Multi-Agent Architecture of Intelligent and Distributed Platform of Governance, Risk and Compliance of Information Systems

Governance, risk management and compliance of information technologies (IT GRC) is the responsibility of the company's executives. The IT GRC responds to the important concerns of information systems managers: to ensure the necessary changes in the Information System (IS) over time, and to enable it to meet the needs of risk mitigation, regulatory compliance, value creation and strategic alignment. Like a large number of organizations' activities, the IT GRC needs a solution that is supported by IS applications. Although such tools do exist, they are never developed by considering the IT GRC processes as a whole. We respond to this lack of consideration by proposing an intelligent and distributed platform of risk, governance and compliance of information systems that deploys a variety of IT GRC best practices and frameworks and makes an intelligent choice, under constraints and parameters, of the best framework to evaluate the objectives and processes in question. EAS-COM (a communication system dedicated to the IT GRC platform) is our second proposal in this work: it ensures end-to-end communication between the different layers of the proposed IT GRC platform. This approach is based on Multi-Agent System (MAS) intelligence to manage the interactions between the distributed systems of the IT GRC platform.

Keywords: IT governance, risk and compliance; information system; multi-agent systems


1) Governance: Corporate governance refers to the processes, systems and controls by which organizations operate. A more concrete definition states that "governance is the culture, values, mission, structure, policies, processes and measures through which organizations are directed and controlled". ISO/IEC 38500 subdivides IT governance into three main tasks: to evaluate, direct and monitor the implementation of plans and policies in order to meet the objectives of the company.
2) Risk: Risk definitions generally refer to the possibility of loss or harm created by an activity or by a person [4]. Risk management aims to identify, assess and measure risks and develop countermeasures to address them, while communicating risk decisions to stakeholders. Typically, this does not mean eliminating risk, but rather seeking to mitigate and minimize impacts. From the point of view of the GRC, the most appropriate concept is Enterprise Risk Management (ERM): "Enterprise risk management is a process implemented by a consulting entity, Management, and other personnel used to establish the company-wide strategy to identify potential events that may affect the organization and manage the risk to provide reasonable assurance regarding the achievement of the organization's objectives" [5]. Well-structured risk management should be aligned and linked to both governance and compliance activities in order to achieve benefits such as better decision-making and increased confidence between the parties.
3) Compliance: Compliance means not only the establishment of laws, regulations and standards, but also contractual obligations and internal policies [4]. Compliance must ensure that the organization meets all its obligations, and therefore operates within defined prescribed and voluntary limits. The diversity of activities, processes and behaviors that are related to compliance can be very large. But if organizations can manage all these activities, they will operate more efficiently, compete more effectively, and build their
Research in the field of information systems considers that the integration of governance, risk and compliance is interesting from two main perspectives [8].
First, the IT GRC is seen as a mechanism: how can information systems support the integration of the GRC (business) into the activities of an organization, and how can the integration of the GRC be applied to the information technology of an organization? IT GRC is better understood as a subset of the GRC that supports IT operations in the same way that the GRC as a whole supports business activities. It is aligned with the IT activities and the overall GRC strategy of an organization. Integration of IT governance, IT risk management and compliance has not yet been adequately addressed. Since more than half of GRC publications deal primarily with software technology [8], it can be assumed that there is great potential for integration in technology.
The review of the literature reveals that research priorities in the IT GRC field have not emerged so far, and that a wide variety of aspects ranging from a powerful technical consideration involving the development of an IT GRC application.
Pedro Vicente [7] proposes a business architecture that describes the integration of the main IT governance, IT risk management and IT compliance processes based on a process model for IT GRC. The latter is considered the first process model for IT GRC. It was derived by analyzing and combining three references that each treat one GRC discipline separately: the process model of ISO/IEC 38500:2008 for IT governance; the COSO ERM framework for risk management; and a generic model for IT compliance. Although the process model is directed at IT, it takes into account only three frameworks of good practices, forgoing the benefits of the multitude of existing standards in this area [9].
Puspasari has created a tool that combines governance, risk management and compliance of information technology [10]. This application manages the following processes: policy management, risk management, compliance, audit management, business continuity, disaster recovery planning and incident management. Each domain represents a module in the proposed application. The architecture proposed by Puspasari responds to the specific need of Bank XYZ, which hopes to manage its risks by complying with the regulations associated with this process. Therefore, this architecture cannot suit all companies and IS environments. In addition, it supports process management only in relation to risk management. Moreover, it does not follow the recommendations of any good practice guidelines.

C. Positioning of Good Practice Guidelines
As noted by Johannsen and Croeken [11] (see Fig. 2), several frameworks are interdependent and some of their aspects overlap. It is important, however, to identify the appropriate standard to support the appropriate level of IT GRC requirements, for example:
• Help IT managers make the right decisions.
• Define and regulate service management processes.
• Deploy these processes and required procedures, job instructions and monitoring functions.
From an academic point of view, these benchmarks of good practice can be considered as an interesting subject of scientific research, not only because these models are widespread, but also because they integrate enormous consolidated knowledge.
The approaches we have cited (frameworks, standards and best practices) are incomplete with respect to the management of all IS activities of the GRC. Some processes are not covered by certain approaches, and no approach covers all processes related to the IS management of the GRC. This means that the approaches are not complete but fragmented. This is probably due to the fact that the approaches have been produced with the objective of meeting a specific need for governance, risk management or compliance without taking into account all aspects of these three disciplines. The most comprehensive approach is COBIT. However, its functionalities are partial for IT governance because the COBIT approach remains generalist. COBIT can be used at the highest level of IT governance, providing a global control framework, based on a computer process model that is generically tailored to each company. There is also a need for detailed, standardized practitioner processes. Specific practices and standards, such as ITIL and ISO/IEC 27002, cover specific areas and can be mapped to the COBIT framework, thus providing a hierarchy of guidance documents.
It should be noted that today there is no IT GRC approach covering the entire IT GRC needs. The objective of this work is motivated by this evidence. Our intention is to address the lack of a comprehensive and structured vision of the underlying concepts of the IT GRC on the one hand and of the IT GRC processes on the other.
In recent years, an array of frameworks such as ITIL (IT Infrastructure Library) and COBIT (Control Objectives for Information and related Technology), as well as internal frameworks (the Microsoft Operations Framework (MOF), ITSM (Hewlett-Packard) and ITPM (IT Process Model of IBM)), were developed. These frameworks, which are also summarized under the theme of Information Technology Governance, describe the objectives, processes and organizational aspects of IT management and control. These best practice models were developed based on practical experiences in IT organizations.
These numerous frameworks that exist on the market make it possible to optimize the functioning of the information system. They offer considerable inputs, but also a very large number of elements that are not applicable to certain scenarios, organizations or systems.

D. Problematic
We are addressing a twofold challenge: on the one hand, responding to the needs of companies regarding the adaptation of the IT GRC and the choice of the best framework of good practices to implement the IT processes and generate the action plan; on the other hand, managing information workflows (communication) in order to meet business needs, from the expression of the need to the implementation of the action plans of the associated processes. We propose in this work to study the tools that help good governance, risk management and compliance of information systems. The lack of effective solutions of this kind (adaptable to any business and environment) is a fundamental problem that deserves further study and raises several research questions:
• The steps in setting up the IT GRC are not clarified. What are the steps that structure the implementation of the IT GRC? What is the nature of these steps?
• IT governance faces changing objectives. Despite this, the maintenance of good governance over time is rarely taken into account. Decision-making is often cited as a key element guiding evolutionary actions. How can we then grasp the concept of decision-making in order to maintain good governance over time? What are the impacts of decisions on Information System objectives and on the Information System in general?
• The adoption of best practice guidelines has so far not taken into account the parameters and constraints of each company. What are the criteria for choosing the best framework to support the processes and activities related to the core business of the company?
• Implementation of end-to-end IS activities cannot be considered without effective interaction management. In spite of this, a communication system that manages the workflows is rarely considered. What is the nature of the interactions that a communication system must support in managing GRC-related processes from the expression of needs to the generation of action plans? And what are the technologies to be used to achieve this result?
We propose to deal with the following problem: How can IT GRC processes be managed effectively to meet the strategic needs of the information system? What is the best framework of good practices to implement the activities of these processes? How can interactions and information workflows be managed to build a platform to support good governance, risk management and information systems compliance?

E. Research Methodology
Our proposal for the construction of an IT GRC platform is based on the following:
• An understanding of the nature of the IT GRC implementation process.
• An IT GRC implementation model, or modeling the architecture of the IT GRC platform. The proposed platform is a smart, distributed, multi-frameworks solution that provides good governance, risk management and compliance of information technology within a company, including a set of distributed systems that:
• The modeling of a communication architecture, which manages the interactions between the distributed systems of the IT GRC platform, ensuring end-to-end communication between the different layers of the solution. It comprises a communication block per layer for the particularity of the workflows of each layer and the specificity of the processing to be launched before redirecting the information flow to the following layer.
In this way, we wish to respond to the needs and current failures of IS engineering research on the formalization of the IS concepts and the need observed on the adaptation of the frameworks and references of the IT GRC.
The next section presents the global IT GRC solution proposed to address the problematic. Recall that the latter refers to the observation of a lack of adaptation of the processes of the Governance, the management of the risks and the conformity of the Information Systems to the needs of the companies.

II. PROPOSED GRC IT PLATFORM ARCHITECTURE
The analysis of the literature shows the weakness of research investigations in this field. We address this problematic by proposing an intelligent and distributed Platform of Governance, Risk and Compliance based on Multiframeworks of Information Systems consisting of:
• A strategic system whose objective is to ensure and evaluate the alignment of the company's business objectives with the IS objectives and strategy.
• A decision-making system whose objective is to choose the best reference system for Governance, Risk and Compliance of Information Systems.
• A communication system that manages the communication (flow of information) between the different systems of the GRC IT platform in a smart way.
• Processing systems whose objective is to manage the IT processes according to the reference system chosen by the decision-making system.
• An updating system which serves to update the frameworks of good practices considered by each processing system.
The proposed architecture consists of the following layers:

A. Strategic Layer
The strategic layer persists the dynamic and static configurations of the company, encapsulates the objectives related to the Information Technology of the various departments of the company and maps them to the IT objectives and the appropriate IT processes, and edits the matrix of responsibilities, the maturity model and the control objectives of the strategy in question. To ensure these functionalities, the strategic layer relies on inter-organization workflows based on multi-agent systems to orchestrate workflows from different independent and non-pre-packaged business departments toward a common final objective for one or more initial business objectives. Moreover, it offers its users a semantic engine that translates their business objectives into a query that can be interpreted by all IT GRC frameworks. Requests are archived for the enrichment of the framework set to initial state.
The strategic layer of the platform is based on the EAS-STRATEGIC system. It handles the static configuration of the company necessary for all the components, namely the general information, the resources, the departments, the certifications obtained or prepared, the constraints, the strategies implemented, etc., in addition to the dynamic configuration, which consists of expressing the current specific business objectives of a given department. It also handles the persistence of the configuration, the translation of the business objectives into a language comprehensible by all IT GRC frameworks, and the intelligent correspondence between business objectives, IT objectives and IT processes. To serve as a reference for the objectives expressed by the business manager, the choice is based on the COBIT framework, for which a multi-agent decomposition has been made. This decomposition constantly feeds the semantic engine, together with the requests already processed that are stored in the knowledge base (learning aspect).
At the end of its processing, this layer sends the synthesis of the results to the communication layer for a possible redirection to the processing components for the purpose of specialization.

B. Decision Making Layer
The decision layer is capable of selecting the best framework of IT governance, risk management and compliance for a request from the strategic layer, and of detailing the activities and measures to be executed for an IT process according to its category (Governance, Risk, Compliance), based on the company configuration and the IT process evaluation criteria per framework. To provide these functionalities, the decision-making layer is based on a multi-criteria intelligent choice capable of designating the frameworks to be mobilized in order to respond effectively to the user's demand. It offers two decision-making modes, an IT-oriented mode and an activity-oriented mode, according to the needs of the company. Each mode is supported by intelligent agents running two selection algorithms, the first by criteria and the second by framework.
The decision-making layer of the IT GRC platform is based on the EAS-DECISION system, which makes an intelligent choice of the best framework to process a request from EAS-Strategic. A decisional categorization of the IT processes is made at the level of the communication layer, and then the two framework selection algorithms are executed by the agents responsible. Any other decision of the processing layer must be redirected to the communication layer, for example the choice of the best risk management strategy.

C. Processing Layer
The processing layer encapsulates each IT GRC framework in an intelligent, stand-alone system that deploys actions and implements all of the framework's recommendations in an interactive way. The interaction is done by sending a specification request to the strategic layer to request static information to be configured, or by opening an exchange form with a potential user whose answers are redirected to the knowledge base of the system in question.
The processing layer of the proposed IT GRC platform is based on several EAS-Processing systems (EAS-ITIL, EAS-PMP, EAS-ISO 27001 ...) which are notified by EAS-COM after it has retrieved the decision from EAS-Decision. Each EAS-Processing system encapsulates a specific IT GRC framework and puts it into production through intelligent agents that communicate with each other in order to detail the process received as input. For example, EAS-ITIL represents the ITIL framework, so once one or more IT processes have to be handled with this framework, its agents choose the process of the appropriate ITIL cycle with the associated recommendations. Communication with a potential user is possible to detail the request.

D. Communication Layer
The communication layer provides end-to-end communication between the different layers of the solution in two different modes: synchronous, by message sending, and asynchronous, by information sharing. Each mode is triggered according to the specificities of the organization and the strategy in question. It comprises a communication block per layer for the particularity of the flows of each layer and the specificity of the processing to be launched before redirecting the information flow to the following layer.
The communication layer of our IT GRC platform is based on the EAS-COM system, which is responsible for exchanging flows and messages between EAS-Strategic, EAS-Decision and EAS-Processing. Two communication modes are involved: the first by information sharing and the second by message sending.
This system constitutes the second scientific contribution in this work which we will present in the following section.

E. Update Layer
The update layer supports updating versions of frameworks of best practices used to periodically upgrade the entire platform. This upgrade is ensured from a correspondence between the processes of the old and the new version, injecting the necessary information into the knowledge bases of the different blocks of the platform. The updating layer of the IT GRC platform is based on the EAS-Updater system, which upgrades the versions of all the frameworks deployed to the platform: a correspondence between the old and the new version is made from the official documentation in flat files, and an intelligent agent at the level of EAS-Updater loads the received files into the knowledge bases of the different layers.
The IT-GRC platform is a solution based on the concept of distributed systems. It relies on multi-agent systems (MAS) in its various parts, namely the user interface, the static and dynamic configuration of the organization, the management of profiles, the choice of the best framework and the processing of processes. It takes advantage of the autonomy and learning aspect of the MAS as well as their high-level communication and coordination.
However, these technological components are difficult to manipulate, or users lack the skills necessary to use them properly. In this situation, the modeling of a communication architecture is necessary, with the aim of adapting the functionalities of the platform to the needs of the users. To help achieve these objectives, it is necessary to develop a functional and intelligent communication architecture that is adaptable and capable of providing a support framework, thus allowing access to the functionalities of the systems independently of physical and temporal constraints.
A functional architecture defines the logical and physical structure of the components that make up a system and the interactions between them [12][13][14]. If we focus on intelligent and distributed architectures, the main paradigm to consider is the multi-agent system. EAS-COM is a new architecture focused on product development based on multi-agent systems. It integrates this technology to facilitate the development of a flexible distributed system by taking advantage of the characteristics of interaction between agents to model a functional system.

III. EAS-COM
EAS-COM (see Fig. 4: EAS-COM is represented by the transverse layer of the platform) is a communication system that facilitates the integration of distributed systems of the IT GRC platform. This system must be dynamic, flexible, robust, adaptable to each user's request, scalable and easy to use and maintain. In addition, this architecture is extensible to integrate the desired processing system, without dependence on a specific programming language. The systems integrated into the IT GRC platform must follow a communication protocol that must integrate. Another important feature is that, thanks to the capabilities of the agents, the developed systems can make use of learning techniques to manage the decisions previously taken, which are recorded in knowledge bases.
On the other hand, the use of the information sharing mode to establish the communication between EAS-COM and the other distributed systems of the IT GRC platform raises the problem of the synchronization of the execution of the requests of these systems by our communication system.
The second proposal was the use of the message sending mode for the modeling of a communication system within a distributed platform. This proposal has several advantages, namely:
On the other hand, the use of message sending, especially for messages containing the most relevant information (IT service requested, categorized IT service, IT service decided and result of processing), risks losing this information, in which case the workflow of the communication layer will be interrupted. In addition, relying only on message sending is likely to saturate communication, especially between the three EAS-COM subsystems (Strategic-Com, Decision-Com and Processing-Com). These three multi-agent systems need to have a permanent backup of the data that we deemed most relevant to achieve the desired goal of each subsystem.
The architecture of the hybrid communication system that we are going to propose in this section combines the two modes of communication: information sharing and message sending. This solution will overcome the shortcomings encountered in the two previous architectures (see the evaluations of the two proposals).
The exclusive use of one of these two modes of communication does not provide a persistence of the data to be exchanged. However, in view of their complementarities in this context, their association provides relevant results in the coordination and control of the interactions between distributed systems of the IT GRC platform, between EAS-COM subsystems and these latter. Therefore, a high level of interaction is achieved in a smart way.
In this third version of the architecture of the EAS-COM (see Fig. 5), we have combined the two modes of communication.
In order to solve the problem of managing communication workflows within the IT GRC platform, we break down the EAS-COM system into subsystems. Each subsystem is concerned with the execution of a specific task of the whole communication problem.
There is a close link between the choice of agents and the objectives for which they are designed. Since we intend to manage workflows between components of the IT GRC platform based on the importance of their content to users, we need to perform the following main tasks:
1) The categorization of IT services received from the strategic layer.
2) Requesting and receiving the decision (interaction with the decision layer) in relation to the best references.
3) Management of processing systems (sending of IT services to be processed and reception of processing results), taking into account the quality of their processing and their performance.
Each task can be assigned to an agent or group of agents.
• We call the multi-agent system dedicated to the categorization of IT services (interaction with the strategic layer) "Strategic-Com". It contains the agents responsible for task (1).
• We call the multi-agent system assigned to communicate with the decision-making layer "Decision-Com". It contains the agents responsible for executing task (2).
• We call the multi-agent system for managing the processing of IT services (interaction with the processing layer) "Processing-Com". The agents of this multi-agent system are responsible for task (3).

A. Strategic-COM
The Strategic-COM subsystem ensures communication with the strategic layer represented by the EAS-STRATEGIC system. The latter translates the strategic needs of the user in terms of IT services. The deduced IT services are redirected to the Strategic-COM subsystem, which categorizes the IT processes included in the IT service requested. Categorization consists of associating each IT process with one or more good practices/frameworks to manage the activities of the IT process. The diagram in Fig. 6 explains the procedure for categorizing an IT service received from the strategic layer. The IT service categorization procedure is as follows: the IT service received is divided into the IT processes that it contains.
Each IT process is associated with one or more good practice references according to the discipline to which it belongs (IT governance, IT risk management, IT compliance). The elements of the matrix are constructed in the following form: {Proc i, (Ref 1, Ref 2
We defined three types of agents: Collector Agent, Manager Agent, Constructor Agent (see Fig. 7).

1) Collector agent: The Collector Agent performs an organizational task. It checks the structure of the web services received and classifies them according to the date of their creation by the user (the date of creation is specified in every IT service). At the end of its processing, it transfers the IT services to the Manager Agent.
2) Manager agent: The Manager Agent is the heart of Strategic-COM. It categorizes IT services by associating each IT process with one or more appropriate frameworks for its implementation. At the end of the processing, it merges the elements of the matrix which will constitute the categorized IT service as {IT process, {ref1, ref2, ..., refn}}. This result is transferred to the Constructor Agent.
The Manager Agent has a knowledge base that depends on the mapping of the COBIT processes to the other frameworks. This mapping list is fed from the IT GRC platform.

3) Constructor agent: The objective of this agent is to provide a comprehensible representation of the IT service, while preserving as much as possible of the IT service setting data (the user creating the IT service, the date of its creation, the priority of IT processes ...). To achieve this goal, it retrieves the result of categorizing the IT processes provided by the Manager Agent and constructs the final matrix that represents the categorized IT service that will be sent to the decision layer (EAS-Decision) as a web service.
In the following figure (Fig. 8), we present the distribution of Strategic-COM Agents according to their tasks.
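The Collector, Manager and Constructor steps described above can be sketched as follows. This is an added example, not code from the paper: the function names, the field names of the IT service and the knowledge-base entries are assumptions, and the sample services are constructed. It also shows two points the description leaves implicit: a structurally invalid service is rejected with a reason before categorization, and a process with no mapping is reported rather than silently dropped.

```python
from datetime import datetime, timezone

# Constructed sample knowledge base (COBIT process -> frameworks). The values
# are illustrative; they are not the paper's Table I mapping.
KNOWLEDGE_BASE = {
    "DSS02": ["ITIL"],
    "APO13": ["ISO 27001", "ISO 27002"],
    "BAI01": ["PMBOK"],
}

def parse_created(value):
    """Parse an ISO 8601 creation date; naive values are assumed to be UTC."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def validate(service):
    """Collector check: return None if well formed, else a rejection reason."""
    if not isinstance(service, dict):
        return "service is not an object"
    for field in ("id", "user", "created"):
        if not isinstance(service.get(field), str) or not service[field]:
            return f"missing or invalid field: {field}"
    try:
        parse_created(service["created"])
    except ValueError:
        return "created is not an ISO 8601 date"
    processes = service.get("processes")
    if not isinstance(processes, list) or not processes:
        return "processes must be a non-empty list"
    for proc in processes:
        if not (isinstance(proc, dict) and isinstance(proc.get("name"), str)
                and isinstance(proc.get("priority"), int)):
            return "process entries need a name and an integer priority"
    return None

def collector(services):
    """Collector Agent: check structure, then order by creation date."""
    accepted, rejected = [], []
    for service in services:
        reason = validate(service)
        if reason is None:
            accepted.append(service)
        else:
            sid = service.get("id") if isinstance(service, dict) else None
            rejected.append((sid, reason))
    accepted.sort(key=lambda s: parse_created(s["created"]))
    return accepted, rejected

def manager(service):
    """Manager Agent: associate each IT process with its frameworks."""
    matrix, unmapped = [], []
    for proc in service["processes"]:
        refs = KNOWLEDGE_BASE.get(proc["name"])
        if refs:
            matrix.append((proc["name"], list(refs)))
        else:
            unmapped.append(proc["name"])  # surfaced, not silently dropped
    return matrix, unmapped

def constructor(service, matrix, unmapped):
    """Constructor Agent: final matrix, keeping user, date and priorities."""
    priority = {p["name"]: p["priority"] for p in service["processes"]}
    return {
        "id": service["id"],
        "user": service["user"],
        "created": service["created"],
        "matrix": [{"process": name, "priority": priority[name], "frameworks": refs}
                   for name, refs in matrix],
        "unmapped": unmapped,
    }

def strategic_com(services):
    """Run the three agents in order; returns (categorized, rejected)."""
    accepted, rejected = collector(services)
    return [constructor(s, *manager(s)) for s in accepted], rejected

# Constructed sample IT services, deliberately out of date order.
SAMPLE_SERVICES = [
    {"id": "svc-002", "user": "cio", "created": "2017-03-10T14:00:00",
     "processes": [{"name": "APO13", "priority": 1},
                   {"name": "XYZ99", "priority": 3}]},
    {"id": "svc-001", "user": "service-desk-lead", "created": "2017-03-09T09:30:00",
     "processes": [{"name": "DSS02", "priority": 2}]},
    {"id": "svc-003", "user": "pmo", "created": "2017-03-08T08:00:00",
     "processes": []},
]

if __name__ == "__main__":
    categorized, rejected = strategic_com(SAMPLE_SERVICES)
    for item in categorized:
        print(item)
    print("rejected:", rejected)
```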

B. Decision-COM
The Decision-COM ensures communication with the decision layer represented by the EAS-Decision system (see Fig. 9). This communication consists of sending the categorized IT service to the decision-making layer represented by the EAS-DECISION system. Once the decision is taken in relation to the best frameworks to be associated with each of the IT processes included in the IT service, Decision-COM receives the result of the decision, represented by the IT service decided. The latter must have the following format: {(Proc a,

1) DD agent: This agent ensures the communication of the IT service with the decision layer. It receives the categorized IT service from the Constructor Agent and translates it into a web service so that it can be sent to the decision layer via the network (knowing the IP address of the server on which EAS-Decision runs), and it remains listening to receive the result of the decision. Once the result is received, it is transferred to the Processing-Com subsystem for processing.

C. Processing-Com
The Processing-COM ensures communication with the processing layer. Processing systems of the EAS-PROCESSING layer manage the IT processes following the recommendations dictated by the framework chosen by the EAS-COM decision-making system in order to generate the action plans to be implemented to meet the needs of the users of the IT GRC platform. We defined four types of agents: ComIn Agent, Admin Agent, Directory Agent, ComOut Agent.

1) ComIn agent: The ComIn Agent is a communicating agent. It receives the decided IT service from Decision-Com and transfers it to the Admin Agent to determine the processing systems capable of managing the IT processes.
2) Admin agent: The Admin Agent invokes the processing system that is best placed. If there are several systems that can solve the requested task, the Admin Agent has the ability to select the optimal choice. This decision-making capacity in relation to the choice of the processing system depends on the performance of the latter, its execution number, its availability.... This information is stored in its knowledge base, which it uses during the resolution of conflicting situations. With each choice made, it communicates with the ComOut Agent and determines the best system to trigger.
3) Directory agent: The Directory Agent records system processing reports, as well as the information about them (system performance, number of executions...).

4) ComOut agent: Notifying and triggering processing systems that can handle all the processes of an IT service is a complex task that can lead to additional processing time, and therefore can slow down this task. In this step, we propose a new approach whereby the triggering of the processes of an IT service can be partitioned. Our idea is to trigger the set of processing systems chosen to implement the processes of the same IT service. During this trigger, the ComOut Agent receives the list of processing systems to be notified. This list must contain the information of these systems, namely the name of the system, the description, and the IP address of the server on which the processing system is running.
This method provides simultaneous processing of all processes included in the IT service. However, there may be situations where multiple processing requests are not permitted, including requests to process multiple processes through the same processing system, which could significantly reduce the processor's performance. In these cases, the Admin Agent instructs the ComOut Agent to check the status of the affected system and notify it that it is busy and cannot accept other requests until it finishes.
In the following figure (Fig. 10), we present the distribution of the Processing-COM Agents according to their tasks.
We have defined three subsystems that make up our EAS-COM system: Strategic-Com, Decision-Com and Processing-Com. They are multi-agent systems made up of several agents that interact to guarantee the achievement of the goals to which they are assigned. During this interaction, agents intervene to manage possible workflows. To achieve their objectives, our agents act according to their knowledge and skills. In Table II and Table III, we summarize the main characteristics of our agents in the Annexure B.

IV. IMPLEMENTATION AND EXPERIMENTATION
The AUML modeling of the EAS-COM system and the realization of the simulation platform were followed by the implementation of the communication and management system for the interactions between the distributed components of the IT GRC platform that run on networked machines. The IT GRC platform was tested on a local network and an internet network. This platform is based on the hardware architecture (see Fig. 11) composed of: a router through which these PCs are connected.

The EAS-STRATEGIC system is in direct contact with the user of the IT GRC platform. It makes it possible to make the static configuration of the company necessary for all the components (general information, resources, departments, certifications obtained or prepared, constraints, strategies implemented, etc.), in addition to the dynamic configuration that expresses the current specific business objectives of a given department. This system allows the users of the platform to express the business objectives in a language comprehensible by all IT GRC frameworks, and provides the intelligent correspondence between business objectives, IT objectives and IT processes. Once this is done, it sends the business requirement expressed in IT processes (IT Service) through a RESTful service, specifying the IP address of the PC on which the EAS-COM system is running and using JSON as the data format. Here is the request sent by the EAS-

This query starts our EAS-COM system (see Fig. 12). It retrieves the requested IT service and displays its data in a table. Then, it proceeds to the categorization of the IT processes included in the IT service by consulting the knowledge base. The latter follows the mapping between the COBIT processes and the ITIL, PMBOK, ISO 27001 and ISO 27002 frameworks (see Table I). The categorization result is then displayed in the second table (see Fig. 13).

The EAS-COM system prepares the request to send to the decision-making system, EAS-DECISION, with respect to the frameworks associated with the IT processes. This request translates the categorized IT service and has the following format:

EAS-COM then sends the processing requests. To do this, it associates with each IT process an appropriate processing system according to the reference system chosen by the EAS-DECISION system. In our case:
- PO1 will be managed by the EAS-ITIL processing system
- PO2 will be managed by the EAS-ITIL processing system
- PO4 will be managed by the EAS-ISO 27002 processing system
- PO8 will be managed by the EAS-PMBOK processing system

The requests (notifications) to send to the processing systems are as follows: The request sent to EAS-ITIL:

These queries launch the interfaces of the processing systems in order to follow the execution of the four IT processes. (Note: the EAS-ITIL processing system is executed twice, but each execution concerns a different IT process: PO1 for the first execution and PO2 for the second.)

Each processing system deploys the actions and implements all the recommendations of the framework in an interactive way. Once it completes its processing, it sends the processing report of the requested IT process to EAS-COM by specifying the download link (the report to the format of a PDF file stored in the server in which the treatment) (see Fig. 15). The processing reports are received by EAS-COM, which stores them in the database of the platform. EAS-COM calculates the parameters of each of the four processing systems: performance, quality, and number of executions.
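The structure checks that EAS-COM can apply to the list of systems to notify and to an incoming processing report, as an added example that is not the platform's own code. The field names (`name`, `description`, `ip`, `process`, `system`, `download_link`) and the rule that a report's download link must point at the server registered for the system that was notified are assumptions made for this sketch, since the page does not give the JSON formats.

```python
import ipaddress
from urllib.parse import urlsplit

REQUIRED = ("name", "description", "ip")  # the fields the list must contain

def check_target(entry, directory):
    """Problems with one entry of the list of systems to notify ([] = ok)."""
    problems = [f"missing {k}" for k in REQUIRED
                if not isinstance(entry.get(k), str) or not entry[k].strip()]
    if problems:
        return problems
    try:
        ip = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return ["ip is not a valid address"]
    known = directory.get(entry["name"])
    if known is None:
        return ["system is not in the directory"]
    if ipaddress.ip_address(known) != ip:
        return ["ip differs from the directory record"]
    return []

def check_report(report, pending, directory):
    """pending maps each IT process to the system that was notified for it."""
    proc = report.get("process")
    expected = pending.get(proc) if isinstance(proc, str) else None
    if expected is None:
        return ["report for a process that was not requested"]
    if report.get("system") != expected:
        return ["report from a system other than the one notified"]
    try:
        url = urlsplit(str(report.get("download_link") or ""))
        host = url.hostname
    except ValueError:
        return ["download link cannot be parsed"]
    problems = []
    if url.scheme not in ("http", "https"):
        problems.append("download link is not http(s)")
    if host != directory.get(expected):
        problems.append("download link host is not the system's server")
    if not url.path.lower().endswith(".pdf"):
        problems.append("download link is not a PDF")
    return problems

# Constructed sample data (addresses from the 192.0.2.0/24 documentation range).
DIRECTORY = {"EAS-ITIL": "192.0.2.11", "EAS-PMBOK": "192.0.2.15"}
PENDING = {"PO1": "EAS-ITIL", "PO8": "EAS-PMBOK"}
```

A report is stored and its link followed only when `check_report` returns an empty list; anything else is kept out of the database and logged with the reasons returned.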

V. ANALYSIS OF RESULTS
The simulation and experimentation described in this section make it possible to highlight the interest of the support provided by EAS-COM in facing the design problems of the applications of the IT GRC platform. EAS-COM is designed to deal with the different problems encountered by the distributed systems implemented in our platform.

A. Interest in Decoupling Functionality
The problem of decoupling functionality appears in the proposed IT GRC solution. EAS-COM addresses these issues, in particular through the use of a service-oriented (RESTful) approach and the use of agent technology:
1) Distribution: Distribution appears in the architecture of the IT GRC platform. The associated problems are largely handled at the service infrastructure level. The interest of EAS-COM in this case is therefore the possibility to build on these existing infrastructures and thus benefit from the solutions they provide to manage the decentralization, security and reliability of communications.
2) Reusability: The problem of reusability also appears in the IT GRC platform. On the one hand, applications have been developed primarily from existing functionalities. On the other hand, certain functionalities, such as those of processing systems, can be used in several applications. This problem is partly addressed by the use of a service-oriented approach, but EAS-COM increases the reusability by integrating an explicit representation of the context in the descriptions of the functionalities.
3) Heterogeneity: Two types of heterogeneity appear in the applications presented: the heterogeneity of the functionalities and the heterogeneity of the infrastructures of these applications. EAS-COM addresses the heterogeneity of functionalities through the use of the service-oriented approach, and the heterogeneity of application infrastructures by making it possible to integrate these systems without taking into account their programming languages.

B. Interest in a Robust IT GRC Platform
The problem of application robustness is present in the IT GRC platform.

1) Deployment: All applications presented in the IT GRC platform are defined in an abstract way and dynamically deployed in a given environment. EAS-COM exploits in particular the mechanisms of assembly of functionalities proposed by the applications integrated in the IT GRC platform.
2) Breakdown: Fault tolerance is not specifically detailed, but it appears in the case of the unavailability of one of the processing systems. In particular, we mentioned that when EAS-COM chooses a processing system to manage an IT process and that system disappears or fails, it is possible to use an alternate functionality (choose another processing system that can take over the management of the same IT process according to the recommendations of the same reference system decided by EAS-DECISION).
3) Evolution: The evolution appears in the case of the EAS-Processing layer, in which new processing systems appear gradually. These systems are supported by EAS-COM and integrated without modification of the general architecture of EAS-COM. EAS-COM can thus take care of the evolution of an attentive environment without requiring internal modification. This capability is based on the presence of Admin agents capable of interpreting the descriptions of the new processing systems in their knowledge base.
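The Admin agent's choice among candidate processing systems, the ComOut agent's busy check, and the fallback to an alternate system of the same framework described under Breakdown, shown together as an added example that is not the platform's own code. The scoring rule, the metric values, the `-B` alternate systems and the addresses are assumptions; the page only names performance, execution number and availability as criteria.

```python
from dataclasses import dataclass

@dataclass
class ProcessingSystem:
    name: str
    framework: str          # reference framework the system implements
    ip: str                 # server on which the system runs
    performance: float      # assumed scale 0..1, higher is better
    executions: int         # execution number kept by the Directory agent
    available: bool = True  # False once the system has disappeared or failed
    busy: bool = False      # True while it is processing an IT process

def choose(systems, framework):
    """Admin agent: best reachable system for the framework decided upstream.
    Assumed rule: highest performance, ties go to the least-executed system."""
    candidates = [s for s in systems if s.framework == framework and s.available]
    return max(candidates, key=lambda s: (s.performance, -s.executions), default=None)

def dispatch(systems, assignments):
    """ComOut agent: one notification per IT process of the IT service."""
    notifications, conflicts, deferred = [], [], []
    for process, framework in assignments:
        target = choose(systems, framework)
        if target is None:
            deferred.append((process, framework))     # nothing can take it yet
        elif target.busy:
            conflicts.append((process, target.name))  # Notify (conflicts)
            deferred.append((process, framework))
        else:
            target.busy = True                        # refuses requests until done
            notifications.append((process, target.name, target.ip))
    return notifications, conflicts, deferred

def finish(system):
    """Notify (end processing): release the system, count the execution."""
    system.busy = False
    system.executions += 1

def sample_systems():
    # Constructed knowledge base; "-B" alternates and all metrics are made up.
    return [
        ProcessingSystem("EAS-ITIL", "ITIL", "192.0.2.11", 0.9, 12),
        ProcessingSystem("EAS-ITIL-B", "ITIL", "192.0.2.12", 0.7, 3),
        ProcessingSystem("EAS-ISO 27002", "ISO 27002", "192.0.2.13", 0.8, 5, available=False),
        ProcessingSystem("EAS-ISO 27002-B", "ISO 27002", "192.0.2.14", 0.6, 1),
        ProcessingSystem("EAS-PMBOK", "PMBOK", "192.0.2.15", 0.8, 7),
    ]

SERVICE = [("PO1", "ITIL"), ("PO2", "ITIL"), ("PO4", "ISO 27002"), ("PO8", "PMBOK")]
```

With this sample, PO4 goes to the alternate ISO 27002 system because the preferred one is unavailable, while PO2 is reported as a conflict and deferred until EAS-ITIL finishes PO1. This models the case where a second request to the same system is not permitted.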

VI. CONCLUSION
We proposed a new intelligent distributed platform of Governance, Risk Management and Compliance of Information Systems based on the multi-agent system. In order to adapt the functionalities of the platform to the needs of the users and to help achieve its objectives, it is necessary to develop a functional and intelligent communication architecture that is adaptable and capable of providing a support framework, accessing the functionality of the IT GRC platform's distributed systems regardless of physical and time constraints. The architecture of the proposed intrusion detection system is based on a new detection model consisting of two independent analyzers using a new functional approach. EAS-COM is a communication architecture dedicated to managing the interactions and information flows between the distributed systems of the IT GRC platform, focusing on the development of products based on multi-agent systems. It integrates this technology to facilitate the development of a flexible distributed system by taking advantage of the characteristics of interaction between agents to model the functional system. This approach is based on the intelligence of Multi-Agent Systems (MAS). Intelligent agents, distributed across the three subsystems that make up EAS-COM, cooperate and communicate to effectively manage the IT needs of IT users. To manage this communication, we have established three versions of the architecture: the first is based on the information sharing paradigm, the second is based on the mode of sending messages, and the last one, which we opted for in the implementation, is based on the combination of these two communication modes (hybrid communication architecture).
We subsequently carried out an experimentation of the IT GRC platform, implementing our communication system. This system was concretized and validated by the actual tests. It uses web services (RESTful) to interact with components of the general platform that are connected to a local network or an internet network. As for the execution of internal functionalities, it relies on the technology of multi-agent systems by deploying different types of agents that communicate and interact with one another in order to achieve the intended objectives.
In perspective, we continue our work to finalize the experimental platform, adding other processing systems and ensuring their implementation in the platform through the communication system, and then submitting it to real tests. Then we will expand the IT GRC platform so as to set up a layer of change management and performance that will set up the action plans generated by the processing systems. To do this, we will adapt our communication system to connect this layer to the existing components of the IT GRC platform. Finally, the platform will evolve into a marketing platform.

ANNEXURE B
We have defined three subsystems that make up our EAS-COM system: Strategic-Com, Decision-Com and Processing-Com. They are multi-agent systems made up of several agents that interact to guarantee the achievement of the goals to which they are assigned. During this interaction, agents intervene to manage possible workflows. To achieve their objectives, our agents act according to their knowledge and skills. In the following Table I, we summarize the main characteristics of our agents:

- Identifies IT processes and their associated best framework
- Consults processing system performance/execution number
- Associates every IT process to adequate processing system
- Generates processing system notification {IT process/system Processing}
- Transfers system processing choice to COM-OUT agent

Directory Agent
- Stores processing reports into database
- Identifies run time of each processing system
- Increments execution number of each implemented processing system

Com-Out Agent
- Checks notifications structure
- Sends notification system to processing systems chosen (number of notification=number of processes included into the IT service)
- Supervises the progression of processing of the IT service
- Receives the response of each processing system invoked
- Checks processing reports structure
- Transfers all reports to Directory Agent

Fig. 16 summarizes the operation of our multi-agent system. It presents the messages exchanged between the agents when receiving the IT services, the decision on the best framework to apply and the implementation of the IT processes by the processing systems. These messages are summarized in the following table (Table II):

TABLE III. MESSAGES EXCHANGED BETWEEN EAS-COM AGENTS
Help (demand-info-system): Message sent by the Admin agent instances to the Directory agent to get information about the processing system concerned, in order to perform the processing action.
10. Help (response-info-system): Message sent by the Directory agent to the Admin agent instances to tell them whether there is information about the requested processing system.
11. Aggregation (response-processing): Message sent by the Admin agent instances to the Admin agent that requested the association of IT processes with the appropriate processing systems. The latter synthesizes all responses.
12. Inform (processing IT service-Demand): Message sent by the Admin agent to the Com-Out agent. It contains the final data of the IT service processing demands: every IT process is associated with the adequate processing system.
13. Notify (conflicts): Message sent by the Com-Out agent to the Admin agent to notify it if a processing system is "busy".
14. Notify (end processing): Message sent by the Com-Out agent to the Directory agent to notify it that a processing system has finished its processing.