Development Of A Framework To Evaluate Service-oriented Architecture .


Journal of AI and Data Mining
Vol 4, No 2, 2016

Development of a framework to evaluate service-oriented architecture governance using COBIT approach

M. Dehghani1 and S. Emadi2*

1. Department of Computer College of Engineering, Yazd Science and Research Branch, Islamic Azad University, Yazd, Iran.
2. Department of Computer College of Engineering, Yazd Branch, Islamic Azad University, Yazd, Iran.

Received 23 January 2015; Accepted 29 May 2016
*Corresponding author: emadi@iauyazd.ac.ir (S. Emadi).

Abstract
Nowadays organizations require an effective governance framework for their service-oriented architecture (SOA) in order to enable them to use a framework to evaluate their current state governance and determine the governance requirements, and then to offer a suitable model for their governance. Various frameworks have been developed to evaluate the SOA governance. In this paper, a brief introduction to the internal control framework COBIT is described, and it is used to show how to develop a framework to evaluate the SOA governance within an organization. The SOA and information technology expert surveys are carried out to evaluate the proposed framework. The results of this survey verify the proposed framework.

Keywords: Service-oriented Architecture; Service-oriented Architecture Maturity; Service-oriented Architecture Governance; Service-oriented Architecture Adoption; Service-oriented Architecture Governance Evaluation, COBIT.

1. Introduction
A service-oriented architecture (SOA) has created a framework to integrate business processes [1,2] and support information technology (IT) infrastructure as secure standardized services that can be reused and combined to address changing the business priorities [3]. SOA has created opportunities to provide loosely-coupled and interoperable services to service the providers at different Quality of Service (QoS) and cost levels in a number of service domains.
This provides a unique opportunity for businesses to dynamically select services that better meet their business and QoS needs in a cost-effective manner [4]. SOA can be a basis for the components and the constant changing of software programs [1]. SOA focuses mainly on service governance [5], and can reduce the interoperability problems within the IT structure that can evolve in more flexibility for the business, decrease the IT cost, and improve business IT alignment [6]. Among the different potential causes of SOA project failures, lack of IT governance, which should be supplied from the beginning, is one of them. Without governance, an organization is not capable of fully understanding the SOA value [7]. SOA processes provide benefits for all stakeholders. SOA is a kind of strategic investment that supports enterprise and its functions in projects [8]. An organization can provide high quality and reliable services, while SOA governance is successful. These services have led to the efficiency and effectiveness of an organization [9]. Appropriate design and implementation of SOA governance can help organizations to achieve high levels of agility, and respond to customers in the market. In order to evaluate the current status of SOA governance, all organizations require an evaluation framework. The framework could be useful in determining the SOA governance requirements and providing a suitable SOA governance model.

This framework ensures the alignment of SOA governance with business, IT with SOA strategy. It is useful in identifying the competencies and current processes of an organization. It can be used to determine what an organization should do and what it should not.

Emadi & Dehghani/ Journal of AI and Data Mining, Vol 4, No 2, 2016.

The SOA governance maturity models are one of the main tools used to evaluate the SOA governance. A SOA governance maturity model specifies the actions to be taken in transition to a SOA based on a gradual approach and the organization service oriented maturity, and this helps organizations to move toward service orientation [10].

To date, many models have been proposed for governance maturity such that each one of the models for a particular landscape that looked to governance on certain aspects of governance are concentrated. Table 1 shows an overview of some models of governance maturity that are in the field of SOA.

Table 1. Review of SOA governance maturity models.
Columns: Model; Pre-requisites of a SOA governance maturity model (Governance maturity levels, SOA maturity levels, Processes maturity level, SOA adoption domains); Features.

(Software AG, 2005) [8]
- In this model, as soon as it was completed, the initial phase of planning for the systematic development of SOA can be started. From this point onward, SOA governance as a comprehensive tool support is important. In this model, the move towards higher IT and SOA governance is needed.
- SOA adoption domain is not considered.

(Bieberstein et al., 2005) [11]
- In this model, maturity level and the adoption of service-oriented architecture are completely and clearly not covered, and only the maturity levels of governance are considered.

(Afshar et al., 2007) [12]
- In this model, service-oriented architecture adoption domain is not completely covered but the maturity level of service-oriented architecture and governance maturity levels is considered.

(Marks, 2008) [10]
- Related features of each level of governance are separated and comprehensive.
- The governance issues including roles and responsibilities for each level governance and alignment governance are considered.
- This model only focuses on SOA governance maturity levels and lowers the considered SOA maturity levels and SOA adoption domains.

