OGEA-102 TOGAF Enterprise Architecture Part 2 Exam (English) Questions and Answers

Comprehensive and Detailed Step-by-Step Explanation

Context of the Scenario

The scenario highlights significant risks due to ransomware attacks and the need to strengthen the company’s Enterprise Architecture to improve data protection and resilience. TOGAF emphasizes the Architecture Compliance Review as a mechanism for ensuring the architecturemeets its objectives and addresses specific concerns such as security, resilience, and compliance with organizational goals.

The organization has already conducted a risk assessment but requires actionable steps to:

Address ransomware attack risks.

Increase the resilience of the Technology Architecture.

Ensure proper alignment with governance and compliance frameworks.

Option Analysis

Option A:

Strengths:

Highlights the need for up-to-date processes for managing changes in the Enterprise Architecture.

Recognizes the importance of governance through the Architecture Board and change management techniques.

Weaknesses:

The approach focuses solely on the Technology Architecture baseline but does not address the need for specific steps such as compliance review, gap analysis, or tailored resilience measures for ransomware risks.

It provides a broad and generic approach rather than a targeted plan for ransomware and data protection issues.

Conclusion: Incorrect. While it adheres to governance processes, it lacks specific actions to improve resilience and address the immediate security concerns.

Option B:

Strengths:

Proposes an Architecture Compliance Review, which is a core TOGAF process used to evaluate architecture implementation against defined objectives, ensuring it is fit for purpose.

Involves identifying stakeholders (departments) and tailoring checklists specific to ransomware resilience.

Emphasizes issue identification and resolution through structured review processes.

Weaknesses:

Does not explicitly address longer-term updates to the Enterprise Architecture, but this can be inferred as a next step following compliance recommendations.

Conclusion: Correct. This is the most suitable approach based on TOGAF principles, as it uses an established process to evaluate and improve the architecture's resilience.

Option C:

Strengths:

Includes monitoring for updates from suppliers to enhance detection and recovery capabilities, which is relevant to addressing ransomware risks.

Proposes a gap analysis to identify shortcomings in the current Enterprise Architecture and recommends addressing gaps through change requests.

Incorporates disaster recovery planning exercises, which are useful for testing resilience.

Weaknesses:

While thorough, the approach lacks the Architecture Compliance Review process, which is a more structured way to ensure the architecture meets resilience requirements.

Monitoring suppliers and running disaster recovery exercises are operational steps rather than strategic architectural improvements.

Conclusion: Incorrect. While it includes valid activities, it does not adhere to TOGAF’s structured approach for architecture assessment and compliance.

Option D:

Strengths:

Proposes analyzing business continuity requirements and assessing the architecture for gaps, which is relevant to the scenario.

Suggests initiating an ADM cycle to address gaps, which aligns with TOGAF principles.

Weaknesses:

Focusing on initiating a new ADM cycle may be premature, as the immediate priority is to evaluate the existing architecture and address specific resilience concerns.

Does not mention compliance review or tailored resilience measures for ransomware attacks, which are central to the scenario.

Conclusion: Incorrect. It proposes a broader approach that may not adequately address the immediate concerns highlighted by the CSO.

TOGAF References

Architecture Compliance Review: A structured process used to evaluate whether an architecture meets the stated goals, objectives, and requirements (TOGAF 9.2, Chapter 19). It is particularly useful for identifying and addressing resilience requirements in scenarios involving security risks.

Stakeholder Engagement: Identifying and involving stakeholders (e.g., departments) is a critical part of architecture governance and compliance review (TOGAF 9.2, Section 24.2).

Change Management: The Architecture Compliance Review supports identifying necessary changes, which are then managed through governance and change management processes (TOGAF 9.2, Section 21.6).

By choosing Option B, you align with TOGAF’s structured approach to compliance, resilience, and addressing security concerns.

At this stage in the scenario:

A strategic architecture has been completed.

All divisions have completed their Architecture Definition Documents.

Work packages have been defined.

Transition Architectures between Baseline and Target are already identified.

A draft roadmap exists for a multi-year phased migration.

You are now asked to plan the next steps for the migration, which aligns exactly with TOGAF ADM Phase F: Implementation and Migration Planning.

