SlideShare a Scribd company logo
Strengthening Employee’s Responsibility to Enhance
Governance of IT – COBIT RACI Chart Case Study
Christophe Feltus
Public Research Center Henri Tudor
Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre,
Faculty of Computer Science,
University of Namur, Belgium
christophe.feltus@tudor.lu
Michaël Petit
PReCISE Research Centre,
Faculty of Computer Science,
University of Namur,
Belgium
mpe@info.fundp.ac.be
Eric Dubois
Public Research Center Henri Tudor
Luxembourg-Kirchberg,
Luxembourg
eric.dubois@tudor.lu
ABSTRACT
The ongoing financial markets debacle and the global economic
context advocate enhancing the governance of the companies and,
de facto, improving the elaboration and the understanding of
employees’ responsibilities. Furthermore, the moral aspects of the
business and the employees’ commitment have appeared as
becoming increasingly unavoidable to face emerging ethical
challenges. These arising requirements have oriented our research
toward the elaboration of an innovative responsibility model built
on the concepts of obligation/accountability, right and
commitment. This paper aims to present, validate and improve the
responsibility model on the basis of a comparison to related
concepts from the COBIT framework. In parallel to this
improvement, proposals of conceptual modification of the COBIT
framework are made and illustrated based on the RACI chart.
Categories and Subject Descriptors
K.6.1 [Management of Computing and Information Systems]:
Project and People Management – Staffing, Strategic information
systems planning, Systems analysis and design, System
development.
General Terms
Management, Reliability, Security, Human Factors, Theory.
Keywords
Responsibility Model, IT Governance, IT Management, COBIT,
RACI Chart, Business Ethic, Employee Commitment.
1. INTRODUCTION
The current crisis has highlighted the necessity for a global
rethinking of the economy. Industrial analyses as well as academic
surveys have put forward the need for improving the governance
of Information Technology (IT) such as the control, the
procurement of and the alignment with the business and the
employees’ engagement in more ethics, transparency,
accountability and commitment. All of these domains are gathered
under the Corporate Governance umbrella and are progressively
integrated in standards and norms such as ISO/IEC 38500:2008
[1] that provides principles for the corporate governance of IT,
SOX [2] that describes requirements and specific mandates for
financial reporting or Basel II [3] that defines rigorous risk and
capital management requirements for the banking sector.
In parallel to these newly arising and progressively formalized
requirements for improving the governance of IT, companies are
used to work with well-known experienced and approved
management frameworks for their day-to-day operations, IT
follow-up activities or investments. These frameworks mostly
target a well-defined activity domain or a precise technology, and
address the above listed governance’s requirements through a very
specific approach and well-defined areas, i.e. COBIT [4], a
framework that enables the development of clear policies and
good practice for IT control throughout enterprises, IT
Infrastructure Library (ITIL) [5], a public library that focuses on
IT services management for high-quality service provision,
CIMOSA [6], an enterprise architecture model to define industrial
computer system architecture or the international standard
ISO/IEC 15504 [7] a framework for the assessment of software
processes. All of them deal in one way or another with
responsibility elements and the consequence of this abundance of
frameworks is the existence of an equal amount of responsibility
models and interpretations.
Based on the assumption that all of these models are consistently
used for the elicitation of corporate rules and policies, it is
obvious that defining a common responsibility model among them
would quickly bring relevant benefits for the business. Moreover,
assuming that these rules and polices most of the time formulate
the behavior of a system [8] and of its employees, we deduce that
having these responsibility suitably defined represents a
paramount significance for the governance of companies.
Assuming the importance of the responsibility concept, the
analysis of its representation through professional standards,
norms and frameworks as well as the examination of scientific
literature highlight, that, as yet, a consensual and common
understanding of its conceptual components does not exist.
Taking that into account, our research aspires to globally improve
the IT governance mainly by advising a common responsibility
model dedicated to industrial and scientific usage. This model of
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. To copy
otherwise, or republish, to post on servers or to redistribute to lists,
requires prior specific permission and/or a fee.
WISG’09, November 13, 2009, Chicago, Illinois, USA.
Copyright 2009 ACM 978-1-60558-787-5/09/11...$10.00.
responsibility may later be used to refine the elicitation of
pragmatic IT policies such as the access control one.
In this paper, we present the responsibility model and explain
some of its most important components in section 2. The research
method used to develop this model is a two steps approach. In
step 1, we depict the scientific literature in the field of
responsibility to identify its main conceptual components. In step
2, we elaborate a UML responsibility model based on the
component found in step 1 and we operate successive refinements
by comparing it with existing professional management
framework.
Afterward, we introduce in section 3 the COBIT’s responsibility
elements through a synthetic UML diagram. Then we compare the
responsibility model elaborated in section 2 with the
responsibility constructs encompassed in that diagram and we
advise on some COBIT enhancements according to the most
significant responsibility concepts of our responsibility model in
section 4.
Finally, in section 5 we illustrate the improvement by analyzing
the COBIT’ Identify system owners’ action of PO4 “Define the IT
Processes, Organisation and Relationships”.
2. THE RESPONSIBILITY CONCEPT
The responsibility model (Figure 1) was elaborated through a
double activity. First, the theoretical model was constructed based
on the analysis of the responsibility conceptual components issued
from social [19], managerial [8,16,19,22], psychological
[18,24,26,27] and computer science [11,30,31] literature’s
incomes. Secondly, this theoretical model was enhanced and
validated by confrontation with industrial frameworks.
Simultaneously, improvements of these existing industrial
frameworks were proposed by adjunction of conceptual
components from the responsibility model they lack. I.e.
[9,10,12].
Figure 1. Responsibility Model UML Diagram.
The analysis of the responsibility concept [11,12] highlights that
there is a plethora of definitions of it. We may however state that
commonly accepted definitions of responsibility encompass the
idea of having the obligation to ensure that something happens.
2.1 Concept of Obligation/Accountability
Obligation is the most frequent concept that appears in literature
as well as in industrial and professional frameworks. Two types of
obligation have been defined by Dobson [13]: functional
obligation as what a role must do with respect to a state of affairs
(e.g. execute an activity) and a structural (managerial) obligation
as what a role must do in order to fulfill a responsibility such as
directing, supervising and monitoring, whenever an obligation or
a right is delegated.
Accountability and answerability are closed concepts that are
composed of one or several obligation(s) to report the
achievement, maintenance or avoidance of some given state [36]
to an authority. The difference between both concepts is that one
accountability is composed of one answerability and zero or one
sanction [13]. Stahl [14] argues that accountability describes the
structures, which have to be in place to facilitate responsibility
and that responsibility is the ascription of an object to a subject
rendering the subject answerable for the object. Stahl also focuses
on the sanction as being of central importance for responsibility.
He nuances the sanction as positive or negative. The
answerability is defined by Cholvy as “an obligation or a moral
duty to report or explain the action or someone else’s action to a
given authority” [11]. There are other definitions of
accountability. Laudon and Laudon [33] define this concept in the
following way: “Accountability is a feature of systems and social
institutions: It means that mechanisms are in place to determine
who took responsibility of actions” with the following definition:
“responsibility has to do with tracing the causes of actions and
events, of finding out who is answerable in a given situation”. For
Goodpaster and Matthews [34] accountability is a mechanism’ set
allowing such tracing of causes, actions, and events whereas for
Spinello [35], it is a necessary but not a sufficient responsibility
condition.
2.2 Concept of right
The concept of right is common but is not systematically
embedded in the frameworks. It encompasses facilities required
by an employee to fulfil his accountabilities. These facilities could
include, amongst others capabilities, authorities or the right to
delegate.
Capability describes the possession of requisite qualities, skills or
resources to perform an action. Capability is a component that is
part of all models and methods [6,36,37], and is most frequently
declined through definitions of access rights, authorizations or
permissions [38,39].
Authority describes the power or right to give orders or makes
decisions. This concept is introduced in CIMOSA [6] as the
“power” to command and control other employees and to assign
responsibilities. CIMOSA argues that responsible employees have
rights over resource in the first place and over process, action and
task in the second place. CIMOSA distinguishes resources from
their capabilities: Resources are companies’ assets required for
carrying out processes whereas capabilities are technical abilities
provided by a specific resource and are of four types (functional,
performance, object oriented or operational).
Delegation right is a type of right to transfer some part of the
responsibility to another employee that pledges commitment for it
(Cf. section 2.3). This transfer may concern the transfer of right or
of accountability or both. The delegation of an obligation may or
may not be accompanied by the delegation of right to further
delegate this same obligation [36]. This delegation of rights
depends on the right’s type (access to information, money,
time…) and on the employee’s status, function or position. This
delegation may or may also include not the transfer of obligation
as the obligation to be accountable [32].
2.3 Assignment/delegation process
Assignment is the action of linking an employee to a responsibility
and delegation process is the transfer of an employee’s
responsibility assignment to another employee.
The commitment pledged by the employee related to that
assignment or delegation process represents his moral engagement
to fulfill the action and the assurance that he does it in respect of
an ethical code. The commitment remains a virtual concept,
difficult to define as well as to integrate in a strictly formalized
framework. In [16], Meyer and Allen acknowledge that
“commitment should be conceptualized as a psychological state
concerned with how people feel about their organizational
engagements”. To bypass the integration difficulty, we propose to
integrate in the model the components that enforce the
commitment as an alternative solution. These components
traditionally called “Commitment’s antecedent” in the literature
correspond to more pragmatic variables [17].
The antecedents may take many forms depending of the type of
commitment. These forms are i.e. the characteristics and the
experiences that a person brings to the organization [18], age of
the employee and the time he is part of the organization
[19,20,21], the perception of job security [22], management
culture and style [23], the employee’s investments in time, money
and effort [24]. A scientific survey of the commitment also
highlights that “Commitment outcomes” may really influence the
quality and efficiency of the action achieved. Pfeffer in [25]
explains that “Employee commitment is argued to be critical to
contemporary organizational success”. Following list
summarized commitment outcomes:
• The employee performance [26]. Committed employees
performed better because of their high expectations of
