Enterprise Architecture Principles

Statement

EA process must be in use when developing information systems, processes and services. EA process apply to all organizations within university. Information systems development must endorse university’s foundational missions; Research, Teaching, Artistic Activity and Societal Impact.

Rationale

EA process endorses the achievement of university’s strategic objectives.

Implications

1. Development of information systems consist of determination of the requirements, the needs of users and the solutions brought about by the changes in working practices and processes.

2. The development of information systems is open and transparent.

3. Development work is based on the constructive cooperation between the different actors.

Statement

All organization within the university must comply with EA principles, when developing information systems.

Rationale

EA principles ensure the re-usability assets and the optimization of existing and future costs. It also has a strong influence on the quality of university services.

Implications

1. The best possible compliance is born out of understanding and acceptance of the benefits and implications of EA principles.

2. Although principles are of prescriptive nature, non- adherence will generally not cause sanctions, but rather operational problems and inhibit the ability of the organization to fulfill its mission.

3. The implementation of the EA priciples is governed with separate EA approval in the portfolio gate process.

Statement

Information is an asset that has value to the university and is managed accordingly.

Rationale

Information is a valuable university resource; it has real, measurable value. In simple terms, the purpose of information is to aid decision-making. Accurate, timely information is critical to accurate, timely decisions. Most university assets are carefully managed, and information is no exception. Information is the foundation of our decision-making, so we must also carefully manage information to ensure that we know where it is, can rely upon its accuracy, and can obtain it when and where we need it.

Implications

1. The implication is that there is an education task to ensure that all organizations within the university understand the value of information.

2. Stewards must have the authority and means to manage the information for which they are accountable.

3. We must make the cultural transition from "information ownership" thinking to "information stewardship" thinking.

4. The role of information steward is critical because obsolete, incorrect, or inconsistent information could be passed to university personnel and adversely affect decisions across the university.

5. Part of the role of information steward, who manages the data, is to ensure information quality. Procedures must be developed and used to prevent and correct errors in the information and to improve those processes that produce flawed information. Information quality will need to be measured and steps taken to improve information quality - it is probable that policy and procedures will need to be developed for this as well.

6. A forum with comprehensive university-wide representation should decide on process changes suggested by the steward.

7. Since information is an asset of value to the entire university, information stewards accountable for properly managing the information must be assigned at the university level.

Statement

Applications are easy to use. The underlying technology is transparent to users, so they can concentrate on tasks at hand.

Rationale

The more a user has to understand the underlying technology, the less productive that user is. Ease-of-use is a positive incentive for use of applications. It encourages users to work within the integrated information environment instead of developing isolated systems to accomplish the task outside of the university's integrated information environment. Most of the knowledge required to operate one system will be similar to others. Training is kept to a minimum, and the risk of using a system improperly is low.

Implications

Applications will be required to have a common "look-and-feel" and support ergonomic requirements. Hence, the common look-and-feel standard must be designed and usability test criteria must be developed.

Statement

Software and hardware should conform to defined standards that promote interoperability for information, applications, and technology.

Rationale

Standards help ensure consistency, thus improving the ability to manage systems and improve user satisfaction, and protect existing IT investments, thus maximizing return on investment and reducing costs. Standards for interoperability additionally help ensure support from multiple vendors for their products.

Implications

1. Interoperability standards and industry standards will be followed unless there is a compelling business reason to implement a non-standard solution.

2. A process for setting standards, reviewing and revising them periodically, and granting exceptions must be established.

3. The existing IT platforms must be identified and documented.

Statement

The future maintainability of IT solutions relevant to Aalto core functions must be assured.

Rationale

Products and services acquired or produced by the Aalto University must be maintainable and/or adaptable to changes even then when the vendor's services or products are discontinued during the useful lifetime of the Aalto IT solution. At a minimum the Aalto  University ought to be able to:

1. Maintain and/or adapt a discontinued service/product with the assistance of an alternative provider

2. Bridge the time between to changed provider relations and the planning and implementation of alternative solutions

Implications

When acquiring or producing solutions and/or services relevant to Aalto core functions the following needs to be considered.

1. Whenever possible, Aalto IT shall prefer solutions that are offered and maintained by multiple suppliers.

2. Aalto IT shall prefer solutions based primarily upon open standards or on de facto standards.

3. The minimum acceptable continuity assurance is "escrow assurance" In addition; The Aalto University will pursue access and usage rights for source code whenever feasible.

4. A risks assessment to determine disaster recovery and continuity options must be considered.
 

Statement

Only in response to university needs are changes to applications and technology made.