(Scheper and Kratz, 2009) [13]
- This model does not specify SOA governance maturity levels and SOA adoption domains clearly, and only presents SOA maturity levels for business process, and on this basis, proposes some actions for governance.

(Hassanzadeh and Namdarian, 2010) [2]
- In this model of SOA governance, which considers the maturity of the proposed SOA and service oriented, the better picture of the status in terms of the type of governance.

By analyzing the proposed governance maturity model in order to evaluate the SOA governance, it was found out that the available models did not have the essential ability to assess the maturity of the organization processes. Therefore, a governance maturity model is required to evaluate the maturity level of processes in addition to assessing the governance maturity levels of SOA. COBIT governance maturity model can play an important role in evaluating the SOA governance based on the trajectory of process-oriented organizations, which has been used in the recent years. Thus far, various models of COBIT framework have been proposed [14].

COBIT4.1 is a manageable and control-based process framework that covers the entire business process of an organization, and exposes it in a logical structure that can be managed and controlled effectively. This framework helps government agencies in conducting self-assessment and in determining to what extent the implementation of IT governance has been done. The primary purpose of this model is to monitor the organization IT to see that it is not designed to evaluate the architecture governance independently. There is no precise survey on SOA from the aspect of governance evaluation. According to the relationship between the COBIT4.1 model goals and SOA (i.e. business and IT alignment), it can be found out that the processes of this model have the highest correlation and value with respect to SOA. This model can be used as a suitable factor to evaluate the governance on SOA [14, 15]. Nevertheless, one of the challenges of using this framework is the lack of a method to evaluate the governance on SOA. Therefore, this study was conducted to provide a framework to show the status of the governance on SOA using the COBIT governance maturity model and the main aspects of a comprehensive SOA governance maturity.

This paper has been organized as follows: Section 2 introduces and surveys the main aspects of the SOA governance maturity model. Section 3 provides a brief review about the COBIT 4.1 framework and the governance maturity model. The proposed framework is described in section 4. In section 5, the proposed framework is evaluated, and finally, in section 6, conclusion of the discussions is presented.

2. Main aspects of SOA governance maturity model
Implementation and formalization of SOA governance is an essential phase for organizational maturity in SOA. The maturity model can be used as a measurement tool to assess the level of quality of some activities. Marks (2008) has presented a comprehensive model for the SOA governance maturity model. Evaluation of the maturity level by implementing a SOA maturity model reflects the organizational governance implications on the organizational governance [10, 16]. However, the presented framework seeks to identify the measurement tools, and integrate them into a unified model for the COBIT framework.

2.1. General SOA maturity model
SOA maturity model is a framework that is used to prepare an organization for a successful adoption of SOA. It defines a standard path to progress toward SOA; it is like an airport control tower. As an airport control tower navigates an airplane in its way for a successful landing, the SOA maturity model guides an organization to adopt SOA and achieve higher levels of SOA maturity. In this way, the organization can evaluate the level of maturity in the field of SOA. In fact, a SOA maturity model provides an image of SOA maturity model in the organization based on major requirements, and shows the main gaps that the organization should consider [2]. A brief description of the SOA maturity model that has been proposed so far is described.

The Service Integration Maturity Model (SIMM) was provided by IBM in 2005. It consists of seven levels of maturity such as silo, integrated, componentized, simple services, composite services, and virtualized services, and allows movement towards a SOA by accepting different states of an institution [17]. The model identifies the target in certain circumstances, and provides guidelines to show how to reach the desired situation [17]. The IT Service Capability Maturity Model (ITSCMM) was provided in 2005. It concentrates on determining the maturity level of services, and involves all the necessary actions required for setting up SOA. The service capability maturity model increases the organization capability in identifying and running the IT services with five levels including initial, repeatable, defined, managed, and optimizing. The Enterprise SOA Maturity Model (ESOAMM) divides the SOA maturity model into four levels including traditional development and mposite applications, and automate business processes [18]. Another maturity model is the SOA Maturity Model (SOAMM), which was provided in 2005. This model focuses on service oriented maturity, and its goal is to support the gradual process adoption of SOA and suggest methods for it. Designers have designed this model with the received feedbacks of 2000 architects. This model divides SOA maturity into five levels including Initial Services, , Measured Services, and Optimized Services [17].

