UCD Enterprise Architecture Principles

The complete set of UCD Enterprise Architecture Principles has been approved by the UMT Digital Campus Group to inform, guide and govern the design and deployment of applications and technologies across the University.

Alignment with these principles is a requirement for all initiatives, from departmental solutions deployed by individual schools and units, to centrally-managed university-wide platforms.  

These principles are supported by a detailed set of Non-functional Requirements (which outline Performance and Availability, System Integration and Interoperability, IT Security and Data Controls, and Service Management & Support requirements) which should be incorporated into the design, procurement, evaluation, and implementation of applications.

The Enterprise Architecture Principles are interrelated and should be considered as a cohesive set.

Statement

  • Decisions are made with a people-centric approach and the intention of achieving optimum benefit to the University as a whole

Rationale

  • Decisions made from a University-wide perspective and a strategic “big picture” viewpoint will drive long-term value across the University
  • Strive for services that meet essential requirements without unnecessary features.
  • Recognise that perfection is not always necessary. 
  • Prioritise value over perfection

Implications

  • Governance structures will be established to ensure that any conflicts between immediate local interests and long-term University-wide goals can be addressed in a fair and transparent manner
  • Investment priorities should be established for the entire University
  • The Digital Roadmap sets the overarching direction for IT enabled investments.
  • All applications deployed should align to UCD’s Digital Roadmap, which sets the direction for future use of applications within UCD’s digital campus

Statement

  • UCD must comply with all relevant internal and external laws, policies, statutory obligations, and regulations

Rationale

  • The University must be mindful to comply with laws, regulations, and external policies, ensuring they are identified as key prioritised requirements

Implications

  • Applications must comply with local laws and regulations regarding data privacy, security, and accessibility
  • Favour applications that are easily adaptable when statutory and regulatory obligations alter
  • Changes in the law and changes in regulations may drive changes in our applications
  • The procurement of all applications must adhere to UCD procurement policies and public procurement regulations and contractual obligations. See UCD Procurement and Contracts Office
  • All Applications used to store and process University, personal, and/or sensitive data must comply with GDPR and legal obligations. See UCD Office of the DPO, and UCD Legal Office 

Statement

  • Standardised university-wide applications are preferred over similar or duplicative departmental applications

Rationale

  • Reuse of common applications leads to a consistent and coherent experience for users and a simpler learning, familiarisation effort for everyone, and streamlines accurate data

Implications

  • Units and Schools will not be allowed to develop applications for their own use which are similar or duplicative of University-wide applications
  • Where a similar or duplicative solution is requested, this must be supported by a justification. This may be around a justifiable functional uniqueness or regulatory requirement
  • Schools/units should engage with IT Services to evaluate whether existing applications within the University can meet their needs, recognising that a non-perfect fit solution may be good enough
  • Applications should be catalogued in such a fashion that makes it easier to determine their reusability
  • Units and Schools which depend on applications which do not serve the entire University must change over to the replacement University-wide solutions. This will require establishment of and adherence to a policy requiring this
  • Data and information used to support University decision-making will be standardised to a much greater extent because departmental applications which produce data which is not shared among other Schools and Units will be replaced by University-wide solutions where the data produced can be shared across the University

Statement

  • Business operations need to be maintained in spite of interruptions

Rationale

  • Business areas throughout the organisation must be able to continue conducting their normal activities, regardless of external events - whether it’s a natural disaster, man-made or wilful damage such as a cyberattack or power failure

Implications

  • Business areas must determine the level of availability and recovery objectives that they need to ensure adequate business continuity, to be included in requirements and addressed at the time of the design
  • Dependencies on other applications and/or shared underlying technical components should be assessed during design
  • Applications should be assessed for criticality and dependencies, in order to inform disaster recovery planning
  • Business Continuity plans should be developed and tested by the business
  • Applications should have availability and security monitoring, with automated alerting for breaches

Statement

  • Strong relationships with strategic partners and vendors support and enable UCD’s future growth

Rationale

  • Strategic partnerships create value through focusing multi-disciplinary resources on achieving shared objectives and outcomes
  • By leveraging external partners and vendors, UCD can focus resources on what it does best and where the most benefit is derived
  • Strategic sourcing can reduce costs through economies of scale, better contract management, flexibility to scale operations, and mitigate risks associated with technology obsolescence and vendor lock-in 

