TOGAF Enterprise Architecture Practitioner — Question 105
Please read this scenario prior to answering the question.
You are an Enterprise Architect working at an electric vehicle manufacturer. You are part of an Enterprise Architecture (EA) team that has responsibilities across multiple divisions of the company. The company produces electric cars and battery systems. The goal of the company is to build the best technology and software platform to support self-driving cars.
An architecture to support strategy has been completed defining a long-term Target Architecture with a roadmap over five years. This has identified the need for a portfolio of projects over the next two years. The portfolio includes the development of travel assistance systems using data gathered from multiple vehicles on the road.
The design of the presentation and accessibility of different types of data that the company plans to offer through its platform appears to be challenging. It is important for the application portfolio to work securely with third-party cloud services and V2X (Vehicle-to-Everything) service providers across many countries in order to effectively manage large amounts of data. Stakeholders are particularly concerned about the security of V2X. Regulations in various markets mandate that user privacy must always be safeguarded, to prevent tracking and compiling of data that could reveal drivers’ journeys.
The company uses the TOGAF Standard as the basis for its Enterprise Architecture framework. Architecture development within the company uses the purpose-based EA Capability Model as described in the TOGAF Series Guide: A Practitioner’s Approach to Developing Enterprise Architecture Following the TOGAF® ADM. The EA team reports to the Chief Information Officer (CIO), who is the sponsor of the EA program.
The current phase of architecture development is focused on the Business Architecture, which needs to support the primary travel assistance services that the company plans to provide. These services will manage and process the data created by vehicles, paving the way for self-driving vehicles in the future.
Refer to the scenario.
You have been asked to describe the risk and security considerations you would include in the current phase of the architecture development.
Based on the TOGAF Standard, which of the following is the best answer?
Answer options
- A. You focus on data quality as it is a key factor in risk management. You identify the datasets that need to be safeguarded. For each dataset, you assign ownership and responsibility for the quality of data needs. A security classification will be defined and applied to each dataset. The dataset owner is then able to authorize processes that are trusted for a certain activity on the dataset under specific circumstances.
- B. You perform a qualitative risk assessment for the data assets exchanged with partners. This delivers a set of priorities, high to medium to low, based on identified threats, the likelihood of occurrence, and the impact if it does occur. Using the priorities, you then develop a Business Risk Model that details the risk strategy including classifications to determine what mitigation is enough.
- C. You create a security domain model so that assets with the same level can be managed under one security policy. Since data is being shared across partners, you establish a security federation to include them. This includes contractual arrangements, and a definition of the responsibility areas for the exchanged data, as well as security implications. You undertake a risk assessment determining risks relevant to specific data assets.
- D. You focus on the relationship with the third parties required for the travel assistance systems and define a trust framework. This describes the relationship with each party. Digital certificates are a key part of the framework and will be used to create trust between parties. You monitor legal and regulatory changes across all countries to keep the trust framework in compliance.
Correct answer: C
Explanation
The correct answer is C because it comprehensively addresses the need for a security domain model and a security federation, which are essential when sharing data with partners while focusing on specific risks related to data assets. Options A and B, while important, do not fully encompass the collaborative nature of the security requirements in a multi-party environment. Option D, though relevant to trust, does not prioritize the necessary risk assessment and management of data assets themselves.