IT GRC Smart Adviser: Process Driven Architecture Applying an Integrated Framework

Article history: Received: 04 August, 2020; Accepted: 21 October, 2020; Online: 10 November, 2020

Abstract
This article is a continuation of the work presented in the Third World Conference on Smart Trends in Systems Security and Sustainability (WorldS4). In this version we focus on matching IT and business processes from different management levels by using IT Governance (ITG), Risk and Compliance frameworks in a smart way. In fact, every information system (IS) has two main interfaces with two key systems: the Operating System (OS) and the Decision System (DS). Each system has its own frameworks and best practices for efficient management. IT Governance is the ability to control IT strategy implementation by ensuring business and IT alignment for profitable digital services. The variety of IT Governance frameworks for each hierarchical level in the enterprise should also be deployed together efficiently, in order to provide coherent recommendations to IS, OS and DS users. That is why we use COBIT 5 as a strategic IT Governance framework able to match and integrate other frameworks and best practices dealing with IT services, IT risks and compliance. We base the proposed IT GRC smart adviser on artificial intelligence and knowledge management as technical axes. This article presents IT Governance frameworks, their matching problems and related works. It then proposes a smart architecture with new functionalities to match COBIT processes with other frameworks in order to cover different management levels. The technical contribution of this article is to propose and implement an IT GRC smart adviser based on many frameworks and best practices to optimize and improve IT strategies. A simulation was run and the results obtained were compared to human experts' decisions, showing strong similarities. The aim of this article is to integrate knowledge from many IT GRC frameworks for better IT governance in a smart and easy way.


Introduction
Information system governance is nowadays different from the classical management of software and hardware. Many users with different profiles interact directly or indirectly with the IS. They use it to enrich their data sources through operating systems deployed on various devices for everyday use, and to answer daily questions such as production rate, number of new clients and providers' expectations. The data created in this way is the most valuable resource of all: it enables the CEO and other business offices to take the right decision. Good IT governance, however, is what allows that decision to be taken at the right time through the right IT solution.
The real challenge of top managers is to use digital solutions to create value. They should also manage risk and comply with regulations. Decision-making is no longer the responsibility of IT alone; it involves business and technical offices as well. Using one IT governance framework in its document version is no longer enough: it is true that such frameworks contain very advanced know-how and feedback, but exploiting them requires experts, time and a large budget. These three elements, time, budget and knowledge, are very expensive in the current market because of its severe competition and the law of the strongest.
As a result, digital tools are mandatory to facilitate the governance of the information system. A performance management system is also needed to ensure the right and efficient use of these frameworks.
ASTESJ ISSN: 2415-6698
Consequently, in this new multi-user, multi-partner environment, the CIO's missions remain information system strategy definition, IT resource management and technical problem resolution. Meanwhile, with Big Data and cloud computing, we notice the emergence of new technical and business risks that should be managed effectively by IT and business together. To perform these tasks, many IT governance frameworks should be deployed in easy-to-use digital solutions, as we did in [1]. The main problem, however, is how to integrate them in the same personalized repository for every company. How can we design an IT Governance, Risk and Compliance framework that matches the company's needs with optimal time, minimum budget and good software quality assurance? How can we integrate Data Governance into IT Governance in a fluid and value-creating way, taking into consideration the Governance critical success factors [2]?
To answer these questions, we propose an intelligent IT Governance model based on COBIT 5 as a business-driven repository for corporate and IT governance. In fact, COBIT 5 offers, in a common, non-technical and technology-independent language, a management framework able to align governance and management standards. By providing a simple architecture to structure guidance documents, COBIT 5 contains knowledge previously distributed across different standards like COBIT 4, Risk IT, Val IT, ITAF and BMIS. It also allows practical matchmaking with frameworks of different management levels like ITIL, CMMI, the ISO 27000 family and COSO.
In this article, we propose an update of the smart IT Governance adviser architecture [1] to allow efficient management of IT services, IT risks and compliance, in addition to matching stakeholders' motivations with real business goals [2].
We add new layers communicating with the semantic model, to link stakeholders and digital solutions via the IT Governance ontology designed and created in [3]. We also propose a smart matching between every COBIT process and its correspondence in other frameworks. In IT Governance jargon this is called the "applying a unique and integrated standard" principle, for better alignment as presented in [4].
After the introduction in the first section, the second section presents the most pertinent IT Governance, Risk and Compliance frameworks and gives an overview of their matchings with COBIT 5. The third section gives a brief state of the art of knowledge management as a technical axis. The fourth section briefly analyses related works. The fifth section presents the smart IT Governance adviser updates and the knowledge management system architecture. The sixth section discusses the new model, its uses and its extensions, and the seventh section details the model implementation and results analysis. In the last section, the article is concluded and work perspectives are listed.

IT GRC frameworks
In the ITG literature, numerous frameworks are presented, each with its advantages and limitations. Each framework thus offers specific recommendations according to its domain. In practice, ITG should make these repositories coexist for better results, since they are necessarily complementary for pertinent decisions. We present some of the main standards in enterprise management, services, project management and IT security to show how IT governance frameworks drive accountability and process maturity [5]. In what follows, we present the most used frameworks, namely ITIL, CMMI, ISO27001 and the IT BSC.

ITIL
The IT Infrastructure Library (ITIL) is a documented approach to IT service management intended to support the users of business organizations. It was created by the British government in 1990 [6]. In 2004, ITIL v2 was released with 9 books, focusing on the link between technology and business and based on processes to provide the right services to customers. Many companies use ITIL to improve control over IT services, with good results in process improvement. An ITIL service is a way to deliver value to a customer easily, at low cost and low risk. In 2007, ITIL V3 was built on five best-practice books, offering supplements by sector or by market as well as generic models (process maps). This version is not subject to certification, and it offers continuous improvement of the services delivered to the IT department's clients. The latest version is ITIL V4. Its main advantage is the integration of new agile practices and the DevOps method. It defines 34 practices in 3 themes instead of 26 processes in 5 categories:
• 14 in "General management practices";
• 17 in "Service management practices";
• 3 in "Technical management practices".
The ITIL V4 edition book introduces new concepts such as the Service Value System (SVS) and the four-dimensions model.

ISO 27001
ISO 27001 is a framework for implementing an information security management system (ISMS). Released in November 2005, it also provides a model for operating, monitoring and reviewing the ISMS. It also enables the creation and implementation of good IT service management, as presented in [7]. The risk management approach ISO 27001 uses is a top-down and neutral method. It is a planning process with six parts:
• Security policy definition;
• ISMS scope definition;
• Risk assessment performance;
• Goals and controls implementation;
• Applicability declaration.
ISO 27001 deals with responsibility management, internal audit and continuous improvement, without specifying particular information security controls. It should be noted that in the accompanying code of practice, a checklist must be taken into consideration for each practice.
The latest version is ISO 27001 with the 2014 and 2015 corrections. It sets out information security management system requirements, with a special focus on information technology and security techniques.

IT Balanced Scorecard
The Balanced Scorecard (BSC) [8] is a framework for explaining company vision and strategy. It suggests action plans that give feedback on internal processes, with continuous improvement. According to its authors Robert Kaplan and David Norton, the BSC accounts for traditional financial results, but these results only highlight the past, which was normal in the industrial era with its long-term investments, and they do not account sufficiently for customer relationships. These financial elements are insufficient to steer companies in the digital age, which should be based on their future value by investing in customers, suppliers, employees, processes, technology and innovation. The BSC offers a management tool organized around four aspects:
• Financial aspect: the financial benefit provided to shareholders;
• Customer aspect: market and customer expectations;
• Internal process aspect: potential improvements to the company's internal processes that bring value;
• Future construction aspect: mobilization of human resources and infrastructure for improvement and learning.
This approach is assumed to lead to a good vision of corporate governance.

CMMI
The Capability Maturity Model (CMM) [9] is a project management framework developed by the Software Engineering Institute (SEI) of Carnegie Mellon University. It describes software development maturity practices and principles. With an ad hoc path, CMMI offers software development organizations a process improvement capability. It contains a list of models like CMM for Software, CMM for Systems Engineering and CMM for Integrated Product Development. These models were merged and extended into the CMM Integration, known as "CMMI", with either a staged view or a continuous view. The staged view offers five organizational maturity levels (initial, managed, defined, quantitatively managed and optimization). The continuous view includes six levels of process capability (incomplete, executed, managed, defined, quantitatively managed and optimization).

IT GRC Frameworks matching with COBIT
For better IT Governance, the IT department must deal with each task by deploying it in its real context and linking it with a project or a process. IT processes are the starting points when governing an information system, for example: deploying an ERP, organizing computer backups, securing servers, or integrating a new IT supplier. An IT process is defined as a set of activities around a specific event to measure results for customers [10].
Analyzing the IT GRC frameworks above, we note that the process-driven aspect is present in almost all of them: through IT, supporting components become active components inside the organization. The IT process is measurable in effectiveness and efficiency by defining the activities to implement, responsibilities and controls. At this level, each repository focuses on one or more concepts to set priorities and to zoom in on governance, risk or compliance.
Meanwhile, process management is highly recommended in the agile environment we live in. This type of management allows [11]:
• Requirements understanding;
• Process added value;
• Process performance and efficiency measurement;
• Positive communication between stakeholders;
• Easy and measurable top management decisions.
Technically speaking, an IT process is easily designed as a simple or complex function or procedure with inputs and outputs. In this article we encapsulate best practices and framework processes into computerized executable functions.

a) ITIL - COBIT
COBIT identifies what the CIO should do; ITIL prescribes how it should be done to optimize the use of IT resources. ITIL and COBIT have several common points (for example the BAI10 process in COBIT is equivalent to the configuration management process in ITIL). COBIT 5 proposes the appropriate IT investment to link priorities with objectives in both the IT and business contexts (cascade principle), as we have already seen in [1]. The COBIT 5 goals cascade makes it possible to align IT objectives with company objectives, which in turn makes it possible to refine and prioritize IT processes. The COBIT 5 goals cascade allows stakeholders to answer the following two questions:
• How to prioritize areas of interest when applying ITIL v3 processes?
• How to define the right maturity level and the efficient processes for better business decisions?
Finally, COBIT 2019 is also correctly matched with ITIL v4, which allows us to upgrade our system for future IT GRC framework versions.

b) CMMI - COBIT
Traditional mappings are designed to be used in one direction. Indeed, a user searching for an element in the COBIT model finds the element or elements linked to it in the appropriate CMMI model. Conversely, other elements probably exist in several places on the map (several CMMI elements for one COBIT element), which are not easy to isolate to determine exactly what is linked. These traditional maps are unidirectional, and this holds for the correspondence of all IT GRC repositories. In this perspective, the COBIT 5 CMMI Practices Pathway Tool has emerged as a common Excel tool made by ISACA and CMMI, intended for users who want to navigate freely from COBIT 5 to CMMI and vice versa [12]. The dynamic and permanent correspondence between CMMI and COBIT makes it possible to situate maturity at the different levels of governance, which allows self-assessment and continuous development.

c) ISO27001 - COBIT
There is a mapping between COBIT 5 and ISO 27001 domains: "COBIT 5 for Information Security". This repository presents a mapping guide aiming at implementing the COBIT process domain areas with ISO27001 controls [13].

Definition
Knowledge Management (KM) is a multidisciplinary research area offering methods, techniques and assistance tools for the creation, acquisition, sharing and use of knowledge in an organization, with a view to improving individual, collective or organizational learning [14]. Knowledge is defined in a complementary way by raising one of its systemic aspects, namely:
• Ontological (what is knowledge);
• Functional (what it does);
• Genetic (genetic here has the meaning of genesis, not inheritance);
• Transformational (where it comes from and what it becomes);
• Teleological (why).
In the artificial intelligence context, different types of knowledge are identified:
• Procedural knowledge explains how a given problem is solved; it indicates how to complete a task;
• Declarative knowledge consists of statements describing objects and concepts, focusing on indications for problem resolution;
• Meta-knowledge is the explanation of specific domain knowledge, for example what is suitable in a given situation to solve a given task;
• Heuristic knowledge, also called surface knowledge, is empirical knowledge acquired by an expert through past experience; it is used to guide reasoning;
• Structured knowledge describes the expert's mental model in the form of a structure (concepts, sub-concepts, objects, etc.).

Design methods
There are three approaches to knowledge management modeling:
a) Bottom-up modeling approach:
The bottom-up or data-driven approach is based on a step of elicitation of expert knowledge (interviews, document analysis, task analysis, etc.) followed by a conceptualization step. Examples: KOD and MIKE [14]. One advantage of the bottom-up approach is that it leaves experts free to express their perceptions and their tasks without constraining them. In addition, the developed models correspond to existing points of view. However, the high cost in time and expertise of the elicitation process, the difficulty of re-use and the complexity of the validation process are major drawbacks of the approach.

b) Top-down modeling approach:
This approach is called the model-driven approach. The development of knowledge models in this approach consists of finding pre-existing generic models and adapting them to the field and the application concerned. Two sub-approaches can be distinguished in this family: the select-and-modify approach and the modeling-by-composition approach from library elements. Examples: CommonKADS [15], MASK [16]. The main advantages of this approach, in addition to providing support for knowledge acquisition, are the generality and reusability of the models. But adapting an existing model to a specific application is a very difficult task. In the literature, we also find mixed approaches that try to take advantage of both, like [17] and [18].

COBIT knowledge base
Applying a single integrated framework is the third principle of COBIT 5; it proposes knowledge management for the alignment of COBIT with other standards and frameworks for complete enterprise coverage. As shown in figure 2, COBIT 5 has a knowledge base of current guidance and content collected from older versions and from other standards and frameworks. This knowledge base, enriched by enablers such as data, IT processes, resources and ethics, allows different stakeholders to find answers to their questions about best practices for dealing with different IT Governance situations at different levels (strategy, service provision, risk management, etc.). In fact, simplicity, structured guidance materials and consistent production are the main advantages of this architecture, which integrates the knowledge of different frameworks in one shot [19]. IT Governance repositories are a set of knowledge sources capitalized by experts for better information system management in different types of organizations. In this perspective, we are working on a smart IT Governance knowledge management system that will be interfaced with the adviser in a future version.

Related works
To assess the state of the art of IT GRC platforms, a rigorous evaluation of the fourteen main suppliers [20] is presented in table 1. A comparison of the strengths of each solution was established from the Forrester description, the functionalities presented on the official sites and the demos available on the net, since the solutions are all proprietary. The comparative analysis and the measurement of the effectiveness of these solutions in relation to the ITG dependency factors allow us to deduce that:
• in most cases, they are GRC solutions without IT GRC functionalities;
• even when they have IT GRC functionalities, the majority are ERP solution modules to be deployed with the rest of the modules;
• the cost of setting up is high (judging by the list of their references on the market and their targets);
• external advice is needed for better operation (possibly from the vendor of the solution);
• there is a discrepancy with regard to ITG implementation in the IS of various companies (size, turnover, type, maturity, location, etc.);
• they do not concern all information system stakeholders and all areas of the company at the same time.

Proposed model
This project was started by the EAS team [21] to propose an IT GRC digital solution with five intelligent modules for business and IT alignment by mapping processes. It also manages IT risks and measures business impacts. This was done by choosing the right framework(s) for every process. This architecture had many limitations, notably in execution time, as well as many communication problems among the distributed systems, which lowered the quality of the IT Governance service. That is why, in [1], we implemented the strategic level via a smart adviser to optimize the IT Governance semantic model. The main advantage of this solution was the "all in one" service and its ease of use for end users. The adviser is a simple chatbot to which an IT manager, business manager, CEO or even a project manager can ask IT Governance questions and receive simple and quick answers.
In this version, we kept the same semantic engine model, which interprets the user's real-time questions using text mining, and the same IT Governance ontology [3] to match concepts and relations, but we replaced our knowledge base with the COBIT knowledge base. The COBIT knowledge base, as shown before, is fed by COBIT but also by the other repositories (ITIL, CMMI and ISO27001 at first) through process matching.
This change allows the semantic engine to answer not only via COBIT guidelines but also, implicitly, via ISO27001 for risk management, ITIL for services governance and CMMI for IT project management. The single knowledge base improves the performance of the system and ensures the efficiency of responses by reaching a finer granularity for each process.
Indeed, the smart adviser is mainly made of an expert system applying the cascading principle (1st principle of COBIT 5) to unify the definition of objectives and value creation among different stakeholders. By updating the semantic engine, we also unified the guidelines hierarchically.
Every stakeholder will find deeper guidelines depending on what he asks for: a top manager will be satisfied by COBIT suggestions, but a CIO or a business manager will need more details, which he will find in ISO27001, ITIL or even CMMI. So, by deploying the cascading principle and the single integrated framework principle, the IT GRC smart adviser deep dives into enterprise needs to suggest more operational recommendations.
The business-driven architecture has a chatbot that asks the stakeholder questions about eventual risks, resource management, value creation, etc. According to the user's answers, the smart adviser cascades his business request into enterprise goals. Then, depending on the profile questioned, the smart adviser asks for more details to match enterprise goals with IT goals. Every company's description and characteristics should be configured beforehand in the knowledge base facts to define the IT Governance road map. The proposed solution also allows cascading IT decisions according to COBIT 5 through the semantic engine, as shown in figure 2. After that, IT-related goals are matched to enablers at a new abstraction level compared to [13]. The proposed semantic engine is now a five-layer system:
• the text mining layer annotates stakeholder answers;
• the persistence component stores stakeholder needs in the knowledge base;
• the processing component compares the stakeholder's request to COBIT 5 suggestions from the knowledge base;
• the enabling component chooses the best facilitator(s) to implement;
• the IT GRC KMS is a knowledge management system that feeds the COBIT knowledge base with matched processes and guidelines.
As for the COBIT knowledge base, it is the set of rules and facts related to each COBIT process and domain, one by one, with CMMI, ISO27001 and ITIL. At this level we are not updating the ontology, since the system will interpret user questions through COBIT cascading.

Discussion
In previous work [1], the smart adviser contained a matchmaker agent between the semantic engine described above and the IT GRC business-driven configuration.
The matchmaker first verifies the company's static parameters to initiate the IT GRC road map. It also enables the stakeholder to ask questions and get answers from the semantic engine in chatbot fashion. Meanwhile, the matchmaking search and priority algorithm detailed in [22] matches every request with the best guidelines according to a correspondence rate. The indexing algorithm does the following:
• Text indexing according to the words that compose it;
• Similarity test with an inverted index;
• Returning similar texts, ranked, for every user query;
• Knowledge extraction from the COBIT knowledge base.
The smart adviser update is done in this step: once similarity ranks are fixed, an inference engine queries the rules base according to a maximization algorithm. The rules base communicates simultaneously with the fact base and the inference engine to give the appropriate answer according to COBIT first and then to ITIL, CMMI and ISO27001 (see figure 3). The answer is returned to the matchmaker agent, which sends it to the active adviser. Finally, two or three advisers could handle the same request successively, for IT Governance, risk management or project management.
In table 2 we compare the proposed IT GRC smart adviser to the solutions presented in table 1.
To summarize, the updated smart IT Governance adviser understands stakeholders' needs by annotating their questions via a text mining layer and finding answers in the COBIT 5 cascading model. This component is mainly managed by the processing entity connected with the COBIT knowledge base, which confronts the questions with the rules base to elaborate a road map with several granularity levels (IT Governance, risk management, services management and IT project management). The COBIT knowledge base is mainly made of a facts base and a rules base linked to the IT GRC knowledge management system (which we will detail in a future work). The rules base is regularly updated through new IT GRC repositories and expectations; the facts base is updated from the organization's information system parameters. The inference engine feeds the smart adviser with the appropriate decisions after semantic analysis and primitive matching. In addition, for every level a facilitator implementation is also given, with a balanced scorecard dimension; the resulting road map enables prioritization of process implementation.
Compared to [1], in the processing and analysis steps we:
• update the semantic engine;
• implement the COBIT knowledge base;
• link the KB with the matchmaker agent;
• implement the chatbot;
• annotate answers;
• test the adviser;
• compare its results with a human expert's decisions;
• evaluate the adviser performance.
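The indexing and inference steps described in this section can be illustrated with a small self-contained implementation. The following is an added example written for this article, not code from the adviser or from [22]: it builds an inverted index over a handful of constructed COBIT-style guideline texts, ranks them against a query by tf-idf cosine similarity, and then cascades each matched process into the other frameworks in the order the paper uses (COBIT first, then ITIL, CMMI and ISO27001), giving a top manager COBIT-level guidance only. The process ids follow the COBIT 5 naming scheme (BAI10 is the one cited above); the guideline texts, the framework mapping and the profile rule are assumptions constructed for the example, not the adviser's real rules base.

```python
"""Toy version of the indexing and cascading steps of the IT GRC adviser.

Added example, not code from the paper: the guideline texts, the framework
mapping and the profile rule are constructed sample data.  The process ids
follow the COBIT 5 naming scheme (BAI10 is cited in the paper); the
descriptions and mappings are illustrative text written for this example.
"""
import math
import re
from collections import Counter, defaultdict

STOPWORDS = {"the", "and", "to", "of", "in", "a", "an", "with", "for", "on"}

# Constructed knowledge-base entries: COBIT process id -> guideline text.
COBIT_GUIDELINES = {
    "APO12": "manage risk identify assess and report information risks for strategic decisions",
    "BAI10": "manage configuration of IT assets and services",
    "DSS05": "manage security services protect information against threats",
    "EDM03": "ensure risk optimisation governance of risk appetite and tolerance",
    "MEA03": "monitor compliance with external laws and regulations",
}

# Constructed matching rules: COBIT process -> more operational guidance in the
# other frameworks.  FRAMEWORK_ORDER is the cascade order the paper describes.
MATCHING_RULES = {
    "APO12": {"ITIL": "Risk management practice",
              "ISO27001": "Information security risk assessment requirements"},
    "BAI10": {"ITIL": "Service configuration management practice",
              "CMMI": "Configuration Management process area"},
    "DSS05": {"ITIL": "Information security management practice",
              "ISO27001": "Operational security controls"},
}
FRAMEWORK_ORDER = ["ITIL", "CMMI", "ISO27001"]


def tokenize(text):
    """Lower-case, keep alphabetic words, drop stop words (no stemming)."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


class InvertedIndex:
    """term -> {doc id: term frequency}, ranked with tf-idf cosine similarity."""

    def __init__(self, docs):
        self.postings = defaultdict(dict)
        for doc_id, text in docs.items():
            for term, count in Counter(tokenize(text)).items():
                self.postings[term][doc_id] = count
        n = len(docs)
        self.idf = {t: math.log(1 + n / len(p)) for t, p in self.postings.items()}
        # Pre-compute each document's vector length for cosine normalisation.
        sq = defaultdict(float)
        for term, posting in self.postings.items():
            for doc_id, count in posting.items():
                sq[doc_id] += (count * self.idf[term]) ** 2
        self.norms = {d: math.sqrt(v) for d, v in sq.items()}

    def search(self, query, top_k=3):
        """Return [(doc id, cosine score)] for the top_k most similar documents."""
        q_weights = {t: c * self.idf[t]
                     for t, c in Counter(tokenize(query)).items() if t in self.postings}
        if not q_weights:                     # no query term is known: nothing to rank
            return []
        q_norm = math.sqrt(sum(w * w for w in q_weights.values()))
        dot = defaultdict(float)
        for term, q_w in q_weights.items():   # only walk postings of query terms
            for doc_id, count in self.postings[term].items():
                dot[doc_id] += q_w * count * self.idf[term]
        cosine = {d: s / (self.norms[d] * q_norm) for d, s in dot.items()}
        ranked = sorted(cosine.items(), key=lambda kv: (-kv[1], kv[0]))
        return ranked[:top_k]


def advise(index, query, profile="CIO", top_k=2):
    """Rank COBIT guidelines for the query, then cascade each hit into the other
    frameworks unless the asker is a top manager (who gets COBIT only)."""
    answers = []
    for process, score in index.search(query, top_k):
        entry = {"process": process, "score": round(score, 3),
                 "COBIT": COBIT_GUIDELINES[process]}
        if profile != "top manager":
            for framework in FRAMEWORK_ORDER:
                detail = MATCHING_RULES.get(process, {}).get(framework)
                if detail:
                    entry[framework] = detail
        answers.append(entry)
    return answers


if __name__ == "__main__":
    idx = InvertedIndex(COBIT_GUIDELINES)
    # The request the paper compares against the human expert's decision.
    request = "obtain relevant information and make strategic decisions in relation to risks"
    for answer in advise(idx, request, profile="CIO"):
        print(answer)
```

The query in the `__main__` block is the one the paper compares against the human expert; with these constructed entries it ranks the risk-management process first and, for a CIO profile, attaches the ISO27001 and ITIL details to it, which is the kind of cascaded answer the text describes. A real rules base would also need stemming (here `risk` and `risks` are distinct terms) and the priority weights of [22].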

Implementation
To validate the proposed architecture experimentally, we implemented and improved several versions of the platform. Here is an overview of the IT Governance platform's evolution: the first and second versions were Java simulators; the third, fourth and fifth versions were web applications which, in addition to the proposed functionalities, communicate with the global EAS-IT GRC platform [23]. In the first version, we simply validated the communication of the different intelligent agents with predefined business goals. In the second version [24], we added to the first version's kernel the knowledge base, where we stored the basic information and the different mediation rules, and we implemented an agent launch interface to simulate exchanges. We carried out tests to validate the results. In the third version, we implemented almost all of the features offered, with interfaces for potential users:
• the IT Governance ontology of information systems governance, deployed in the mediation layer for the interpretation of offers and requests;
• a global comparison algorithm to improve the expert mediation system;
• a repository update with version 5 of COBIT;
• request logging and learning to develop the proposed offers.
In the fourth version, presented in [1], we simplified the user web interface and encapsulated the IS layer in a configuration agent for better device coordination in the multiple-access case. We also optimized the semantic engine model to extract IT Governance knowledge.
In the fifth version, presented in this paper, we add two main contributions, namely the semantic engine knowledge management updater and the detailed knowledge base architecture.
Figure 5: User IT Governance query interface
Figure 5 shows the fifth version's IT Governance user query interface. After a secure authentication and a configuration questions interface, the user enters requests about the IT strategy or the business strategy related to digital issues. An order of priority for every request is defined by the user (value from 1 to 5). Figure 6 shows the results as recommended business objectives, IT objectives and IT processes to focus on. A report is generated with further details such as facilitators, controls and metrics, maturity models, key activities and the responsibility matrix. The application presents the detail of the request and the corresponding offers before allowing the user to edit the report; this primary summary allows him to decide whether detailed ITG processing is necessary or the obtained results are sufficient.
Many functional tests have been done. The corresponding framework for every objective is calculated via the priority function of the semantic engine. It also depends on the attributes and search criteria in the knowledge base. As an example, let us compare the results of the platform with the experts' decision about the request: "obtain relevant information and make strategic decisions in relation to risks" (the framework proposed by the experts is ISO27001).
The results of the platform are presented in table 3. The request corresponds to several business objectives (OB). Each OB is detailed into one or more IT objectives, and each IT objective is explained with several IT processes. According to the results in table 3, we can deduce that the adviser chooses ISO27001, like the expert. IT objectives are recommended with a priority gap due to the semantic engine's priority calculation: an IT objective proposed by the expert may appear in the solution with a lower priority value.
To evaluate the adviser's response time, with a view to giving business managers rapid recommendations, tests were run on a PC with the Windows 10 operating system, an Intel Core i7 processor at 2.66 GHz and 16 GB of memory. Three comparison matchmaking modes were tested, namely equality, plug-in and subsumption. We varied the number of requests according to four intervals (the first being [1,5]). The obtained results are presented in figure 7. The adviser is efficient since the obtained results are in milliseconds. The difference between the 3 matchmaking modes is also minimal, which means that the adviser is indifferent to request complexity. The correlation of response time with the number of requests is piecewise linear, which means the algorithms' complexity remains reasonable as the number of iterations increases.
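The three matchmaking modes named in the evaluation are not defined in the paper. The following is an added example, not the adviser's code or the ontology of [3], that implements the usual semantic-matchmaking reading of those names over a constructed concept taxonomy: equality when request and offer are the same concept, plug-in when the offer is a more general concept that covers the request, and subsumption when the offer is a more specific concept than the request. Each mode accepts the degrees up to its own, and accepted offers are returned best degree first. The taxonomy, the concept names and the mode semantics are assumptions made for this example.

```python
"""Matchmaking degrees between a stakeholder request and an offered guideline.

Added example, not code from the paper: the three comparison modes named in
the evaluation (equality, plug-in, subsumption) are implemented here over a
constructed concept taxonomy; the paper's own ontology [3] is not reproduced.
"""

# Constructed taxonomy: concept -> parent concept (None for the root).
TAXONOMY = {
    "Governance": None,
    "RiskManagement": "Governance",
    "InformationSecurityRisk": "RiskManagement",
    "FinancialRisk": "RiskManagement",
    "ServiceManagement": "Governance",
    "ConfigurationManagement": "ServiceManagement",
}

# Degrees each comparison mode accepts, from strictest to most permissive.
MODES = {
    "equality": {"equality"},
    "plug-in": {"equality", "plug-in"},
    "subsumption": {"equality", "plug-in", "subsumption"},
}
DEGREE_RANK = {"equality": 0, "plug-in": 1, "subsumption": 2, "fail": 3}


def ancestors(concept):
    """All concepts above `concept` in the taxonomy, nearest first."""
    chain = []
    parent = TAXONOMY.get(concept)
    while parent is not None:
        chain.append(parent)
        parent = TAXONOMY.get(parent)
    return chain


def subsumes(general, specific):
    """True when `general` is `specific` itself or one of its ancestors."""
    return general == specific or general in ancestors(specific)


def match_degree(request, offer):
    """Classify how an offered guideline covers a request.

    equality    : same concept
    plug-in     : offer is more general, so it fully covers the request
    subsumption : offer is more specific than the request (partial coverage)
    fail        : unrelated concepts, or a concept missing from the taxonomy
    """
    if request not in TAXONOMY or offer not in TAXONOMY:
        return "fail"
    if request == offer:
        return "equality"
    if subsumes(offer, request):
        return "plug-in"
    if subsumes(request, offer):
        return "subsumption"
    return "fail"


def matchmake(request, offers, mode="subsumption"):
    """Return the offers accepted in `mode` as (offer, degree), best degree first."""
    accepted = MODES[mode]
    scored = [(offer, match_degree(request, offer)) for offer in offers]
    kept = [(o, d) for o, d in scored if d in accepted]
    return sorted(kept, key=lambda od: (DEGREE_RANK[od[1]], od[0]))


if __name__ == "__main__":
    offers = ["RiskManagement", "FinancialRisk",
              "InformationSecurityRisk", "ConfigurationManagement"]
    for mode in MODES:
        print(mode, matchmake("InformationSecurityRisk", offers, mode))
```

Running the block shows that the same request returns one offer in equality mode and two in plug-in mode, while a more general request also collects its more specific offers in subsumption mode. A mode only adds a few ancestor lookups to the comparison, so little difference in response time between modes is to be expected from this kind of hierarchy walk.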

Conclusion and perspectives
In this article, we raise the IT Governance frameworks matching problem. After an introduction, we present IT Governance frameworks and their correspondences with COBIT 5 as the strategic level repository. We also list existing IT Governance platforms with an analysis of their strong and weak points. An update of the IT Governance adviser [1] is then presented through a smart semantic model updater with an IT Governance knowledge system architecture to deal with the frameworks matching problem. These two contributions were added to implement other IT Governance frameworks for a 360° IT strategy view: strategic alignment, risk and resource management, performance management and compliance. We chose COBIT 5 as the generic IT Governance framework, and the semantic Web and knowledge management as the technical background to implement this solution.
As for limitations, the current version of the IT GRC adviser does not deep dive into compliance recommendations. Compliance process design should be done according to regional regulations. The same remark holds for specific risks, namely financial and health risk analysis. As for the state of progress and perspectives of this work, we are working on:
• the IT Governance knowledge management system;
• functional tests and proofs of concept.
These perspectives will enable the IT GRC adviser to perform better, so as to reach the industrialization level.