Q: 10
Please read this scenario prior to answering the question
Your role is that of a senior architect, reporting to the Chief Enterprise Architect, at a medium-sized
company with 400 employees. The nature of the business is such that the data and the information
stored on the company systems is their major asset and is highly confidential.
The company employees travel extensively for work and must communicate over public
infrastructure using message encryption, VPNs, and other standard safeguards. The company has
invested in cybersecurity awareness training for all its staff. However, it is recognized that even with
good education as well as system security, there is a dependency on third-party suppliers of
infrastructure and software.
The company uses the TOGAF standard as the method and guiding framework for its Enterprise
Architecture (EA) practice. The CTO is the sponsor of the activity.
The Chief Security Officer (CSO) has noted an increase in ransomware (malicious software used in
ransom demands) attacks on companies with a similar profile. The CSO recognizes that no matter
how much is spent on education and support, it is likely just a matter of time before the company
suffers a significant attack that could completely lock them out of their information assets.
A risk assessment has been done and the company has sought cyber insurance that includes
ransomware coverage. The quotation for this insurance is hugely expensive. The CTO has recently
read a survey that stated that one in four organizations paying ransoms were still unable to recover
their data, while nearly as many were able to recover the data without paying a ransom. The CTO has
concluded that taking out cyber insurance in case they need to pay a ransom is not an option.
Refer to the scenario
You have been asked to describe the steps you would take to improve the resilience of the current
architecture.
Based on the TOGAF standard which of the following is the best answer?
Options
Discussion
Nah, I think A is right here. B looks tempting because it talks about DR exercises but only A follows TOGAF's proper ADM flow with business continuity, gap analysis, and triggering a new Architecture Work Request. Pretty sure that's what they're after. Not 100% though if you see it differently.
A is wrong, it's B. A follows TOGAF's ADM pretty closely, hitting business continuity, gap analysis, and governance with the Architecture Board. That's what they'd expect in a scenario like this where they want you to show the right process steps. Saw similar framing in some practice tests.
I see it differently, I'd actually pick D here.
Wouldn't B be more reactive though, just running DR tests and updating gaps after the fact? I think the question wants a TOGAF-driven proactive governance cycle, not just a tech refresh or incident drill.
A Seen a similar question in practice tests and the official guide, A fits TOGAF's method best for handling this scenario.
It's A
A is the right call for a "best answer" since it directly follows TOGAF method with gap analysis, change request, and kicking off an ADM cycle. D's compliance review checklist is more of a tactical assessment step and kind of misses the bigger governance/process piece. Pretty sure that's what the exam wants, but let me know if you see it differently.
Likely A, fits TOGAF full process since it includes gap analysis and formal ADM steps.
Probably A here. D looks tempting if you just want a quick compliance review, but TOGAF likes full process with gap analysis and change requests. Trap is skipping over the formal ADM cycle.
Why does TOGAF have to make everything so process heavy? Wouldn't a more immediate resilience check (like D) be more practical in real life?