The Open Group TOGAF Enterprise Architecture Combined Part 1 and Part 2 OGEA-103 Exam Questions

Page: 1 / 14
Total 180 questions

Want more questions? Get Premium Access.
()

Question 1

Scenario

You are working as an Enterprise Architect within a large manufacturing company. The company has multiple divisions located worldwide.

After a recent study, senior management is concerned about the impact of the company's multiple data centers and duplication of applications on business efficiency. To address this concern, a strategic architecture has been defined; it will help improve the ability to meet customer demand and improve the efficiency of operations. The strategic architecture involves the consolidation of multiple application programs that are currently used in different divisions and putting them all onto a cloud-based solution instead.

Each division has completed the Architecture Definition documentation to meet its own specific operational requirements. The enterprise architects have analyzed the corporate changes and implementation constraints. A consolidated gap analysis has been completed. Based on its results, the architects have reviewed the requirements, dependencies, and interoperability requirements needed to integrate the cloud-based solution. The architects have completed the Business Transformation Readiness Assessment. Based on all these factors, they have produced a risk assessment. They have also completed the draft Implementation and Migration Plan, the draft Architecture Roadmap, and the Capability Assessment deliverables.

Due to the risks of changing from the current environment, the decision has been taken that a gradual approach is needed to implement the target architecture. It will likely take a few years to complete the whole implementation process.

The company has a mature Enterprise Architecture (EA) practice and uses the TOGAF standard for its architecture development method. The EA practice is engaged throughout all the divisions, with implementation governance assigned to a business line. In addition to providing guidance on using architecture frameworks, including business planning, project/portfolio management, and operations management, the EA program is sponsored by the Chief Information Officer (CIO).

You have been asked to decide on the next steps for the migration planning.

Based on the TOGAF standard, which of the following is the best answer?

AYou update the Architecture Definition Document, which includes setting project objectives and documenting the final requirements. This will ensure that the architecture remains relevant and responsive to the needs of the enterprise. You then produce an Implementation Governance Model to manage the lessons learned prior to finalizing the Implementation and Migration Plan. You recommend that lessons learned be applied as changes to the architecture without review.

BYou conduct a series of Compliance Assessments to ensure that the architecture is being implemented according to the contract. The Compliance Assessment verifies that the implementation team is using the proper development methodology. It should include deployment of monitoring tools and ensure that performance targets are being met. If they are not met, then you would identify changes to performance requirements and update those in the Implementation and Migration Plan.

CYou examine how the Implementation and Migration Plan affects the other frameworks being used in the organization. You coordinate the planning with the business planning, project/portfolio management, and operations management frameworks. You assign a business value to each project, considering the available resources and how well they align with the strategy. You then update the architecture roadmap and the Implementation and Migration Plan.

DYou assess the business value for each project by applying the Business Value Assessment Technique. The assessment should focus on return on investment and performance evaluation criteria to prioritize the most progress of the architecture transformation. You confirm and plan a series of Transition Architecture phases using an Architecture Definition Increments Table. You document the lessons learned and generate the final Implementation and Migration Plan.

Answer : C

Context of the Scenario

The organization is currently in the Migration Planning phase, which corresponds to Phase F of the TOGAF ADM (Architecture Development Method). The key activities for this phase involve:

Evaluating dependencies and impacts on other organizational frameworks.

Aligning the roadmap and migration plan with strategic objectives and available resources.

Addressing the risks of transitioning from the current architecture to the target architecture using a phased approach.

The deliverables (Architecture Roadmap, Capability Assessment, etc.) and assessments (Gap Analysis, Risk Assessment, Transformation Readiness) have already been developed. The next step is to refine and finalize the migration planning.

Option Analysis

Option A:

While updating the Architecture Definition Document could ensure alignment, this step was completed in earlier phases (B, C, D). At this stage, further changes to the architecture must go through a formal governance review, and applying lessons learned without review contradicts TOGAF principles.

Producing an Implementation Governance Model is more relevant in Phase G (Implementation Governance), not in Phase F.

Conclusion: Incorrect, as it suggests revisiting earlier steps and does not align with the current phase.

