Scenario Please read this scenario prior to answering the Question You are serving as the
Chief Architect for a large, global commodities trading company which has been growing
rapidly through a series of acquisitions. Each business is performing well in its markets.
However, the lack of integration between headquarters and the business units has
increasingly caused problems in the handling of customer and financial information. The
inability to share information across businesses has resulted in lost opportunities to
“leverage the synergies” that had been intended when the businesses were acquired. At
present, each business unit maintains its own applications. Despite an earlier initiative to
install a common application to manage customer, products, supplier, and inventory
information, each business unit has different ways of defining each of these core elements
and has customized the common application to the point where the ability to exchange
information is difficult, costly, and error-prone. As a result, the company has made the
decision to introduce a single enterprisewide application to consolidate information from
several applications that exist across the lines of business. The application will be used by
all business units and accessed by suppliers through well defined interfaces. The Corporate
Board is concerned that the new application must be able to manage and safeguard
confidential customer information in a secure manner that meets or exceeds the legal
requirements of the countries in which the company operates. This will be an increasingly
important capability as the company expands its online services in cooperation with its
trading partners. The CIO has formed an Enterprise Architecture department, and one of the
primary goals in its charter is to coordinate efforts between the implementation team and the
business unit personnel who will be involved in the migration process. The CIO has also
formed a cross-functional Architecture Board to oversee and govern the architecture. The
company has an existing team of security architects. TOGAF 9 has been selected for use
for the Enterprise Architecture program. The CIO has endorsed this choice with the full
support of top management. Refer to the Scenario In the Preliminary Phase you need to

define suitable policies and ensure that the company has the appropriate capability to
address the concerns of the Corporate Board. Based on TOGAF 9, which of the following is
the best answer?

A.
You evaluate the implications of the concerns raised by the Corporate Board in terms of
regulatory requirements and their impact on business goals and objectives. Based on this
understanding, you then issue a Request for Architecture Work to commence an
architecture development project to develop a solution that will address the concerns. You
allocate a security architect to oversee the implementation of the new application that is
being developed.

B.
You identify and document the security and regulatory requirements for the application
and the data being collected. You ensure that written policies are put in place to address the
requirements, and that they are communicated across the organization, together with
appropriate training for key employees. You identify constraints on the architecture and
communicate those to the architecture team. You establish an agreement with the security
architects defining their role within the ongoing architecture project.

C.
You start by clarifying the intent that the Board has for raising these concerns. This
enables you to understand the implications of the concern in terms of regulatory
requirements and the potential impact on current business goals and objectives. You
propose that a security architect or security architecture team be allocated to develop a
comprehensive security architecture and that this be considered an additional domain
architecture.

D.
You evaluate the implications of the Board’s concerns by examining the security and
regulatory impacts on business goals, business drivers and objectives. Based on your
understanding, you then update the current security policy to include an emphasis on the
concerns. You define architecture principles to form constraints on the architecture work to
be undertaken in the project. You then allocate a security architect to ensure that security
considerations are included in the architecture planning for all domains.

Explanation: