TOGAF Enterprise Architecture Practitioner — Question 106
Please read this scenario prior to answering the question
Your role is that of an Enterprise Architect, reporting to the Chief Enterprise Architect, at a technology company. The company provides staff, as well as cloud-based services for many government agencies.
The company uses the TOGAF standard as the method and guiding framework for its Enterprise Architecture (EA) practice. The Chief Technology Officer (CTO) is the sponsor of the activity. The practice uses an iterative approach for its architecture development. This has enabled the decision makers to gain valuable insights into the different aspects of the business.
The nature of the business is such that the data and information stored on the company systems are the company’s major asset and are highly confidential. The company employees work remotely and need constant access to the company systems, which is provided over the public infrastructure. They use message encryption, secure internet connections using Virtual Private Networks (VPNs), and other standard security measures. The company has provided computer security awareness training for all its staff.
The Chief Security Officer (CSO) has noted an increase in distributed denial of service (DDoS) attacks on companies with a similar profile. The CSO understands that even with thorough preparation, a major attack could stop employees from being able to do their jobs. This could lead to a large financial loss, damage to the company’s reputation with customers, and employees being unable to work.
A risk assessment has been completed and the company has looked for cyber insurance that covers such attacks. The price for this insurance is very high. The CTO has decided not to get cyber insurance to cover such attacks.
You have been asked to describe the steps you would take to strengthen the current architecture to improve data protection.
Based on the TOGAF standard, which of the following is the best answer?
Answer options
- A. You would assess the business continuity requirements and analyze the current Enterprise Architecture for gaps. You would recommend changes to address the situation and create a change request. You would arrange a meeting of the Architecture Board to assess and approve the change request. Once approved you would create a new Request for Architecture Work to begin an ADM cycle to implement the changes.
- B. You would request an Architecture Compliance Review with the scope to examine the company’s ability to respond to such attacks. You would identify the departments involved and have them nominate representatives. You would then tailor checklists to address the requirement for increased resilience. You would circulate them to the nominated representatives for them to complete. You would then review the completed checklists, identifying and resolving issues. You would then determine and present your recommendations.
- C. You would ensure that the company has in place up-to-date processes for managing change to the current Enterprise Architecture. Based on the scope of the concerns raised you recommend that this be managed at the infrastructure level. Changes should be made to the baseline description of the Technology Architecture. The changes should be approved by the Architecture Board and implemented by change management techniques.
- D. You would monitor for technology updates from your existing suppliers that could enhance the company’s capabilities to detect, react, and recover from an IT security incident. You would prepare and run a disaster recovery planning exercise for an attack and analyze the performance of the current Enterprise Architecture. Using the findings, you would prepare a gap analysis of the current Enterprise Architecture. You would prepare change requests to address identified gaps. You would add the changes implemented to the Architecture Repository.
Correct answer: A
Explanation
The correct answer is A because it follows the TOGAF approach of assessing business continuity requirements and analyzing the current architecture for gaps, leading to a structured change request process. Options B, C, and D, while relevant, do not directly address the immediate need for a comprehensive evaluation and structured response to enhance architecture in light of potential DDoS attacks.