A Smart Updater IT Governance Platform Based on Artificial Intelligence

ARTICLE INFO
Article history: Received: 16 June, 2020; Accepted: 19 August, 2020; Online: 08 September, 2020

ABSTRACT
Information technology (IT) has a crucial role in improving business processes in companies. Obtaining the best technologies rapidly is becoming as significant as understanding and developing the business plan of organizations. Thus, different IT best practices and norms are used by companies to help their services and IT business. These standards are sets of best practices based on the experience and knowledge of numerous organizations; each of them focuses on specific governance issues, such as ISO 27001 and ISO 27002 for IT security management, PMBOK and PRINCE2 for project management, ITIL for IT service management and COBIT for overall governance of an organization. As part of a collective research project that focuses on the IT governance axis, we have developed a smart global IT-GRC platform that allows the IT manager to design their own repository, considering the strengths of each best practice, the organization's context and the IT strategic needs expressed by the stakeholders. To ensure the durability and continuity of this project, we must consider the evolution of the IT GRC market. The problem posed is how to integrate recent versions of IT GRC frameworks, and how to ensure a periodic update of the knowledge base of the global IT-GRC solution. This is the subject of this paper and the second part of an IT-GRC research project.


Introduction
Improving an organization's strategic vision is a major requirement of the Information Systems Department, which contributes to the organization's performance. The proper functioning of an organization's information system, its evolution, and the effective improvement of its service quality are supported by the assortment and variety of IT best practices, since the main actors of an organization use sets of IT directives such as COBIT for general management [1], ITIL for information systems management [2] and the ISO 27000 series of standards for IT security [3].
Producing better and cheaper is a necessity common to all companies, whatever their field of activity. Companies working in the domain of information systems are no exception. Enhancing the quality of their products and services and the control of their processes should be possible by applying several best practices.
The market for the IT Governance Risk Compliance (IT GRC) has extended from a strategic basis on regulatory compliance to a strategic key on company risk management [4]. Numerous organizations are hoping to treat stakeholders' need by incorporating and implementing a repository, and by about management's strategic constraints.
The IT-GRC solution provides a high-level model for IT GRC which enables strategic needs to be handled in a smart way, based on all the best practices available in the IT GRC market.
In view of the above, the following problem arises: "How to integrate updates into the knowledge base of the IT-GRC platform, in order to consider the recent versions of methods, standards, frameworks and best practices of the IT GRC that are available on the market".
ASTESJ ISSN: 2415-6698
To address this problem, we propose the second version of an intelligent IT governance architecture, which processes IT requests while remaining aligned with the motivations and goals of the organization's business processes through its facilitators (data, IT processes, services, infrastructure and applications ...). The update layer is the most important layer in our IT-GRC project: it is the layer which guarantees the continuous improvement of the processing of the stakeholders' strategic needs considering all the IT-GRC solutions.
In section 2, we provide an overview of IT governance risks and compliance. In section 3, we define Artificial Intelligence for IT governance as advanced technical axes.
In section 4, we present the results and analysis of an empirical study showing the motivations of this approach. In section 5, we outline the first version of our smart IT-GRC platform.
In section 6, we present the proposed architecture of the update layer, and in the last section we present a simulation of the global solution.

IT governance
The governance of information systems, or IT governance, consists of setting the information system objectives in relation to the company's strategy.
This approach helps to define the way in which the information system contributes to creating value for the company, and it specifies the role of the various actors by considering their power stakes; for example, determining the answer to "Is the Information System Department responsible for the implementation of the information system" [5].
IT governance is a collection of best practices that contribute to the productive management and synergy of all components of the IS so as to get the maximum benefit from it, in order to [6]:
• Support its value creation goals.
• Improve the IS processes' performance and their client orientation.
• Manage the financial axis related to IS.
• Enhance IS solutions and abilities that the organization will require later on.
• Ensure that the IS's risks are managed.
There are different frameworks developed to define, to assess, to document and to improve internal control, information technology in organizations such as ITIL, COBIT, ISO9000, and CMMI. These methods make it possible to define indicators for monitoring and steering the IS [7].

IT Risk management
IT risk management is a collection of directives to handle and master the company's risks. We recognize three targets in IT risk management [8,9]:
• Improvement of the information system's security.
• Justification of the budget allocated to secure the information system.
• Proving the information system's credibility using the analyses carried out.
IT risk management directives and techniques allow an organization to put in place programs to increase its chances; likewise, they govern the effect of expected threats [10].

IT Compliance
IT compliance is a key piece of corporate risk management and a critical part of good corporate governance. This concept helps to ensure corporate governance by identifying, understanding and complying with the large number of laws, regulations and standards that affect the way an organization functions [11].
Becoming compliant requires a company to adopt best practices, including internal control procedures for protecting systems, keeping processes compliant and creating value from assets. A number of risk management regulations have been introduced. These include Sarbanes-Oxley, corporate governance codes, data protection acts, and telecommunications laws [12].

Artificial Intelligence for IT Governance
Artificial intelligence (AI) has produced techniques and tools for computer-based knowledge handling, and approaches for knowledge-based reasoning and critical thinking. These include knowledge acquisition and engineering, knowledge modeling, critical thinking, machine learning, analogical reasoning, automatic language processing, neural networks, multi-agent systems, and others [13].
In contrast to traditional computing, artificial intelligence is also interested in humans, since they are the ones who hold knowledge: how to transmit knowledge, how to model it to make it understandable to the computer, what type of reasoning is the most effective for a given problem, and how to program the computer so that it can learn on its own and help us in our work [14].
IT governance defines frameworks that guide organizations in managing risk and compliance and in guaranteeing an ethical approach. AI can potentially improve administration and reduce costs; however, it also creates challenges that should be managed.
AI combined with an IT GRC environment can increase an organization's capacity and help to consolidate the requirements of frameworks, standards and best practices into a global framework used to organize complex guidelines and help the company's stakeholders to process all the services and the information. It can also be useful to ensure the alignment of regulatory requirements with internal taxonomies, the organization's structures and IT GRC data [15].
IT GRC should likewise address the ethical difficulties related to the use of AI technologies. These include the need to clarify and to secure privacy, as well as vulnerabilities that could be used to attack the system [15] [16].
In conclusion, AI technologies offer the potential to make governing an organization easier by reducing the costs related to integrating new regulations, managing controls, processing compliance data, discovering hidden knowledge in databases, and searching for relevant information in a large amount of information.

Motivation of smart global IT-GRC platform
Many organizations have deployed and integrated IT technologies to manage their business and meet their strategic needs. The use of computer technologies has become essential to rationalize and dematerialize processes and thus optimize work and increase the profitability of the services provided, regardless of the organization's sector of activity. Having a quality IT environment is a prerequisite for success because it is the strategic issue that affects the whole organization.
To measure organizational progress towards the strategic objectives and to make organizational decisions, the organization requires a reliable information system as a foundation. This IS makes it possible to provide decision support for leaders, to lessen the degree of uncertainty, and to contribute to the performance of decision-making.
The IS is not merely a basic instrument that enables the organization to run productively, but a genuine lever of power.
In this perspective, we carried out an empirical study on the perception of the impact of the use of information systems on the profitability of Moroccan organizations. The study concerns 262 Moroccan enterprises which have an IS and represent different sectors of activity [17].
Every company facing the market is looking for profitability: the pure and perfect competition of the company to act on the market. It is therefore only possible to accept the conditions and adapt to them as best as possible. Hence the need to propose an approach to measure the adequacy between the needs of companies in IS and the proposed solutions, and to track the evolution of usage trends in IS; this is the objective of our project. This project concerns good governance of organizations based on IT GRC best practices to add value to the strategy, manage resources, and manage risk while minimizing costs in a cost-effective way [18]. Through this empirical study we concluded that the Moroccan organization lacks an IT governance approach that considers its behavior in the choice of an IT framework and which improves its performance by minimizing IT investments [18].
Based on the responses collected, the map below (Figure 1) analyzes the three factors DSI budgets, IS management and IS cost by presenting the perception and interaction between them.
We note that companies which invest a budget of more than 1,000,000 MAD, remain with a moderately high cost and an IS management which partially cover all the IT needs (Zone C).
For the other areas, we can clearly see that there is no equivalence between the three factors that influence the good governance of an IS.
Managers must react to improve the efficiency of investments and govern their IS in a way that performs well to reduce IS costs.

Smart global IT-GRC platform: version 1
GSI solutions available on the market have limitations, in particular:
• Specialization in a specific trade of the organization,
• Necessity of coordinated IS management,
• Rigid usage of one of the IT GRC frameworks,
• Need for GSI prerequisites from users to be able to use them.
Implementing an information system that responds effectively to business expectations while controlling its effect on performance and profitability is one of the significant challenges for organizations.
However, the development of the current IT market and the protection of the environment by being in compliance with regulations and laws force an iterative questioning of the IS. Consequently, there is a requirement for an omnipresent governance of IS.
Our project, the smart global IT-GRC platform, fits in this area. It aims to design a smart autonomous distributed repository capable of understanding continuously changing business needs, adapting to any type of IS, including heterogeneous parts of the IS and stakeholders, and evolving to collect the expertise of the organization in matters of GSI.
The smart global IT-GRC platform exploits the synergy effects between the organization and the multiple standards adopted. On the one hand, organizations can address various areas in an organized and regular manner. On the other hand, the shortcomings of a single reference model can be overcome by the strengths of others. Information systems directors will use the best parts of existing standards to design their own IT framework [19].
The architecture of the smart global IT-GRC platform is designed in five layers, namely (Figure 2):

Strategic layer (STR)
The strategic layer is based on COBIT to translate the company's strategy into IT objectives and processes. This layer guarantees an IT strategic alignment with the requirements defined by the stakeholders in an astute way [20].
It depends on inter-organizational workflows (IOW) and multi-agent systems, and it is equipped with a semantic engine which translates real business goals into a request that can be interpreted by all the governance frameworks [21].
To implement this solution, we proceeded as follows:
• Design of an inter-organizational workflow specific to the GSI,
• Integration of a mediation expert system in the IOW,
• Setting up of an IS governance ontology process that considers all the best practices,
• Creation of the "IT Governance Ontology" as the fundamental component for the semantic engine of the global IT GRC solution.

Communication layer (COM)
All exchanges between the various layers are supported by this layer. It provides exchange in two distinct modes: synchronous and asynchronous. Each mode is triggered according to the particulars of the organization and the strategy in question. It includes a communication block for each layer, in order to ensure the specificity of each layer's flows and the particularity of the handling to be set up upstream before redirecting the flow of information to the following layer [22].

Decision-making layer (DM)
This layer implements a smart model capable of picking the best IT framework for an IT request originating from the strategic layer. To do this, it is based on the configuration of the company and criteria for evaluating IT processes by reference [23].
This decision-making model is process-oriented; it generates the best benchmarks based on several stages [24]:
• The first step is to reduce the size of the IT issue by partitioning it into sub-issues, based on the mapping between all the best practices and standards of IT GRC. This step guarantees the scheduling of these sub-issues according to environmental variables (organization's type, IT need's priority …).
• In the second step, each sub-issue is formalized according to the measures specific to the organization and the performance indicators stored in the data warehouse, so as to generate the best possible choice of good practice to fulfill the IT needs defined as input.
• The third step is to assess IT satisfaction and help make decisions for each chosen benchmark.
A notification of the best repositories is immediately sent to the communication layer.

Processing Layer (PROC)
This layer implements all the IT GRC repositories by attaching to each IT GRC repository a smart system, which deploys the recommendations and the actions of the selected repository in an intelligent manner. The interaction is carried out by sending a request to the first layer to request recently configured static data, or by opening a questionnaire with the intended user, whose responses are routed to the knowledge base of the framework in question. From a technical perspective, it has a set of expert subsystems connected to knowledge bases specific to the repository implemented. Its subsystems have a set of intelligent, communicating agents that dissect the request, question the user concerned and analyze what exists to give an effective and documented answer. Each subsystem of the processing layer is required to send a specification request as a message to the strategic layer, passing through the communication layer [21] [25].

Updater Layer (UP)
This layer must guarantee the integration of new versions of the IT GRC frameworks that have showed up on the market. At this level, regulations must be outlined to include new knowledge into the knowledge bases of the various layers of the smart global IT-GRC platform.
This problem produces the second version of our project and this is the subject of this research.

Discussion
Large companies have changed considerably in recent years. Thousands of new employees have been hired. These newcomers need to know their company's culture, how to apply its procedures, how to govern its information systems, manage risks and remain in compliance with regulations. In addition, the projects they carry out are increasingly complex, and time has accelerated, forcing them to be more reactive.
Adapting and sharing new versions of good practice is a real challenge: the reflex to invent a solution must be replaced by that of finding the solution where it exists. Aware that this challenge, more cultural than technological, was at the heart of productivity, competitiveness and innovation, many companies have developed an organization and roadmap aimed at creating and developing this culture of sharing.
In this perspective, this research focuses on adapting the latest versions of best practices in the smart global IT-GRC platform in order to guarantee the following points:
• Ensure and assess that the organization's business goals are aligned with the IS goals and strategy.
• Govern information streams to address business needs, from their expression to the execution of the action plans of the related processes.
• Manage IT processes according to the recommendations of the repository.

Proposed architecture - Updater Layer
The proposed approach, Smart-Updater, is based on the overall process of integrating the recent versions of the IT frameworks, which consists of four activities carried out by all actors: continuous searching for new versions, collecting, integrating, and innovating knowledge.
The proposed approach requires AI to build collective decisions in complex circumstances, to deal with the complexity of incoming streams (e.g. documents and web), and to find knowledge in texts and in databases (for example level documents). AI can enhance the efficiency of collective work and the collective design of complex hardware, and it can likewise contribute to the global development of the IT-GRC knowledge.
The proposed approach (Figure 3) receives the strategic request with a list of repositories that can implement it, and it proceeds to check whether or not the knowledge base requires an update, by using the following entities:

Knowledge search layer
This layer is capable of organizing the sources of knowledge of the governance of information systems: humans, documents, and computers. It receives an IT request from the communication layer (COM-IT request) that presents the list of IT objectives with the most suitable framework. In a smart way, this layer searches for the recent versions of the suitable best practices.
It is not limited to searching only for the new versions of the proposed frameworks; it also searches for new IT-GRC frameworks which have appeared recently on the IT market and which are capable of processing the IT objective.

Knowledge seeker
This is the entity responsible for searching for knowledge of any kind in the knowledge base of the smart global IT-GRC platform and in the memory of the organization through its facilitators (data, files, processes, services, infrastructure, applications and web…). If the answer is favorable, it sends an information alert to the "Strategic integration of knowledge layer"; if the answer is unfavorable, an information alert is sent to the "Request layer", which ensures the sending of the same IT request to the communication layer.

Strategic integration of knowledge layer
In a smart way, this layer manages the knowledge of IT governance in two stages. The first step, «Knowledge creation», consists of creating new knowledge according to the framework model of each layer of the smart global IT-GRC platform (DML-IT Framework Model, PROCL-IT Framework Model,…), and the second step, «Knowledge optimization», makes it possible to enhance and to capitalize on information sources.

Knowledge update layer
This layer periodically updates the versions of the IT GRC repositories used in the global project. This update relies on a correspondence between the processes of the old and the new version: if there is just an enhancement of the functionalities, we update the existing knowledge already recorded in the knowledge bases of the various layers of the platform; otherwise, we add the knowledge about the newly identified processes to the knowledge bases of the various layers of the global IT GRC solution.

Request layer
The request layer prepares the new request (COM-IT request) to be sent to the communication layer, respecting the format required by this layer. It changes the repository and its recent version in the request to send to the communication layer. If no new versions have appeared on the IT market, it returns the request received with a notification that no update exists.
To meet this need, the strategic layer sends the request via the communication layer to the update layer in the format [Define a strategic IT plan, ITIL 3]. At the level of the "Knowledge search layer", we check whether new knowledge in the governance of information systems capable of processing this request has appeared on the market.
For the implementation of this request, the proposed framework is ITIL version 3, so the "Knowledge seeker" entity will check whether new versions of ITIL have appeared on the market, or whether there are new frameworks capable of handling this request. This entity will identify the existence of version 4 of ITIL. Thereafter, this knowledge will be transmitted to the "Strategic integration of knowledge layer", which will be responsible for the creation of new knowledge according to the knowledge models of each layer of the global platform; for example, for the decision-making layer, it must comply with the DML-IT Framework Model. After knowledge creation, knowledge optimization is necessary to optimize and capitalize on the knowledge of version 4 of ITIL.
Once the new knowledge is created, an upgrade is necessary at the "Knowledge update layer" level to make the link between the old and the new processes, followed by an injection of the new knowledge into all of the knowledge bases of the global platform.
The table below (Table 1) provides the mapping between practices of the recent version of ITIL (version 4) and processes of the old one (version 3) for the "Service management practices". The processes which are not subject to change, such as the process "Availability management", are kept. For the others which present an improvement, such as the process "Change enablement", an upgrade is necessary. And for newly developed processes such as "Business analysis", we update the knowledge bases of the global project by injecting the new knowledge [26].
Finally, at the "Request layer" level, the new request to be sent to the communication layer is prepared with the new version detected.
The objective is to make the ITIL version 4 usable and interpretable by all layers of the smart global IT-GRC platform.
The figure below (Figure 4) represents the global architecture of version 2 of the smart global IT-GRC platform.
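The request flow walked through above can be sketched in Python as follows. This is an added example, not the authors' implementation: the names `Request`, `RELEASES`, `MAPPINGS` and the function names are hypothetical, the mapping covers only the three practices the text names, and the ITIL 3 process name "Change management" is an assumption of this example.

```python
from dataclasses import dataclass

RELEASES = {"ITIL": [3, 4]}  # constructed catalogue seen by the "Knowledge seeker"

# Constructed ITIL 3 -> 4 mapping, limited to the practices the text names:
# new practice -> (old process or None, changed?). "Change management" is assumed.
MAPPINGS = {
    ("ITIL", 3, 4): {
        "Availability management": ("Availability management", False),
        "Change enablement": ("Change management", True),
        "Business analysis": (None, True),
    }
}


@dataclass
class Request:
    objective: str
    framework: str
    version: int
    note: str = ""


def seek_newer_version(req):
    """Knowledge seeker: latest known release above the requested one, or None."""
    newer = [v for v in RELEASES.get(req.framework, []) if v > req.version]
    return max(newer) if newer else None


def plan_update(framework, old, new):
    """Knowledge update layer: sort each new practice into keep/upgrade/inject."""
    mapping = MAPPINGS.get((framework, old, new))
    if mapping is None:
        raise ValueError(f"no process mapping for {framework} {old} -> {new}")
    plan = {"keep": [], "upgrade": [], "inject": []}
    for practice, (old_process, changed) in mapping.items():
        if old_process is None:
            plan["inject"].append(practice)
        elif changed:
            plan["upgrade"].append((old_process, practice))
        else:
            plan["keep"].append(practice)
    return plan


def apply_plan(kb, framework, new, plan):
    """Write the plan into one layer's knowledge base: (framework, process) -> version."""
    for old_process, practice in plan["upgrade"]:
        kb.pop((framework, old_process), None)  # replace the superseded entry
        kb[(framework, practice)] = new
    for practice in plan["inject"]:
        kb[(framework, practice)] = new
    # Entries listed under "keep" stay exactly as they were.


def update_layer(req, layer_kbs):
    """Run one COM-IT request through the update layer; return the request for COM."""
    new = seek_newer_version(req)
    if new is None:
        # Request layer: send the received request back with a no-update notice.
        return Request(req.objective, req.framework, req.version, "no update available")
    plan = plan_update(req.framework, req.version, new)
    for kb in layer_kbs.values():
        apply_plan(kb, req.framework, new, plan)
    return Request(req.objective, req.framework, new, f"updated from version {req.version}")


def demo():
    """Constructed run: the paper's request, then the rewritten request once more."""
    old = {("ITIL", "Availability management"): 3, ("ITIL", "Change management"): 3}
    layer_kbs = {"DM": dict(old), "PROC": dict(old)}
    first = update_layer(Request("Define a strategic IT plan", "ITIL", 3), layer_kbs)
    second = update_layer(first, layer_kbs)
    return first, second, layer_kbs
```

Calling `demo()` returns the rewritten request, the no-update reply for the second pass, and the knowledge bases of the two constructed layers after injection.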

Conclusion
The aim of this paper is to maintain the operability of the generic information systems governance solution, which is able to guarantee and to assess the alignment of the organization's business targets with the IS's strategy and goals, and likewise to manage data streams by responding to business needs from their expression to the execution of actions for the related processes.
The generic solution has an update layer to follow the development of the IT market, based on a new knowledge management method that relies on the strengths of artificial intelligence, in order to integrate and share recent versions of IT GRC frameworks in all the knowledge base blocks of the smart global IT-GRC platform.