their performance. Moreover, employees have a high
level of performance when there are committed to both
their organization and their profession.
• The retention of the employee. Many studies
demonstrate the link between the commitment and the
employee’s turnover [24,26,27].
• The citizen behavior or extra-role behavior. The
research over these outcomes remain however
inconclusive [28].
Based upon the commitment outcomes and antecedent definition,
we may assumed that being committed to the responsibility of an
action means for an employee on the one hand an increasing of
trust in the achievement of the obligation or in the accountability
attached to the responsibility, and on the other hand more
efficiency (and consequently more capabilities) for this employee
to perform the action.
3. COBIT AND THE RESPONSIBILITY
CONCEPT
COBIT Executive Overview [4] describes COBIT as follows:
COBIT is a framework and supporting tool set that allow
managers to bridge the gap with respect to control
requirements, technical issues and business risks, and
communicate that level of control to employees. COBIT
enables the development of clear policies and good practice
for IT control throughout enterprises. COBIT is continuously
kept up to date and harmonized with other standards and
guidance. Hence, COBIT has become the integrator for IT
good practices and the umbrella framework for IT governance
that helps in understanding and managing the risks and
benefits associated with IT. The process structure of COBIT
and its high-level, business-oriented approach provide an
end-to-end view of IT and the decisions to be made about IT
COBIT addresses the responsibility of all roles played by
employees involved in IT governance actions. The COBIT
responsibility model is formalized through a RACI chart matrix
attached to all 34 COBIT processes. RACI stands for Responsible,
Accountable, Consulted and Informed and explains what the
responsibilities of all employees are regarding the key activities
performance. This COBIT responsibility model differs from the
responsibility model introduced in section 2. To make the
difference between both clearer and to discuss it, we introduce a
summarized representation of the COBIT responsibility model
including its RACI chart on an UML diagram in Figure 2.
Figure 2. COBIT Responsibity UML Diagram
3.1 COBIT’s Concept of Obligation/
Accountability
COBIT introduces the obligation of employees related to their
responsibilities. I.e.: AI6 Acquire and Implement Manage
Changes requests the employee to “Set up formal change
management procedures” or DS11 Deliver and Support Manage
Data requests the implementation of physical security measures.
The meaning of the Cobit obligation is the same as the meaning of
the obligation introduced in section 2
COBIT also addresses the accountability. Accountability and
responsibility are both at the same conceptual level part of the
RACI chart and consequently, represent both a type of obligation
assignment/delegation process to an employee. COBIT defines the
accountable as the employee who provides direction and
authorizes an action whereas the responsible is the employee who
gets the action done. COBIT definitions of responsibility and
accountability are closed to the one provided in section 2 and 2.1.
However, in our responsibility model, accountability is not at the
same level as the responsibility but is a concept that composes the
responsibility.
Moreover, it is also possible to understand some other differences
and nuances between both concepts by analyzing how they are
used in the framework:
• 1st input is the sentence that defines level 2 of the
COBIT maturity model: “An individual assumes his/her
responsibility and is usually held accountable”. This
sentence means that it is possible or not to be
responsible and accountable at the same time.
• 2nd input is “IT management has the resources and
accountability needed to meet service level targets”
from DS1, Define and Manage Service level (Maturity
Model level 5). This sentence means that accountability
is also something that is possessed and as consequence,
may be seen as rather a capability (or a right) than an
accountability (or an obligation). As it appears this
sentence presents the accountability as an authority [25]
more than a duty to give account regarding an
obligation.
As Fox [14] acknowledges, accountability is partially issued from
transparency. By analyzing transparency concept in COBIT, it
appears that it is an IT or process goal for about 11 of the COBIT
controls. Transparency is however often attached to the
understanding of IT costs and to the necessity of IT governance
rather than to the individual responsibility.
The concepts of sanction and answerability do not appear in
COBIT.
3.2 COBIT’s Concept of right
Our responsibility model is composed of different types of rights
like authority, capability or delegation. In COBIT, the concept of
right does not really exist but capability, authority and delegation
are addressed. Right only appears in the sense of access right like
in DS5.3 “Identity Management” or in the sense of rights and
obligations linked to a contractual engagement like i.e. in AI5.4
“IT Resources Acquisition”.
The capability concept is defined in the framework as: “Having
the needed attributes to perform or accomplish […]”. Globally,
capability is an important concept integrated in COBIT and is
related to a process or to an employees’ responsibility.
From the process perspective, the performance of a process is
measured based on what the process has to deliver (process
outcomes), on how it delivers it (process capability) and on how
much it is applied (its coverage). The understanding of this
process capability is different from the capability addressed in our
responsibility model. The COBIT maturity model is derived from
CMMI [29] and is interpreted for IT management processes. For
instance: “To respond to the business requirements for IT, the
enterprise needs to invest in the resources required to create an
adequate technical capability (e.g., an enterprise resource
planning [ERP] system) to support a business capability (e.g.,
implementing a supply chain) resulting in the desired outcome
(e.g., increased sales and financial benefits).”
From the employee perspective, COBIT addresses the capability
like it appears in the responsibility model introduced in section 2:
capability is linked to an employee and is necessary for him to
perform an action. I.e.:
1. ME1.5 Board and Executive Reporting: “Provide
management reports for senior management’s review of the
organization’s progress toward identified goals, […].” In
this case the management report is one capability necessary
for the senior management’s review.
2. AI4.2 Knowledge Transfer to Business Management:
”Transfer knowledge to business management to allow them
to take ownership of the system and data and exercise
responsibility for service delivery and quality, internal
control, and application administration processes[…]” In
this case the knowledge is one capability necessary for the
business management.
Authority is not explicitly defined in COBIT but some sentences
say that this concept may be perceived as a type of capability. I.e.
in the COBIT glossary, the accountability refers to the person or
group who has the authority to approve or accept the execution of
an action. It may consequently be seen as a type of right to
approved or accept an action. Moreover, authority is something
provided to the person that is responsible. I.e. the action «
Assigning sufficient authority to the problem manager” in DS10
“Deliver and Support”
Delegation exists in COBIT and this concept is presented in next
section.
3.3 COBIT’s Assignment/delegation process
Assignment as it appears on Figure 1 exists punctually and in
COBIT it is named allocation of responsibility. Due to the miss of
definition of allocation in the framework, this concept refers
indifferently to many meanings like i.e. in the attribute of the level
1 of the maturity model of PO5 “Manage the IT Investment”
where it corresponds to a type of capability necessary to perform
the management of IT actions rather than an assignment of
responsibility to an employee. Others types of allocations exist
like i.e. the allocation of resources addressed in some section like
in DS3.4 IT Resources Availability of DS3 “Manage
Performance and Capacity” or the allocation of capability that
exists punctually like i.e. the budget allocation attribute of level 4
of the maturity model of DS12 “Manage the Physical
Environment”.
Delegation process exists in COBIT but it is not clear how
different it is from allocation. According to what as been found in
COBIT, delegation concerned the delegation of responsibility like
in level 4 attribute of the maturity model of PO6 “Communicate
Management Aims and Direction” or the delegation of authority
like in PO1.6 “IT Portfolio Management”.
As highlighted in the responsibility model, commitment is an
important concept related to the delegation/assignment process.
Commitment appears in a number of controls of COBIT but it is
not dully defined. I.e.:
• In ME3, the responsibility requirement for being at level
4 is that employees are mindful of their compliance
obligations and that their responsibilities are clearly
understood. This information is interesting in that it
adds a new contribution to the responsibility model that
is the understanding of the obligation. This contribution
could be associated to a commitment antecedent that
contributes to foster the definition of the responsibility
and consequently improves the job description and the
employee’s commitment antecedents.
• In PO6 Communicate Management Aims and Direction:
The sentence “A positive, proactive information control
environment, including a commitment to quality and IT
security awareness, is established” defines the
characteristics of level 4 of the maturity model of this
control.
• In PO10 Manage Project, the PO10.4 Control Objective
is “Employee Commitment: “Obtain commitment and
participation from the affected employees in the
definition and execution of the project within the
context of the overall IT-enabled investment
programme”. Obtaining commitment according to
section 2 could be interpreted by “activating”
commitment antecedents for the employees involved in
that control. The issue of that activation is a set of
commitment outcomes necessary for the project
management.
• As explained in section 3, “responsibility and
accountability are defined and accepted” from level 3
and 4 of the Maturity Model. This notion of acceptance
is interesting because it introduces a commitment of
employees regarding their assignment
Although the commitment concept exists in the framework, it
appears selective and is explicitly required only for project
management control where it is necessary that employees affected
in the definition and execution of the project were committed.
4. ENHANCEMENT OF THE COBIT RACI
CHART
As explained in previous sections, the current representation of
responsibility in the COBIT framework may be enhanced
regarding the 3 elements that composed the responsibility model
introduced in section 2:
1. The right is an important concept in order to achieve an
action or a COBIT control but it is not automatically dully
expressed and it is often linked to the global control (like i.e. the
process input) rather than to responsibility of a precise action
itself.
2. The obligation is spread over all the responsibilities and
the accountability is in the RACI chart at the same conceptual
level as responsibility. This lack of differentiation between the
concepts could lead to misinterpretation such as: “you could be
responsible without being accountable”. That means whatever you
do, there are no consequences for you. At the opposite: “you
could be accountable without being responsible”. In this sense, it
means you might be accountable of something that you are not
responsible for.
3. The commitment appears sporadically for some controls
and in a global way regarding the engagement of some specific
employees. However, it is not adapted specifically for each action.
This issue suggests that the commitment is perceived as an
organizational commitment rather than as a personal commitment
that has to exist for each “action – employee”
assignment/delegation process.
Based upon these statements, the RACI responsibility model
could be improved by the following way (Figure 3):
Figure 3. Enhanced COBIT Responsibity Model
• The obligation, right, capability and commitment are
systematically integrated as components of
responsibility.
• The accountability is no more perceived as an attribute
that links an employee to an action and that is on the