Option B:

Conducting Compliance Assessments ensures the architecture is implemented correctly, but this is a task for Phase G (Implementation Governance) after migration planning has been finalized and implementation begins.

Deployment of monitoring tools is also part of implementation and governance activities, not migration planning.

Conclusion: Incorrect, as it focuses on tasks belonging to a later phase.

Option C:

Examining how the Implementation and Migration Plan affects other organizational frameworks is critical in Phase F, as TOGAF emphasizes alignment with business planning, project/portfolio management, and operations management.

Assigning business value to each project ensures prioritization and optimal allocation of resources.

Updating the Architecture Roadmap and the Implementation and Migration Plan based on this analysis ensures strategic alignment and readiness for implementation.

Conclusion: Correct, as it addresses the key objectives of the Migration Planning phase comprehensively.

Option D:

Applying the Business Value Assessment Technique is valid for prioritizing initiatives but is a limited aspect of Migration Planning.

Planning Transition Architecture phases and documenting lessons learned are valid, but this does not address broader organizational impacts or dependencies as effectively as Option C.

Conclusion: Narrow focus; less comprehensive than Option C.

Reference to TOGAF

Phase F (Migration Planning): The focus is on aligning the migration plan with business objectives, considering organizational dependencies, and prioritizing projects (TOGAF 9.2, Chapter 12).

Architecture Roadmap and Implementation Plan: Updated to reflect changes in priorities and alignment with business frameworks (TOGAF 9.2, Section 12.4).

Framework Integration: Collaboration with other frameworks (e.g., business planning, portfolio management) ensures alignment across the organization (TOGAF 9.2, Section 6.5.2).

Business Value Assessment Technique: Used to prioritize initiatives based on return on investment and performance criteria (TOGAF 9.2, Section 24.4).

Question 2

Scenario:

You are working as an Enterprise Architect at a large company. The company runs a chain of home improvement stores, as well as a website for selling products. The website lets many brands work with the company.

The stores open seven days a week and use a standard method to track sales and inventory. This involves sending accurate and timely sales data to a central inventory management system that can predict demand, adjust stock levels, and automate reordering. The website is supported by regional fulfillment centers and also uses the central inventory management system. The central inventory management system is housed at the company's central data center.

The company has agreed to merge with a major competitor. The leadership teams of both organizations have said they are committed to a smooth transition for customers. All stores will keep their own brand names. They will combine the systems of the organizations, which includes merging retail operations and systems. Duplicated systems will be replaced with one standard retail management system. Additionally, they will reduce the number of applications being used. The CIO expects that these changes will lead to substantial cost savings for the newly merged company.

An enterprise plan for both organizations has been created. The aim is to set priorities for the transition, especially in terms of information management and application development. It is crucial to make decisions that will create long-term value.

The company has a mature Enterprise Architecture (EA) practice and uses the TOGAF standard for its architecture development method. The EA program is sponsored by the Chief Information Officer (CIO).

The Request for Architecture Work to oversee the transition has been approved. The project has been scoped, and you have been assigned to work on it.

You have been asked to confirm the most relevant architecture principles for the transition.

Based on the TOGAF Standard, which of the following is the best answer?

AControl Technical Diversity, Interoperability, Data is an Asset, Data is Shared, Business Continuity

BService Orientation, Compliance with the Law, Requirements Based Change, Responsive Change Management, Data Security

CCommon Use Applications, Data is an Asset, Common Vocabulary and Data Definitions, Maximize Benefit to the Enterprise, Business Continuity

DEase of Use, Common Use Applications, Data is an Asset, Technology Independence, Business Continuity

Answer : C

The correct answer is C, as it aligns with the key TOGAF principles necessary for guiding enterprise architecture in a merger scenario where retail operations and systems are being consolidated.

Analysis of the Principles in Option C:

Common Use Applications

Since the two companies are merging, it is essential to standardize applications across the enterprise.

Using common applications ensures consistency, reduces costs, and improves efficiency.

TOGAF emphasizes this principle to prevent duplicate or redundant systems, which aligns with the CIO's goal of reducing the number of applications used.

Data is an Asset

In the scenario, a central inventory management system is a core business function.

Treating data as an asset ensures it is managed properly, shared efficiently, and used strategically across the merged organization.