In Phase F, TOGAF prescribes the following key activities:

Evaluate and prioritize projects and work packages

Determine business value, cost, risk, dependencies

Confirm Transition Architectures and sequencing

Update and finalize the Implementation & Migration Plan

Option B is the ONLY answer that correctly follows these required TOGAF steps.

✔ Why Option B is correct

Option B states:

“Estimate the business value for each project by applying the Business Value Assessment Technique … to prioritize the migration projects.”✔ This is a TOGAF-recommended technique specifically for Phase F to evaluate and prioritize transformations using value, risk, and ROI.

“Confirm and plan a series of Transition Architecture phases … using a table of Architecture Definition Increments.”✔ Exactly aligned with TOGAF:

Transition Architectures were identified earlier.

In Phase F, they must be confirmed, sequenced, and documented.

“Update the Implementation and Migration Plan.”✔ This is the required output of ADM Phase F.✔ At this point, the plan must be validated and finalized based on value and prioritization.

Thus, Option B directly matches TOGAF’s prescribed migration planning process.

✘ Why the other options are incorrect

A – Incorrect

Suggests finalizing Architecture Definition documentation—this was already completed by each division.

Introduces an “Implementation Governance Model,” which is not a TOGAF artifact at this stage.

Focuses on lessons learned BEFORE execution, which is not appropriate for migration planning.

C – Incorrect

Focuses only on project selection and resource assignment.

Does not use TOGAF techniques for value/risk evaluation.

Does not reference Transition Architectures, which are central in the scenario.

Oversimplifies Implementation & Migration Planning to resource scheduling.

D – Incorrect

Compliance Assessments occur DURING execution, not before migration planning.

At this stage, no implementation has started, so compliance reviews are premature.

Adjusting performance requirements now has no alignment with TOGAF’s ADM sequence.

A security domain model is a technique that can be used to define the security requirements and policies for the architecture. A security domain is a grouping of assets that share a common level of security and trust. A security policy is a set of rules and procedures that govern the access and protection of the assets within a security domain. A security domain model can help to identify the security domains, the assets within each domain, the security policies for each domain, and the relationships and dependencies between the domains1

Since the data is being shared across partners, a security federation is needed to establish a trust relationship and a common security framework among the different parties. A security federation is a collection of security domains that have agreed to interoperate under a set of shared security policies and standards. A security federation can enable secure data exchange and collaboration across organizational boundaries, while preserving the autonomy and privacy of each party. A security federation requires contractual arrangements, and a definition of the responsibility areas for the data exchanged, as well as security implications2

A risk assessment is a process that identifies, analyzes, and evaluates the risks that may affect the architecture. A risk assessment can help to determine the likelihood and impact of the threats and vulnerabilities that may compromise the security and privacy of the data assets. A risk assessment can also help to prioritize and mitigate the risks, and to monitor and review the risk situation3

Therefore, the best answer is D, because it describes the risk and security considerations that would be included in the current phase of the architecture development, which is focused on the Business Architecture. The answer covers the security domain model, the security federation, and the risk assessment techniques that are relevant to the scenario.

Based on the TOGAF standard, this answer is the best approach for architecture development to realize the CEO’s change in direction for the company. The reason is as follows:

The scenario describes a major business transformation that requires a clear understanding of the current and future states of the enterprise, as well as the gaps and opportunities for change. Therefore, the priority is to understand and bring structure to the definition of the change, rather than focusing on the implementation details or the technology aspects.

The team should use the TOGAF ADM as the method and guiding framework for architecture development, and adapt it to suit the specific needs and context of the enterprise. The team should also leverage the existing Architecture Capability and the Architecture Repository to reuse and integrate relevant architecture assets and resources.

The team should focus iteration cycles on a baseline first approach to architecture development, which means starting with the definition of the Baseline Architecture in each domain (Business, Data, Application, and Technology), and then defining the Target Architecture in each domain. This will help to identify the current and desired states of the enterprise, and to perform a gap analysis to determine what needs to change in order to achieve the business goals and objectives.

The team should then focus on transition planning, which involves identifying and prioritizing the work packages, projects, and activities that will deliver the change. The team should also create an Architecture Roadmap and an Implementation and Migration Plan that will guide the execution and governance of the change.

