audit.

Step 1: Engineering of business policy based on a process approach (policy engineering)
Step 2: Transformation of business policy into IT policy based on the XACML format (policy transformation)
Step 3: Deployment of IT policies on open networks based on a multi-agent platform (policy deployment)
Step 4: Continuous alignment of business policy against IT policies (policy audit)

Business oriented or IT focussed? Toward a policy elicitation method gathering both


To engineer policies that take business requirements as well as IT constraints into account, a five-step
method has been developed in the framework of the SIM project. This methodology is based on the (retro-)
engineering of employees' responsibilities, with the objective of aligning them with emerging corporate IT
governance principles. It brings many advantages, such as a clear definition of accountabilities, a precise
list of necessary capabilities and an enhancement of the employees' commitment.

Collection of information
The objective of the first step is to define the context and to collect each
component that will be formalized in the policy.

Elaboration of the responsibility diagram
This second step aims to define the responsibility model, the related
accountabilities and capabilities, and the links between those different
components.

Verification of the consistency of the links
This third step consists in, firstly, detecting and removing unnecessary
capabilities and, secondly, making sure that all accountabilities are
provided for and exist in the model.

Management of exceptions
This fourth step aims to detect and correct conflicts and inconsistencies
according to specific rules: separation of duty and cardinality
constraints.

Elicitation of the policy
This fifth step aims to translate the responsibility diagram into a specific
policy format.
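As an added illustration that is not part of the poster or of the SIM project's own tooling, the following Python sketch walks through steps 3 to 5 over a constructed responsibility diagram: the link-consistency checks, the separation-of-duty and cardinality rules, and the elicitation of one XACML 2.0 policy per responsibility. The data model, the "action:resource" naming of capabilities, the sample employees and the use of the XACML RBAC-profile role attribute to carry the responsibility name are assumptions made here, not part of the method as published.

```python
from dataclasses import dataclass
import xml.etree.ElementTree as ET

@dataclass
class Responsibility:  # assumed model: the poster does not formalize one
    name: str
    holders: set            # employees assigned to this responsibility
    accountabilities: set   # what a holder must answer for
    capabilities: dict      # "action:resource" -> accountability it is meant to serve

def verify_links(r):
    """Step 3: a capability serving no accountability is unnecessary; an accountability with no capability is unprovided."""
    unnecessary = {c for c, a in r.capabilities.items() if a not in r.accountabilities}
    unprovided = r.accountabilities - set(r.capabilities.values())
    return unnecessary, unprovided

def manage_exceptions(resps, sod_pairs, cardinality):
    """Step 4: separation of duty (nobody may hold both) and cardinality (maximum number of holders)."""
    held = {r.name: r.holders for r in resps}
    sod = [("sod", a, b, sorted(held[a] & held[b])) for a, b in sod_pairs if held[a] & held[b]]
    card = [("cardinality", n, limit, len(held[n])) for n, limit in cardinality.items() if len(held[n]) > limit]
    return sod + card

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def _match(target, kind, value, attribute_id):
    # Builds <Subjects><Subject><SubjectMatch> (or the Resource/Action equivalents) comparing one string attribute.
    match = ET.SubElement(ET.SubElement(ET.SubElement(target, kind + "s"), kind), kind + "Match", MatchId=STRING_EQUAL)
    ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(match, kind + "AttributeDesignator", AttributeId=attribute_id, DataType=XS_STRING)

def elicit_xacml(r):
    """Step 5: one XACML 2.0 Permit rule per capability; the responsibility name travels in the RBAC-profile role attribute (our convention)."""
    policy = ET.Element("Policy", xmlns=XACML_NS, PolicyId=f"sim:{r.name}",
                        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides")
    ET.SubElement(policy, "Target")  # empty policy target: every request is considered, the rules narrow it down
    for cap in sorted(r.capabilities):
        action, resource = cap.split(":", 1)
        target = ET.SubElement(ET.SubElement(policy, "Rule", RuleId=f"{r.name}:{cap}", Effect="Permit"), "Target")
        _match(target, "Subject", r.name, "urn:oasis:names:tc:xacml:2.0:subject:role")
        _match(target, "Resource", resource, "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
        _match(target, "Action", action, "urn:oasis:names:tc:xacml:1.0:action:action-id")
    return ET.tostring(policy, encoding="unicode")

# Constructed sample: one unnecessary capability, one unprovided accountability, one SoD clash (alice), one cardinality breach.
PURCHASING = Responsibility("purchasing_manager", {"alice", "bob"}, {"order_approval", "budget_reporting", "supplier_vetting"},
    {"approve:purchase_order": "order_approval", "read:budget": "budget_reporting", "delete:audit_log": "forensics"})
ACCOUNTANT = Responsibility("accountant", {"alice", "carol"}, {"payment_release"}, {"release:payment": "payment_release"})
SOD_PAIRS = [("purchasing_manager", "accountant")]
CARDINALITY = {"purchasing_manager": 1}
```

Running `verify_links(PURCHASING)` flags `delete:audit_log` as unnecessary and `supplier_vetting` as unprovided, and `manage_exceptions([PURCHASING, ACCOUNTANT], SOD_PAIRS, CARDINALITY)` reports both the shared holder and the exceeded cardinality before any policy is emitted.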

Contact
Public Research Centre Henri Tudor Christophe Incoul [christophe.incoul@tudor.lu], Christophe Feltus [christophe.feltus@tudor.lu]
Centre For IT Innovation (CITI) Jocelyn Aubert [jocelyn.aubert@tudor.lu], Benjamin Gâteau [benjamin.gateau@tudor.lu]
29, Avenue John F. Kennedy, L-1855 Luxembourg-Kirchberg
+352-42.59.91.1, www.tudor.lu