2.2. SOA adoption maturity model
The most important benefit of the SOA maturity model is that it can help to guide SOA adoption. However, the model helps to coordinate the different paths to SOA inside a company. SOA adoption is a gradual process. In many cases, SOA adoption begins from the initial level of maturity. Some organizations may apply SOA in an organization unit level, and others may apply it in the business level. The issue of SOA adoption was created to help the organizations to recognize their level of SOA maturity. The SOA maturity model adoption helps to understand, accept, and determine the goals and strategic level of an organization [3]. One of the adoption maturity models is a model that was provided by Marks in 2008. Various phases of this maturity model are the initial phase of SOA, strategy and planning phase of SOA, SOA governance model development phase, platform phase of SOA and SOA governance platform, SOA reference implementation, SOA program, SOA similarity and acceleration, and stable model of SOA. Another adoption of the maturity model is the model presented by Inganti (2007), which includes four levels involving the intra-department level, inter-department/business unit level, inter-business level, and enterprise level [18].

3. COBIT 4.1
The control objectives for information and its related technologies (i.e. COBIT) are a set of the best IT practices provided by Audit Association and Information Systems Control (2007) with a process-control approach. COBIT 4.1 has 4 domains involving Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME), and 34 processes and 318 control objectives in the IT evaluating domain. This framework provides measures and indices to help managers, auditors, and IT users to have maximum benefits of developing the observance and appropriate IT control in an organization [19]. Each one of these domains and its related processes are shown in table 2.

Table 2. IT processes identified by COBIT 4.1 [20].

Plan and Organize (PO)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define IT process, organization, and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

Acquire and Implement (AI)
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Deliver and Support (DS)
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operation

Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

3.1. Governance maturity model from COBIT 4.1 viewpoint
The present COBIT4.1 framework contains 34 processes, which provide an IT maturity model derived from the Software Engineering Institute Capability Maturity Model. This framework evaluates the maturity level of an organization. Then the organization evaluation is ranked between the absence level (0) and the optimized level (5) [19]. One of the most important applications of this maturity model is to determine the maturity level by an organization itself, and to specify the existing gaps to achieve the maximum level of maturity. Consequently, in order to fill the existing gaps, the organization programs the practical improvements in internal control system of IT. Indeed, this model specifies the IT organization ability to address the business needs and its alignment with the business and strategic demands [21]. Different levels of maturity in the aforementioned model can be classified as shown in figure 1.

Figure 1. Graphic representations of COBIT 4.1 governance maturity model [19].

4. Proposed framework
As mentioned earlier, moving toward process-oriented in an organization has been improved significantly, so the process efficiency shows the organization efficiency. When the organization processes are recognized and managed correctly, a desired output will be gained. Thus the use of a reference framework seems imperative. What should be considered to choose a framework is a reference model that covers all activities of the organization, and that can be used as a road map. Since the COBIT governance process maturity model is an international comprehensive and adopted model, it can be confirmed. This framework provides comprehensive results to the IT managers to plan, develop, and upgrade the maturity level [20]. It may be considered as an evaluation model but the lack of a suitable SOA governance maturity model prevents it from being used as an evaluation model.

In this context, this study intended to use the main aspects of the governance maturity model of SOA in order to provide a desirable framework for the COBIT 4.1 governance maturity model. Since this model is based on SOA, the framework can be used to evaluate the SOA governance. In this study, four main areas of the COBIT 4.1 model, which has a total of 34 processes, were addressed as the evaluation indices of the proposed framework. Accordingly, the proposed framework was done in 4 steps. Figure 2 shows the main steps of the proposed framework.

Step 1: Compliance COBIT 4.1 processes and SOA governance processes
COBIT 4.1 processes play a significant role in the governance maturity evaluation. The compliance between the COBIT 4.1 processes and the main processes in SOA governance was considered as the first step to present the proposed framework. It is the main role in the SOA governance maturity evaluation. In this compliance, all the main processes of SOA governance for developing the proposed framework in COBIT 4.1 are positioned. This work reviews all the 34 COBIT 4.1 processes, and finds possible relationships or connections with the main process SOA governance done. Table 3 shows how the compliance COBIT 4.1 processes with the main processes of SOA governance could be divided into 4 areas according to the COBIT 4.1 process indicated.

- Compliance COBIT 4.1 processes and SOA governance processes
- Mapping COBIT 4.1 processes and SOA adoption domain
- Mapping COBIT 4.1 processes and SOA maturity levels
- Mapping SOA maturity levels and COBIT 4.1 governance maturity levels
Figure 2. Main steps of proposed framework.