This principle supports the company's ability to predict demand, adjust stock levels, and automate reordering.

Common Vocabulary and Data Definitions

The merger requires integrating different systems and data structures.

Having a common vocabulary ensures that all stakeholders (stores, fulfillment centers, and digital platforms) use consistent terminology and data definitions.

This minimizes confusion and ensures interoperability across business functions.

Maximize Benefit to the Enterprise

Every architectural decision should focus on the overall benefit to the business.

By consolidating IT systems and reducing redundancies, the company achieves cost savings, which directly supports this principle.

Business Continuity

The stores operate seven days a week, so system changes must ensure uninterrupted service.

Business continuity ensures that customers are not affected during the transition and that critical retail operations (sales, inventory tracking, and fulfillment) remain functional.

Why Other Options Are Incorrect?

Option A: Control Technical Diversity, Interoperability, Data is an Asset, Data is Shared, Business Continuity

Control Technical Diversity is not the primary concern here. The focus is on system consolidation, not necessarily on limiting technology diversity.

Interoperability is important but not as critical as defining a common system and data structure.

Option B: Service Orientation, Compliance with the Law, Requirements-Based Change, Responsive Change Management, Data Security

While service orientation and compliance are valuable, they are not the most relevant to this specific business transition.

Change management and data security are important but do not address the primary enterprise-wide architectural concerns of system consolidation.

Option D: Ease of Use, Common Use Applications, Data is an Asset, Technology Independence, Business Continuity

Ease of Use is beneficial but is not a core architecture principle in this case.

Technology Independence is useful but does not align directly with the scenario's priority, which is consolidating applications and data structures.

TOGAF Standard, ADM Techniques, Architecture Principles (Section 2.6)

TOGAF Standard, Part III: ADM Guidelines and Techniques

TOGAF Enterprise Architecture Principles -- The Open Group

Question 3

What provides context for architecture work, by describing the needs and ways of working employed by the enterprise?

AArchitecture Contracts

BBusiness principles business goals, and business drivers

CStrategy and vision

DStakeholder needs

Answer : B

Business principles business goals, and business drivers provide context for architecture work, by describing the needs and ways of working employed by the enterprise. They define what the enterprise wants to achieve, how it wants to operate, and what factors influence its decisions and actions. Reference: The TOGAF Standard | The Open Group Website, Section 3.2 Preliminary Phase.

Question 4

Scenario

You are working as an Enterprise Architect within an Enterprise Architecture (EA) team at a large government agency. The agency has multiple divisions.

The agency has a well-established EA practice and follows the TOGAF standard as its method for architecture development. Along with the EA program, the agency also uses various management frameworks, including business planning, project/portfolio management, and operations management. The EA program is sponsored by the Chief Information Officer (CIO), who has actively promoted architecting with agility within the EA department as her preferred approach for projects.

The government has mandated that the agency prepare themselves for an Artificial Intelligence (AI)-first world, which they have called their ''AI-first'' plan. As a result, the agency is looking to determine the impact and role that AI will play moving forward. The CIO has approved a Request for Architecture Work to look at how AI can be used for services across the agency. She has noted that digital platforms will be a priority for investment in order to scale the AI applications planned. Using AI to automate tasks and make things run smoother is seen as a big advantage. Process automation and improved efficiency from manual, repetitive activities have been identified as the key benefits of applying generative AI to their agency's business. This will include back-office automation, for example, for help center agents who receive hundreds of email inquiries. This should also improve services for citizens by making them more efficient and personalized, tailored to each individual's needs.

Many of the agency leaders are worried about relying too much on AI. Some leaders think their employees will need to learn new skills. Some employees are worried they might lose their jobs to AI. Other leaders worry about security and cyber resilience in the digital platforms needed for AI to be successful.

The leader of the Enterprise Architecture team has asked for your suggestions on how to address the concerns, and how to manage the risks of a new architecture for the AI-first project.

Based on the TOGAF standard, which of the following is the best answer?

AYou recommend creating an Organization Map to display the links between different parts of the agency. This will help the EA team to find and involve all areas of the agency impacted by this strategic change. Multiple business models should then be created that can be applied to AI-related projects. A meeting will be held with the stakeholders to teach them how to interpret the models and see how their concerns are being addressed. Risk will be managed as part of the Security Architecture development.