Rationale

This principle will foster an atmosphere where the information environment changes in response to the needs of the university, rather than having the university change in response to IT changes. This is to ensure that the purpose of the information support - the transaction of university - is the basis for any proposed change. Unintended effects on university due to IT changes will be minimized. A change in technology may provide an opportunity to improve the process and, hence, change university needs.

Implications

1. Change management processes conforming to this principle will be developed and implemented. 

2. The purpose of this principle is to keep us focused on business, not technology needs - responsive change is also a business need.

Statement

Information is accessible for users to perform their functions.

Rationale

Wide access to information leads to efficiency and effectiveness in decision-making, and affords timely response to information requests and service delivery. Using information must be considered from a university perspective to allow access by a wide variety of users. Staff time is saved and consistency of data is improved.

Implications

1. Accessibility involves the ease with which users obtain information. 

2. The way information is accessed and displayed must be sufficiently adaptable to meet a wide range of university users and their corresponding methods of access.

3. Access to information does not constitute understanding of the information.

4. Personnel should take caution not to misinterpret information. 

5. Access to information does not necessarily grant the user access rights to modify or disclose the data. This will require an education process and a change in the organizational culture, which currently supports a belief in "ownership" of data by functional units.

Statement

Information is defined consistently throughout the university, and the definitions are understandable and available to all users.

Rationale

The information that will be used in the development of applications must have a common definition to enable sharing of information. A common vocabulary will facilitate communications and enable dialog to be effective. In addition, it is required to interface systems and exchange information.

Implications

1. Significant additional energy and resources must be committed to this task. It is key to the success of efforts to improve the information environment. This is separate from but related to the issue of information element definition, which is addressed by a broad community - this is more like a common vocabulary and definition.

2. Ambiguities resulting from multiple parochial definitions of data must give way to accepted university-wide definitions and understanding.

Statement

Information is protected from unauthorized use and disclosure. In addition to the traditional aspects of security classification, this includes, but is not limited to, protection of pre-decisional, sensitive, source selection-sensitive, and proprietary information.  

Rationale

Open sharing of information and the release of information via relevant legislation must be balanced against the need to restrict the availability of classified, proprietary, and sensitive information. Existing laws and regulations require the safeguarding of university security and the privacy of information, while permitting free and open access. Pre-decisional (work-in-progress, not yet authorized for release) information must be protected to avoid unwarranted speculation, misinterpretation, and inappropriate use.

Implications

1. In order to adequately provide access to open information while maintaining secure information, security needs must be identified and developed at the data level, not the application level

2. Security must be designed into data elements from the beginning; it cannot be added later. Systems, data, and technologies must be protected from unauthorized access and manipulation.

Statement

Development of applications used across the university is preferred over the development of similar or duplicative applications which are only provided to a particular organization.

Rationale

Duplicative capability is expensive and proliferates conflicting data.

Implications

1. Organizations which depend on a capability which does not serve the entire enterprise must change over to the replacement enterprise-wide capability. This will require establishment of and adherence to a policy requiring this.

2. Organizations will not be allowed to develop capabilities for their own use which are similar/duplicative of enterprise-wide capabilities. In this way, expenditures of scarce resources to develop essentially the same capability in marginally different ways will be reduced.

Statement

IT services provided by the Aalto University need to be able to provide the most commonly desired functions of a solution offering through a web-browser. Service specific clients are to be avoided.

Rationale

Using standard web-browsers for service delivery greatly simplifies service development, reduces vendor dependencies, reduces IT service development times and costs and is an excellent means to provide a cost effective common "look and feel" across multiple services.

Implications

 1. A list of accepted standard web browsers is to be defined and accepted.

2. Web-browsers capability for all accepted web-browser types is to be included in IT service planning and implementation.

3. Outsourced services need to be selected accordingly.

4. Failure to provide web-browser compatible service interfaces need to be justified.

Statement

Solutions must be modular. Building blocks must be used whenever possible.

Rationale

Solutions are usually comprised of functional building blocks like for example web-servers, authentication servers etc. In the interests of saving costs and development time functional building blocks are to be used in a standard and repeatable manner.

Implications

Developers will:

1. Use  building blocks in the implementation of  solutions

2. Justify and document the implementation of non-standard solutions. 
 

Statement

Service solutions are to be implemented by using open and generally accepted standards. All the deviations from this principle must be enforced separately.

Rationale

Adaptability and compatibility are of primary importance to keep Aalto IT service cost to own and cost to maintain low. Solutions according to proprietary standards may at times seem to perform better in the vendor specific environment but will in the majority of cases restrict the  interoperability with other third party service solutions or at best, favor the vendors own  solution  portfolio at the expense of other vendors. Proprietary standards are usually less well documented and force developers to favor certain solutions due to a lack of transparency thus endangering the adaptability and overall compatibility.

