Scenario: Raxlon Inc.
Case Study Title (Case Study):
Raxlon Inc. is a Fortune 500 Company dealing in high value drugs and pharma products. Its annual
turnover is over 120 billion $. It has more than 100,000 employees all over the globe in its R&D,
Manufacturing and Marketing Units.
Raxlon’s CEO, Dr Peter Fowles, is a pharmacology expert and has over 72 patents on various types of
drugs mainly used for treating patients with genetic disorders. Raxlon is now moving into a suite of
high end critical drug products used for Genetic Repair of congenital Diseases like Alzhmeir’s disease
and Epilepsy. Rexlon has a well developed EA practice and in 2009 the EA practice has adopted
TOGAF 9 as the primary Framework for Enterprise Architectural Change Agent.
Dr Fowles’ main concerns are:
Security of the critical data which they have gained over the years after painstaking research.
Although Rexlon had an adequate security system Dr Fowles feels it may not be adequate to deal
with the new order of things, especially with data which is highly confidential and if leaked would
have major financial impact on the Company.
Dr Fowles calls his CIO and explains his position to him and entrusts whim with the responsibly of
evaluating the current security system, operation and governance and determine which are the gaps
which need to be addressed during the fresh architectural work. Assume that a new Security
Framework would be used in the ADM life cycle. To protect Rexlon’s valuable IP.
The CIO apprises the Lead Architect of the sensitive nature of the work he has to complete within
the next 2 months.
Identify which of the following processes would be most appropriate for the Lead Architect to adopt
in this situation.
A.
Identify the sources of threat, review the relevant security statutes, see how disaster recovery can
be achieved, find who are the actors vis vis the system and design suitable access control
mechanisms, identify critical data and applications and ensure that they are given the highest level
of security
B.
First revisit the Preliminary Phase to determine the tailoring of ADM vis a vis Security. Identify any
change in the Principles or additions to be carried out. Engage with all Stakeholders to finalize the
Vision. Then in Business, Information systems and Technology Architectures ensure the Security
Frame work adopted to the ADM addresses all critical security issues. Finally conduct an overall
review to assess how effective the security ecosystem designed is and whether it meets the security
level desired
C.
Invoke Preliminary Phase and Vision Phase Identify Sources of threat, review and determine
revised regulatory, security and assumptions, document them get management buy in , develop
business continuity plans especially for critical data operations, assure data, application and
technological component security.
D.
Determine who are the people who are hacking into similar organizations, ensure that highly
secure measures are taken when external people enter the R&D and manufacturing locations,
ensure that there is a very strong firewall so that people cannot get illicit entry into the system,
periodically check the effectiveness of the security measures
I disagree with A.
I would say B because TOGAFish language including principles and tailoring of ADM. than C is appropriate as well.
A doesn’t make sense for architect trying to identfy source of threat ad D is of-course crazy.
5
0
Agree that B is a better option. Even C seems to be better than A.
3
0
I agree with A because it’s a more “quick-and-dirty” approach than others (not considering D, that is a solution with so much technology details, f.e. “very strong firewall”).
I did not choose C, that in my opinion it’s similar because it assumes to document and plan but everything must “The CIO apprises the Lead Architect of the sensitive nature of the work he has to complete within the next 2 months.”, so…
We don’t have IMO so much time to do that, and even to (B) “First revisit the Preliminary Phase to determine the tailoring of ADM vis à vis Security.” and “Finally conduct an overall review to assess how effective the security ecosystem designed is and whether it meets the security level desired”
1
0
I disagree with A as well.
TOGAF recommends that the security considerations are addressed “during application of the TOGAF Architecture Development Method (ADM)”
Could anyone explain why B was given as correct answer?
0
0
*typo – why A was given as correct answer
0
0
I agree with Sivix. B seems more accurate and then comes C. But A does not make sense.
1
0
Answer B.
See 6.4 Steps. Answer B follows these steps
som aspects:
Taylor TOGAF and, if any, other selected Architecture Frameworks –> security Framework
Identify Priciples –> change in the Principles or additions to be carried out
Next Vison –> phase A, including stakeholder mgt
Next design architecture B-D
Further more TOGAF is about structure. Even if it needs to be quick it must be structured. Answer A is not structured and cannot be the correct answer
Any thoughts?
1
0
I will go with B.
1
0
i would say B
0
0
Question is to identify the gap that needs to be address, question is not to approach to address concern raised. as per requirement management mentioned in sec 21.4, there is a need to identify requirements to be addressed and based on that
Answer A make sense.
Ref : Sec 21.4
New security requirements arise from many sources:
1. A new statutor y or regulatory mandate
2. A new threat realized or exper ienced
3. A new IT architecture initiative discovers new stakeholders and/or new requirements
In the case where 1. and 2. above occur, these new requirements would be drivers for input to
the change management system discussed in Phase H. A new architecture initiative might be
launched to examine the existing infrastr ucture and applications to determine the extent of
changes required to meet the new demands. In the case of 3. above, a new secur ity requirement
will enter the requirements management system.
4
0
The Answer A is right.
As time lines are 2 months, then we should go for cut down ADM.
And the concern is finding gaps in data security so need to look for security architecture in information security phase only for security gap analysis.
21.8 Phase C: Information Systems Architectures
Assess and baseline current security-specific architecture elements (enhancement of existing objective)
then look for section 28.1.1 for security input in information security.
D is distractor.
2
3