same level as the responsibility but as a component that
composes this responsibility.
• The informed component of the RACI chart is no more
perceived as a type of allocation/assignment of “role –
action” but as a type of right for responsibility.
• The consulted component of the RACI chart is no more
seen as a type of allocation/delegation of “role – action”
but as a type of responsibility.
5. COBIT RACI CHART CASE STUDY
To illustrate the proposed improvement of the COBIT
responsibility model, the Identify system owner’s action of PO4
“Define the IT Processes, Organisation and Relationships” is
analyzed. The RACI chart that concerns this action is represented
in Table 1.
Table 1: COBIT RACI Chart of Identity system owners
Following that RACI chart: The Head Operation (HO) is
responsible; he gets the action done whereas he is not accountable
for it. The CIO is accountable; based on the explanation of the
accountability in section 3.1, he is answerable to the action and is
sanctioned according to the result. In parallel, the HO is
responsible but does not have to justify the achievement of the
action.
Based on our model, the function of the CIO and of the HO could
be clarified: the CIO could have managerial obligations like
provisioning the HO with the necessary right to achieve the
action, controlling the work of the HO, delegating this action if
requested, etc. The HO has Functional Obligations like collecting
information on the system, understanding how it is used and
affecting responsibilities to subalterns. Based upon the
identification of this dual responsibility, we may clarify the
concept of accountability: CIO is accountable for i.e. having
provided the rights to the HO and the HO is accountable for i.e.
having affected responsibilities to subalterns.
The RACI Chart highlights that CFO, Business Executive and
Business Process Owner are consulted. According to our model,
Consult is a type of responsibility and consequently may be
defined based on the corresponding concepts that are
right/capability, obligation/accountability and commitment.
Indeed, to provide the required information, the employee who is
consulted needs to have some rights like: access to some
information or the right to provide information if it is confidential
information. He also has the obligation to provide clear and
accurate data and is accountable for that. This last point means
that he is answerable and is subject to sanction if the information
that he has provided following the consultation is wrong.
Moreover, when an employee is affected as a consulted employee,
he has to be committed to this responsibility and must
consequently have commitment antecedents activated.
Finally, RACI Chart designs five peoples informed of the action.
Being informed may not be associated to a responsibility in that it
is impossible to be accountable or committed to that. Inform or
getting information on the achievement of an action is rather to be
considered as a type of right for responsibility. Indeed, in the
following case study the employee responsible for the
Compliance, Audit, Risk and Security needs to be informed of the
output of the action to performed others actions he is responsible
for like i.e. preparing the list of auditable employees for assessing
system performance.
Additionally, right is formulated for the control in a whole rather
than to a particular action or for a particular responsibility. That
means in our case study that, if we consider the control input of
the PO4 control as rights necessary to achieve the actions of the
control, these rights are automatically provided to every
employees engaged in the control without distinguishing the
action they perform. I.e.: The 10 functions identified in the RACI
chart of the Action « Identify system owners » have indifferent
access to all inputs of the control. These rules are in opposition to
other security rules like the minimum privilege [30] and
separation of duties [31].
Concerning the action Identify system owners again, ten people at
least are involved but only one could be held accountable for the
results. Our model proposed a solution to dispatch the
accountability to all employees who assume responsibilities.
We finally propose to manage the commitment of all employees
when responsibilities are affected or delegated.
6. CONCLUSIONS
Current economic context and ongoing willingness to improve
corporate and IT governance of enterprise advocate a
strengthening of the definition and acceptation of rules that
govern the behavior of a system. Simultaneously, we observe that
the responsibility concept is central to these rules but remains
whatever moderately and in an unstructured way addressed to
professional norms, standards and frameworks.
Consequently, this paper proposes an analysis of the main
concepts that compose the concept of responsibility and defines
an innovative responsibility model that tends to integrate all of the
meaningful analyzed concepts.
The responsibility model is afterwards validated by comparison
with the COBIT RACI chart and some improvements are
proposed and justified to enhanced the perception of
responsibility in this framework: Systematic integration of
obligation, right and commitment as responsibility components,
accountability is a component related to obligation and informed
a type of right, consulted is a type of responsibility and inherits of
its properties.
Finally, the Identify system owners action of PO4 “Define the IT
Processes, Organisation and Relationships” is analyzed to
illustrate the added value of our proposition in a real context.
7. ACKNOWLEDGMENTS
This research was funded by the National Research Fund of
Luxemburg in the context of TITAN (Trust-Assurance for Critical
Infrastructures in Multi-Agents Environments, FNR CO/08/IS/21)
project.
8. REFERENCES
[1] ISO/IEC 38500 (2008), International Standard for
Corporate Governance of IT.
[2] Sarbanes, P. S. and Oxley, M. (2002) “Sarbanes-Oxley Act
of 2002”
[3] Basel Committee on Banking Supervision, “International
convergence of capital measurement and capital standards”;
BIS; Basel, June 2004
[4] COBIT 4.1, Control Objectives for Information and Related
Technology, Information Systems Audit and Control
Association.
[5] ITIL (2001), IT Infrastructure Library – Service Delivery,
The Stationery Office Edition, ISBN 011 3308930.
[6] Vernadat F. B., Enterprise Modelling and Integration,
Chapman & Hall, London (1995), ISBN 0-412-60550-3
[7] ISO/IEC 15504, “Information Technology – Process
assessment”, (parts 1-5), 2003-2006.
[8] Dulay, N., Lupu, E.,. Solman, M., Damianou, N., A Policy
Deployment Model for the Ponder Language, An extended
version of paper in Proc. IEEE/IFIP International
Symposium on Integrated Network Management, Seattle,
May 2001, IEEE Press.
[9] Feltus, C., Petit, M., Building a Responsibility Model
Including Accountability, Capability and Commitment,
Fourth International Conference on Availability, Reliability
and Security, 2009, Fukuoka, Japan
[10] Feltus, C., Petit, M., Vernadat, F., Enhancement of
CIMOSA with Responsibility Concept to Conform to
Principles of Corporate Governance of IT, 13th IFAC
Symposium on Information Control Problems in
Manufacturing, 3-5/6/2009, Moscow, Russia.
[11] Cholvy, L., Cuppens, F., and Saurel, C., Towards a logical
formalization of responsibility, Sixth International
Conference on Artificial Intelligence and Law, pages 233-
242, 1997.
[12] Feltus, C., Petit, M., Ataya, G., Definition and Validation of
a Business IT Alignment Method for Enterprise Governance
Improvement in the Context of Processes Based
Organizations, 2008 Corporate Governance of IT
International Conference, 1-2/12/2008,Wellington, New
Zealand.
[13] Fox, J. A., The uncertain relationship between transparency
and accountability" (August 1, 2007). Center for Global,
International and Regional Studies. Reprint Series. Paper
CGIRS-Reprint-2007-2.
http://repositories.cdlib.org/cgirs/reprint/CGIRS-Reprint-
2007-2
[14] Stahl, B. C. & Wood, Ch. Forming IT Professionals in the
Internet Age: A Critical Case Study" In: Yoong, Pak &
Huff, Sid (eds.) (2006): Managing IT Professionals in the
Internet Age. Idea Group, Hershey, PA: 120 – 139
[15] Dobson, J. and Martin, D., “Enterprise Modeling Based on
Responsibility”, TRUST IN Technology: A Socio-Technical
Perspective, Clarke, K., Hardstone, G., Rouncefield, M. and
Sommerville, I., eds., Springer, 2006.
[16] Meyer, J.P. & Allen, N.J. (1991). ‘A three component
conceptualization of organizational commitment’. Human
Resource Management Review. 1, 61-98
[17] Vandenberghe, C., Bentein, K., Stinglhamber, F., Affective
commitment to the organization, supervisor, and work
group: Antecedents and outcomes, Journal of Vocational
Behavior, Volume 64, Issue 1, February 2004, Pages 47-71
[18] Mowday, R.T., Porter, L. W. and Steers, R. M. (1982),
Employee-Organization Linkages: The Psychology of
Commitment, Absenteeim, and Turnover. New York:
Academic Press.
[19] Buchanana, B., II. (194), Building organizational
Commitment: The Socialization of Managers in work
organizations, Administrative science Quarterly, 19, pp. 533
– 546.
[20] Hall, D. (1977), Organizational Identification as a function
of Career Pattern and Organizational Type, Administrative
Science Quarterly, 17, pp. 340 – 350.
[21] Lio, K. (1995), Professional Orientation and Organizational
Commitment among Employees: an Empirical Study of
Detention Workers, Journal of Public Administration
Research and Theory, 5, pp. 231 – 246.
[22] Niehoff, B. P., Enz, C.A., Grover, R. A. (1990), The Impact
of Top-Management Ctions on Employee Attitudes and
Perceptions, Group & Organization Studies, 15, 3, 337 –
352.
[23] Florkowski, G., Schuster, M. (1992), Support for Profit
Sharing and Organizational Commitment: A Path Analysis,
Human Relations, 45, 5, pp. 507 – 523.
[24] Blau, G. J. (1985), The measurmement and Prediction of
Career Commitment, Journal of Occupational Psychology,
58, pp. 277 – 288.
[25] Pfeffer, J. (1998). The Human Equation. Boston, MA.,
Harvard Business School Press.
[26] Meyer, J. P. Allen, N. J. (1984), Testing the ‘Side-Bet
Theory’ of Organizational Commitment: Some
Methodological Considerations, Journal of Applied
Psychology, 69, pp. 372 – 378
[27] Porter, L.W., Steers, R. M., Mowday, R. T., Boulian, P. V.
(1974), Organizational Commitment, Job Satisfaction, and
Turnover Among Psychiatric Technicians, Journal of
Applied Psychology, 59, pp. 603 – 9.
[28] Williams, E.S., Rondeau, K.V., Francescutti, L.H., Impact
of culture on commitment, satisfaction, and extra-role
behaviors among Canadian ER physicians, Leadership in
Health Services, 2007, vol. 20, Issue 3, 147-158.
[29] Chrissis, M.B., Konrad, M., Shrum, S., CMMI 2° édition -
Guide des bonnes pratiques pour l'amélioration des
processus - CMMI (r) pour le développement, version 1.2
[30] Schneider, F.B., Least privilege and more [computer
security], Security & Privacy, IEEEVolume 1, Issue 5,
Sept.-Oct. 2003 Page(s): 55 – 59
[31] Sandhu, R.,“Transaction Control Expressions for Separation
of Duties,” Proceedings of the 4th Aerospace Computer
Security Conference (December 1988), pp. 282–286.
[32] Norman, T. J. and Reed, C. 2001. Delegation and
Responsibility. In Proceedings of the 7th international
Workshop on intelligent Employees Vii. Employee theories
Architectures and Languages (July 07 - 09, 2000). C.
Castelfranchi and Y. Lespérance, Eds. Lecture Notes In
Computer Science, vol. 1986. Springer-Verlag, London,
136-149.
[33] Laudon, K.C. and Laudon, J.P. (1999), Essentials of
Management Information Systems, 4th edition London et
al., Prentics Hall.
[34] Goodpaster, K.E., Matthews, J.B.Jr., (1982), Can a
corporation have a moral conscience ? Hardvard Business
Review (Jan-Feb 1982), pp. 132 – 141.
[35] Spinello, R. (1997), Case studies in information and
computer ethics, Upper Saddle River, NJ: Prentice Hall.
[36] Ian Sommerville, Russell Lock, Tim Storer and John
Dobson, Deriving Information Requirements from
Responsibility Models, 21st International Conference,
CAiSE 2009, Amsterdam, The Netherlands, June 8-12,
2009. ISBN 978-3-642-02143-5.
[37] Yu, E. S. and Liu, L. 2001. Modelling Trust for System
Design Using the i* Strategic Actors Framework. Workshop
on Deception, Fraud, and Trust in Agent Societies Held
During the Autonomous, Eds. Lecture Notes In Computer
Science, vol. 2246. Springer-Verlag, London, 175-194.
[38] Qingfeng He, Annies I. Antón, A Framework for Privacy-
Enhanced Access Control Analysis in Requirements
Engineering, REFSQ'03, Austria, June 2003.
[39] Roeckle, H., Schimpf, G., and Weidinger, R. 2000. Process-
oriented approach for role-finding to implement role-based
security administration in a large industrial organization.
RBAC '00. ACM, New York, NY, 103-110.

