Scenario
Please read this scenario prior to answering the Question You are serving as the Chief Architect for a
large, global commodities trading company which has been growing rapidly through a series of
acquisitions. Each business is performing well in its markets. However, the lack of integration
between headquarters and the business units has increasingly caused problems in the handling of
customer and financial information. The inability to share information across businesses has resulted
in lost opportunities to “leverage the synergies” that had been intended when the businesses were
acquired. At present, each business unit maintains its own applications. Despite an earlier initiative
to install a common application to manage customer, products, supplier, and inventory information,
each business unit has different ways of defining each of these core elements and has customized
the common application to the point where the ability to exchange information is difficult, costly,
and error-prone. As a result, the company has made the decision to introduce a single enterprisewide application to consolidate information from several applications that exist across the lines of
business. The application will be used by all business units and accessed by suppliers through well
defined interfaces. The Corporate Board is concerned that the new application must be able to
manage and safeguard confidential customer information in a secure manner that meets or exceeds
the legal requirements of the countries in which the company operates. This will be an increasingly
important capability as the company expands its online services in cooperation with its trading
partners. The CIO has formed an Enterprise Architecture department, and one of the primary goals
in its charter is to coordinate efforts between the implementation team and the business unit
personnel who will be involved in the migration process. The CIO has also formed a cross-functional
Architecture Board to oversee and govern the architecture. The company has an existing team of
security architects. TOGAF 9 has been selected for use for the Enterprise Architecture program. The
CIO has endorsed this choice with the full support of top management. Refer to the Scenario In the
Preliminary Phase you need to define suitable policies and ensure that the company has the
appropriate capability to address the concerns of the Corporate Board. Based on TOGAF 9, which of
the following is the best answer?

A.
You start by clarifying the intent that the Board has for raising these concerns. This enables you to
understand the implications of the concern in terms of regulatory requirements and the potential
impact on current business goals and objectives. You propose that a security architect or security
architecture team be allocated to develop a comprehensive security architecture and that this be
considered an additional domain architecture.

B.
You evaluate the implications of the Board’s concerns by examining the security and regulatory
impacts on business goals, business drivers and objectives. Based on your understanding, you then
update the current security policy to include an emphasis on the concerns. You define architecture
principles to form constraints on the architecture work to be undertaken in the project. You then
allocate a security architect to ensure that security considerations are included in the architecture
planning for all domains.

C.
You identify and document the security and regulatory requirements for the application and the
data being collected. You ensure that written policies are put in place to address the requirements,
and that they are communicated across the organization, together with appropriate training for key
employees. You identify constraints on the architecture and communicate those to the architecture
team. You establish an agreement with the security architects defining their role within the ongoing
architecture project.

D.
You evaluate the implications of the concerns raised by the Corporate Board in terms of
regulatory requirements and their impact on business goals and objectives. Based on this
understanding, you then issue a Request for Architecture Work to commence an architecture
development project to develop a solution that will address the concerns. You allocate a security
architect to oversee the implementation of the new application that is being developed.