Experimental extensions towards a complete EA framework … · 2018-05-03
Risk modeling by custom extensions to Archimate
Experimental extensions towards a complete EA framework
Erik Hagen
June 2014
EnterCard delivers smart payment and financing solutions to
customers. We have over 50 card products and 2 million
customers across Scandinavia
Introduction
• There are requirements and use cases for EA modeling in many areas – solution design, work instructions, IT planning, knowledge management, training, master data, project management, business transformation, incident management, risk management and more.
• There is currently no single modeling standard that covers all of this.
• So, we have combined several EA standards into a larger framework, with modeling conventions independent of any particular tool. (We use ARIS.)
• Our main effort so far has been as-is documentation in relation to Business Continuity Management and impact analysis, but we are also proceeding in other areas.
This presentation is about how the EA framework we have developed so far could cover risk modeling going forward. Note that this presentation does not cover how EnterCard is actually working with risk management today.
First, some considerations regarding risk management vs. EA...
SABSA and TOGAF - “Integrating security and risk
management into enterprise-level architectures”
• “For too long, information security has been considered a
separate discipline, isolated from the enterprise architecture”
• “Operational risk and its relevance to enterprise architecture
– why incorporating the concept of operational risk is
essential to modern enterprise architecture design.”
• “This White Paper is intended to guide enterprise and
security architects in fully integrating security and risk
management into enterprise-level architectures”
The SABSA Operational Risk Model
“The IT security and information security industry has evolved over its lifetime a
view of operational risk that is concerned only with threats, vulnerabilities, and
loss events (negative impacts)--- This negative approach to risk management
has also found its way into the ISO/IEC 27005:2011 standard…”
“Arguably, the sole role of the enterprise architect is to create an operational
environment in which operational risk can be optimized for maximum business
benefit and minimum business loss.”
Assets at risk – primary and secondary
• “In SABSA thinking these operational capabilities are the
primary assets at risk… examples… Production capability,
Service delivery capability... Capability to build and sustain
brands and reputation…”
• “In traditional information and IT risk management
frameworks … the assets at risk are usually classified as
information assets (databases, files, documents, etc.) and IT
assets (computer hardware, software, communications
networks, etc.). These are regarded in SABSA as secondary
assets, supporting the primary assets of business capability”
• “SABSA risk assessment, risk measurement, and risk
monitoring focuses on the primary assets…”
• “In this respect SABSA is leading-edge thinking, challenging
the traditional IT view of operational risk management, but
aligning operational risk with true business risk.”
SABSA Artifacts in the TOGAF ADM
TOGAF ADM primer
Architecture Development Method
Archimate metamodel mapped to the TOGAF ADM
EnterCard’s modeling conventions – based on open standards
Relevant modeling standards and their relation
Main Archimate concepts
subject-verb-object (in «Chinese»)
Archimate symbols – «the alphabet»
Additional symbols
Business rules (DMN)
User stories and use cases
Test cases
Risk modeling
Various other symbols
Archimate viewpoints – «the sentences»
Archimate is currently missing viewpoints for risk, capability
(and some more)
Additional/custom viewpoints
Custom «Relationship Roles»
associated with
associated with (master stored by)
associated with (copy stored by)
associated with (groups)
associated with (provides)
associated with (supports)
associated with (delivers)
associated with (changes)
associated with (defines)
associated with (signs)
associated with (may exploit)
associated with (defined by)
accesses
accesses (reads)
accesses (creates)
accesses (updates)
accesses (deletes)
accesses (consumes)
accesses (produces)
used by
uses
realizes
realizes (copy of)
realized by
assigned to
assigned to (resides on)
assigned to (fulfills)
assigned to (performs)
assigned to (responsible)
assigned to (accountable)
assigned to (consulted)
assigned to (informed)
aggregates
composed of
generalization of
influences
influences (triggers)
influences (mitigates)
influences (resolves)
influences (leads to)
influences (results in)
influences (may result in)
influences (implies)
influences (impacts)
Risk & Impact viewpoint (custom)
Asset at risk: Any object,
including capability
Planned enhancements:
• Threat agent
• Opportunity
Assets at risk
SABSA view: The output of architecture work
is the creation of operational capability.
These operational capabilities are the
primary assets at risk.
Example: Capability to build and sustain
brand and reputation
SABSA based view of primary
vs. secondary assets:
«Indirect impacts»:
Example: An incident related to e.g. an IT
system «indirectly» impacts «Reputation»
Either way, we can model it
Example impact viewpoint
Report example – impact analysis with output to Excel
Export of raw data to Excel for flexible analysis
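An added example (not from the original slides and not EnterCard's ARIS reports): a small Python traversal over a model built with the custom relationship roles listed earlier, tracing an incident on a secondary asset to the primary assets it indirectly impacts and exporting raw rows for spreadsheet analysis. The model objects, the direction in which impact travels along each role, and the function names are assumptions.

```python
import csv
import io
from collections import deque

# Constructed sample model: (source, relationship role, target). The role names
# come from the slide's custom «Relationship Roles»; the objects are invented.
EDGES = [
    ("Power failure in data centre", "influences (impacts)", "Server DC1-07"),
    ("Backup power supply", "influences (mitigates)", "Power failure in data centre"),
    ("Authorization system", "assigned to (resides on)", "Server DC1-07"),
    ("Authorization system", "associated with (supports)", "Card payment process"),
    ("Card payment process", "realizes", "Service delivery capability"),
    ("Service delivery capability", "influences (impacts)", "Reputation"),
]
PRIMARY = {"Service delivery capability", "Reputation"}  # everything else: secondary
# Assumption: the direction in which an impact travels along each role.
FORWARD = {"influences (impacts)", "associated with (supports)", "realizes"}
REVERSE = {"assigned to (resides on)"}  # what resides on a failed node fails too


def impact_paths(risk):
    """Breadth-first walk from a risk; returns {asset: path from the risk}."""
    paths, queue = {risk: [risk]}, deque([risk])
    while queue:
        node = queue.popleft()
        for src, role, dst in EDGES:
            if src == node and role in FORWARD:
                nxt = dst
            elif dst == node and role in REVERSE:
                nxt = src
            else:
                continue
            if nxt not in paths:  # visited check also stops cycles in the model
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {asset: path for asset, path in paths.items() if asset != risk}


def impact_report(risk):
    """One raw row per impacted asset, with the trace that justifies it."""
    controls = [s for s, r, d in EDGES if r == "influences (mitigates)" and d == risk]
    return [{"risk": risk, "asset": asset,
             "asset_class": "primary" if asset in PRIMARY else "secondary",
             "impact": "direct" if len(path) == 2 else "indirect",
             "path": " -> ".join(path), "mitigated_by": "; ".join(controls)}
            for asset, path in impact_paths(risk).items()]


def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

The `path` column is what gives the traceability between risk and asset: every «indirect» impact on a primary asset can be checked hop by hop against the model.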
Navigating into our repository
The «complete» picture
Mandatory deliverables for new projects
Template catalog
Easy access to templates and education
Click the template and get started modeling
General viewpoint description
Examples
«Document chapter»
A template example (Archimate Business Process)
© EnterCard, 18 December, 2012
Keep it simple – risk attribute for BPMN tasks
BPMN process modelers can choose to specify
a Risk attribute, in which case an «attribute
symbol» is automatically inserted.
More advanced modelers can create
connected Archimate models (with
extensions)
Change management is key
Library contents
Change management
Project deliverables
reuse QA
Anticipated extensions to the modeling framework
• SABSA’s Business Attribute Profiling and Business Attribute Taxonomy
• The Open Group’s Risk Taxonomy (O-RT)
• ...
Conclusions
• Building on the Archimate metamodel enables us to consistently model the entire enterprise architecture with full traceability between risks and assets.
• This modeling framework supports traditional risk modeling with a focus on threats and negative impacts as well as e.g. the SABSA approach which also deals with opportunities and positive impacts.
• Consequently, architecture and risk go hand in hand and marry business improvement
Bonus slides
The SABSA Matrix
SABSA “Business Attribute Profiling”
Alignment in the SABSA Matrix between Business Drivers and Services through Business Attribute Profiling
SABSA Business Attribute Taxonomy