
soa-rm-ra message



Subject: Re: [soa-rm-ra] Comments on the nature of governance


Frank,

I think we are heading in the same direction but have to tweak the perspective.  My government sponsors are all for creating governance boards.  In fact, they constantly create them along the standalone system patterns of the past and fill them with mandates without considering how a distributed world is different.  I think there will be a need for something akin to OASIS or W3C where the processes of control are worked out that will be implemented and tailored by more local governance entities.  But it is this agreement on processes that will be necessary for interoperability far more than the specifics.

I remember writing earlier that there are some organizations that will instinctively try to over-control and have no more success at that than they have in the past and others that will start with too little and realize some substantive  governance is necessary.  There will evolve a best practice of how much (some reasonable range) is necessary and sufficient but I don't think we currently know what that is.

So now we need to capture all this as architecture, eh?

Ken

On Aug 22, 2007, at 12:20 AM, Francis McCabe wrote:

Ken:
 Two things stand out for me (which was one of the reasons I picked the term organs of control)
1. Giving specific guidance for the kinds of groups that would offer control seems too 'technology-specific' to me. I think something like a 'policy originating' entity is more to the core of the matter than governance standards setting groups/people. Whatever the shape of that organ is, they will need means of recording policy choices, promulgating them, enforcing them etc. etc.
2. On the other hand, I think that something needs to be recorded about the relationships between the different policy setting elements. I think that the concept of provenance is critical to the smooth functioning of any governance mechanism. (E.g., I am deciding that we shall use SOAP 3.0 because I am the CTO and because deciding this kind of technical standard is both within my competence and authority.)

Frank

On Aug 21, 2007, at 9:00 PM, Ken Laskey wrote:

Some comments inline and a suggestion for a simplified diagram.



Ken

On Aug 15, 2007, at 4:24 PM, Francis McCabe wrote:

I think that the governance section needs to be more architectural in nature.

I suggest the following outline:

1. A short intro on what governance is:
   What is governance, what are the issues, who are the stakeholders.
   Why is it important?
   What is the relationship to management
   How multi-ownership domains affects those pieces and maybe puts
natural limits on authority
      specifically point out differences (at least in our opinion) vs. single standalone system

2. What are the key pieces that need to be put into place:
   Structure of explicit rules/constitution, the idea of there being organs of control.
      Rather than "organs of control", think in terms of well known entities through which globally applicable governance framework is established and then more locally how use of framework is kept in compliance.  (See more a few lines down on enforcement.)

What are the levers of those organs (policies, roles, powers, authorities and responsibilities)
   Policies for versioning and CM.
   Monitoring, i.e. you can't govern what you can't measure.
   Governance standards, e.g. pieces of a framework developed by larger and for which there is wide buy-in (i.e. deriving their just power from the consent of the governed)

   Measurement infrastructure analytics, policy violations, policy conflicts
   Enforcement infrastructure: policy enforcement points, meta-policies
      The only real enforcement mechanism is local restriction on whether an external service can be accessed, e.g. blocking a message to a restricted service.  Eventually have accepted (across ownership domains) on principles by which a service can be blocked.  Eventually, a representative governance body may be formed to codify such principles/policies but it is unlikely an effective body can be formed before there is an explicit problem for which there is no better response.

   The inputs to the organs of control
       More challenging is decisions about processes through which specifics established.


: decisions about Standards and other regulatory influences, conflicts between participants.
   What kind of cross-organizational entities are important in the
context of a multi-domain SOA-based system. What kind of entities exist within an organization.
   Previous comments touch on these.


3. More elaboration on the relationship to management as one of
enforcement (and hence implementation of governance) This is where
material on policies and contracts as descriptions of governance
intentions could link things together nicely.
   This will be tough to write about architecture and not have a treatise on governance because so little has really been established.  To what extent is a treatise justified and needed?


4. The specific features of the relationship between regulatory
authorities and any governance structure. Something that draws out the links between internal authority within the realm and external
authority. (e.g., I have to ask you to follow these processes because of my obligations under SOX).

Also, we need to base the model on a diagram. This was my diagram:
<Governance Model.png>

-----------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305      phone: 703-983-7934
7151 Colshire Drive                         fax:       703-983-1379
McLean VA 22102-7508