More Related Content

What's hot

Pdf中文檔 (1)
Pdf中文檔 (1)Pdf中文檔 (1)
Pdf中文檔 (1)
Dr. SURAJ KUMAR MUKTI
 
Sociotechnical Management Model for Governance of an Ecosystem
Sociotechnical Management Model for  Governance of an Ecosystem Sociotechnical Management Model for  Governance of an Ecosystem
Sociotechnical Management Model for Governance of an Ecosystem
IJMIT JOURNAL
 
3 Schools of EA
3 Schools of EA3 Schools of EA
3 Schools of EA
James Lapalme
 
Structure
StructureStructure
Structure
Tonyversity
 
Collaborative working
Collaborative workingCollaborative working
Coordination for Situated MAS: Towards an Event-driven Architecture
Coordination for Situated MAS: Towards an Event-driven ArchitectureCoordination for Situated MAS: Towards an Event-driven Architecture
Coordination for Situated MAS: Towards an Event-driven Architecture
Andrea Omicini
 
The benefitsofenterprisearchitecture.2020
The benefitsofenterprisearchitecture.2020The benefitsofenterprisearchitecture.2020
The benefitsofenterprisearchitecture.2020
CarlosRodrigues517978
 
Adoption whitepaper Change Management Microsoft Business Strategy
Adoption whitepaper  Change Management Microsoft Business StrategyAdoption whitepaper  Change Management Microsoft Business Strategy
Adoption whitepaper Change Management Microsoft Business Strategy
Ramon Costa i Pujol
 
Dit yvol3iss28
Dit yvol3iss28Dit yvol3iss28
Dit yvol3iss28
Rick Lemieux
 
BPM BA
BPM BA BPM BA
The Forum August 2010 Issue
The  Forum    August 2010  IssueThe  Forum    August 2010  Issue
The Forum August 2010 Issue
Mauricio Corona
 
Fcn dec 2015 choosing the right comm model
Fcn dec 2015 choosing the right comm modelFcn dec 2015 choosing the right comm model
Fcn dec 2015 choosing the right comm model
Federal Communicators Network
 
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Andrea Omicini
 
Learning Environment for IT Management
Learning Environment for IT ManagementLearning Environment for IT Management
Learning Environment for IT Management
olvegam
 
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
Julio Figueroa
 
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
Andrea Omicini
 
(4) Essay «About Networks, Networked And Network Centric Organizations»
(4) Essay «About Networks, Networked And Network Centric Organizations»(4) Essay «About Networks, Networked And Network Centric Organizations»
(4) Essay «About Networks, Networked And Network Centric Organizations»
Vadim Salnikov
 
Next Generation Enterprise Architecture
Next Generation Enterprise ArchitectureNext Generation Enterprise Architecture
Next Generation Enterprise Architecture
Richard Veryard
 
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Andrea Omicini
 
Group 7 course work presentation
Group 7 course work presentationGroup 7 course work presentation
Group 7 course work presentation
Okello George Patrick
 

What's hot (20)

Pdf中文檔 (1)
Pdf中文檔 (1)Pdf中文檔 (1)
Pdf中文檔 (1)
 
Sociotechnical Management Model for Governance of an Ecosystem
Sociotechnical Management Model for  Governance of an Ecosystem Sociotechnical Management Model for  Governance of an Ecosystem
Sociotechnical Management Model for Governance of an Ecosystem
 
3 Schools of EA
3 Schools of EA3 Schools of EA
3 Schools of EA
 
Structure
StructureStructure
Structure
 
Collaborative working
Collaborative workingCollaborative working
Collaborative working
 
Coordination for Situated MAS: Towards an Event-driven Architecture
Coordination for Situated MAS: Towards an Event-driven ArchitectureCoordination for Situated MAS: Towards an Event-driven Architecture
Coordination for Situated MAS: Towards an Event-driven Architecture
 
The benefitsofenterprisearchitecture.2020
The benefitsofenterprisearchitecture.2020The benefitsofenterprisearchitecture.2020
The benefitsofenterprisearchitecture.2020
 
Adoption whitepaper Change Management Microsoft Business Strategy
Adoption whitepaper  Change Management Microsoft Business StrategyAdoption whitepaper  Change Management Microsoft Business Strategy
Adoption whitepaper Change Management Microsoft Business Strategy
 
Dit yvol3iss28
Dit yvol3iss28Dit yvol3iss28
Dit yvol3iss28
 
BPM BA
BPM BA BPM BA
BPM BA
 
The Forum August 2010 Issue
The  Forum    August 2010  IssueThe  Forum    August 2010  Issue
The Forum August 2010 Issue
 
Fcn dec 2015 choosing the right comm model
Fcn dec 2015 choosing the right comm modelFcn dec 2015 choosing the right comm model
Fcn dec 2015 choosing the right comm model
 
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
 
Learning Environment for IT Management
Learning Environment for IT ManagementLearning Environment for IT Management
Learning Environment for IT Management
 
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
CREATING AND SHARING KNOWLEDGE THROUGH A CORPORATE SOCIAL NETWORKING SITE: TH...
 
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
From Coordination to Semantic Self-Organisation: A Perspective on the Enginee...
 
(4) Essay «About Networks, Networked And Network Centric Organizations»
(4) Essay «About Networks, Networked And Network Centric Organizations»(4) Essay «About Networks, Networked And Network Centric Organizations»
(4) Essay «About Networks, Networked And Network Centric Organizations»
 
Next Generation Enterprise Architecture
Next Generation Enterprise ArchitectureNext Generation Enterprise Architecture
Next Generation Enterprise Architecture
 
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...Complexity & Interaction: Blurring Borders between Physical, Computational, a...
Complexity & Interaction: Blurring Borders between Physical, Computational, a...
 
Group 7 course work presentation
Group 7 course work presentationGroup 7 course work presentation
Group 7 course work presentation
 

Viewers also liked

Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Luxembourg Institute of Science and Technology
 
EAC PowerPoint - Presented 11 04 2014
EAC PowerPoint - Presented 11 04 2014EAC PowerPoint - Presented 11 04 2014
EAC PowerPoint - Presented 11 04 2014
David Rushing
 
Culinary Curling
Culinary Curling Culinary Curling
Culinary Curling
Brad Flatoff
 
Burning of the Door of Janabe Zahra (s.a.)
Burning of the Door of Janabe Zahra (s.a.)Burning of the Door of Janabe Zahra (s.a.)
Burning of the Door of Janabe Zahra (s.a.)
Asif Shakir
 
Product reengineering solution for a global web services enterprise.
Product reengineering solution for a global web services enterprise.Product reengineering solution for a global web services enterprise.
Product reengineering solution for a global web services enterprise.
Mindtree Ltd.
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
Luxembourg Institute of Science and Technology
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
Luxembourg Institute of Science and Technology
 
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
Fay Tsolis
 
Minamb ii recaudos estudio de impacto ambiental y socio cultural
Minamb ii   recaudos estudio de impacto ambiental y socio culturalMinamb ii   recaudos estudio de impacto ambiental y socio cultural
Minamb ii recaudos estudio de impacto ambiental y socio cultural
martinserrano
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
Luxembourg Institute of Science and Technology
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
Luxembourg Institute of Science and Technology
 
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
Luxembourg Institute of Science and Technology
 
On the road of theoretical imagination: Reflections on alternative communicat...
On the road of theoretical imagination: Reflections on alternative communicat...On the road of theoretical imagination: Reflections on alternative communicat...
On the road of theoretical imagination: Reflections on alternative communicat...
chsb
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
Luxembourg Institute of Science and Technology
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
Luxembourg Institute of Science and Technology
 
Mitos (1)
Mitos (1)Mitos (1)
Mitos (1)
ticparasonreir
 
Medicina preventiva y ocupacional mepro - rodelu consultores tecnológicos
Medicina preventiva y ocupacional   mepro - rodelu consultores tecnológicosMedicina preventiva y ocupacional   mepro - rodelu consultores tecnológicos
Medicina preventiva y ocupacional mepro - rodelu consultores tecnológicos
Antonio Garin Rodríguez
 
Electronic-star.sk - predstavenie
Electronic-star.sk - predstavenieElectronic-star.sk - predstavenie
Electronic-star.sk - predstavenie
electronic-star a.s.
 
Trece colonias
Trece coloniasTrece colonias
Trece colonias
patapon2
 

Viewers also liked (20)

Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Wendy Smith 2015
Wendy Smith 2015Wendy Smith 2015
Wendy Smith 2015
 
EAC PowerPoint - Presented 11 04 2014
EAC PowerPoint - Presented 11 04 2014EAC PowerPoint - Presented 11 04 2014
EAC PowerPoint - Presented 11 04 2014
 
Culinary Curling
Culinary Curling Culinary Curling
Culinary Curling
 
Burning of the Door of Janabe Zahra (s.a.)
Burning of the Door of Janabe Zahra (s.a.)Burning of the Door of Janabe Zahra (s.a.)
Burning of the Door of Janabe Zahra (s.a.)
 
