Development of a framework to evaluate service-oriented architecture governance using COBIT approach

Organizations require an effective governance framework for their service-oriented architecture (SOA): one that lets them evaluate the current state of their governance, determine their governance requirements, and then arrive at a suitable governance model. Various frameworks have been developed to evaluate SOA governance. This paper gives a brief introduction to the internal control framework COBIT and uses it to show how to develop a framework to evaluate SOA governance within an organization. Surveys of SOA and information technology experts were carried out to evaluate the proposed framework. The results of this survey verify the proposed framework.


Introduction
A service-oriented architecture (SOA) has created a framework to integrate business processes [1,2] and support information technology (IT) infrastructure as secure standardized services that can be reused and combined to address changing business priorities [3]. SOA has created opportunities for service providers to offer loosely coupled and interoperable services at different Quality of Service (QoS) and cost levels in a number of service domains. This provides a unique opportunity for businesses to dynamically select services that better meet their business and QoS needs in a cost-effective manner [4]. SOA can be a basis for the components and the constant changing of software programs [1]. SOA focuses mainly on service governance [5], and can reduce the interoperability problems within the IT structure, which can lead to more flexibility for the business, decrease the IT cost, and improve business-IT alignment [6]. One of the potential causes of SOA project failures is a lack of IT governance, which should be supplied from the beginning. Without governance, an organization is not capable of fully understanding the SOA value [7]. SOA processes provide benefits for all stakeholders. SOA is a kind of strategic investment that supports the enterprise and its functions in projects [8]. An organization can provide high-quality and reliable services when SOA governance is successful. These services lead to the efficiency and effectiveness of an organization [9]. Appropriate design and implementation of SOA governance can help organizations to achieve high levels of agility and respond to customers in the market. In order to evaluate the current status of SOA governance, all organizations require an evaluation framework. The framework could be useful in determining the SOA governance requirements and providing a suitable SOA governance model. This framework ensures the alignment of SOA governance with business, and of IT with SOA strategy. It is useful in identifying the competencies and current processes of an organization. It can be used to determine what an organization should do and what it should not.
The SOA governance maturity models are one of the main tools used to evaluate SOA governance. A SOA governance maturity model specifies the actions to be taken in the transition to a SOA based on a gradual approach and the organization's service-oriented maturity, and this helps organizations to move toward service orientation [10].
To date, many governance maturity models have been proposed, each of which concentrates on certain aspects of governance for a particular landscape. Table 1 shows an overview of some governance maturity models in the field of SOA. An analysis of the governance maturity models proposed for evaluating SOA governance showed that the available models lack the essential ability to assess the maturity of the organization's processes. Therefore, a governance maturity model is required that evaluates the maturity level of processes in addition to assessing the governance maturity levels of SOA. The COBIT governance maturity model, which has been used in recent years, can play an important role in evaluating SOA governance based on the trajectory of process-oriented organizations. Thus far, various models of the COBIT framework have been proposed [14]. COBIT 4.1 is a manageable and control-based process framework that covers the entire business process of an organization, and exposes it in a logical structure that can be managed and controlled effectively. This framework helps government agencies in conducting self-assessment and in determining to what extent the implementation of IT governance has been done. The primary purpose of this model is to monitor the organization's IT; it is not designed to evaluate architecture governance independently. There is no precise survey on SOA from the aspect of governance evaluation. From the relationship between the COBIT 4.1 model goals and SOA (i.e. business and IT alignment), it can be found that the processes of this model have the highest correlation and value with respect to SOA. This model can be used as a suitable factor to evaluate governance on SOA [14,15]. Nevertheless, one of the challenges of using this framework is the lack of a method to evaluate governance on SOA. Therefore, this study was conducted to provide a framework that shows the status of governance on SOA using the COBIT governance maturity model and the main aspects of a comprehensive SOA governance maturity model. This paper is organized as follows: Section 2 introduces and surveys the main aspects of the SOA governance maturity model. Section 3 provides a brief review of the COBIT 4.1 framework and the governance maturity model. The proposed framework is described in section 4. In section 5, the proposed framework is evaluated, and finally, section 6 presents the conclusions.

Model Features
Governance maturity levels, SOA adoption domains, SOA maturity levels, Processes maturity level
- In this model, as soon as it was completed, the initial phase of planning for the systematic development of SOA can be started. From this point onward, SOA governance as a comprehensive tool support is important. In this model, the move towards higher IT and SOA governance is needed.
- SOA adoption domain is not considered.
- In this model, maturity level and the adoption of service-oriented architecture are completely and clearly not covered, and only the maturity levels of governance are considered.
- In this model, service-oriented architecture adoption domain is not completely covered but the maturity level of service-oriented architecture and governance maturity levels is considered.

(Hassanzadeh and Namdarian, 2010) [2]
- In this model of SOA governance, which considers the maturity of the proposed SOA and service-oriented, the better picture of the status in terms of the type of governance.

Pre-requisites of a SOA governance maturity model

Main aspects of SOA governance maturity model
Implementation and formalization of SOA governance is an essential phase for organizational maturity in SOA. The maturity model can be used as a measurement tool to assess the level of quality of some activities. Marks (2008) has presented a comprehensive model for the SOA governance maturity model. Evaluation of the maturity level by implementing a SOA maturity model reflects the organizational governance implications on the organizational governance [10,16]. However, the presented framework seeks to identify the measurement tools, and integrate them into a unified model for the COBIT framework.

General SOA maturity model
A SOA maturity model is a framework that is used to prepare an organization for a successful adoption of SOA. It defines a standard path to progress toward SOA; it is like an airport control tower. As an airport control tower navigates an airplane on its way to a successful landing, the SOA maturity model guides an organization to adopt SOA and achieve higher levels of SOA maturity. In this way, the organization can evaluate its level of maturity in the field of SOA. In fact, a SOA maturity model provides an image of SOA maturity in the organization based on major requirements, and shows the main gaps that the organization should consider [2]. A brief description of the SOA maturity models that have been proposed so far follows.

The Service Integration Maturity Model (SIMM) was provided by IBM in 2005. It consists of seven levels of maturity such as silo, integrated, componentized, simple services, composite services, and virtualized services, and allows movement towards a SOA by accepting different states of an institution [17]. The model identifies the target in certain circumstances, and provides guidelines to show how to reach the desired situation [17].

The IT Service Capability Maturity Model (ITSCMM) was provided in 2005. It concentrates on determining the maturity level of services, and involves all the necessary actions required for setting up SOA. The service capability maturity model increases the organization's capability in identifying and running the IT services, with five levels including initial, repeatable, defined, managed, and optimizing.

The Enterprise SOA Maturity Model (ESOAMM) divides the SOA maturity model into four levels including traditional development and integration, developing web applications, developing composite applications, and automating business processes [18].

Another maturity model is the SOA Maturity Model (SOAMM), which was provided in 2005. This model focuses on service-oriented maturity, and its goal is to support the gradual process of SOA adoption and suggest methods for it. Its designers built this model with feedback received from 2000 architects. This model divides SOA maturity into five levels including Initial Services, Architected Services, Business/Collaborative Services, Measured Services, and Optimized Services [17].

SOA adoption maturity model
The most important benefit of the SOA maturity model is that it can help to guide SOA adoption. The model also helps to coordinate the different paths to SOA inside a company. SOA adoption is a gradual process. In many cases, SOA adoption begins from the initial level of maturity. Some organizations may apply SOA at the organization unit level, and others may apply it at the business level. The issue of SOA adoption was created to help organizations recognize their level of SOA maturity. The SOA adoption maturity model helps to understand, accept, and determine the goals and strategic level of an organization [3]. One of the adoption maturity models is a model that was provided by Marks Inganti (2007), which includes four levels involving the intra-department level, inter-department/business unit level, inter-business level, and enterprise level [18].

COBIT 4.1
The control objectives for information and its related technologies (i.e. COBIT) are a set of the best IT practices provided by Audit Association and Information Systems Control (2007) with a process-control approach. COBIT 4.1 has 4 domains involving Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME), with 34 processes and 318 control objectives in the IT evaluating domain. This framework provides measures and indices to help managers, auditors, and IT users gain the maximum benefit from developing appropriate IT control and observance in an organization [19]. Each one of these domains and its related processes are shown in table 2.

Governance maturity model from COBIT 4.1 viewpoint
The present COBIT 4.1 framework contains 34 processes, and provides an IT maturity model derived from the Software Engineering Institute Capability Maturity Model. This framework evaluates the maturity level of an organization. The organization's evaluation is then ranked between the absence level (0) and the optimized level (5) [19]. One of the most important applications of this maturity model is for an organization to determine its maturity level by itself, and to specify the existing gaps to achieve the maximum level of maturity. Consequently, in order to fill the existing gaps, the organization programs the practical improvements in the internal control system of IT. Indeed, this model specifies the IT organization's ability to address the business needs and its alignment with the business and strategic demands [21]. Different levels of maturity in the aforementioned model can be classified as shown in figure 1.

Proposed framework
As mentioned earlier, the move toward process orientation in organizations has advanced significantly, so process efficiency indicates organizational efficiency. When the organization's processes are recognized and managed correctly, a desired output will be gained. Thus the use of a reference framework seems imperative. What should be considered in choosing a framework is a reference model that covers all activities of the organization, and that can be used as a road map. Since the COBIT governance process maturity model is an international, comprehensive, and adopted model, it can be confirmed. This framework provides comprehensive results to the IT managers to plan, develop, and upgrade the maturity level [20]. It may be considered as an evaluation model, but the lack of a suitable SOA governance maturity model prevents it from being used as one. In this context, this study intended to use the main aspects of the governance maturity model of SOA in order to provide a desirable framework for the COBIT 4.1 governance maturity model. Since this model is based on SOA, the framework can be used to evaluate SOA governance. In this study, the four main areas of the COBIT 4.1 model, which has a total of 34 processes, were addressed as the evaluation indices of the proposed framework. Accordingly, the proposed framework was developed in 4 steps. Figure 2 shows the main steps of the proposed framework.
Step 1: Compliance COBIT 4.1 processes and SOA governance processes
COBIT 4.1 processes play a significant role in the governance maturity evaluation. The compliance between the COBIT 4.1 processes and the main processes in SOA governance was considered as the first step in presenting the proposed framework. It plays the main role in the SOA governance maturity evaluation. In this compliance, all the main processes of SOA governance are positioned within COBIT 4.1 in order to develop the proposed framework. This work reviews all the 34 COBIT 4.1 processes, and finds possible relationships or connections with the main SOA governance processes. Table 3 shows how the compliance of the COBIT 4.1 processes with the main processes of SOA governance could be divided into 4 areas according to the COBIT 4.1 process indicated.
Step 2: Mapping COBIT 4.1 processes and SOA adoption domain
The SOA adoption domain and its relation to the maturity of SOA, i.e. one of the aspects of the proposed framework, was extracted from the model proposed by Inganti and Arvamudan (2007). They used a multi-aspect viewpoint in their SOA maturity model, and proposed the aspects that were important to implement SOA. They included the reception domain of SOA, the maturity level of SOA, and the SOA development steps. Considering these aspects gives a complete picture of the current level of SOA maturity [3]. To determine the maturity level of SOA in this model, SOAMM, which has five levels including Initial Services, Architected Services, Business/Collaborative Services, Measured Services, and Optimized Services, was used, and the four domains (intra-department, inter-departments/business unit level, inter-business units, and within the enterprise level) were taken into consideration for adoption [18].

SOA governance process: (Business) Application Portfolio Planning
In SOA, the strategic planning takes place in the business and service portfolio planning, in which long-term planning is used to decide which services and applications to develop and maintain to maximize business-IT alignment.


PO2: Determine technological direction
SOA governance process: Service Developing Policies
In SOA, the technical direction is set in the service developing policies, in which the technology and standards used for realizing the services should be determined. This also includes policies related to the use of technologies and standards for the development of services, naming policies, and agreements on metadata. Another important aspect is the determination of service granularity.

AI6: Manage change
SOA governance process: Version (release) Management
In SOA, special attention is required for managing the changes outlined in version (release) management. Since the services have an enterprise-wide reach, the impact of changes and new releases will increase. To stay in control of the services, it is important to properly manage the number of service versions in use, and to have clear rules on migration to new versions and the support of older versions.

DS1: Define and manage service levels
SOA governance process: Service Level Agreements
In SOA, where services can be consumed through the whole organization (or even outside the organization), service levels should be managed as well. This requires a formalized relation between service consumer and service provider. This ongoing process should ensure (and improve) the quality by meeting the agreed service levels, and also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels.

DS3: Manage performance and capacity
SOA governance process: Runtime Qualities
For SOA, this is described as runtime qualities. The call for a service will increase due to its enterprise-wide reach. Therefore, the capacity has to rise to be able to handle all requests. This, together with the message-oriented character of SOA (which will affect the performance of IT), calls for special attention to Performance and Capacity Management.

DS6: Ensure system security
SOA governance process: Security Policies
SOA requires more complex security solutions to permit access to multiple applications when executing a service. Another security issue within SOA is the need for encryption in confidential messages. Therefore, SOA requires special attention to this objective.

DS9: Manage the configuration
SOA governance process: Service Repository
The service repository is also a kind of configuration repository, in which business consumers can see which services are available, and under which conditions.
SOA governance process: Service Life Cycle Management
The service life cycle management can be grouped within managing the configuration, as well. In this aspect, configuration of the services is managed mainly in the pre and con production phase.

DS10: Manage problems
SOA governance process: Error Tracking and resolution (exception handling)
This is also valid for SOA because of the execution of chains of services, which require attention for error tracking and resolution. An effective problem management process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

DS13: Manage operation
SOA governance process: Transaction management
The execution of chains of services requires operation management. Operations which run over a long-term period need to be trackable on their progress. Therefore, this objective is important for SOA.

ME1: Monitor and evaluate IT performance
SOA governance process: System (service) Monitoring
Since the introduction of SOA can be expensive, it is important to show the value of IT to the business. Monitoring the usage of services can be an appropriate way to make the reuse of services visible. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies. Therefore, this objective needs special attention for SOA.

ME2: Ensure compliance with external requirements
SOA governance process: Methods for dealing with regulatory requirements
For SOA, with its (inter) organizational reach, compliance is an important aspect because small deviations can result in serious problems.

Step 3: Mapping COBIT 4.1 processes and SOA maturity levels
SOA maturity is one of the aspects of the framework for COBIT governance maturity. Among the proposed SOA maturity models, SOAMM focuses most on SOA maturity and follows the gradual process of SOA adoption [18]; it has therefore been used in the integrated framework of this maturity model.
Step 4: Mapping SOA maturity levels and COBIT 4.1 governance maturity levels
To provide a framework, a mapping between the maturity levels of SOA and the COBIT 4.1 governance maturity is made in the last step. When the maturity level increases, governance needs to be modified, i.e. once SOA has been implemented and has reached a new maturity level, using the previous governance would not be simple [2]. Figure 3 shows the proposed framework to evaluate governance on a SOA. The framework consists of four aspects including process domain, SOA adoption domain, SOA maturity levels, and COBIT 4.1 governance maturity level. Using this framework, the level of the SOA adoption domain and the action level of COBIT 4.1 governance maturity can be determined according to the SOA maturity level of the organization. Table 4 demonstrates the measures of each one of the four dimensions of the proposed framework in detail.

Mapping proposed framework, COBIT5
Among the different models, the COBIT framework proposed in the recent years, COBIT5 with respect to the features that this framework is having [22]. In the existing processes along the main aspects of this framework, a comprehensive IT governance maturity model for SOA assess the maturity level of governance on the SOA used. Section 4.1 and table 5 summarize the changes in the proposed framework that are based on COBIT5.

Evaluation of proposed framework
In this study, the data type was quantitative, and the paradigm was positivism. The data collection tool was a questionnaire based on the 5-point Likert scale. In order to test the proposed framework, a sample of 18 experts in the field of SOA was included [24].
In this study, to determine the goal and achieve the correct result, 4 main hypotheses were defined involving the aspects and relations between the governance processes and the main aspects of a comprehensive SOA governance maturity model.

Validity and reliability of questionnaire
To test the questionnaire's validity, pilot questionnaires were first randomly handed out to 5 of the managers and reporters; the results obtained confirmed the questionnaire's validity. Reliability is another technical characteristic of the measurement tool, which points to the accuracy, confidentiality, integrity or repeatability of the test results. Reliability refers to how well the points scored by each user reflect their actual point. Cronbach's alpha technique was chosen to evaluate the reliability [24,25]. This technique is calculated via the mean of the internal correlations among the content evaluator elements, and it shows good reliability when it is close to the number. Using the Statistical Package for the Social Sciences (SPSS), the reliability was studied, and Cronbach's alpha was calculated to be 0.94, which showed good reliability among the questions [24].

Description COBIT5 COBIT4.1 Aspect
The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:
• Governance: contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• Management: contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), and provides end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure. The names of the domains are chosen in line with these main area designations, but contain more verbs to describe them:
- Align, Plan and Organise (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
More information is available at www.isaca.org/cobit.
The COBIT 5 product set includes a process capability model, based on the internationally recognised ISO/IEC 15504 Software Engineering-Process Assessment standard. This model will achieve the same overall objectives of process assessment and process improvement support, i.e., it will provide a means to measure the performance of any of the governance (EDM-based) processes or management (PBRM-based) processes, and will allow areas for improvement to be identified

Population and sample
The population included some experts in the field of SOA. Considering the limited number of experts in the field of SOA, the snowball sampling method was used. According to Hakim (1987), small samples can be used to develop and test explanations, particularly in the early stages of the work. Previous studies have used small samples to gain expert feedback to evaluate and support the model development [26]. Therefore, 30 questionnaires were distributed. Finally, 18 completed questionnaires were returned and used.

Data analysis
In this study, inferential statistical techniques were used to analyze the calculated performance, and the hypotheses were tested with the binomial test in SPSS software (0.05 significance level and cut point = 3). Tables 6-9 show the results of the research hypotheses. The results of the hypothesis test A are shown in table 6. According to this table, the value in the significance level column is lower than 0.05, and the frequency of observation for the category (>3) is higher than for the other categories. Thus the hypothesis was approved, and it could be concluded with 95% confidence. The results of the hypothesis test B are shown in table 7. According to this table, the value in the significance level column is lower than 0.05, and the frequency of observation for the category (>3) is higher than for the other categories. Thus the hypothesis was approved, and it could be concluded with 95% confidence.
The results of the hypothesis test C are shown in table 8. According to this table, the value in the significance level column is lower than 0.05, and the frequency of observation for the category (>3) is higher than for the other categories. Thus the hypothesis was approved, and it could be concluded with 95% confidence. The results of the hypothesis test D are shown in table 9. According to this table, the value in the significance level column is lower than 0.05, and the frequency of observation for the category (>3) is higher than for the other categories. Thus the hypothesis was approved, and it could be concluded with 95% confidence.
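
The reliability check and the binomial test described above can be reproduced outside SPSS; the following is an added example, not code or data from the paper. The response values are constructed, and the test proportion of 0.5 is an assumption, since the paper states only the cut point (3) and the significance level (0.05).

```python
from math import comb
from statistics import variance

CUT_POINT = 3           # from the paper: answers > 3 form the "agree" category
SIGNIFICANCE = 0.05     # from the paper
TEST_PROPORTION = 0.5   # assumption: the paper does not state the test proportion

# Constructed sample: one 5-point Likert score per returned questionnaire (n = 18).
SAMPLE_SCORES = [4, 5, 4, 4, 3, 5, 4, 4, 5, 4, 2, 4, 5, 4, 4, 3, 4, 5]

# Constructed sample: rows are respondents, columns are questionnaire items.
SAMPLE_ITEMS = [
    [4, 5, 4],
    [3, 3, 2],
    [5, 5, 5],
    [2, 3, 2],
    [4, 4, 5],
    [3, 2, 3],
]


def cronbach_alpha(rows):
    """Cronbach's alpha: k/(k-1) * (1 - sum(item variances) / variance(total))."""
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("need at least two items and equal-length rows")
    item_vars = [variance([r[i] for r in rows]) for i in range(k)]
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("total scores have zero variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def binomial_two_sided_p(successes, n, p=TEST_PROPORTION):
    """Exact two-sided p-value: total probability of outcomes that are
    no more likely than the observed count under proportion p."""
    pmf = [comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(n + 1)]
    observed = pmf[successes]
    # The small tolerance keeps equally likely outcomes in the tail sum.
    return min(1.0, sum(x for x in pmf if x <= observed * (1 + 1e-9)))


def evaluate_hypothesis(scores):
    """Dichotomize at the cut point, then apply the binomial test.

    Returns (count above cut point, p-value, supported?). The hypothesis is
    counted as supported only if the result is significant AND the (>3)
    category is the larger one, matching the two conditions the paper reads
    from its result tables."""
    above = sum(1 for s in scores if s > CUT_POINT)
    p_value = binomial_two_sided_p(above, len(scores))
    supported = p_value < SIGNIFICANCE and above > len(scores) - above
    return above, p_value, supported


if __name__ == "__main__":
    print("Cronbach's alpha:", round(cronbach_alpha(SAMPLE_ITEMS), 4))
    print("Binomial test:", evaluate_hypothesis(SAMPLE_SCORES))
```

With only 18 respondents, the exact test matters: a significant result alone does not show agreement, which is why the direction of the split is checked as well.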

Conclusions and recommendations
Organizations need to evaluate their rate of progress in implementing the SOA process and establishing a SOA governance system, in order to understand their level of progress and identify the processes, mechanisms, and procedures required to be successful. Thus a desired framework to evaluate SOA governance was proposed based on the COBIT 4.1 framework, which is one of the important frameworks in the IT domain. It was used for evaluating governance maturity in the IT domain and for using the main aspects of a comprehensive SOA governance maturity model. A questionnaire was prepared, and experts gave feedback on the framework aspects; the results of the study confirm the framework aspects. In this work, it is recommended that the proposed framework should be validated for the application of a service-oriented framework to assess the maturity of an organization. They are needed for a successful recovery. This framework has features and a process covering one of the important parts. In the proposed framework of the current study, the SOA governance status is considered together with the existing organization processes, the organization's status in the field of service orientation, and the necessary organization governance. An organization can better recognize its current status using this roadmap, and can specify its next status. To follow this work, it is recommended that this framework should be used to measure the SOA maturity of an organization or a specific case in order to validate the application of the proposed framework. Furthermore, because of the wide range of SOA governance processes and limitations, it was not possible to evaluate the maturity levels of all governance processes, and so it is recommended that future research should evaluate the maturity levels of other processes.

Figure 2. Main steps of proposed framework. Steps shown: Compliance COBIT 4.1 processes and SOA governance processes; Mapping COBIT 4.1 processes and SOA adoption domain; Mapping COBIT 4.1 processes and SOA maturity levels; Mapping SOA maturity levels and COBIT 4.1 governance maturity levels.

Figure 3. Conceptual framework to evaluate SOA governance.

The main hypotheses of this study are:
A: The hypotheses related to the 4-fold dimensions of the proposed framework.
B: The hypotheses related to the communication between the organization process domains and the SOA adoption domain.
C: The hypotheses concerning the relation of the existing organization process domains and the SOA maturity model.
D: The hypotheses related to the communication between the maturity levels of SOA and the maturity levels of COBIT governance.

COBIT5: Service Agreements; COBIT4.1: DS1 Define and manage service levels
COBIT5: BAI04. Manage Availability and Capacity; COBIT4.1: DS3 Manage performance and capacity
COBIT5: BAI06: Manage Security Services; COBIT4.1: DS6: Ensure system security
COBIT5: BAI10. Manage Configuration Framework; COBIT4.1: DS9 Manage the configuration
COBIT5: DSS03. Manage Problems; COBIT4.1: DS10 Manage problems
COBIT5: DSS01. Manage Operations; COBIT4.1: DS13: Manage operation
COBIT5: 4. Monitor, Evaluate and Assess (MEA); COBIT4.1: 4. Monitor and Evaluate (ME)
COBIT5: MEA01. Monitor, Evaluate and Assess Performance and Conformance; COBIT4.1: ME1: Monitor and evaluate IT performance
COBIT5: MEA03. Monitor, Evaluate and Assess Compliance With External Requirements; COBIT4.1: ME2: Ensure compliance with external requirements

existence All SOA adoption domain proposed framework, are mapped to cobit5.
COBIT5: 1-Inter-department business unit SOA adoption domain; COBIT4.1: 1-Inter-department business unit SOA adoption domain
SOA adoption domain
COBIT5: 2-Inter business SOA adoption domain; COBIT4.1: 2-Inter business SOA adoption domain
COBIT5: 3-Enterprise SOA adoption domain; COBIT4.1: 3-Enterprise SOA adoption domain

All SOA maturity levels proposed framework, are mapped to cobit5
service level
5-Measured service level
COBIT5: 6-Optimized service level; COBIT4.1: 6-Optimized service level