BYou recommend that the key stakeholders be formally identified. This should include those who will be most helpful for the change to be successful. A Communication Plan should be made to address their needs. This plan should include a report that summarizes the key features of the architecture based on stakeholder requirements and addressing concerns. You communicate with each key stakeholder to make sure their concerns are being addressed. You make sure that the architecture being developed clearly addresses risk management.

CYou recommend conducting an analysis of the stakeholders. This involves documenting the positions, concerns, issues, and cultural factors of each group. This information will shape how the architecture is to be presented and communicated. The concerns and relevant views can then be defined for each group and recorded in the Architecture Vision document. The requirements for addressing risk should be recorded in the Architecture Requirements Specification and checked through regular assessments and feedback.

DYou recommend conducting an analysis that separates the different types of stakeholders into groups. They can be divided into categories: corporate functions, end-user organization, project team, external vendors, and external partners. A model will be developed for each stakeholder category to ensure that all the necessary information and actions are taken into account. Meetings will be arranged with stakeholders to verify that their concerns have been adequately addressed. Risk management will be included in this process.

Answer : C

Comprehensive and Detailed Step-by-Step Explanation

Context of the Scenario

The agency is initiating a strategic ''AI-first'' plan to transform processes using AI and improve efficiency while ensuring service improvements for citizens. Several stakeholder concerns have been raised, such as:

Job security for employees.

Skill development for adapting to new technologies.

Cybersecurity and resilience risks due to reliance on digital platforms.

TOGAF emphasizes the importance of stakeholder management, communication, and risk management to ensure successful adoption and implementation of new architecture. These concerns need to be addressed methodically by gathering requirements, analyzing stakeholder positions, and ensuring proper communication of risks and benefits.

Option Analysis

Option A:

Strengths:

Proposes creating an Organization Map to identify the links between different parts of the agency and the impact of the strategic change.

Suggests holding stakeholder meetings to address concerns.

Includes managing risks as part of Security Architecture development.

Weaknesses:

Focusing solely on creating business models and teaching stakeholders how to interpret them does not directly address cultural and positional concerns about job loss, skill development, and security.

Risk management is addressed as part of Security Architecture development but lacks broader integration into stakeholder requirements.

Conclusion: Incorrect, as it fails to systematically document stakeholder concerns and map them into requirements and architecture decisions.

Option B:

Strengths:

Highlights the importance of formal stakeholder identification and creating a Communication Plan.

Suggests addressing stakeholder concerns through communication and risk management.

Weaknesses:

Does not go into detail on analyzing stakeholder concerns, cultural positions, or specific requirements.

Lacks the inclusion of stakeholder feedback in architecture artifacts like the Architecture Vision or Requirements Specification, which are critical TOGAF outputs.

Conclusion: Incorrect, as it does not include a systematic and structured approach for stakeholder analysis and integration into architecture deliverables.

Option C:

Strengths:

Emphasizes conducting a thorough stakeholder analysis to document concerns, positions, and cultural factors, which aligns with TOGAF's approach in Phase A (Architecture Vision).

Ensures stakeholder views and requirements are recorded in the Architecture Vision document and reflected in the Architecture Requirements Specification.

Includes continuous assessment and feedback, ensuring concerns are addressed and risks managed effectively.

Aligns with TOGAF's principle of involving stakeholders in architecture development to ensure alignment and success.

Weaknesses:

Could further detail how risk management is included across all phases, but this is implied through integration into the Architecture Requirements Specification.

Conclusion: Correct, as it provides a structured and detailed approach for addressing stakeholder concerns and managing risks within TOGAF's framework.

Option D:

Strengths:

Suggests categorizing stakeholders into groups and creating models for each category.

Proposes arranging meetings to verify that concerns have been addressed.

Includes risk management as part of the process.

Weaknesses:

Dividing stakeholders into generic categories (e.g., corporate functions, project team) may not adequately capture specific cultural factors and concerns raised in the scenario.

Lacks integration of stakeholder feedback into architecture deliverables such as the Architecture Vision and Architecture Requirements Specification.

