Operating Principles

An enterprise architecture should also be described in terms of the operating principles that govern interaction with it. All strategy, design, implementation and break/fix activities should be subject to them. Below are some examples of operating principles.

  • Requirements-Based Change: Changes to technology should be made in response to legitimate business requirements.
  • Configuration and Change Management: Configuration and change management are the single most important processes influencing IT stability and reliability. To what extent are all activities in support of the enterprise subject to published configuration, change, and release management policies and procedures?
  • Division of Labor: Production systems, especially business-critical ones, should be managed with checks and balances that can prevent human error and inadvertent mistakes. Accordingly, there is a separation of duties between those who create and those who maintain and support. Developers should not implement into Production. Production changes should be subject to peer review, change management procedures, appropriate logging, monitoring, and review. What is your organization’s perspective? Guidelines for this principle are codified in published documentation from SEI, ITIL/itSMF, and ISACA.
  • Production Control: The concept of production control is strongly tied to change management and division of labor. In order to maintain a reliable production environment, operations must be tightly controlled, tracked and monitored. For instance, items should be introduced into Production at certain times, by certain people, after thorough testing in a test TOE, and deployed with specific instructions and feedback mechanisms. Some activities in Production must be forbidden. For instance, there must be no testing or development in Production. What is your organization’s stance on Production Control?
  • Standard Builds and Repeatable Build Procedures: Standards and standard builds allow IT to leverage economies of scale, to minimize deployment times, enforce best practices, and minimize human error. Does your IT shop enforce standardization of all device, server, and software configurations?
  • Rebuild vs Repair: Rebuilding or reimaging servers, desktops, and devices is preferred over repairing whenever and wherever possible. Rebuilding is a known activity with a known duration and cost, while troubleshooting and repair can carry on indefinitely. Do you prefer to rebuild devices rather than incur additional delay while you troubleshoot?
  • Backups: What are IT’s principles around backups? For instance, backup frequency and duration will be based on the importance of the data; and backups should generally occur over a secondary, non-Production network.
  • Version Control: Are all releases of software and hardware components properly versioned? Are subsequent versions maintained for potential rollback?
  • Information Security and Compliance: Operational principles need to reference and incorporate the information security goals, requirements and obligations of the IT department and company at large. Security can no longer be left as an afterthought that is bolted on during the latter part of the lifecycle. This principle should identify the sensitivity and privacy requirements of the organization’s data, as well as regulatory requirements vis-à-vis HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), PCI DSS (Payment Card Industry Data Security Standard), GLB (Gramm–Leach–Bliley), etc. Conversely, if the organization has no regulatory requirements and its data is mostly public domain, then this should be stated here, as it will make a large difference in how you run IT.
  • Patching: Because of the vast number of custom applications, patching of enterprise services should be done with caution and with meticulous planning and testing. What is IT’s stance?
  • Process Frameworks: Does IT look to the process frameworks of ITIL, MOF, and COBIT for guidance?
  • Sourcing: Many organizations operate under the strategy that physical data center elements (i.e., floor space, power and HVAC) are outsourced. In addition, the majority of the consumer websites are outsourced.