Product reengineering solution for a global web services enterprise.
Product reengineering solution for a global web services enterprise.Product reengineering solution for a global web services enterprise.
Product reengineering solution for a global web services enterprise.
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
Διεθνές και Εξαγωγικό Μάρκετινγκ (Country of Origin Effect)
 
Minamb ii recaudos estudio de impacto ambiental y socio cultural
Minamb ii   recaudos estudio de impacto ambiental y socio culturalMinamb ii   recaudos estudio de impacto ambiental y socio cultural
Minamb ii recaudos estudio de impacto ambiental y socio cultural
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT R...
 
On the road of theoretical imagination: Reflections on alternative communicat...
On the road of theoretical imagination: Reflections on alternative communicat...On the road of theoretical imagination: Reflections on alternative communicat...
On the road of theoretical imagination: Reflections on alternative communicat...
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Mitos (1)
Mitos (1)Mitos (1)
Mitos (1)
 
Medicina preventiva y ocupacional mepro - rodelu consultores tecnológicos
Medicina preventiva y ocupacional   mepro - rodelu consultores tecnológicosMedicina preventiva y ocupacional   mepro - rodelu consultores tecnológicos
Medicina preventiva y ocupacional mepro - rodelu consultores tecnológicos
 
Electronic-star.sk - predstavenie
Electronic-star.sk - predstavenieElectronic-star.sk - predstavenie
Electronic-star.sk - predstavenie
 
Trece colonias
Trece coloniasTrece colonias
Trece colonias
 

Similar to Strengthening employee’s responsibility to enhance governance of it – cobit raci chart case study

Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
christophefeltus
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
christophefeltus
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
Luxembourg Institute of Science and Technology
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
christophefeltus
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
Luxembourg Institute of Science and Technology
 
Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...
Luxembourg Institute of Science and Technology
 
Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...
christophefeltus
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
christophefeltus
 
Re mola responsibility model language to align access rights with business pr...
Re mola responsibility model language to align access rights with business pr...Re mola responsibility model language to align access rights with business pr...
Re mola responsibility model language to align access rights with business pr...
christophefeltus
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
Luxembourg Institute of Science and Technology
 
Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...
Luxembourg Institute of Science and Technology
 
Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...
christophefeltus
 
Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...
Luxembourg Institute of Science and Technology
 
Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...
christophefeltus
 
State of the art of agile governance a systematic review
State of the art of agile governance a systematic reviewState of the art of agile governance a systematic review
State of the art of agile governance a systematic review
ijcsit
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
christophefeltus
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
Luxembourg Institute of Science and Technology
 
From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...
IJECEIAES
 
Organization And Technical Aspects Of The Workflow
Organization And Technical Aspects Of The WorkflowOrganization And Technical Aspects Of The Workflow
Organization And Technical Aspects Of The Workflow
Michelle Singh
 
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docxNew England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
vannagoforth
 

Similar to Strengthening employee’s responsibility to enhance governance of it – cobit raci chart case study (20)

Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
 
Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...
 
Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...Conceptualizing a responsibility based approach for elaborating and verifying...
Conceptualizing a responsibility based approach for elaborating and verifying...
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Re mola responsibility model language to align access rights with business pr...
Re mola responsibility model language to align access rights with business pr...Re mola responsibility model language to align access rights with business pr...
Re mola responsibility model language to align access rights with business pr...
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
 
Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...
 
Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...Building a responsibility model including accountability capability and commi...
Building a responsibility model including accountability capability and commi...
 
Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...
 
Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...Enhancement of business it alignment by including responsibility components i...
Enhancement of business it alignment by including responsibility components i...
 
State of the art of agile governance a systematic review
State of the art of agile governance a systematic reviewState of the art of agile governance a systematic review
State of the art of agile governance a systematic review
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...From IT service management to IT service governance: An ontological approach ...
From IT service management to IT service governance: An ontological approach ...
 
Organization And Technical Aspects Of The Workflow
Organization And Technical Aspects Of The WorkflowOrganization And Technical Aspects Of The Workflow
Organization And Technical Aspects Of The Workflow
 
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docxNew England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
New England CollegeFI6315 Managerial FinanceSummer I 2019P.docx
 

More from Luxembourg Institute of Science and Technology

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Luxembourg Institute of Science and Technology
 
Joint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forumJoint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forum
Luxembourg Institute of Science and Technology
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
Luxembourg Institute of Science and Technology
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
Luxembourg Institute of Science and Technology
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
Luxembourg Institute of Science and Technology
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
Luxembourg Institute of Science and Technology
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
Luxembourg Institute of Science and Technology
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
Luxembourg Institute of Science and Technology
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
Luxembourg Institute of Science and Technology
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
Luxembourg Institute of Science and Technology
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
Luxembourg Institute of Science and Technology
 
Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...
Luxembourg Institute of Science and Technology
 
Industry program panel
Industry program panelIndustry program panel
Improving operational risk management systems by formalizing the basel ii reg...
Improving operational risk management systems by formalizing the basel ii reg...Improving operational risk management systems by formalizing the basel ii reg...
Improving operational risk management systems by formalizing the basel ii reg...
Luxembourg Institute of Science and Technology
 
If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...
Luxembourg Institute of Science and Technology
 
Financial critical infrastructure a mas trusted architecture for alert detect...
Financial critical infrastructure a mas trusted architecture for alert detect...Financial critical infrastructure a mas trusted architecture for alert detect...
Financial critical infrastructure a mas trusted architecture for alert detect...
Luxembourg Institute of Science and Technology
 
Evaluation de la qualité des processus informatiques en petites et moyennes e...
Evaluation de la qualité des processus informatiques en petites et moyennes e...Evaluation de la qualité des processus informatiques en petites et moyennes e...
Evaluation de la qualité des processus informatiques en petites et moyennes e...
Luxembourg Institute of Science and Technology
 
Enterprise architecture enhanced with responsibility to manage access rights ...
Enterprise architecture enhanced with responsibility to manage access rights ...Enterprise architecture enhanced with responsibility to manage access rights ...
Enterprise architecture enhanced with responsibility to manage access rights ...
Luxembourg Institute of Science and Technology
 

More from Luxembourg Institute of Science and Technology (19)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Joint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forumJoint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forum
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
 
Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...
 
Industry program panel
Industry program panelIndustry program panel
Industry program panel
 
Improving operational risk management systems by formalizing the basel ii reg...
Improving operational risk management systems by formalizing the basel ii reg...Improving operational risk management systems by formalizing the basel ii reg...
Improving operational risk management systems by formalizing the basel ii reg...
 
If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...
 
Financial critical infrastructure a mas trusted architecture for alert detect...
Financial critical infrastructure a mas trusted architecture for alert detect...Financial critical infrastructure a mas trusted architecture for alert detect...
Financial critical infrastructure a mas trusted architecture for alert detect...
 
Evaluation de la qualité des processus informatiques en petites et moyennes e...
Evaluation de la qualité des processus informatiques en petites et moyennes e...Evaluation de la qualité des processus informatiques en petites et moyennes e...
Evaluation de la qualité des processus informatiques en petites et moyennes e...
 
Enterprise architecture enhanced with responsibility to manage access rights ...
Enterprise architecture enhanced with responsibility to manage access rights ...Enterprise architecture enhanced with responsibility to manage access rights ...
Enterprise architecture enhanced with responsibility to manage access rights ...
 

Recently uploaded

AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
Faculty of Applied Chemistry and Materials Science
 
Plant Kingdom BioHack class 11 neet ....
Plant Kingdom BioHack class 11 neet ....Plant Kingdom BioHack class 11 neet ....
Plant Kingdom BioHack class 11 neet ....
anushkakharat13
 
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
Sérgio Sacani
 
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptxSCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
WALTONMARBRUCAL
 
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdfHow Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
Task Train
 
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina PârvulescuMARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
Faculty of Applied Chemistry and Materials Science
 
Potential of Marine Renewable and Non renewable energy.pptx
Potential of Marine Renewable and Non renewable energy.pptxPotential of Marine Renewable and Non renewable energy.pptx
Potential of Marine Renewable and Non renewable energy.pptx
J. Bovas Joel BFSc
 
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physicsTHE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
Dr. sreeremya S
 
Rapid pulse drying of marine biomasses - Sigurd Sannan
Rapid pulse drying of marine biomasses - Sigurd SannanRapid pulse drying of marine biomasses - Sigurd Sannan
Rapid pulse drying of marine biomasses - Sigurd Sannan
Faculty of Applied Chemistry and Materials Science
 
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
Sérgio Sacani
 
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra IonBiochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Faculty of Applied Chemistry and Materials Science
 
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
bellared2
 
Composting blue materials - Joshua Cabell
Composting blue materials - Joshua CabellComposting blue materials - Joshua Cabell
Composting blue materials - Joshua Cabell
Faculty of Applied Chemistry and Materials Science
 
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
Dr NEETHU ASOKAN
 
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptxellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
muralinath2
 
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with PhytoremediationPhytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Gurjant Singh
 
Lunar Mobility Drivers and Needs - Artemis
Lunar Mobility Drivers and Needs - ArtemisLunar Mobility Drivers and Needs - Artemis
Lunar Mobility Drivers and Needs - Artemis
Sérgio Sacani
 
Adjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyerAdjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyer
pablovgd
 
Traditional, current and future use of fish and seaweed for fertilisation - ...
Traditional, current and future use of fish and seaweed for fertilisation -  ...Traditional, current and future use of fish and seaweed for fertilisation -  ...
Traditional, current and future use of fish and seaweed for fertilisation - ...
Faculty of Applied Chemistry and Materials Science
 
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptxBIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
alishyt102010
 

Recently uploaded (20)

AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
AlgaeBrew project - Unlocking the potential of microalgae for the valorisatio...
 
Plant Kingdom BioHack class 11 neet ....
Plant Kingdom BioHack class 11 neet ....Plant Kingdom BioHack class 11 neet ....
Plant Kingdom BioHack class 11 neet ....
 
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
 
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptxSCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
SCIENCEgfvhvhvkjkbbjjbbjvhvhvhvjkvjvjvjj.pptx
 
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdfHow Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
How Does TaskTrain Integrate Workflow and Project Management Efficiently.pdf
 
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina PârvulescuMARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
 
Potential of Marine Renewable and Non renewable energy.pptx
Potential of Marine Renewable and Non renewable energy.pptxPotential of Marine Renewable and Non renewable energy.pptx
Potential of Marine Renewable and Non renewable energy.pptx
 
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physicsTHE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
THE ESSENCE OF CHANGE CHAPTER ,energy,conversion,life is easy,laws of physics
 
Rapid pulse drying of marine biomasses - Sigurd Sannan
Rapid pulse drying of marine biomasses - Sigurd SannanRapid pulse drying of marine biomasses - Sigurd Sannan
Rapid pulse drying of marine biomasses - Sigurd Sannan
 
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
SOFIA/HAWC+ FAR-INFRARED POLARIMETRIC LARGE-AREA CMZ EXPLORATION (FIREPLACE) ...
 