Step 2: Mapping COBIT 4.1 processes and SOA adoption domain
The SOA adoption domain and its relation to the maturity of SOA, i.e. one of the aspects of the proposed framework, was extracted from the model proposed by Inganti and Arvamudan (2007). They used a multi-aspect viewpoint in their SOA maturity model, and proposed the aspects that were important to implement SOA. They included the reception domain of SOA, the maturity level of SOA, and the SOA development steps. Considering these aspects makes the complete picture of the current level of SOA maturity [3]. To determine the maturity level of SOA in this model, SOAMM which has five levels including Initial Services, , Measured Services, and Optimized Services was used, and the four domain intra-department, inter-departments/business unit level, inter-business units and within the enterprise level were taken into consideration for adoption [18].

Table 3. Relationship between COBIT 4.1 process and main processes of SOA governance.

PO1: Define a strategic plan
SOA Governance processes: Service Portfolio Planning (Business) Application Portfolio Planning
In SOA, the strategic planning is taking place in the business and service portfolio planning, in which a long-term planning is determined to decide which services and applications to develop and maintain to maximize business-IT alignment.

PO2: Determine technological direction
SOA Governance processes: Service Developing Policies
In SOA, the technical direction is set in the service developing policies, in which the technology and standards used for realizing the services should be determined. This also includes policies related to the use of technologies and standards for the development of services, naming policies, and agreements on metadata. Another important aspect is the determination of service granularity.

AI6: Manage change
SOA Governance processes: Version (release) Management
In SOA, special attention is required for managing the changes outlined in version (release) management. Since the services have an enterprise wide reach, the impact of changes and new release will increase. To stay in control of the services, it is important to properly manage the number of service versions in use, to have clear rules on migration to new versions and the support of older versions.

DS1: Define and manage service levels
SOA Governance processes: Service Level Agreements
In SOA, where services can be consumed through the whole organization (or even outside the organization), service levels should be managed as well. This requires a formalized relation between service consumer and service provider. This ongoing process should ensure (and improve) the quality by meeting the agreed service levels and also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels.

DS3: Manage performance and capacity
SOA Governance processes: Runtime Qualities
For SOA, this is described as runtime qualities. The call for a service will increase due to its enterprise wide reach. Therefore, the capacity has to raise to be able to handle all requests. This together with the message oriented character of SOA (this will affect the performance of IT) calls for special attention to Performance and Capacity Management.

DS6: Ensure system security
SOA Governance processes: Security Policies
SOA requires more complex security solutions to permit access to multiple applications, when executing a service. Another security issue within SOA is the need for encryption in confidential messages. Therefore, SOA requires a special attention to this objective.

DS9: Manage the configuration
SOA Governance processes: Service Repository
The service repository is also a kind of configuration repository, in which business consumers can see which services are available, and under which conditions.
SOA Governance processes: Service Life Cycle Management
The service life cycle management can be grouped within managing the configuration, as well. In this aspect, configuration of the services is managed mainly in the pre and con production phase.

DS10: Manage problems
SOA Governance processes: Error Tracking and resolution (exception handling)
This is also valid for SOA because of the execution of chains of services which require attention for error tracking and resolution. An effective problem management process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

DS13: Manage operation
SOA Governance processes: Transaction management
The execution of chains of services requires operation management. Operations which are operated on a long-term period need to be able to be tracked on their progress. Therefore, this objective is important for SOA.

ME1: Monitor and evaluate IT performance
SOA Governance processes: System (service) Monitoring
Since the introduction of SOA can be expensive, it is important to show the value of IT to the business. Monitoring the usage of service can be an appropriate way to make the reuse of services visible. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies. Therefore, this objective needs special attention for SOA.

ME2: Ensure compliance with external requirements
SOA Governance processes: Methods for dealing with regulatory requirements
For SOA, with its (inter) organizational reach, compliance is an important aspect because small deviations can result in serious problems.

Step 3: Mapping COBIT 4.1 processes and SOA maturity levels
Since SOA maturity is one of the framework aspects of the COBIT governance maturity, SOAMM has its most attention and focus on SOA maturity between the proposed maturity models of SOA, and follows the gradual process of SOA adoption [18], and thus it has been used in the integrated framework of this maturity model.

Step 4: Mapping SOA maturity levels and COBIT 4.1 governance maturity levels
To provide a framework, mapping occurs between the maturity levels of SOA and the COBIT 4.1 governance maturity in the last step. When maturity level maximizes, governance needs to be modified, i.e. once SOA was implemented and it reached a new maturity level, using the previous governance would not be simple [2].

