Pass the The Open Group Enterprise Architecture OGEA-103 Questions and answers with CertsForce

A security domain model is a technique that can be used to define the security requirements and policies for the architecture. A security domain is a grouping of assets that share a common level of security and trust. A security policy is a set of rules and procedures that govern the access and protection of the assets within a security domain. A security domain model can help to identify the security domains, the assets within each domain, the security policies for each domain, and the relationships and dependencies between the domains1

Since the data is being shared across partners, a security federation is needed to establish a trust relationship and a common security framework among the different parties. A security federation is a collection of security domains that have agreed to interoperate under a set of shared security policies and standards. A security federation can enable secure data exchange and collaboration across organizational boundaries, while preserving the autonomy and privacy of each party. A security federation requires contractual arrangements, and a definition of the responsibility areas for the data exchanged, as well as security implications2

A risk assessment is a process that identifies, analyzes, and evaluates the risks that may affect the architecture. A risk assessment can help to determine the likelihood and impact of the threats and vulnerabilities that may compromise the security and privacy of the data assets. A risk assessment can also help to prioritize and mitigate the risks, and to monitor and review the risk situation3

Therefore, the best answer is D, because it describes the risk and security considerations that would be included in the current phase of the architecture development, which is focused on the Business Architecture. The answer covers the security domain model, the security federation, and the risk assessment techniques that are relevant to the scenario.

 1: The TOGAF Standard, Version 9.2, Part III: ADM Guidelines and Techniques, Chapter 35: Security Architecture and the ADM 2: The TOGAF Standard, Version 9.2, Part IV: Architecture Content Framework, Chapter 38: Security Architecture 3: The TOGAF Standard, Version 9.2, Part III: ADM Guidelines and Techniques, Chapter 32: Risk Management

Option C aligns best with TOGAF Phase F: Migration Planning, which deals with developing a detailed Implementation and Migration Plan, ensuring alignment with other enterprise frameworks, and assigning business value to work packages and projects.

???? TOGAF Phase F Activities (from the standard):

Confirm Management Framework Interactions:

Per TOGAF, Phase F ensures that the migration planning is aligned with the business planning, portfolio/project management, and operations management frameworks used by the enterprise (which are mentioned in the scenario).

TOGAF emphasizes coordination between EA and other enterprise governance processes.

Prioritize Projects:

TOGAF recommends using business value, resource availability, and strategic alignment to prioritize the various work packages and projects for implementation.

This is directly referenced in option C: "assign a business value to each project, considering the available resources and how well they align with the strategy."

Update Roadmaps and Implementation Plan:

After coordination and prioritization, the Architecture Roadmap and the Implementation and Migration Plan are updated.

This is essential before formal governance (Phase G).

❌ Why the Other Options Are Incorrect:

A: Incorrect focus on updating the Architecture Definition Document and lessons learned.

The Architecture Definition Document is mostly finalized in Phases B–E.

Lessons learned and governance modeling are more relevant to Phase G (Implementation Governance) and Phase H (Architecture Change Management), not Phase F.

B: Although it mentions the Business Value Assessment Technique (a valid tool in TOGAF), it includes Architecture Definition Increments Table, which is not a standard TOGAF artifact.

Also, "document the lessons learned" is premature in Phase F; these are more applicable in Phase H.

D: Focuses on Compliance Assessment, which is part of Phase G (Implementation Governance), not Phase F.

Changing performance requirements based on monitoring tools is handled during operations and change management, not during migration planning.

???? Source References from TOGAF:

TOGAF 9.2 – Section 11.3 (Phase F: Migration Planning)

"Activities include confirming the enterprise's capability for transition, prioritizing projects, identifying dependencies and resource availability, and co-ordinating with other management frameworks."

TOGAF 9.2 – Section 11.4 Outputs:

Architecture Roadmap (updated)

Implementation and Migration Plan (updated)

Business Value Assessment

Consolidated Gaps, Solutions, and Dependencies

At this stage in the scenario:

A strategic architecture has been completed.

All divisions have completed their Architecture Definition Documents.

Work packages have been defined.