The team should use the Architecture Vision phase and the Requirements Management phase to work out in detail what the shared vision is for the change, and to capture and validate the stakeholder requirements and expectations. The team should also use the Architecture Governance framework to ensure the quality, consistency, and compliance of the architecture work.

The Business Value Assessment Technique is a technique that can be used to estimate and compare the business value of the projects and project increments that implement the architecture work packages, which are the sets of actions or tasks that are required to implement a specific part of the architecture. The business value is the measure of the benefits or advantages that the project or project increment delivers to the business, such as increased revenue, reduced costs, improved quality, or enhanced customer satisfaction1

The steps for applying the Business Value Assessment Technique are:

Identify the criteria and factors that are relevant to the business value assessment, such as costs, benefits, risks, and opportunities. The criteria and factors should be aligned with the business goals and drivers that motivate the architecture work, and the stakeholder requirements and concerns that influence the architecture work.

Assign weights and scores to the criteria and factors, using various methods, such as expert judgment, historical data, or analytical models. The weights and scores should reflect the importance and performance of the criteria and factors, and the trade-offs and preferences of the stakeholders.

Calculate the business value for each project or project increment, using various techniques, such as net present value, return on investment, or balanced scorecard. The business value should indicate the expected or actual outcomes and impacts of the project or project increment on the business.

Prioritize the implementation projects and project increments, based on the business value and other considerations, such as dependencies, resources, or risks. The prioritization should determine the order or sequence of the projects and project increments, and the allocation and utilization of the resources.

Therefore, the best answer is C, because it describes the next steps for the migration planning, which are the activities that support the transition from the Baseline Architecture to the Target Architecture. The answer covers the Business Value Assessment Technique, which is relevant to the scenario.

In TOGAF, creating a Business Scenario is a foundational step in defining and understanding the business problem, especially for complex transformations involving multiple stakeholders and systems, such as in this scenario. This method aligns with Phase A (Architecture Vision) of the TOGAF Architecture Development Method (ADM). Here’s why this approach is the most effective:

Understanding Business Requirements:A Business Scenario provides a structured way to capture and analyze the business requirements, stakeholder concerns, and the contextual elements related to the problem. In this scenario, the company faces challenges in integrating newly acquired companies with existing operations, which includes complex stakeholder concerns across different functional areas. Developing a Business Scenario allows the EA team to break down these complexities into identifiable and manageable parts.

Risk Evaluation and Management:By using the Business Scenario approach, the EA team can not only define the requirements but also assess associated risks systematically. TOGAF emphasizes the importance of risk management through identifying potential risks, evaluating their impact, and defining strategies for handling these risks. The process includes assessing how risks can be avoided, transferred, or reduced—a necessary step in large-scale transformations to ensure that risks are proactively managed.

Residual Risks and Governance:Any risks that cannot be fully resolved should be identified as residual risks and escalated to the Architecture Board, which is aligned with TOGAF’s governance approach. The Architecture Board’s role in TOGAF is to provide oversight and make critical decisions on risks that exceed the control of the EA team. This ensures that unresolved risks are managed at the appropriate level of the organization.

Alignment with TOGAF ADM Phases:The Business Scenario approach directly aligns with the Preliminary and Architecture Vision phases of the TOGAF ADM, which focuses on establishing a baseline understanding of the business context and the strategic transformation required. The detailed understanding of requirements, stakeholder concerns, and risks identified here will guide the subsequent phases of the ADM, including Business Architecture and Information Systems Architecture.

TOGAF Reference (Section 2.6, ADM Techniques):TOGAF provides guidelines on the creation of Business Scenarios as part of ADM Techniques, highlighting the importance of defining a business problem comprehensively to ensure successful transformation. This method includes identification of stakeholders, business requirements, and associated risks, which aligns well with the company's need for strategic and systematic integration of new business units.

By utilizing a Business Scenario, the EA team ensures that all aspects of the transformation are well understood, risks are identified early, and residual risks are managed effectively, aligning with the company's strategic objectives and the TOGAF framework’s guidance on risk management and stakeholder alignment.