PrepAway - Latest Free Exam Questions & Answers

which of the following is the best answer?

Scenario
Please read this scenario prior to answering the question
You are serving as the Lead Architect for an insurance company, which has been formed through the
merger of three previously independent companies. The company now consists of three divisions
with the same names and division headquarters as their predecessors.
The lack of integration between the three divisions has increasingly caused problems in the handling
of customer and financial information. The inability to share information has resulted in lost
opportunities to “leverage the synergies” that had been intended when the company was formed. At
present, each division maintains its own applications. Despite an earlier initiative to install a
common application to manage customer, products, and claims information, each division has
different ways of defining these core elements and has customized the common application to the
point where the ability to exchange information is difficult, costly, and error-prone.
As a result, the company has made the decision to introduce a common web portal, contact center
software suite, and document management system. The company has also selected a single
enterprise-wide customer relationship management (CRM) application to consolidate information
from several applications that exist across the divisions. The application will be used by each of the
divisions and accessed by third-party partners through well-defined interfaces.
The Corporate Board is concerned that the new application must be able to manage and safeguard
confidential customer information in a secure manner that meets or exceeds the legal requirements
of the countries in which the company operates. This will be an increasingly important capability as
the company expands its online services in cooperation with its partners.
The CIO has formed an Enterprise Architecture department, and one of the primary goals in its
charter is to coordinate efforts between the implementation team and the migration teams in each
division. The CIO has also formed a cross-functional Architecture Board to oversee and govern the
architecture. The company has an existing team of security architects.
TOGAF 9 has been selected as the core framework for use for the Enterprise Architecture program.
The CIO has endorsed this choice with the full support of top management.
Refer to the Scenario
In the Preliminary Phase you need to define suitable policies and ensure that the company has the
appropriate capability to address the concerns of the Corporate Board.
Based on TOGAF, which of the following is the best answer?

A.
You evaluate the implications of the concerns raised by the Corporate Board in terms of
regulatory requirements and their impact on business goals and objectives. Based on this
understanding, you then issue a Request for Architecture Work to commence an architecture
development project to develop a solution that will address the concerns. You allocate a security
architect to oversee the implementation of the new application that is being developed.

B.
You start by clarifying the intent that the Board has for raising these concerns. This enables you to
understand the implications of the concerns in terms of regulatory requirements and the potential
impact on current business goals and objectives. You propose that a security architect or security
architecture team be allocated to develop a comprehensive security architecture and that this be
considered an additional domain architecture.

C.
You evaluate the implications of the Board’s concerns by examining the security and regulatory
impacts on business goals, business drivers and objectives. Based on your understanding, you then
update the current security policy to include an emphasis on the concerns. You define architecture
principles to form constraints on the architecture work to be undertaken in the project. You then
allocate a security architect to ensure that security considerations are included in the architecture
planning for all domains.

D.
You identify and document the security and regulatory requirements for the application and the
data being collected. You ensure that written policies are put in place to address the requirements,
and that they are communicated across the organization, together with appropriate training for key
employees. You identify constraints on the architecture and communicate those to the architecture
team. You establish an agreement with the security architects defining their role within the ongoing
architecture project.

10 Comments on “which of the following is the best answer?”

  1. osanimm says:

    Same question 18.
    According to 21.5
    Define and document applicable regulatory and security policy requirements:
    The framework and principles rarely change, and so the security implications called out in the
    objectives of this phase should be fairly straightforward. A written security policy for the
    organization must be in place, and there should be regular notification and education established
    for employees
  2. Ahmed Abdulaal says:

    I believe the correct answer is A then D
    —–
    The security policy and security standards become part of the enterprise requirements management process. Security policy is established at an executive level of the business, is long-lived, and resistant to whimsical change. Security policy is not tied to any specific technology. Once the security policies are established, they can be referred to as requirements for all architecture projects.
    —–
    so the policy is endured and rarely changed.
  3. Punjab says:

    Initially I was tossing up between C and D.

    The key here is to read chapter 21 (Security architecture), rather than just chapter 6 (Preliminary phase).

    The way that the TOGAF spec is written, chapter 21 actually tells you how the security architecture is used in each phase. It could just as easily have been included in the actual chapter for the phase, I think.

    So reviewing section 21.5 – preliminary phase, there is the section “define and document applicable regulatory and security policy requirements”.

    Hence, the answer is “D”.