Chakir 2016
Abstract. This work sits at the intersection of two disciplines: decision-making systems and the practices of IT GRC. Many organizations have deployed and integrated IT GRC practices; the problem that then arises is how to choose the right practices to satisfy a precise need. Our work is motivated by the need to make decisions by understanding and incorporating perceptions, decisions and actions in order to make the best choice. The objective of this research is to build a decision-making model that satisfies a precise IT need. The proposed approach rests on three main stages. The model takes the strategic needs as input. The first stage reduces the size of the problem by dividing it into several sub-problems, based on the mapping between all the GRC reference frameworks and methods; this stage also lets us sequence these sub-problems according to variables of the environment, for example the type of organization. The second stage formalizes each sub-problem according to the criteria stored in the data warehouse and generates the best choice of good practice using multi-criteria aggregation methods, so as to satisfy the IT need. The third stage evaluates IT satisfaction and supports decision-making at the level of each chosen reference framework.
1 Introduction
The three axes of IT Governance, Risk and Compliance (GRC) ensure the alignment of the company's objectives with the needs of stakeholders and with the conditions and options imposed on management. This is reflected in the strategic progress of a given organization and in the decisions it takes [1].
The variety of IT GRC methodologies, standards and best practices [2] confronts those in charge of information systems with the problem of combining these reference frameworks to reach precise goals, especially since some IT GRC practices aim to be global and cover every field of IT activity without being detailed enough, while others treat one particular domain in detail without a global view. This diversity of IT GRC practices makes it difficult for companies to choose the appropriate ones. It is therefore necessary to implement a decision-making model that ensures the selection of the best GRC solution.
The request expressed by users, which is by nature strongly qualitative, subjective and rich in reasoning, will be translated into quantitative, formal data that the decision-making system can exploit, with the ultimate aim of improving learning and communication by equipping our system with a multi-agent system and an expert system.
To make good use of GRC and increase its utility, especially for non-experts, the decision-making system will allow end users to see the relevance of the chosen reference framework.
2.1 IT GRC
The Governance, Risk and Compliance (GRC) approach allows an organization to be steered with minimum effort while remaining compliant with its internal policies and with external regulations, by ensuring strategic alignment and effective improvement of its processes and projects [3][10].
The three GRC aspects allow companies to properly check their activities. This translates into:
3 Decision-making Systems
A is the set of potential actions. This set can be defined explicitly (finite), the constraints then being implicit, or implicitly (generally infinite), the constraints then being explicit. In the second case we resort to multi-objective mathematical programming (PMOM) and often denote the set of admissible actions by the symbol X;
F is the finite set of attributes or criteria, generally conflicting, against which the actions will be evaluated;
and E is the set of evaluations of the actions according to each attribute or criterion, that is, the set of performance vectors, one vector per action.
In general, this formulation simplifies the problem but does not by itself solve the decision problem, which requires multi-criteria methods to elicit the organization's preferences.
502 A. Chakir et al.
Sorting problems (P.β)
In this type of problem, all the actions are ordered from best to worst; it is a kind of assignment to equivalence classes induced by this preorder, i.e. ordered categories.
A Decision Approach to Select the Best Framework to Treat 503
This type of problem consists in describing all the potential actions by taking into account a set of parameters such as indifference and preference thresholds, level of pursuit … Generally this type of problem becomes the appropriate one when the decision-maker is unable to define the problem, or to express the type of result he would like to obtain. This type of problem is implemented by cognitive procedures.
Compared with our problem, which consists in finding the best reference framework or frameworks, we opted for selection procedures.
Example of method [22]:
ELECTRE I (choice problems P.α): the objective of this method is to split the set of actions (the reference frameworks) so as to isolate the subset containing the best alternatives, from which the decision-maker will choose.
4 Expert Systems
A knowledge base:
An inference engine:
○ reasons from the information contained in the fact base and in the rule base;
○ is capable of making deductions or inferences.
What is an agent?
The multi-agent system (SMA) shares a common point with IT governance, namely management by process; indeed this way of managing fits perfectly with IT governance, which is nothing other than a set of processes interacting with each other for better management of information technologies. [11]
Level 1:
The first level sets up two layers; each layer has a precise function to ensure.
The first layer, “SMA sequencing”, comprises two sub-layers, “Categorization decision 1.1” and “Categorization decision 1.2”.
The first sub-layer, “Categorization decision 1.1”, aims to distribute the strategic needs according to a priority matrix. This matrix expresses the mapping between the IT objectives defined by COBIT [4] [6] and the other reference frameworks (ITIL [5], ISO 27001, ISO 27002, ISO 27005, PMBOK, CMMI) and the GRC methods (MEHARI, EBIOS…), and it also carries, as information, the classification of the reference frameworks from least detailed to most detailed. This sub-layer allows us to join the matrix of strategic IT needs with the priority matrix to produce a reduced matrix, which will be handled by the second sub-layer of the decision-making model.
The following figure illustrates the size of the priority matrix:
The second sub-layer, “Categorization decision 1.2”, takes as input the matrix produced by the first sub-layer, the organization's type of activity and the data stored in a data warehouse, and assigns an order number to each IT need so as to sequence their execution, based on scheduling algorithms from operations research.
The second layer, “SMA collective evaluation”, takes as input the matrix produced by the first layer and treats every IT objective as a sub-problem. This layer formalizes each sub-problem by taking as input the deployed reference frameworks, their versions and whether or not the organization holds the corresponding certification; it also takes the dimensions and indicators stored in the IT data warehouse as criteria, so as to exploit every kind of information and generate the best choice of IT GRC good practice, using multi-criteria aggregation methods to satisfy the IT need expressed as input, and by setting up an expert system.
The following figure illustrates the performance indicators proposed by the IT data warehouse:
The following figure illustrates the operation of our expert system, which ensures the collective expertise of the decision-making model.
Level 2:
The second level determines whether or not the choice is satisfactory, based for example on the success rate: if the success rate is above a threshold, the choice is accepted; if not, we must revisit the formulation of the strategic need, or regenerate a second choice based on other criteria.
The first objective can be handled by the reference ITIL, which belongs to the governance axis (G), or by the reference CMMI, which belongs to the governance axis (G).
The second objective can be handled by the reference ISO 27002, which belongs to the risk axis (R), or by the reference ISO 27005, which belongs to the compliance axis (C).
The third objective can be handled by the reference ISO 27001, which belongs to the risk axis (R), or by the reference ISO 27002, which belongs to the axis (R), or by the reference ITIL, which belongs to the governance axis (G).
The first level produced the best reference per IT objective: for the first objective the result is ITIL, for the second objective the result is ISO 27002, and for the third objective the result is ISO 27001.
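As an added illustration (not code from the paper), the following Python runs the ELECTRE I choice procedure (problem P.α) named above on the third objective's three candidates, then applies the Level 2 success-rate check with the "second choice" loop. The performance scores, criterion weights, concordance/discordance thresholds and success rates are all constructed assumptions, and the kernel is the simplified "not outranked by any other candidate" set.

```python
# Added example, not from the paper: ELECTRE I choice (problem P.alpha) for the third
# IT objective, followed by the Level 2 success-rate check and the "second choice" loop.
# Scores, weights, thresholds and success rates below are constructed for illustration.

# Constructed performance table (0-10, higher is better) for the third objective's candidates.
SCORES = {
    "ISO27001": {"coverage": 9, "maturity": 7, "certified": 10, "tooling": 6},
    "ISO27002": {"coverage": 7, "maturity": 8, "certified": 0, "tooling": 7},
    "ITIL": {"coverage": 4, "maturity": 9, "certified": 5, "tooling": 9},
}
# Integer weights (summing to 10) keep the concordance index exact in floating point.
WEIGHTS = {"coverage": 4, "maturity": 3, "certified": 2, "tooling": 1}
SCALE = 10  # range of every criterion, used to normalize discordance

def concordance(a, b):
    """Weighted share of criteria on which a is at least as good as b."""
    agree = sum(w for j, w in WEIGHTS.items() if SCORES[a][j] >= SCORES[b][j])
    return agree / sum(WEIGHTS.values())

def discordance(a, b):
    """Largest normalized disadvantage of a against b on any single criterion."""
    worst = max(SCORES[b][j] - SCORES[a][j] for j in WEIGHTS)
    return max(worst, 0) / SCALE

def outranks(a, b, c_min=0.6, d_max=0.5):
    """ELECTRE I outranking: strong enough concordance and no veto-level discordance."""
    return concordance(a, b) >= c_min and discordance(a, b) <= d_max

def electre1_kernel(alternatives, c_min=0.6, d_max=0.5):
    """Choice set: alternatives outranked by no other candidate (simplified kernel)."""
    return sorted(a for a in alternatives
                  if not any(outranks(b, a, c_min, d_max) for b in alternatives if b != a))

def select_with_feedback(alternatives, success_rate, threshold=0.8):
    """Level 1 choice, then Level 2 check; a rejected reference is dropped and the choice
    is regenerated from the remaining candidates. Returns (reference, verdict)."""
    remaining = list(alternatives)
    while remaining:
        kernel = electre1_kernel(remaining)
        if not kernel:  # outranking cycle: no candidate stands out
            break
        chosen = kernel[0]
        if success_rate.get(chosen, 0.0) >= threshold:
            return chosen, "accepted"
        remaining.remove(chosen)
    return None, "reformulate strategic need"
```

With the constructed scores, `electre1_kernel(SCORES)` returns `['ISO27001']`, which matches the paper's stated result for the third objective; `select_with_feedback` shows how a failed Level 2 check falls back to the next candidate or to reformulating the need.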
7 Conclusion
This paper addresses the problem of selecting the best IT GRC reference framework or frameworks using multi-criteria decision support methods.
Our approach is based on expert systems, multi-agent systems and multi-criteria aggregation methods, exploiting every kind of information available to the organization to satisfy its strategic need.
References
1. Racz, N., Weippl, E., Seufert, A.: A process model for integrated IT governance, risk, and compliance management. In: Databases and Information Systems, Proceedings of the Ninth International Baltic Conference, Baltic DB&IS 2010, pp. 155–170. University of Latvia Press, Riga (2010)
2. Kooper, M.N., Maes, R., Roos Lindgreen, E.E.O.: On the governance of information: introducing a new concept of governance to support the management of information. International Journal of Information Management: The Journal for Information Professionals 31(3), 195–200 (2011)
3. Racz, N., Panitz, J.C., Amberg, M., Weippl, E., Seufert, A.: Governance, risk & compliance (GRC) status quo and software use: results from a survey among large enterprises. In: ACIS 2010 Proceedings, paper 21 (2010). http://aisel.aisnet.org/acis2010/21 (retrieved 13 December 2010)
4. Stachtchenko, P.: COBIT 5, ses apports pour management et la gouvernance du SI, 25 January 2013
5. Delbrayelle: Introduction à ITIL V3 et au cycle de vie des services, July 2011. ISO: Information technology – Security techniques – Code of practice for information security management (2005)
6. ITGI and OGC: Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit (2008)
7. Ferber, J.: Les systèmes multi-agents, vers une intelligence collective. InterEditions, pp. 63–144 (1995)