Conclusion: Incorrect, as it provides a generalized and less targeted approach to stakeholder concerns compared to Option C.

TOGAF Reference

Stakeholder Management (Phase A): TOGAF emphasizes analyzing stakeholders' positions, concerns, and issues to shape architecture development and communication (TOGAF 9.2, Section 24.2).

Architecture Vision: Captures high-level requirements and stakeholder views to ensure alignment with business goals (TOGAF 9.2, Section 6.2).

Architecture Requirements Specification: Records detailed requirements, including those related to risk management, to guide the development of target architectures (TOGAF 9.2, Section 35.5).

Iterative Feedback: Regular assessments and feedback loops are critical to ensure stakeholder concerns are addressed effectively throughout the ADM cycle.

By selecting Option C, the approach adheres to TOGAF's principles of stakeholder analysis, communication, and integration of concerns into architecture development.

Question 5

Full Scenario (Complete and Unmodified):

You are employed as an Enterprise Architect at a healthcare company. The company operates over 250 hospitals and is dedicated to transforming healthcare with new ideas and advancements. The company has multiple divisions including surgery centers, freestanding emergency departments, urgent care clinics, and physician practices. They also develop and supply a range of products and services, many with specialized systems and clinical needs.

The company's Enterprise Architecture (EA) department has been operating for several years and has mature, well-developed architecture governance and development processes following the TOGAF standard. The Chief Information Officer (CIO) is the sponsor of the Enterprise Architecture program.

Healthcare is a highly controlled sector, and the company must maintain robust security practices to keep patient information private and prevent data breaches. The company shares electronic health records with multiple providers and has standardized its medical coding for billing and reporting.

Many of the company's rivals have begun using Artificial Intelligence (AI) in their operations, and the indications are that this will be transformative for healthcare delivery. This is something the EA department has been interested in for a while, and they had recently submitted an architecture Change Request which was approved. As a result, the CIO has approved a Request for Architecture Work to implement AI-based solutions in the company.

The project has been established and you have been assigned to work on it. Stakeholders, concerns, and business requirements have been identified. The stakeholders have made it clear that timely implementation of changes can be life-critical, and that changes should be focused on improving patient outcomes. They also have a concern about disruption due to the changes and require the systems to preserve clinical data access and maintain critical life-support systems during any outages.

The scope of what is inside and what is outside the architecture efforts has now been confirmed. Your task is to revisit and review the Architecture Principles, as they form part of the constraints on architecture work.

The EA team leader has asked you to explain which Architecture Principles are most relevant for this project.

Based on the TOGAF standard, which of the following is the best answer?

(Assume the company follows the example Architecture Principles from the TOGAF ADM Techniques -- Architecture Principles chapter.)

ACompliance with the Law, Interoperability, Control Technical Diversity

BResponsive Change Management, Primacy of Principles, Maximize Benefit to the Enterprise

CCommon Vocabulary and Data Definitions, Data Security, Requirements-Based Change

DCommon Use Applications, Information Management Is Everybody's Business, Data Is Accessible

Answer : C

Comprehensive and Detailed Explanation From Exact Extract (150--250 words):

Option C is the best answer because it directly aligns with the most critical concerns expressed in the scenario and maps precisely to the example Architecture Principles defined in the TOGAF standard.

The principle Common Vocabulary and Data Definitions is essential in a healthcare environment where standardized medical coding, shared electronic health records, and cross-provider data exchange are core operational requirements. Without consistent data definitions, AI-based solutions would misinterpret clinical information, leading to unsafe or incorrect outcomes.

Data Security is one of the most fundamental principles in regulated industries such as healthcare. The scenario explicitly highlights privacy, prevention of data breaches, system availability, and protection of life-critical systems. This principle ensures confidentiality, integrity, and availability of patient data, all of which are non-negotiable constraints for architecture work in this context.

Requirements-Based Change ensures that architectural decisions are driven by clearly defined business and clinical requirements rather than technology trends alone. This is particularly important for AI initiatives, where stakeholder concerns emphasize patient outcomes, life-critical timing, and minimal disruption. This principle ensures that AI adoption is justified, traceable, and aligned with healthcare priorities.

