IT Governance Ontology Building Process : Example Of .


International Journal of Computer Techniques - Volume 2 Issue 1, 2015
ISSN: 2394-2231, http://www.ijctjournal.org, Page 134
RESEARCH ARTICLE, OPEN ACCESS

IT Governance Ontology Building Process: Example of developing Audit Ontology

Chergui Meriyem, Sayouti Adil, Medromi Hicham
(ENSEM, Hassan II University, LISER-EAS, Casablanca)

Abstract

This article aims at building an ontology based on the COBIT Framework, named “AuditOntology”, to be used in an IT Governance solution. Through this implementation, an IT Governance Ontology building process will be proposed so that it can be used for other frameworks' Ontologies. In fact, ontological meta-modelling is nowadays a necessity for every discipline to share concepts and terms and to annotate information. It clarifies knowledge structure for better understanding of domain vocabulary and entities relationship. Ontologies are often made for reasoning purposes; their engineering benefits are about stakeholders’ communication, systems interoperability and reusability. Till now, there is no IT Governance ontology with a scientific foundation to be deployed on AI software solutions or conceptual modelling, so the main goal of this work is to propose an ontology based on the COBIT Framework in Web Ontology Language using particular life cycle steps.

Keywords: COBIT, Ontology, OWL, semantic web, meta-modelling, IT-Governance, Audit, Information

I. INTRODUCTION

Information technologies (IT) have more and more impact on companies’ revenue, making differences on their evolution function. Information Systems (IS) become a serious investment in front of world market agility and exponential changing; it’s also an asset on which companies rely to achieve business goals [1].

But this investment is not a 100% successful one: IT introduction and implementation makes enterprises waste big budgets without an efficient result in case their deployment project was not correctly measured. Randomness has no place in IS overhaul or business applicative development.

IT Governance (ITG) is the vital and unique solution to ensure positive returns [2]. Indeed, Information System Experts put at the disposal of companies best practices and frameworks able to control their IT decisions and projects from the launch until the commissioning, dealing with risks and services management.

However, ITG implementation is still a complex task which is not very practical since it depends on companies’ context and business particularity, so the challenge is to understand these frameworks' structure to be able to control how adaptable they are to the information system and where we can use each of them.

As a result, we need a logical structure modelling of ITG frameworks for an effective integration.

In this sense, the Information Technology Governance Institute (ITGI) [3] made a multi criteria classification with framework functions mapping, but it still lacks theoretical and scientific foundation, despite its efficiency in practical special cases.

As a solution, ontology building in ITG context seems to be an essential step to overcome so as to give a high level of abstraction modelling capable to explain logical structure and

relationships between different ITG frameworks components. This is in harmony with other disciplines' standardized Ontologies development examples: SNOMED [4] in the medical domain, UNSPSC for products and services terminology [5] etc.

In this paper, we try to build method and task ontology based on COBIT framework, using its existing meta-model, documentation and terminology indexation.

The article is presented as follows: section 2 presents ontology literature review, section 3 details COBIT constitution and its IT Governance contribution, section 4 shows different steps of AuditOntology building before giving a conclusion and perspectives.

I. ONTOLOGIES IMPLEMENTATION

A. Definitions

The Artificial Intelligence (AI) literature gave many definitions of ontology, sometimes conflicting one another. The most pertinent and near to our work context is Gruber's one, defining ontology as "a specification explicit conceptualization".

In 1997, Borst has defined an ontology as "a formal specification of a shared conceptualization": these two definitions were combined by Studer et al. (1998): "An ontology is a formal and implicit specification of a shared conceptualization". The construction of an ontology intervenes only after the conceptualization of work has been completed [6].

An ontology with instances of individual classes makes in AI a Knowledge Base. The Class is the focus of any ontology; a class can have subclasses to detail the concept of the Superclass. The relation between subclasses and Superclass is the “subsumption” relation or “is-a” relation. There are other kinds of relations defined in conception context.

An ontology class also has properties to characterize it; these properties are valued and are either data properties / slots or object properties.

B. Types of Ontologies

There are many types of Ontologies in semantic web literature; the most common are namely [7]:
- Generic ontology: describes very general concepts such as space, time, matter, objects, events, actions, etc., which are independent of a problem or a particular area of application.
- Domain ontology: vocabulary linked to a generic domain by specializing the concepts presented in Generic ontology: electronic, automobile
- Task ontology: vocabulary linked to special task or activity.
- Method ontology: the role played by each concept in the argument is made explicit.
- Application ontology or task and domain ontology: write concepts depending on both of a domain and a particular task, which are often two specializations of the related Ontologies. These concepts often are the roles of domain entities while performing a certain activity, such as replaceable unit or component available.

We can eventually represent the relationship between different types of Ontologies in figure 1 below:

Fig1. Specialization relations between ontologies types (Generic ontology, Task ontology, Method ontology, Domain ontology, Application ontology)

C. Representation Languages and construction tools

There are many languages and formalisms used to represent Ontologies; the most common are:
- Ontolingua: for portable Ontologies, defines classes, relations and functions on KIF (Knowledge Interchange Format) formalism [8], able to translate generic Ontologies to Loom, Epikit and KIF.
- Loom: later Power loom is a knowledge representation platform able to make reasoning tools. Based on chaining earlier, the semantic unification and object-oriented technologies to provide a deductive Support.
- OIL: Ontology Inference Layer is a language for Ontologies, representation and influence of combining modeling primitives frame languages with formal semantics and descriptive logical reasoning methods. Widely used for the web, based on RDF/RDFS and XML formalism [9].
- SHOE: Simple HTML Ontology Extensions is an extension of HTML that allows Web page authors to generate annotation of their documents that can be understood by a machine. This language can be used by agents [10].
- OWL: knowledge representation language especially web Ontologies, based on RDF data model, its second version is W3C recommendation, it has three increasingly-expressive sublanguages: OWL Lite, OWL DL, and OWL Full [11]

In this work, we opted for OWL, since it can be interfaced with all other languages and it has a variety of tools to implement ontology with it.

As for tools, there are many; we presented in a previous article the most known [12]. But Protégé remains till now the most popular tool for ontological engineering; we use it as well to implement AuditOntology.

D. Ontologies Conception methodologies

In semantic web literature, there is no unified life cycle, methodologies and techniques to construct Ontologies. But authors review three types of approaches to conceive a formal ontology [13]: Bottom up; Top Down; Middle approach [14].

Later, Gomez-Perez [15] proposes a method called METHONTOLOGY, consisting on:
1. listing all the concepts of a domain,
2. conceptualize a set of intermediate relationships between these concepts,
3. implement the model, and
4. evaluate.

There are other propositions such as TOVE [16] but this approach is specialized on evaluating Ontologies, after establishing skills from existing scenarios. Other authors had simply made acceptance criteria [17] or construction difficulties.

In our case, we will use a method close to METHONTOLOGY, with IT governance particularities. We will detail it in section 4.

II. COBIT AS IT GOVERNANCE FRAMEWORK

COBIT (Control Objectives for Information and related Technology Business), developed in 1994 (published in 1996) by ISACA (The Information System Audit and Control Association) is an IT governance framework specialized on control objectives of information technology for both Information System Management and business stakeholders.

A. COBIT Contribution

COBIT has many goals expressing top management preoccupations such as:
- Strategic alignment between IT and Business,
- Efficiency by bringing benefits to processes operation,
- Responsible and optimized use of resources with IT,
- IT Risks control in relationship with business.

COBIT originality is the creation of communication links between IS Management and business actors, minimizing strategic distances among stakeholders. It’s the reason why COBIT proposes 34 Generic Processes, divided into 4 generic domains; these processes and domains are reviewable according to the

organization specificities. Moreover, COBIT can easily be coupled with other best practices such as CMMI, ITIL, and ISO27001 etc.

COBIT also allows enterprises to compare their processes to other companies, or to evaluate themselves through Generic maturity models.

B. COBIT Components

COBIT defines 4 domains [18]:
- Plan and Organize (PO): it’s the strategic dimension of IT governance.
- Acquire and Implement (AI): it’s nt and deployment
- Deliver and Support (DS): it’s about client services (management of security, data and continuity).
- Monitor and Evaluate (ME): it’s about control dimension, performance management and audit.

For each 34 IT process COBIT detailed:

Control objectives: it has general view and detailed view, it aims at describing general issues of the IT process such as IT goals, activities, process goals and metrics; it's eventually about results we get while applying the IT process and it helps auditors to define specific investigation grids.

Management guide: it’s about the IT process inputs/outputs, responsibility matrix of key activities and Goals and Metrics matchmaking.

Maturity Model: it’s a model inspired from CMMI able to measure in a general way the IT process application level to guide its implementation and its improvement.

C. How to use it?

As generic IT governance framework, COBIT implementation is based on maximum of IT processes deployment remaining within the limits of an appropriate scale on, COBIT can be deployed in
- An operational way by deploying: the operation management (DS13 process), the physical environment (DS12 process), changes (AI6 Process)
- A strategic way by deploying: the three-year plan (PO1), investments (PO5), risk management (PO9), project portfolio (PO10) monitoring of governance (SE4).
- A Consumer relationship way by deploying: contractual services level (DS1), (DS10), (DS8).
- An anticipation way by deploying: human resource needs (PO7), organization (PO4 and PO8) suppliers management (DS2) technological developments and business needs (PO2 and AI1), architectures changes (PO3).

III. AUDITONTOLOGY BUILDING

AuditOntology is a result of many information sources consolidation. In fact, in the absence of IT Governance semi formal Ontology, we build AuditOntology from:
- 1st COBIT indexing: We choose MAUI indexer, an open source project with GNU license, efficient for text indexing, able to resolve keywords and main thesaurus in many fields [19].
- 2nd COBIT existing meta-models, essentially based on Entity/relationship Methodology, namely: the official COBIT Architecture model [1].
- 3rd COBIT IT processes descriptions for detailed relationships and cardinalities and practical validation.

We opted for METHONTOLOGY as conception methodology and we added successively the previous steps at knowledge acquisition and conception stages. In fact, these 3 actions can be used for every IT Governance Risk Conformity Framework, while building its ontology, and this can be considered in ontology building literature as a semi formal modeling or “Ontologization” which will be followed by a translation to a formal language or “Operationalization” [20]

AuditOntology is eventually open to enrichment since it’s made in OWL and based on COBIT framework which is interfaced with many frameworks and good practices such as ITIL, COSO, Val IT, SOX, PMP etc.

A. Specification

AuditOntology is formal task ontology for Audit and IT Governance; its main goal is to guide Information Systems users to evaluate Business objectives by themselves through COBIT framework to get: IT processes measures, metrics, responsibilities, activities, resources, IT Goals.

AuditOntology describes vocabulary about IT Governance and Information Systems Audit, in addition to functions and methods done by COBIT components, and this in independent way from enterprise IS and context.

It answers questions such as: which maturity level did the IS achieve? What should we do to improve it? Who’s responsible for a given Business Objective or IT Process? Which IT processes can be convenient for a real Business Objective?

In brief, AuditOntology supports all COBIT Components’ operations and methods to measure the strategic alignment of an IS to Business matters, to require values and well manage human and material resources.

B. Knowledge acquisition

As said before, in this step, we address first a listing of main vocabulary required from MAUI Indexer applied to COBIT 4.1 framework; the result was as following:

TAB1: MAUI INDEXER APPLIED TO COBIT 4.1
Terms legible in the table: Actions, business goals, business requirements, COBIT, control, control objectives, development, information criteria, internal control, investment, IT resource, level of maturity, management, performance, procedures, program, RACI, risks, security, service levels, solutions, standards, strategic, tactical plans.

Second, we studied existing Meta-models and reread IT processes descriptions to give away all questions this ontology can answer in ITG context.

Let’s share some of them:
1. Which COBIT Business Objective corresponds to this request?
2. Which IT Goals are linked to this Business Objective?
3. Which IT processes should we deploy?
4. Which controls should we apply to every IT Process?
5. Which metrics are suitable for every control?
6. Which key activities should we execute for an IT process? And who is responsible for these activities?
7. What maturity level did this IT process achieve and for what maturity model?

C. Conceptualization

In this step a Class diagram of the framework should be established; in COBIT case we did the diagram Figure 2:

From previous steps, we were able to define the basic concepts:

IT Domain: COBIT contains 4 domains containing coherent processes.
IT Process: it’s the central entity, COBIT has 34 processes that belong to the 4 domains.
Activity: every IT process is divided into many activities, having a management view.
IT Control: It's the controls an IT process can have, with an operational view for auditors.
Goal: defined by an IT process, measured by a Metric; this represents a key indicator.
Maturity Model: specific declination able to measure every IT process and drive its improvement.
Maturity Level: it’s a numeric value from 0 to 5 to measure the process in Maturity tion trough 7 criteria: ,Availability, Compliance and Reliability
IT Resource: it concerns application, infrastructure, information and persons.

IT Governance Focus Area: it’s the five control focus area of COSO: Strategic alignment, Value delivery, Risk Management, Resources Management and Performance Measurement.
Result: IT process in output of another IT process.
InputOutput
Role: It’s the responsible for a key activity implementation.

As for properties there are two types, data properties and object

Fig2. The Proposed Class Diagram of COBIT Concepts (class names legible in the figure: ITDomain, ITProcess, Result, Goal, KeyActivity, ProcessGoal, ITControl, ITGoal, ProcessControl, BusinesGoal, ControlObjective, MaturityModel, PerformanceIndicator, ApplicationControl)

The main important object properties are:
Is-a: generalization relation
Is-audited with: relation between IT Control and Control Test.
Is-classified-by: relation between Maturity Model and Maturity Level
Is-controlled-by: relation between IT Process and IT Control
Is-measured-by: relation between Goal and Metric
Is-rated-by: relation between IT Process and Maturity Model
Is-supported-by: relation between IT Process and ITG Focus Area

And there are other object properties relating basic concepts. As for data properties it’s Concepts description Properties: example ITProcess(String processCode, String processDescription).

D. Implementation

To implement AuditOntology, we choose OWL-DL as language and Protégé 4.3 as ontology editor; we pursue the following steps:
Step1: Active ontology definition and description,
Step2: Classes and subclasses creation,
Step3: Object Properties creation,
Step4: Data Properties creation.
Step5: individuals’ creation

We get the following result:

Fig3: OWLViz view of AuditOntology

E. Ontology Evaluation

METHONTOLOGY requires an evaluation of the proposed Ontology; it’s an integrity evaluation done through an inference engine to show how consistent the ontology is. There are many inference engines such as Jena, Hermit, Pellet and Fact.

In our case we choose Fact integrated as Plug-in of Protégé to test AuditOntology and through its propositions we get the following inferred classes:

Fig4: AuditOntology inferred classes

II. CONCLUSION AND PERSPECTIVES

AuditOntology is task ontology of IT Governance describing Audit Process through COBIT.

It is based on the indexation of the IT Governance Framework, COBIT meta-models federation and IT processes analysis.

AuditOntology is developed with OWL-DL language in Protégé ontological engineering tool; it was evaluated by Fact Inference engine.

As perspective of this ontology we will integrate it in the Knowledge Base of the IT Governance Platform “AUDIT-EAS” [12], to make sure of its efficiency and to validate its performance.
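An added example, not code from the paper or from AuditOntology itself: the object properties listed under Conceptualization encoded as a small Python triple store, with a closed-world domain/range check standing in for the consistency evaluation and competency questions 4 and 7 answered by traversal. Process codes PO9 and DS12 are from the paper; the ITGoal/ProcessGoal is-a Goal edges, every other individual and all function names are assumptions of this example.

```python
# Added illustration: plain Python, not OWL-DL and not a description-logic reasoner.

# Subsumption ("is-a") edges, subclass -> superclass. Placing ITGoal and
# ProcessGoal under Goal is an assumption read from the diagram's class names.
IS_A = {"ITGoal": "Goal", "ProcessGoal": "Goal"}

# Object properties with (domain, range), as listed in the paper.
OBJECT_PROPERTIES = {
    "is-controlled-by": ("ITProcess", "ITControl"),
    "is-measured-by": ("Goal", "Metric"),
    "is-rated-by": ("ITProcess", "MaturityModel"),
    "is-classified-by": ("MaturityModel", "MaturityLevel"),
    "is-supported-by": ("ITProcess", "ITGFocusArea"),
    "is-audited-with": ("ITControl", "ControlTest"),
}

# Individuals: name -> class. PO9 and DS12 are process codes from the paper;
# every other individual is constructed for this example.
INDIVIDUALS = {
    "PO9": "ITProcess", "DS12": "ITProcess",
    "ctl-risk-register": "ITControl", "ctl-site-access": "ITControl",
    "test-sample-register": "ControlTest",
    "goal-known-risks": "ITGoal", "metric-risk-coverage": "Metric",
    "mm-PO9": "MaturityModel", "level-2": "MaturityLevel",
    "RiskManagement": "ITGFocusArea",
}

# Constructed assertions (subject, property, object).
ASSERTIONS = [
    ("PO9", "is-controlled-by", "ctl-risk-register"),
    ("DS12", "is-controlled-by", "ctl-site-access"),
    ("ctl-risk-register", "is-audited-with", "test-sample-register"),
    ("goal-known-risks", "is-measured-by", "metric-risk-coverage"),
    ("PO9", "is-rated-by", "mm-PO9"),
    ("mm-PO9", "is-classified-by", "level-2"),
    ("PO9", "is-supported-by", "RiskManagement"),
]


def is_instance(individual, cls, individuals=INDIVIDUALS):
    """True if the individual's class is cls or a subclass of it (follows is-a)."""
    current = individuals.get(individual)
    while current is not None:
        if current == cls:
            return True
        current = IS_A.get(current)
    return False


def check(assertions, individuals=INDIVIDUALS):
    """Closed-world check: report assertions that break a property's domain or
    range. An OWL reasoner would instead infer the missing type (open world)."""
    errors = []
    for subj, prop, obj in assertions:
        if prop not in OBJECT_PROPERTIES:
            errors.append((subj, prop, obj, "unknown property"))
            continue
        domain, rng = OBJECT_PROPERTIES[prop]
        if not is_instance(subj, domain, individuals):
            errors.append((subj, prop, obj, f"subject is not a {domain}"))
        if not is_instance(obj, rng, individuals):
            errors.append((subj, prop, obj, f"object is not a {rng}"))
    return errors


def objects(subject, prop, assertions=ASSERTIONS):
    """All objects linked to subject through prop (question 4 uses is-controlled-by)."""
    return [o for s, p, o in assertions if s == subject and p == prop]


def maturity_level(process):
    """Competency question 7: follow is-rated-by, then is-classified-by."""
    return [lvl for mm in objects(process, "is-rated-by")
            for lvl in objects(mm, "is-classified-by")]
```

The is-measured-by assertion passes only because goal-known-risks, typed ITGoal, is accepted as a Goal through the is-a edge, which is the subsumption relation the Definitions section describes.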

REFERENCES
[1] Gerrard, M. (2009). IT Governan
