Abstract
The article presents a practical case of using a modelling technique called Fractal Enterprise Modelling (FEM) to improve a highly regulated financial sector company in the EU. The company had the practical goals of achieving compliance and improving operations in three closely related areas: IT governance, information security management, and privacy management. The project also had an unusual constraint, as it was not possible to use visual models for communication in the project. We decided to use design science principles to investigate whether FEM could be useful within this scenario and what its limitations were.
It turned out that the conceptual structure of FEM fits quite well with the concepts of the three areas, and it was possible to use FEM despite the constraint on its usage. This led to the invention of a new analysis approach to work around the restriction. It included translating patterns defined with FEM into mind maps that were used for conducting interviews. FEM enabled the analyst to systematically, flexibly and quickly explore and understand the company and its state in the three areas. The paper aims to provide practically useful insights to practitioners who want to drive innovation, improve security or achieve compliance.
Acknowledgments
The first author’s work was fully supported, and the second author’s work was partly supported by the Estonian Research Council (grant PRG1226).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Leego, S., Bider, I. (2023). Improving IT Governance, Security and Privacy Using Fractal Enterprise Modeling: A Case of a Highly Regulated Company. In: Hinkelmann, K., López-Pellicer, F.J., Polini, A. (eds) Perspectives in Business Informatics Research. BIR 2023. Lecture Notes in Business Information Processing, vol 493. Springer, Cham. https://doi.org/10.1007/978-3-031-43126-5_15
DOI: https://doi.org/10.1007/978-3-031-43126-5_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-43125-8
Online ISBN: 978-3-031-43126-5
eBook Packages: Computer Science, Computer Science (R0)