The other options either focus too broadly on governance, enterprise-wide benefit, or general accessibility, and do not sufficiently address the clinical safety, data integrity, and requirements-driven nature of the project. Therefore, Option C best reflects TOGAF guidance for this scenario.

Question 6

Which of the following describes the practice by which the enterprise architecture is managed and controlled at an enterprise-wide level?

ACorporate governance

BArchitecture governance

CIT governance

DTechnology governance

Answer : B

According to the TOGAF Standard, 10th Edition, architecture governance is ''the practice by which enterprise architectures and other architectures are managed and controlled at an enterprise-wide level'' 1. Architecture governance ensures that the architecture development and implementation are aligned with the strategic objectives, principles, standards, and requirements of the enterprise, and that they deliver the expected value and outcomes. Architecture governance also involves establishing and maintaining the architecture framework, repository, board, contracts, and compliance reviews 1. The other options are not correct, as they are not the term used by the TOGAF Standard to describe the practice by which the enterprise architecture is managed and controlled at an enterprise-wide level. Corporate governance is ''the system by which an organization is directed and controlled'' 2, and it covers aspects such as leadership, strategy, performance, accountability, and ethics. IT governance is ''the system by which the current and future use of IT is directed and controlled'' 2, and it covers aspects such as IT strategy, policies, standards, and services. Technology governance is ''the system by which the technology decisions and investments are directed and controlled'' 3, and it covers aspects such as technology selection, acquisition, deployment, and maintenance. Reference: 1: TOGAF Standard, 10th Edition, Part VI: Architecture Governance, Chapter 44: Introduction. 2: TOGAF Standard, 10th Edition, Part I: Introduction, Chapter 3: Definitions. 3: TOGAF Series Guide: Using the TOGAF Framework to Define and Govern Service-Oriented Architectures, Part II: Using the TOGAF Framework to Define and Govern Service-Oriented Architectures, Chapter 5: Technology Governance.

Question 7

Scenario

Your role is that of an Enterprise Architect, reporting to the Chief Enterprise Architect, at a technology company.

The company uses the TOGAF standard as the method and guiding framework for its Enterprise Architecture (EA) practice. The Chief Technology Officer (CTO) is the sponsor of the activity. The EA practice uses an iterative approach for its architecture development. This has enabled the decision-makers to gain valuable insights into the different aspects of the business.

The nature of the business is such that the data and the information stored on the company systems is the company's major asset and is highly confidential. The company employees travel a lot for work and need to communicate over public infrastructure. They use message encryption, secure internet connections using Virtual Private Networks (VPNs), and other standard security measures. The company has provided computer security awareness training for all its staff. However, despite good education and system security, there is still a need to rely on third-party suppliers for infrastructure and software.

The Chief Security Officer (CSO) has noted an increase in ransomware (malicious software used in ransom demands) attacks on companies with a similar profile. The CSO recognizes that no matter how much is spent on education and support, the company could be a victim of a significant attack that could completely lock them out of their important data.

A risk assessment has been completed, and the company has looked for cyber insurance that covers ransomware. The price for this insurance is very high. The CTO recently saw a survey that said 1 out of 4 businesses that paid ransoms could not get their data back, and almost thesame number were able to recover the data without paying. The CTO has decided not to get cyber insurance to cover ransom payment.

You have been asked to describe the steps you would take to strengthen the current architecture to improve data protection.

Based on the TOGAF standard, which of the following is the best answer?

AYou would ensure that the company has in place up-to-date processes for managing change to the current Enterprise Architecture. Based on the scope of the concerns raised, you recommend that this be managed at the infrastructure level. Changes should be made to the baseline description of the Technology Architecture. The changes should be approved by the Architecture Board and implemented by change management techniques.

BYou would request an Architecture Compliance Review with the scope to examine the company's ability to respond to ransomware attacks. You would identify the departments involved and have them nominate representatives. You would then tailor checklists to address the requirement for increased resilience. You would circulate to the nominated representatives for them to complete. You would then review the completed checklists, identifying and resolving issues. You would then determine and present your recommendations.

CYou would monitor for technology updates from your existing suppliers that could enhance the company's capabilities to detect, react, and recover from an IT security incident. You would prepare and run a disaster recovery planning exercise for a ransomware attack and analyze the performance of the current Enterprise Architecture. Using the findings, you would prepare a gap analysis of the current Enterprise Architecture. You would prepare change requests to address identified gaps. You would add the changes implemented to the Architecture Repository.

