A Control Framework for Current State Architecture (#ArchiMate) Models

We have a very large Current State Architecture (CSA) model, consisting of 25,000 elements and relations that are also visually maintained in views. Attached to that another 50,000 elements and relations are in a satellite model that has no neatly laid out views but is used to semi-automatically maintain coherence with other ‘models’ in our organisation. Our CSA model was recently formally (internally) audited (yet another step to maturity).

When you do an audit, you need to set up a Control Framework: the items you are going to look at when auditing. Such a Control Framework, as it turned out, does not exist yet. We weren’t even able to find published Control Frameworks for comparable setups, such as CMDBs. So, we had to invent our own.

Together with the auditors, we created a list of items that needed to be audited. I am not exactly copying these here, as there are some company internal items, but taking what I learned during the audit process, I present here a generic Control Framework example that can be used to audit large (ArchiMate) CSA models.

The first Controls are a couple at generic Enterprise Architecture level:

Enterprise Architecture Controls

1. Enterprise architecture processes are budgeted and planned.
2. Architecture is part of the organization’s Standard development/maintenance processes.

These are quite simple. You need to have EA established as a part of your organisation’s setup. The next few controls are governance controls on the CSA maintenance:

CSA Maintenance Controls

3. An owner of the Current State Architecture model has been appointed.
4. Responsibilities and tasks of staff involved in the development/maintenance process of Current State Architecture are transparent and unambiguous.
5. Employees involved in the various stages of the Current State architecture have the appropriate skills and training to perform their duties adequately.
6. To ensure the continuity of the Current State Architecture version, control, back-up and recovery procedures are in place.
7. Adequate logical access controls with regard to key IT systems and applications used to document the enterprise architecture (EA Tooling) are in place.
8. The organization has procedures in place to ensure the correctness and completeness of the current state model.
9. The organization has procedures (change, logical access) in place to maintain the detailed models and descriptions of the organization’s business processes and functions, roles and actors, and the IT supporting that business.
10. The organization has procedures in place to ensure that other actively used models of the organization’s production environment are not in contradiction with the current state architecture.
11. Procedures are in place to ensure appropriate segregation of duties and review and approval by a co-worker on proposed changes in the Current State Architecture.
12. Changes in the primary production environment of the organization are input to the Current State Architecture model within set time-limits.

These all mostly speak for themselves. Number 8 is about making sure that changes that happen in the organisation’s landscape actually end up in the CSA. E.g., changes in the infrastructure may be documented in the CMDB. This control can, for instance, be covered if any change in the CMDB is automatically forwarded to EA for application in the CSA and now and then both models are reconciled. Number 9 is about requiring that we have documented our processes adequately and keeping those up to date and linked to the IT. E.g. here we talk about processes and support for linking BPMN and ArchiMate models. Number 10 is about ‘other models’. An example would be that the risk people who have their own models for risk are in sync with the CSA model. Example: you should not base your risk assessments on a different separate set of process descriptions and EA information than what is in the CSA.

Now we move on to the basic elements of the `how’:

13. The organisation uses a Standard modelling language to describe its Current State architecture.
14. The Current State Architecture is based on well described patterns and approaches.

The standard modelling language is easy: ArchiMate, of course. Now, ArchiMate is more of a grammar than a language, so we need to describe our patterns and approaches so that the whole model does not become a chaos of different styles. Such a chaos would make it impossible to use in an automated way. As a basic pattern set we use is from — surprise! — the Mastering ArchiMate book, and we only have a few small documents describing which variants we use or where we do thing differently than in the book (such improvements of course will end up in a second edition of the book later, as the book generally follows what I learn in our extensive ArchiMate practice).

Now we move on to controls on what is actually in the CSA:

15. The current state model includes the entire architecture (all layers: business & information, application & data, infrastructure) of the organization’s primary production environment.
16. Risk and security control objectives and control measures for the primary production environment are available in the model.
17. IT infrastructure, systems, applications and components with regard to enterprise architecture are defined and documented
18. The description of the Current State Architecture is modeled consistently. Exceptions on the design are documented, reported to and formally accepted by the lead architect.
19. All IT that contains business specific logic is recognizable at the application layer in the model.
20. For all IT that contains business specific logic (applications), the application owner is available in the model

This is of course a first attempt, but I have seen something like this already seen used once. From such an audit, certain white spots were identified and an improvement program was initiated. I really like audits like this: it forces you to think in a practical and pragmatic way about the quality your CSA modelling requires.

That’s it. No pictures this time. That might induce you to think auditing is boring, but it isn’t. Really. It was really interesting to work with auditors on this and up or level of quality by setting up an audit.