Figure 3 shows the proposed framework to evaluate governance on a SOA. The framework consists of four aspects including process domain, SOA adoption domain, SOA maturity levels, and COBIT 4.1 governance maturity level. Using this framework, the level of SOA adoption domain and action level of COBIT 4.1 governance maturity can be determined according to the SOA maturity level of the organization.

Table 4 demonstrates the measures of each one of the four dimensions of the proposed framework in detail.

Figure 3. Conceptual framework to evaluate SOA governance.

In this study, to determine the goal and achieve the correct result, 4 main hypotheses were defined involving the aspects and relations between the governance processes and the main aspects of a comprehensive SOA governance maturity model. The main hypotheses of this study are:
A: The hypotheses related to the 4-fold dimensions of the proposed framework.
B: The hypotheses related to the communication between the organization process domains and the SOA adoption domain.
C: The hypotheses concerning the relation of the existing organization process domains and the SOA maturity model.
D: The hypotheses related to the communication between the maturity levels of SOA and the maturity levels of COBIT governance.

4.1. Mapping proposed framework, COBIT5
Among the different models, the COBIT framework proposed in the recent years, COBIT5 with respect to the features that this framework is having [22]. In the existing processes along the main aspects of this framework, a comprehensive IT governance maturity model for SOA assess the maturity level of governance on the SOA used. Section 4.1 and table 5 summarize that the changes in the proposed framework are based on COBIT5 described.

5. Evaluation of proposed framework
In this study, the data type was quantitative, and the paradigm was positivism. The data collection tool questionnaire is based on the 5-point Likert's scale. In order to test the proposed framework, a sample of 18 experts in the field of SOA was included [24].

Table 4: Measure of process domain [21], SOA maturity levels, SOA adoption domain [3], and COBIT governance maturity levels [18].
Columns: process domain (Measure); SOA maturity levels (Measure); SOA adoption domain (Measure); SOA governance maturity level (Measure).

Management
-Security and management
-Applying SOA formally
-Specify technology standards for SOA
-There is no formal training in this domain; there is no communication with standard procedures and individual responsibility.
-The level of standard procedures, but these procedures are documented and have been associated with the training of high level, but are only a formality.
-The relationship between business and technology
-Full support of the same process of business
-Policy to create and change business processes
-Connect internal services with external service
-Extend business processes to external organizations
-Implement cross enterprise security
-External services enablement, translation of protocols
- Long running transactions
-A firm step in the direction of enterprise SOA enablement is the interaction of services across business units.
-Service reuse is maximized at this point.
-A firmly established governance module institutes policies, processes and standards to be followed, while creating new services.
-A service repository ensures maximum service reuse
-Regular Business Activity Monitoring ensures the optimal functioning of services
Define a Strategic IT plan
-Data classification scheme and security levels
-The beginnings of SOA reuse are found at this stage along with the evolution of a Rudimentary governance charter.
-Business Responsiveness
-Business Process Management
Defined governance level
Similar procedures are performed by the same.
Repeatable governance level
-Training SOA in the organization
-The level processes have been developed to some extent.
performance
-Create a data dictionary of the rules for writing data
Inter business SOA adoption domain
-There are no standardized procedures but there are certain approaches that individually do.
Initial governance level
-Translate service for types of message
- This is the second stage of SOA adoption, where various departments within a business units are SOA-enabled and interact with each other using architected services.
Business service level
Architected service level
Inter-department business unit SOA adoption domain
-Exception Service
-Updating the long run process
- Monitoring and reporting of complementary services stakeholders
Define the Information Architecture
-Governance using policies and service definition
- Individual departments slowly beginning to engineer their systems to be service-oriented.
- Proof of concept projects, smaller SOA rollouts, and integration projects are undertaken at this stage.
- There is little or no cross business interaction.
- The governance charter has not yet been instituted, and there are only the beginnings of an organization wide sponsorship and visibility for the SOA effort.
Define and Manage Service Levels
-Service and policy repository
- Initial learning phase
- Pilot projects
- Legacy integration
- Apply SOA technology to immediate organizational
- Define initial budget for SOA project
- ESB
Initial service level
Collaborative service level
-The lack of any process; the organization still did not understand that we must consider the context of such establishment.
Non-existent governance level

-Separate services for managing, monitoring and responding to events
-Provides automation business pr