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra IonBiochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
 
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
 
Composting blue materials - Joshua Cabell
Composting blue materials - Joshua CabellComposting blue materials - Joshua Cabell
Composting blue materials - Joshua Cabell
 
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
Bioconversion of sago waste and oil cakes into biobutanol using Environmental...
 
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptxellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
ellipticytescausesprognosistreatment-240622051139-23d50b05.pptx
 
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with PhytoremediationPhytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with Phytoremediation
 
Lunar Mobility Drivers and Needs - Artemis
Lunar Mobility Drivers and Needs - ArtemisLunar Mobility Drivers and Needs - Artemis
Lunar Mobility Drivers and Needs - Artemis
 
Adjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyerAdjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyer
 
Traditional, current and future use of fish and seaweed for fertilisation - ...
Traditional, current and future use of fish and seaweed for fertilisation -  ...Traditional, current and future use of fish and seaweed for fertilisation -  ...
Traditional, current and future use of fish and seaweed for fertilisation - ...
 
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptxBIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
BIOPHYSICS Interactions of molecules in 3-D space-determining binding and.pptx
 

Strengthening employee’s responsibility to enhance governance of it – cobit raci chart case study

  • 1. Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study Christophe Feltus Public Research Center Henri Tudor Luxembourg-Kirchberg, Luxembourg PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium christophe.feltus@tudor.lu Michaël Petit PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium mpe@info.fundp.ac.be Eric Dubois Public Research Center Henri Tudor Luxembourg-Kirchberg, Luxembourg eric.dubois@tudor.lu ABSTRACT The ongoing financial markets debacle and the global economic context advocate enhancing the governance of the companies and, de facto, improving the elaboration and the understanding of employees’ responsibilities. Furthermore, the moral aspects of the business and the employees’ commitment have appeared as becoming increasingly unavoidable to face emerging ethical challenges. These arising requirements have oriented our research toward the elaboration of an innovative responsibility model built on the concepts of obligation/accountability, right and commitment. This paper aims to present, validate and improve the responsibility model on the basis of a comparison to related concepts from the COBIT framework. In parallel to this improvement, proposals of conceptual modification of the COBIT framework are made and illustrated based on the RACI chart. Categories and Subject Descriptors K.6.1 [Management of Computing and Information Systems]: Project and People Management – Staffing, Strategic information systems planning, Systems analysis and design, System development. General Terms Management, Reliability, Security, Human Factors, Theory. Keywords Responsibility Model, IT Governance, IT Management, COBIT, RACI Chart, Business Ethic, Employee Commitment. 1. INTRODUCTION The current crisis has highlighted the necessity for a global rethinking of the economy. Industrial analyses as well as academic surveys have put forward the need for improving the governance of Information Technology (IT) such as the control, the procurement of and the alignment with the business and the employees’ engagement in more ethics, transparency, accountability and commitment. All of these domains are gathered under the Corporate Governance umbrella and are progressively integrated in standards and norms such as ISO/IEC 38500:2008 [1] that provides principles for the corporate governance of IT, SOX [2] that describes requirements and specific mandates for financial reporting or Basel II [3] that defines rigorous risk and capital management requirements for the banking sector. In parallel to these newly arising and progressively formalized requirements for improving the governance of IT, companies are used to work with well-known experienced and approved management frameworks for their day-to-day operations, IT follow-up activities or investments. These frameworks mostly target a well-defined activity domain or a precise technology, and address the above listed governance’s requirements through a very specific approach and well-defined areas, i.e. COBIT [4], a framework that enables the development of clear policies and good practice for IT control throughout enterprises, IT Infrastructure Library (ITIL) [5], a public library that focuses on IT services management for high-quality service provision, CIMOSA [6], an enterprise architecture model to define industrial computer system architecture or the international standard ISO/IEC 15504 [7] a framework for the assessment of software processes. All of them deal in one way or another with responsibility elements and the consequence of this abundance of frameworks is the existence of an equal amount of responsibility models and interpretations. Based on the assumption that all of these models are consistently used for the elicitation of corporate rules and policies, it is obvious that defining a common responsibility model among them would quickly bring relevant benefits for the business. Moreover, assuming that these rules and polices most of the time formulate the behavior of a system [8] and of its employees, we deduce that having these responsibility suitably defined represents a paramount significance for the governance of companies. Assuming the importance of the responsibility concept, the analysis of its representation through professional standards, norms and frameworks as well as the examination of scientific literature highlight, that, as yet, a consensual and common understanding of its conceptual components does not exist. Taking that into account, our research aspires to globally improve the IT governance mainly by advising a common responsibility model dedicated to industrial and scientific usage. This model of Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. WISG’09, November 13, 2009, Chicago, Illinois, USA. Copyright 2009 ACM 978-1-60558-787-5/09/11...$10.00.
  • 2. responsibility may later be used to refine the elicitation of pragmatic IT policies such as the access control one. In this paper, we present the responsibility model and explain some of its most important components in section 2. The research method used to develop this model is a two steps approach. In step 1, we depict the scientific literature in the field of responsibility to identify its main conceptual components. In step 2, we elaborate a UML responsibility model based on the component found in step 1 and we operate successive refinements by comparing it with existing professional management framework. Afterward, we introduce in section 3 the COBIT’s responsibility elements through a synthetic UML diagram. Then we compare the responsibility model elaborated in section 2 with the responsibility constructs encompassed in that diagram and we advise on some COBIT enhancements according to the most significant responsibility concepts of our responsibility model in section 4. Finally, in section 5 we illustrate the improvement by analyzing the COBIT’ Identify system owners’ action of PO4 “Define the IT Processes, Organisation and Relationships”. 2. THE RESPONSIBILITY CONCEPT The responsibility model (Figure 1) was elaborated through a double activity. First, the theoretical model was constructed based on the analysis of the responsibility conceptual components issued from social [19], managerial [8,16,19,22], psychological [18,24,26,27] and computer science [11,30,31] literature’s incomes. Secondly, this theoretical model was enhanced and validated by confrontation with industrial frameworks. Simultaneously, improvements of these existing industrial frameworks were proposed by adjunction of conceptual components from the responsibility model they lack. I.e. [9,10,12]. Figure 1. Responsibility Model UML Diagram. The analysis of the responsibility concept [11,12] highlights that there is a plethora of definitions of it. We may however state that commonly accepted definitions of responsibility encompass the idea of having the obligation to ensure that something happens. 2.1 Concept of Obligation/Accountability Obligation is the most frequent concept that appears in literature as well as in industrial and professional frameworks. Two types of obligation have been defined by Dobson [13]: functional obligation as what a role must do with respect to a state of affairs (e.g. execute an activity) and a structural (managerial) obligation as what a role must do in order to fulfill a responsibility such as directing, supervising and monitoring, whenever an obligation or a right is delegated. Accountability and answerability are closed concepts that are composed of one or several obligation(s) to report the achievement, maintenance or avoidance of some given state [36] to an authority. The difference between both concepts is that one accountability is composed of one answerability and zero or one sanction [13]. Stahl [14] argues that accountability describes the structures, which have to be in place to facilitate responsibility and that responsibility is the ascription of an object to a subject rendering the subject answerable for the object. Stahl also focuses on the sanction as being of central importance for responsibility. He nuances the sanction as positive or negative. The answerability is defined by Cholvy as “an obligation or a moral
  • 3. duty to report or explain the action or someone else’s action to a given authority” [11]. There are other definitions of accountability. Laudon and Laudon [33] define this concept in the following way: “Accountability is a feature of systems and social institutions: It means that mechanisms are in place to determine who took responsibility of actions” with the following definition: “responsibility has to do with tracing the causes of actions and events, of finding out who is answerable in a given situation”. For Goodpaster and Matthews [34] accountability is a mechanism’ set allowing such tracing of causes, actions, and events whereas for Spinello [35], it is a necessary but not a sufficient responsibility condition. 2.2 Concept of right The concept of right is common but is not systematically embedded in the frameworks. It encompasses facilities required by an employee to fulfil his accountabilities. These facilities could include, amongst others capabilities, authorities or the right to delegate. Capability describes the possession of requisite qualities, skills or resources to perform an action. Capability is a component that is part of all models and methods [6,36,37], and is most frequently declined through definitions of access rights, authorizations or permissions [38,39]. Authority describes the power or right to give orders or makes decisions. This concept is introduced in CIMOSA [6] as the “power” to command and control other employees and to assign responsibilities. CIMOSA argues that responsible employees have rights over resource in the first place and over process, action and task in the second place. CIMOSA distinguishes resources from their capabilities: Resources are companies’ assets required for carrying out processes whereas capabilities are technical abilities provided by a specific resource and are of four types (functional, performance, object oriented or operational). Delegation right is a type of right to transfer some part of the responsibility to another employee that pledges commitment for it (Cf. section 2.3). This transfer may concern the transfer of right or of accountability or both. The delegation of an obligation may or may not be accompanied by the delegation of right to further delegate this same obligation [36]. This delegation of rights depends on the right’s type (access to information, money, time…) and on the employee’s status, function or position. This delegation may or may also include not the transfer of obligation as the obligation to be accountable [32]. 