Implications

Architects and implementers must for services:

1. Require the vendor to state which open standards are supported and the possible price/performance penalty for this support

2. Assure - when forced to implement according to proprietary standards - compatibility with other Aalto IT solutions and systems depending on the service under development or vice versa.

3. As certain that the required conversion costs and additional maintenance costs for proprietary solutions are taken into account in the cost/benefit calculation.

Counter argument: 

The IT industry has dominant providers with a biased view on open standards. Many providers also maintain their own specific technology development paths. Pragmatism may therefore dictate a partial departure in the principled use of open standards. Nevertheless, the use of open standard must be seriously considered for all development

Statement

The technology supporting newly developed or improved systems and services comprises of standard and exchangeable solution modules called "building blocks". 

Rationale

Modular design reduces development costs, development time, enhances interoperability and scalability.

Implications

IT developers will:

1. Use IT building blocks in the implementation of solutions

2. Justify and document the implementation of non-standard solutions. 

 
3. Reduce the use of hazardous materials, maximize energy efficiency during the product's lifetime, and promote the recyclability.

Statement

Aalto IT services are available on all Aalto University campus sites and facilities. Remote Aalto IT services are available through common internet connections and standard web-browser interfaces. Terminal dependencies for service connections are kept low and in accordance with Aalto IT end-user needs.

Rationale

The primary purpose of Aalto IT services is to support the educational and research activities in the Aalto University. Those activities take place on all campus sites. Modern research often requires communication and cooperation with national and international bodies located outside of the Aalto University facilities. To support this activities global and easy access to certain IT services is required.

Implications

IT service provision independently of location has the following implications:

1. The Aalto IT infrastructure must be able to connect all offered IT services throughout all Aalto University campus sites and facilities where those service may be requested.

2. Remote services provided through internet access must be designed to handle the possibly much longer delay times associated with Internet access, varying connection speeds and less reliable data transfers.

3. Promised or guaranteed "remote" service quality as compared to "Aalto internal" service quality need to be adjusted accordingly.

4. Remote internet services are to be protected against the dangers associated with public networks.

Statement

Connection to Aalto IT services is easy and standardized. The Aalto IT service user needs to know only basic and standardized facts about Aalto IT services to connect and start using a service. However, the use of certain services may require specialized, non "IT service" related knowledge. 

Rationale

Aalto IT service users are not to be burdened with the complexity of service provision nor should it be necessary to spend an inappropriate amount of time to initiate a service connection.

Implications

The ease of use principle has the following implications:

1. Service provision interfaces need to be standardized and provide a similar services look and feel.

2. Service and inter-service dependencies are handled without undue service user intervention.

3. Service authentication, if required needs to be straight forward and understandable.

4. Initial authentication and verification ought to be in relation to identified risks.

5. Protection of Information in transfer ought to be transparent and verifiable to the service users.

Statement

Aalto IT service users must have the possibility to determine which service are available and under which conditions.

Rationale

Aalto IT services can only be used effectively and support the goals of the Aalto University when there is a general understanding:

1. Which IT services are available;

2. The benefits those services offer;

3. The conditions under which those service can be offered (where when and to whom);

4. How service delivery can be requested;

5. How information processed, stored or deleted is protected against unauthorized disclosure, use, modification or deletion.

Implications

Aalto IT needs to maintain and publish an IT service catalogue that:

1. describes the IT service offering in clear and concise terms;

2. provides information about the availability of all IT services;

3. Describes the service provision scope (internal only or remote);

4. Informs the prospective service users how a service can be requested and which conditions are associated to its usage (i.e. initial authentication, non-disclosure, personal use, non-commercially etc.);

5. Warns about precautions to take and possible risks associated with a service.
In addition for one time/ad-hoc service users: the service user must be informed about the "acceptable terms of use" and accept those terms before entrance to the network connecting to a service is granted.

Statement

Aallon IT-palvelujen ja sitä tukevan IT-infrastruktuurin tekninen hallinta on palvelun käyttäjästä erotettu, mutta käyttäjälle läpinäkyvää.

Rationale

Aallon IT-palvelujen ja IT-infrastruktuurin konfiguraation ja hallinnan eheys on edellytys Aallon IT-palvelujen hyvälle laadulle, suorituskyvylle, eheydelle ja turvallisuudelle, ja sitä sovelletaan kaikkiin sovelluksiin, järjestelmiin, palvelimiin, verkkoihin, laitteisiin ja hallintatyökaluihin.

Implications

Management of IT Services and service associated support systems, application and equipment must not be within the scope of control of ordinary IT service users. IT service management and associated support entities management are never allocated to regular IT service user ID's. Good IT management is a significant factor in the transparency of IT service provision and management.

