PhD Thesis

Assessing enterprise governance of information technology using multiple reference models

Rafael Saraiva de Almeida, 2019

Key information

Authors:

Rafael Saraiva de Almeida (Rafael Saraiva de Almeida)

Supervisors:

Miguel Leitão Bignolas Mira da Silva (Miguel Mira da Silva)

Published in

October 21, 2019

Abstract

Enterprises are increasingly making tangible and intangible investments in improving the Enterprise Governance of IT (EGIT). In support of this, enterprises are drawing upon the practical relevance of generally accepted good-practice models, hereafter called Reference Models. Approximately 315 EGIT Reference Models have been identified, and the number of these models has now increased, as have their application areas. However, the implementation of any of these models requires specific experience, knowledge, and resources, along with a high degree of effort and investment. Therefore, although compelling in theory, EGIT Reference Models can be challenging to implement in practice. As a result, while many enterprises have recognized the importance of EGIT Reference Models, many have yet to implement them. Moreover, none of the EGIT Reference Models meet all the requirements that an organization needs to satisfy to benchmark the organizational adherence to different regulations. As such, organizations need to select and implement processes from different EGIT Reference Models, and so interoperability between different EGIT Reference Models is subsequently required.

From the literature, we found and selected four research challenges to be addressed in this thesis. These research challenges were subsequently validated in practice. The research challenges are as follows:

• There is a lack of theoretical foundation regarding EGIT Reference Models that allows a varied interpretation of the models and leads to a lack of agreement, acceptance, and understanding of EGIT models due to their perceived complexity.
• There is a lack of a comprehensive approach for integrating EGIT Models, and so it is difficult to perform a simultaneous process assessment of multiple Reference Models.
• There is a lack of a method to perform cost-effective process assessments in multi-model environments, and so process assessments are costly and time-consuming.
• There is a lack of an EGIT organizational process maturity model that is aligned with the Reference Models for EGIT and is compliant with the ISO/IEC 33000 family of standards.

Using the design science research methodology as the main research methodology, several artifacts were designed, developed, demonstrated, and evaluated. To address the first research challenge, we propose the use of modeling techniques to represent EGIT Reference Models as conceptual metamodels, enabling in that way a better understanding of the main concepts of the model and their relations since these models can learn from a rigid formalization and a systematic approach. To address the second research challenge, two different approaches are proposed: In the first approach, we also propose the use of modeling techniques to map and integrate different EGIT Reference Models. In the second one, we propose an approach that, through semantic similarity techniques, compares process assessment core concepts of different Reference Models. To address the third research challenge, we propose the development of an artifact in the form of a method that facilitates the selection and assessment of the processes by organizations in multi-model environments. The method was then instantiated in a software tool. Finally, in order to address the fourth research challenge, we propose an Organizational Process Maturity Model for EGIT based on the COBIT 5 PAM and compliant with the ISO/IEC 330xx family that allows organizations to assess their overall process maturity level, and improve their controls and governance practices.

All the proposed artifacts can work in a standalone way to solve each research challenge defined, or they can be used together to perform a more robust process assessment, as will be explained in this document. The evaluation of the different artifacts is grounded in a combination of several methods, including semi-structured interviews.

We conclude this document with the conclusions, list of publications, limitations, and future work.

Publication details

RENATES TID

101495331

Degree Name

Doutoramento em Engenharia Informática e de Computadores

Fields of Science and Technology (FOS)

electrical-engineering-electronic-engineering-information-engineering - Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargo lifted

Date available:

August 26, 2020

Institution name

Instituto Superior Técnico