2.3 Assignment/delegation process Assignment is the action of linking an employee to a responsibility and delegation process is the transfer of an employee’s responsibility assignment to another employee. The commitment pledged by the employee related to that assignment or delegation process represents his moral engagement to fulfill the action and the assurance that he does it in respect of an ethical code. The commitment remains a virtual concept, difficult to define as well as to integrate in a strictly formalized framework. In [16], Meyer and Allen acknowledge that “commitment should be conceptualized as a psychological state concerned with how people feel about their organizational engagements”. To bypass the integration difficulty, we propose to integrate in the model the components that enforce the commitment as an alternative solution. These components traditionally called “Commitment’s antecedent” in the literature correspond to more pragmatic variables [17]. The antecedents may take many forms depending of the type of commitment. These forms are i.e. the characteristics and the experiences that a person brings to the organization [18], age of the employee and the time he is part of the organization [19,20,21], the perception of job security [22], management culture and style [23], the employee’s investments in time, money and effort [24]. A scientific survey of the commitment also highlights that “Commitment outcomes” may really influence the quality and efficiency of the action achieved. Pfeffer in [25] explains that “Employee commitment is argued to be critical to contemporary organizational success”. Following list summarized commitment outcomes: • The employee performance [26]. Committed employees performed better because of their high expectations of their performance. Moreover, employees have a high level of performance when there are committed to both their organization and their profession. • The retention of the employee. Many studies demonstrate the link between the commitment and the employee’s turnover [24,26,27]. • The citizen behavior or extra-role behavior. The research over these outcomes remain however inconclusive [28]. Based upon the commitment outcomes and antecedent definition, we may assumed that being committed to the responsibility of an action means for an employee on the one hand an increasing of trust in the achievement of the obligation or in the accountability attached to the responsibility, and on the other hand more efficiency (and consequently more capabilities) for this employee to perform the action. 3. COBIT AND THE RESPONSIBILITY CONCEPT COBIT Executive Overview [4] describes COBIT as follows: COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to employees. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonized with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT COBIT addresses the responsibility of all roles played by employees involved in IT governance actions. The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes. RACI stands for Responsible, Accountable, Consulted and Informed and explains what the responsibilities of all employees are regarding the key activities performance. This COBIT responsibility model differs from the
  • 4. responsibility model introduced in section 2. To make the difference between both clearer and to discuss it, we introduce a summarized representation of the COBIT responsibility model including its RACI chart on an UML diagram in Figure 2. Figure 2. COBIT Responsibity UML Diagram 3.1 COBIT’s Concept of Obligation/ Accountability COBIT introduces the obligation of employees related to their responsibilities. I.e.: AI6 Acquire and Implement Manage Changes requests the employee to “Set up formal change management procedures” or DS11 Deliver and Support Manage Data requests the implementation of physical security measures. The meaning of the Cobit obligation is the same as the meaning of the obligation introduced in section 2 COBIT also addresses the accountability. Accountability and responsibility are both at the same conceptual level part of the RACI chart and consequently, represent both a type of obligation assignment/delegation process to an employee. COBIT defines the accountable as the employee who provides direction and authorizes an action whereas the responsible is the employee who gets the action done. COBIT definitions of responsibility and accountability are closed to the one provided in section 2 and 2.1. However, in our responsibility model, accountability is not at the same level as the responsibility but is a concept that composes the responsibility. Moreover, it is also possible to understand some other differences and nuances between both concepts by analyzing how they are used in the framework: • 1st input is the sentence that defines level 2 of the COBIT maturity model: “An individual assumes his/her responsibility and is usually held accountable”. This sentence means that it is possible or not to be responsible and accountable at the same time. • 2nd input is “IT management has the resources and accountability needed to meet service level targets” from DS1, Define and Manage Service level (Maturity Model level 5). This sentence means that accountability is also something that is possessed and as consequence, may be seen as rather a capability (or a right) than an accountability (or an obligation). As it appears this sentence presents the accountability as an authority [25] more than a duty to give account regarding an obligation. As Fox [14] acknowledges, accountability is partially issued from transparency. By analyzing transparency concept in COBIT, it appears that it is an IT or process goal for about 11 of the COBIT controls. Transparency is however often attached to the understanding of IT costs and to the necessity of IT governance rather than to the individual responsibility. The concepts of sanction and answerability do not appear in COBIT. 3.2 COBIT’s Concept of right Our responsibility model is composed of different types of rights like authority, capability or delegation. In COBIT, the concept of right does not really exist but capability, authority and delegation are addressed. Right only appears in the sense of access right like in DS5.3 “Identity Management” or in the sense of rights and obligations linked to a contractual engagement like i.e. in AI5.4 “IT Resources Acquisition”. The capability concept is defined in the framework as: “Having the needed attributes to perform or accomplish […]”. Globally,
  • 5. capability is an important concept integrated in COBIT and is related to a process or to an employees’ responsibility. From the process perspective, the performance of a process is measured based on what the process has to deliver (process outcomes), on how it delivers it (process capability) and on how much it is applied (its coverage). The understanding of this process capability is different from the capability addressed in our responsibility model. The COBIT maturity model is derived from CMMI [29] and is interpreted for IT management processes. For instance: “To respond to the business requirements for IT, the enterprise needs to invest in the resources required to create an adequate technical capability (e.g., an enterprise resource planning [ERP] system) to support a business capability (e.g., implementing a supply chain) resulting in the desired outcome (e.g., increased sales and financial benefits).” From the employee perspective, COBIT addresses the capability like it appears in the responsibility model introduced in section 2: capability is linked to an employee and is necessary for him to perform an action. I.e.: 1. ME1.5 Board and Executive Reporting: “Provide management reports for senior management’s review of the organization’s progress toward identified goals, […].” In this case the management report is one capability necessary for the senior management’s review. 2. AI4.2 Knowledge Transfer to Business Management: ”Transfer knowledge to business management to allow them to take ownership of the system and data and exercise responsibility for service delivery and quality, internal control, and application administration processes[…]” In this case the knowledge is one capability necessary for the business management. Authority is not explicitly defined in COBIT but some sentences say that this concept may be perceived as a type of capability. I.e. in the COBIT glossary, the accountability refers to the person or group who has the authority to approve or accept the execution of an action. It may consequently be seen as a type of right to approved or accept an action. Moreover, authority is something provided to the person that is responsible. I.e. the action « Assigning sufficient authority to the problem manager” in DS10 “Deliver and Support” Delegation exists in COBIT and this concept is presented in next section. 3.3 COBIT’s Assignment/delegation process Assignment as it appears on Figure 1 exists punctually and in COBIT it is named allocation of responsibility. Due to the miss of definition of allocation in the framework, this concept refers indifferently to many meanings like i.e. in the attribute of the level 1 of the maturity model of PO5 “Manage the IT Investment” where it corresponds to a type of capability necessary to perform the management of IT actions rather than an assignment of responsibility to an employee. Others types of allocations exist like i.e. the allocation of resources addressed in some section like in DS3.4 IT Resources Availability of DS3 “Manage Performance and Capacity” or the allocation of capability that exists punctually like i.e. the budget allocation attribute of level 4 of the maturity model of DS12 “Manage the Physical Environment”. Delegation process exists in COBIT but it is not clear how different it is from allocation. According to what as been found in COBIT, delegation concerned the delegation of responsibility like in level 4 attribute of the maturity model of PO6 “Communicate Management Aims and Direction” or the delegation of authority like in PO1.6 “IT Portfolio Management”. As highlighted in the responsibility model, commitment is an important concept related to the delegation/assignment process. Commitment appears in a number of controls of COBIT but it is not dully defined. I.e.: • In ME3, the responsibility requirement for being at level 4 is that employees are mindful of their compliance obligations and that their responsibilities are clearly understood. This information is interesting in that it adds a new contribution to the responsibility model that is the understanding of the obligation. This contribution could be associated to a commitment antecedent that contributes to foster the definition of the responsibility and consequently improves the job description and the employee’s commitment antecedents. • In PO6 Communicate Management Aims and Direction: The sentence “A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established” defines the characteristics of level 4 of the maturity model of this control. • In PO10 Manage Project, the PO10.4 Control Objective is “Employee Commitment: “Obtain commitment and participation from the affected employees in the definition and execution of the project within the context of the overall IT-enabled investment programme”. Obtaining commitment according to section 2 could be interpreted by “activating” commitment antecedents for the employees involved in that control. The issue of that activation is a set of commitment outcomes necessary for the project management. • As explained in section 3, “responsibility and accountability are defined and accepted” from level 3 and 4 of the Maturity Model. This notion of acceptance is interesting because it introduces a commitment of employees regarding their assignment Although the commitment concept exists in the framework, it appears selective and is explicitly required only for project management control where it is necessary that employees affected in the definition and execution of the project were committed. 4. ENHANCEMENT OF THE COBIT RACI CHART As explained in previous sections, the current representation of responsibility in the COBIT framework may be enhanced regarding the 3 elements that composed the responsibility model introduced in section 2:
  • 6. 1. The right is an important concept in order to achieve an action or a COBIT control but it is not automatically dully expressed and it is often linked to the global control (like i.e. the process input) rather than to responsibility of a precise action itself. 2. The obligation is spread over all the responsibilities and the accountability is in the RACI chart at the same conceptual level as responsibility. This lack of differentiation between the concepts could lead to misinterpretation such as: “you could be responsible without being accountable”. That means whatever you do, there are no consequences for you. At the opposite: “you could be accountable without being responsible”. In this sense, it means you might be accountable of something that you are not responsible for. 3. The commitment appears sporadically for some controls and in a global way regarding the engagement of some specific employees. However, it is not adapted specifically for each action. This issue suggests that the commitment is perceived as an organizational commitment rather than as a personal commitment that has to exist for each “action – employee” assignment/delegation process. Based upon these statements, the RACI responsibility model could be improved by the following way (Figure 3): Figure 3. Enhanced COBIT Responsibity Model • The obligation, right, capability and commitment are systematically integrated as components of responsibility. • The accountability is no more perceived as an attribute that links an employee to an action and that is on the same level as the responsibility but as a component that composes this responsibility. • The informed component of the RACI chart is no more perceived as a type of allocation/assignment of “role – action” but as a type of right for responsibility. • The consulted component of the RACI chart is no more seen as a type of allocation/delegation of “role – action” but as a type of responsibility. 5. COBIT RACI CHART CASE STUDY To illustrate the proposed improvement of the COBIT responsibility model, the Identify system owner’s action of PO4 “Define the IT Processes, Organisation and Relationships” is analyzed. The RACI chart that concerns this action is represented in Table 1.