Statement

The enterprise architecture emphasizes the following planning principles:

1. Use custom built services or application only when they are university specific.

2. Buy if services or applications are generic.

3. Use cloud for scale and for ease of provisioning.

4. Interoperability is necessary and based on transparency for core services and applications.

Rationale

80% of the service life-cycle costs are maintenance costs. In-house developments may seem cheaper but are in fact in the majority of cases more expensive in the long run. The following aspects of in-house development add significantly to the costs to maintain and own:

1. Usually poor or altogether failing documentation make troubleshooting much more time consuming

2. Error routines - the most difficult part of  solution development - are usually poorly or very poorly established

3. user-interfaces are less well developed and often sluggish

4. Integration with other service require additional tailoring (missing standard interfaces)

5. Change management is time consuming

6. Information security is an (expensive) development afterthought

7. User management poorly defined

8. Event tracing missing or poorly established.

9. Specialized maintenance knowledge required and external assistance difficult to get.

Implications

Developers need to seriously consider the rationale for buying before in-house development and consider all aspects the end-user needs, the needs of IT operations and the Aalto IT organization's development ability to meet those needs in a cost effective manner.

Statement

Before a solution can be developed the associated information structures and processes must be understood. Solution specific information architecture is based on (see also picture below):

1. Processes that are being served (automated) in the service.

2. Needs of the service end-user whilst deploying the service

3. Information referred to, modified, deleted or created during the served processes.

High level overview of process and information architecture relationships

Rationale

Solutions designed without a thorough understanding of:

1. What information is to be retrieved, processed or stored;

2. What information is needed to sustain the uninterrupted and reliable use of the service;

3. Which processes are involved, need to be changed, added or abolished; are highly unlikely to be effective, efficient and/or appropriate to support the needs of Aalto University end-users.

Implications

IT developers need to pay attention to the following information architecture aspects:

1. The information needs of the intended target group for the IT service;

2. Appropriate ease of use and timeliness for information retrieval, information interpretation/analysis/modification and information storage;

3. Information needed to sustain service provision;

4. Inter-service an/or inter-system dependencies;

5.determination of existing processes, to be modified processes, processes that will become obsolete and the overall efficiency effectiveness appropriateness and completeness of the processes associated with the IT service;

6. Education of end-users and service maintainers in modified and/or new processes and the reasons for abandoning obsolete processes.

Statement

Information security needs must be clarified in the early stages of IT project planning for new services or new systems supporting existing services.

Rationale

Technical information protection measures are in the majority of cases a part of multiple and fundamental IT solution building blocks. Failure to consider information protection measures in the beginning stages means - with great certainty - that those security mechanism need to be included later on. Adding information protection features in a late stage of the development increases implementation costs of those features by a factor of 10 or more. In addition, technical information protection features added at a late stage in the development process have proven many times over to be less effective and less user-friendly than information protection features planned at the beginning.

Implications

IT developers need to pay attention to the following information protection aspects:

1. Definition of the information architecture (including processes) parts that need special attention in terms of:
a .information disclosure to non-intended recipients
b. information availability for authorized users
c .information timeliness and correctness
d. information retention
e. non repudiation of events and transaction information
f .traceability of information retrieval, information modification or information deletion
g. the effects of information aggregation and data mining
h. any combination of the above listed factors;

2. Determination of a reasonable risk profile for each instance of special information care case mentioned above; 

3. Formulation of technical and procedural protection measures;

4. Co-operation with the information security unit and information/services owners about the appropriateness and costs of the designed information protection measures.

Statement

IT systems supporting IT services have inter-system dependencies. New developed systems must be mutually interoperable and use common information protocols and formats irrespective of system location, system type or system purpose.

Rationale

All IT systems supporting an Aalto service - including the support functions for those systems - must be able to exchange information whenever required to maintain a service without the need for end-user intervention. IT service system dependencies must be transparent to the end-user. System specific knowledge or skills ought not to be required when using Aalto University IT services. Furthermore the use of common agreed information exchange protocols and formats reduces the need for information conversion. 

Implication

See general EA principle G3

Statement

Application integration is required in the early project planning process for applications. It must be included in the project plan.  

Rationale

In the past, application integration has often been an afterthought, resulting in missing or inferior interfaces built quickly on a tight budget.

Implications

1.simplifies the integration of new services

2.speeds up the development of IT services

Statement

Based on a service-oriented architecture (SOA), and other forms of Application Program Interfaces (API), are preferred to direct data access.

Rationale

This approach will minimize direct access to data; thus lowering the risk of bypassing the business logic or compromising data integrity.  

Implications

Decrease information management overhead and synchronization efforts.