Transition Architectures between Baseline and Target are already identified.

A draft roadmap exists for a multi-year phased migration.

You are now asked to plan the next steps for the migration, which aligns exactly with TOGAF ADM Phase F: Implementation and Migration Planning.

In Phase F, TOGAF prescribes the following key activities:

Evaluate and prioritize projects and work packages

Determine business value, cost, risk, dependencies

Confirm Transition Architectures and sequencing

Update and finalize the Implementation & Migration Plan

Option B is the ONLY answer that correctly follows these required TOGAF steps.

✔ Why Option B is correct

Option B states:

“Estimate the business value for each project by applying the Business Value Assessment Technique … to prioritize the migration projects.”✔ This is a TOGAF-recommended technique specifically for Phase F to evaluate and prioritize transformations using value, risk, and ROI.

“Confirm and plan a series of Transition Architecture phases … using a table of Architecture Definition Increments.”✔ Exactly aligned with TOGAF:

Transition Architectures were identified earlier.

In Phase F, they must be confirmed, sequenced, and documented.

“Update the Implementation and Migration Plan.”✔ This is the required output of ADM Phase F.✔ At this point, the plan must be validated and finalized based on value and prioritization.

Thus, Option B directly matches TOGAF’s prescribed migration planning process.

✘ Why the other options are incorrect

A – Incorrect

Suggests finalizing Architecture Definition documentation—this was already completed by each division.

Introduces an “Implementation Governance Model,” which is not a TOGAF artifact at this stage.

Focuses on lessons learned BEFORE execution, which is not appropriate for migration planning.

C – Incorrect

Focuses only on project selection and resource assignment.

Does not use TOGAF techniques for value/risk evaluation.

Does not reference Transition Architectures, which are central in the scenario.

Oversimplifies Implementation & Migration Planning to resource scheduling.

D – Incorrect

Compliance Assessments occur DURING execution, not before migration planning.

At this stage, no implementation has started, so compliance reviews are premature.

Adjusting performance requirements now has no alignment with TOGAF’s ADM sequence.

Comprehensive and Detailed Step-by-Step Explanation

Context of the Scenario

The scenario highlights significant risks due to ransomware attacks and the need to strengthen the company’s Enterprise Architecture to improve data protection and resilience. TOGAF emphasizes the Architecture Compliance Review as a mechanism for ensuring the architecturemeets its objectives and addresses specific concerns such as security, resilience, and compliance with organizational goals.

The organization has already conducted a risk assessment but requires actionable steps to:

Address ransomware attack risks.

Increase the resilience of the Technology Architecture.

Ensure proper alignment with governance and compliance frameworks.

Option Analysis

Option A:

Strengths:

Highlights the need for up-to-date processes for managing changes in the Enterprise Architecture.

Recognizes the importance of governance through the Architecture Board and change management techniques.

Weaknesses:

The approach focuses solely on the Technology Architecture baseline but does not address the need for specific steps such as compliance review, gap analysis, or tailored resilience measures for ransomware risks.

It provides a broad and generic approach rather than a targeted plan for ransomware and data protection issues.

Conclusion: Incorrect. While it adheres to governance processes, it lacks specific actions to improve resilience and address the immediate security concerns.

Option B:

Strengths:

Proposes an Architecture Compliance Review, which is a core TOGAF process used to evaluate architecture implementation against defined objectives, ensuring it is fit for purpose.

Involves identifying stakeholders (departments) and tailoring checklists specific to ransomware resilience.

Emphasizes issue identification and resolution through structured review processes.

Weaknesses:

Does not explicitly address longer-term updates to the Enterprise Architecture, but this can be inferred as a next step following compliance recommendations.

Conclusion: Correct. This is the most suitable approach based on TOGAF principles, as it uses an established process to evaluate and improve the architecture's resilience.

Option C:

Strengths:

Includes monitoring for updates from suppliers to enhance detection and recovery capabilities, which is relevant to addressing ransomware risks.

Proposes a gap analysis to identify shortcomings in the current Enterprise Architecture and recommends addressing gaps through change requests.