DYou would assess business continuity requirements and analyze the current Enterprise Architecture for gaps. You would recommend changes to address the situation and create a change request. You would engage the Architecture Board to assess and approve the change request. Once approved, you would create a new Request for Architecture Work to begin an ADM cycle to implement the changes.

Answer : B

Comprehensive and Detailed Step-by-Step Explanation

Context of the Scenario

The scenario highlights significant risks due to ransomware attacks and the need to strengthen the company's Enterprise Architecture to improve data protection and resilience. TOGAF emphasizes the Architecture Compliance Review as a mechanism for ensuring the architecturemeets its objectives and addresses specific concerns such as security, resilience, and compliance with organizational goals.

The organization has already conducted a risk assessment but requires actionable steps to:

Address ransomware attack risks.

Increase the resilience of the Technology Architecture.

Ensure proper alignment with governance and compliance frameworks.

Option Analysis

Option A:

Strengths:

Highlights the need for up-to-date processes for managing changes in the Enterprise Architecture.

Recognizes the importance of governance through the Architecture Board and change management techniques.

Weaknesses:

The approach focuses solely on the Technology Architecture baseline but does not address the need for specific steps such as compliance review, gap analysis, or tailored resilience measures for ransomware risks.

It provides a broad and generic approach rather than a targeted plan for ransomware and data protection issues.

Conclusion: Incorrect. While it adheres to governance processes, it lacks specific actions to improve resilience and address the immediate security concerns.

Option B:

Strengths:

Proposes an Architecture Compliance Review, which is a core TOGAF process used to evaluate architecture implementation against defined objectives, ensuring it is fit for purpose.

Involves identifying stakeholders (departments) and tailoring checklists specific to ransomware resilience.

Emphasizes issue identification and resolution through structured review processes.

Weaknesses:

Does not explicitly address longer-term updates to the Enterprise Architecture, but this can be inferred as a next step following compliance recommendations.

Conclusion: Correct. This is the most suitable approach based on TOGAF principles, as it uses an established process to evaluate and improve the architecture's resilience.

Option C:

Strengths:

Includes monitoring for updates from suppliers to enhance detection and recovery capabilities, which is relevant to addressing ransomware risks.

Proposes a gap analysis to identify shortcomings in the current Enterprise Architecture and recommends addressing gaps through change requests.

Incorporates disaster recovery planning exercises, which are useful for testing resilience.

Weaknesses:

While thorough, the approach lacks the Architecture Compliance Review process, which is a more structured way to ensure the architecture meets resilience requirements.

Monitoring suppliers and running disaster recovery exercises are operational steps rather than strategic architectural improvements.

Conclusion: Incorrect. While it includes valid activities, it does not adhere to TOGAF's structured approach for architecture assessment and compliance.

Option D:

Strengths:

Proposes analyzing business continuity requirements and assessing the architecture for gaps, which is relevant to the scenario.

Suggests initiating an ADM cycle to address gaps, which aligns with TOGAF principles.

Weaknesses:

Focusing on initiating a new ADM cycle may be premature, as the immediate priority is to evaluate the existing architecture and address specific resilience concerns.

Does not mention compliance review or tailored resilience measures for ransomware attacks, which are central to the scenario.

Conclusion: Incorrect. It proposes a broader approach that may not adequately address the immediate concerns highlighted by the CSO.

TOGAF Reference

Architecture Compliance Review: A structured process used to evaluate whether an architecture meets the stated goals, objectives, and requirements (TOGAF 9.2, Chapter 19). It is particularly useful for identifying and addressing resilience requirements in scenarios involving security risks.

Stakeholder Engagement: Identifying and involving stakeholders (e.g., departments) is a critical part of architecture governance and compliance review (TOGAF 9.2, Section 24.2).

Change Management: The Architecture Compliance Review supports identifying necessary changes, which are then managed through governance and change management processes (TOGAF 9.2, Section 21.6).

By choosing Option B, you align with TOGAF's structured approach to compliance, resilience, and addressing security concerns.