  • 7. Table 1: COBIT RACI Chart of Identity system owners Following that RACI chart: The Head Operation (HO) is responsible; he gets the action done whereas he is not accountable for it. The CIO is accountable; based on the explanation of the accountability in section 3.1, he is answerable to the action and is sanctioned according to the result. In parallel, the HO is responsible but does not have to justify the achievement of the action. Based on our model, the function of the CIO and of the HO could be clarified: the CIO could have managerial obligations like provisioning the HO with the necessary right to achieve the action, controlling the work of the HO, delegating this action if requested, etc. The HO has Functional Obligations like collecting information on the system, understanding how it is used and affecting responsibilities to subalterns. Based upon the identification of this dual responsibility, we may clarify the concept of accountability: CIO is accountable for i.e. having provided the rights to the HO and the HO is accountable for i.e. having affected responsibilities to subalterns. The RACI Chart highlights that CFO, Business Executive and Business Process Owner are consulted. According to our model, Consult is a type of responsibility and consequently may be defined based on the corresponding concepts that are right/capability, obligation/accountability and commitment. Indeed, to provide the required information, the employee who is consulted needs to have some rights like: access to some information or the right to provide information if it is confidential information. He also has the obligation to provide clear and accurate data and is accountable for that. This last point means that he is answerable and is subject to sanction if the information that he has provided following the consultation is wrong. Moreover, when an employee is affected as a consulted employee, he has to be committed to this responsibility and must consequently have commitment antecedents activated. Finally, RACI Chart designs five peoples informed of the action. Being informed may not be associated to a responsibility in that it is impossible to be accountable or committed to that. Inform or getting information on the achievement of an action is rather to be considered as a type of right for responsibility. Indeed, in the following case study the employee responsible for the Compliance, Audit, Risk and Security needs to be informed of the output of the action to performed others actions he is responsible for like i.e. preparing the list of auditable employees for assessing system performance. Additionally, right is formulated for the control in a whole rather than to a particular action or for a particular responsibility. That means in our case study that, if we consider the control input of the PO4 control as rights necessary to achieve the actions of the control, these rights are automatically provided to every employees engaged in the control without distinguishing the action they perform. I.e.: The 10 functions identified in the RACI chart of the Action « Identify system owners » have indifferent access to all inputs of the control. These rules are in opposition to other security rules like the minimum privilege [30] and separation of duties [31]. Concerning the action Identify system owners again, ten people at least are involved but only one could be held accountable for the results. Our model proposed a solution to dispatch the accountability to all employees who assume responsibilities. We finally propose to manage the commitment of all employees when responsibilities are affected or delegated. 6. CONCLUSIONS Current economic context and ongoing willingness to improve corporate and IT governance of enterprise advocate a strengthening of the definition and acceptation of rules that govern the behavior of a system. Simultaneously, we observe that the responsibility concept is central to these rules but remains whatever moderately and in an unstructured way addressed to professional norms, standards and frameworks. Consequently, this paper proposes an analysis of the main concepts that compose the concept of responsibility and defines an innovative responsibility model that tends to integrate all of the meaningful analyzed concepts. The responsibility model is afterwards validated by comparison with the COBIT RACI chart and some improvements are proposed and justified to enhanced the perception of responsibility in this framework: Systematic integration of obligation, right and commitment as responsibility components, accountability is a component related to obligation and informed a type of right, consulted is a type of responsibility and inherits of its properties. Finally, the Identify system owners action of PO4 “Define the IT Processes, Organisation and Relationships” is analyzed to illustrate the added value of our proposition in a real context. 7. ACKNOWLEDGMENTS This research was funded by the National Research Fund of Luxemburg in the context of TITAN (Trust-Assurance for Critical Infrastructures in Multi-Agents Environments, FNR CO/08/IS/21) project. 8. REFERENCES [1] ISO/IEC 38500 (2008), International Standard for Corporate Governance of IT.
  • 8. [2] Sarbanes, P. S. and Oxley, M. (2002) “Sarbanes-Oxley Act of 2002” [3] Basel Committee on Banking Supervision, “International convergence of capital measurement and capital standards”; BIS; Basel, June 2004 [4] COBIT 4.1, Control Objectives for Information and Related Technology, Information Systems Audit and Control Association. [5] ITIL (2001), IT Infrastructure Library – Service Delivery, The Stationery Office Edition, ISBN 011 3308930. [6] Vernadat F. B., Enterprise Modelling and Integration, Chapman & Hall, London (1995), ISBN 0-412-60550-3 [7] ISO/IEC 15504, “Information Technology – Process assessment”, (parts 1-5), 2003-2006. [8] Dulay, N., Lupu, E.,. Solman, M., Damianou, N., A Policy Deployment Model for the Ponder Language, An extended version of paper in Proc. IEEE/IFIP International Symposium on Integrated Network Management, Seattle, May 2001, IEEE Press. [9] Feltus, C., Petit, M., Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security, 2009, Fukuoka, Japan [10] Feltus, C., Petit, M., Vernadat, F., Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC Symposium on Information Control Problems in Manufacturing, 3-5/6/2009, Moscow, Russia. [11] Cholvy, L., Cuppens, F., and Saurel, C., Towards a logical formalization of responsibility, Sixth International Conference on Artificial Intelligence and Law, pages 233- 242, 1997. [12] Feltus, C., Petit, M., Ataya, G., Definition and Validation of a Business IT Alignment Method for Enterprise Governance Improvement in the Context of Processes Based Organizations, 2008 Corporate Governance of IT International Conference, 1-2/12/2008,Wellington, New Zealand. [13] Fox, J. A., The uncertain relationship between transparency and accountability" (August 1, 2007). Center for Global, International and Regional Studies. Reprint Series. Paper CGIRS-Reprint-2007-2. http://repositories.cdlib.org/cgirs/reprint/CGIRS-Reprint- 2007-2 [14] Stahl, B. C. & Wood, Ch. Forming IT Professionals in the Internet Age: A Critical Case Study" In: Yoong, Pak & Huff, Sid (eds.) (2006): Managing IT Professionals in the Internet Age. Idea Group, Hershey, PA: 120 – 139 [15] Dobson, J. and Martin, D., “Enterprise Modeling Based on Responsibility”, TRUST IN Technology: A Socio-Technical Perspective, Clarke, K., Hardstone, G., Rouncefield, M. and Sommerville, I., eds., Springer, 2006. [16] Meyer, J.P. & Allen, N.J. (1991). ‘A three component conceptualization of organizational commitment’. Human Resource Management Review. 1, 61-98 [17] Vandenberghe, C., Bentein, K., Stinglhamber, F., Affective commitment to the organization, supervisor, and work group: Antecedents and outcomes, Journal of Vocational Behavior, Volume 64, Issue 1, February 2004, Pages 47-71 [18] Mowday, R.T., Porter, L. W. and Steers, R. M. (1982), Employee-Organization Linkages: The Psychology of Commitment, Absenteeim, and Turnover. New York: Academic Press. [19] Buchanana, B., II. (194), Building organizational Commitment: The Socialization of Managers in work organizations, Administrative science Quarterly, 19, pp. 533 – 546. [20] Hall, D. (1977), Organizational Identification as a function of Career Pattern and Organizational Type, Administrative Science Quarterly, 17, pp. 340 – 350. [21] Lio, K. (1995), Professional Orientation and Organizational Commitment among Employees: an Empirical Study of Detention Workers, Journal of Public Administration Research and Theory, 5, pp. 231 – 246. [22] Niehoff, B. P., Enz, C.A., Grover, R. A. (1990), The Impact of Top-Management Ctions on Employee Attitudes and Perceptions, Group & Organization Studies, 15, 3, 337 – 352. [23] Florkowski, G., Schuster, M. (1992), Support for Profit Sharing and Organizational Commitment: A Path Analysis, Human Relations, 45, 5, pp. 507 – 523. [24] Blau, G. J. (1985), The measurmement and Prediction of Career Commitment, Journal of Occupational Psychology, 58, pp. 277 – 288. [25] Pfeffer, J. (1998). The Human Equation. Boston, MA., Harvard Business School Press. [26] Meyer, J. P. Allen, N. J. (1984), Testing the ‘Side-Bet Theory’ of Organizational Commitment: Some Methodological Considerations, Journal of Applied Psychology, 69, pp. 372 – 378 [27] Porter, L.W., Steers, R. M., Mowday, R. T., Boulian, P. V. (1974), Organizational Commitment, Job Satisfaction, and Turnover Among Psychiatric Technicians, Journal of Applied Psychology, 59, pp. 603 – 9. [28] Williams, E.S., Rondeau, K.V., Francescutti, L.H., Impact of culture on commitment, satisfaction, and extra-role behaviors among Canadian ER physicians, Leadership in Health Services, 2007, vol. 20, Issue 3, 147-158. [29] Chrissis, M.B., Konrad, M., Shrum, S., CMMI 2° édition - Guide des bonnes pratiques pour l'amélioration des processus - CMMI (r) pour le développement, version 1.2 [30] Schneider, F.B., Least privilege and more [computer security], Security & Privacy, IEEEVolume 1, Issue 5, Sept.-Oct. 2003 Page(s): 55 – 59 [31] Sandhu, R.,“Transaction Control Expressions for Separation of Duties,” Proceedings of the 4th Aerospace Computer Security Conference (December 1988), pp. 282–286. [32] Norman, T. J. and Reed, C. 2001. Delegation and Responsibility. In Proceedings of the 7th international Workshop on intelligent Employees Vii. Employee theories
  • 9. Architectures and Languages (July 07 - 09, 2000). C. Castelfranchi and Y. Lespérance, Eds. Lecture Notes In Computer Science, vol. 1986. Springer-Verlag, London, 136-149. [33] Laudon, K.C. and Laudon, J.P. (1999), Essentials of Management Information Systems, 4th edition London et al., Prentics Hall. [34] Goodpaster, K.E., Matthews, J.B.Jr., (1982), Can a corporation have a moral conscience ? Hardvard Business Review (Jan-Feb 1982), pp. 132 – 141. [35] Spinello, R. (1997), Case studies in information and computer ethics, Upper Saddle River, NJ: Prentice Hall. [36] Ian Sommerville, Russell Lock, Tim Storer and John Dobson, Deriving Information Requirements from Responsibility Models, 21st International Conference, CAiSE 2009, Amsterdam, The Netherlands, June 8-12, 2009. ISBN 978-3-642-02143-5. [37] Yu, E. S. and Liu, L. 2001. Modelling Trust for System Design Using the i* Strategic Actors Framework. Workshop on Deception, Fraud, and Trust in Agent Societies Held During the Autonomous, Eds. Lecture Notes In Computer Science, vol. 2246. Springer-Verlag, London, 175-194. [38] Qingfeng He, Annies I. Antón, A Framework for Privacy- Enhanced Access Control Analysis in Requirements Engineering, REFSQ'03, Austria, June 2003. [39] Roeckle, H., Schimpf, G., and Weidinger, R. 2000. Process- oriented approach for role-finding to implement role-based security administration in a large industrial organization. RBAC '00. ACM, New York, NY, 103-110.