Incorporates disaster recovery planning exercises, which are useful for testing resilience.

Weaknesses:

While thorough, the approach lacks the Architecture Compliance Review process, which is a more structured way to ensure the architecture meets resilience requirements.

Monitoring suppliers and running disaster recovery exercises are operational steps rather than strategic architectural improvements.

Conclusion: Incorrect. While it includes valid activities, it does not adhere to TOGAF’s structured approach for architecture assessment and compliance.

Option D:

Strengths:

Proposes analyzing business continuity requirements and assessing the architecture for gaps, which is relevant to the scenario.

Suggests initiating an ADM cycle to address gaps, which aligns with TOGAF principles.

Weaknesses:

Focusing on initiating a new ADM cycle may be premature, as the immediate priority is to evaluate the existing architecture and address specific resilience concerns.

Does not mention compliance review or tailored resilience measures for ransomware attacks, which are central to the scenario.

Conclusion: Incorrect. It proposes a broader approach that may not adequately address the immediate concerns highlighted by the CSO.

TOGAF References

Architecture Compliance Review: A structured process used to evaluate whether an architecture meets the stated goals, objectives, and requirements (TOGAF 9.2, Chapter 19). It is particularly useful for identifying and addressing resilience requirements in scenarios involving security risks.

Stakeholder Engagement: Identifying and involving stakeholders (e.g., departments) is a critical part of architecture governance and compliance review (TOGAF 9.2, Section 24.2).

Change Management: The Architecture Compliance Review supports identifying necessary changes, which are then managed through governance and change management processes (TOGAF 9.2, Section 21.6).

By choosing Option B, you align with TOGAF’s structured approach to compliance, resilience, and addressing security concerns.

Option A best aligns with TOGAF Phase A: Architecture Vision, which is the starting phase for an architecture development cycle in TOGAF. This phase sets the foundation for the architecture engagement and ensures alignment with stakeholders and their concerns, especially when evaluating a major transformation like moving to a cloud-based planning and scheduling system.

???? Key TOGAF Concepts Supporting Option A:

1. Phase A: Architecture Vision Objectives

Establish the high-level scope, constraints, and expectations.

Identify stakeholders and define their concerns and business requirements.

Create the Architecture Vision, which includes:

Summary-level Baseline and Target Architecture views (business, data, application, and technology).

Initial requirements and key concerns.

Stakeholder buy-in and approval for moving forward.

2. Engagement with Stakeholders

In this case, the plant managers and local supply chain partners have concerns regarding safety and dependability.

TOGAF emphasizes early engagement with business stakeholders to ensure concerns are identified and incorporated into the vision.

3. Creating Architecture Vision Document

A deliverable of Phase A.

Includes high-level descriptions of the baseline and target architectures, initial business goals, and stakeholder viewpoints.

Used to build agreement and obtain formal approval to proceed with detailed architecture work in later phases (B–D).

❌ Why Other Options Are Incorrect:

B: Focuses on suppliers and not the actual stakeholders impacted by the architecture — i.e., plant managers and internal operations. This diverts from TOGAF’s stakeholder-driven approach in Phase A.

C: This reflects Phases B–D of the ADM (Business, Information Systems, and Technology Architecture). It is too detailed and premature for the start of the project. In Phase A, you don’t yet develop full baseline and target architectures or conduct a consolidated gap analysis.

D: While interviewing stakeholders is valid in Phase A, this option lacks a holistic view of the Architecture Vision development, and skips the TOGAF requirement to produce summary views of the baseline and target architectures and to use them to drive stakeholder buy-in. It is tactically correct, but strategically incomplete.

???? TOGAF Source References:

TOGAF 9.2 – Section 6.2 (Phase A: Architecture Vision)

"The Architecture Vision describes how the proposed architecture support the business goals, and the strategic direction. It also provides a high-level description of the baseline and target architectures and identifies key stakeholders and concerns."

TOGAF 9.2 – Part IV, Architecture Content Framework

"The Architecture Vision includes the scope, constraints, and expectations. It forms the basis for approval to proceed with further architecture development."