Implications

  • Develop relationships with strategic partners which can provide broad services across the University
  • Robust vendor management is needed to evaluate, onboard, and manage partnerships effectively, including performance metrics, SLAs, and risk assessments
  • The enterprise must invest in technology that supports smooth integration between internal systems and external platforms
  • The Procurement Office should be engaged to ensure that the procurement process is adhered to for identifying and engaging with strategic partners
  • Periodically evaluate alternative strategic suppliers to ensure that the University doesn’t become locked in or overly dependent on a single strategic supplier, and that they support UCD's long-standing commitment to sustainability
  • Evaluate vendors on their maturity, viability, ability and credibility
  • Adherence with UCD Procurement Policy / Guidelines is a requirement. Units and Schools should engage with UCD Procurement as early as possible, so that they can be guided on procurement thresholds, particular frameworks available, and timeline considerations
  • The University is subject to EU and National Public Procurement legislation and all staff with responsibility for purchasing should be familiar with UCD’s Procurement / Purchasing Unit procedures and quotation and tender compliance requirements.
  • It is strongly recommended that all software and cloud service purchases are made using Purchase Orders (PO) as they include UCD’s standard terms and conditions. Where this is not possible, and the unit/school is purchasing using a Credit Card, the unit/school must review the vendor terms of use to evaluate and accept the risk prior to purchase

Statement

  • Application ownership requires appropriate authority and adequate resources for sustainable support

Rationale

  • Applications need to be sustainably supported so that they can be relied upon by students, staff, researchers and faculty

Implications

  • Every application must have a clearly identified and agreed Application Business Owner and Application Technical Owner in place to ensure that the application is correctly designed, developed, and deployed
  • Every application must have a clearly defined and agreed Application Business Contact and Application Technical Contact in place responsible for liaising with the Enterprise Architecture team to provide accurate and complete information about the application
  • Application Owners and Application Managers need to be aware of their roles and responsibilities, and empowered, so that they can perform them effectively

Statement

  • Users should have ready access to the information they need in carrying out their job

Rationale

  • Up-to-date and accurate information is a key input into decision making processes at all levels of the University - operational and strategic

Implications

  • Information needs to be timely, accurate and complete
  • Access to information should be defined by the role(s) of the user
  • Users should avoid creating separate replicas of data outside of master data systems where possible
  • Where the same data is stored across multiple applications, data replication relationships should be clearly defined and approved
  • Access to data does not constitute understanding of the data. Caution should be taken not to misinterpret information.
  • Users should be informed by business owners where and how to access information required to complete their business activities
  • Interfaces should be designed to mitigate impact to the University when changes occur
  • Confidentiality measures must be used to ensure that sensitive information is accessible only to authorised individuals or systems
  • Integrity measures must be used to ensure the accuracy and reliability of data by preventing unauthorised alterations or modifications
  • Availability measures must be used to ensure that data is accessible and usable when needed by authorised users
  • IT Services must be consulted at the evaluation stage where data integration with another system is required

Statement

  • Data must be protected from unauthorised use and disclosure

Rationale

  • Data is a valuable corporate resource; it has real measurable value
  • Unauthorised disclosure of personal or confidential University data can have a significant legal, financial and reputational consequence for the University, including fines
  • Data Protection by Design & Default is a GDPR concept (Article 25) and mandates integrating data protection measures into systems and processes from the outset and ensuring only necessary personal data is processed by default

Implications

  • Privacy and security of data is everyone’s responsibility and it is important for building trust
  • UCD data must be classified, and stored & processed appropriately
  • Confidentiality measures must ensure that data is kept secret and only accessible to authorised users by protecting data from unauthorised access, disclosure, or exposure
  • Applications should include an exit strategy for disengaging from the vendor or service, allowing UCD data to be recovered from the vendor and having an agreed retention schedule for any data stored
  • Where personal or sensitive data is being recorded or processed, it is recommended that a security partner be engaged to undertake an external security review of the proposed application
  • All Applications used to store and process University, personal, and/or sensitive data must comply with GDPR and legal obligations. See UCD Office of the DPO, and UCD Legal Office
  • The deployment of applications for research projects must comply with the University’s Research Data Management Policy

Statement

  • Universal Design ensures systems are inclusive, accessible, and usable by all individuals

Rationale

  • Universal Design supports UCD’s people-centric approach to service delivery
  • UCD is competing globally to attract students, researchers, faculty and staff
  • Universal Design fosters inclusivity, enhances user experience, meets legal accessibility standards, and drives innovation by accommodating diverse needs from the start, ultimately improving organisational efficiency and social responsibility
  • Internationalisation requires consideration of diverse cultural contexts, languages, and regulatory requirements

Implications

  • Promote Universal Design Standards for accessibility, consistency and ease-of-use through the end user experience
  • Accessibility testing is carried out according to agreed standards in order to ensure an optimal user experience for users with accessibility needs
  • User interfaces should be responsive to device formats and adopt the latest standards whilst maintaining backwards compatibility with supported systems
  • Users should have access to self-serve options where appropriate
  • All Applications must support accessibility standards, to ensure all users are able to perceive, understand, navigate and interact with our services. See UCD Accessibility
  • Applications should be designed with internationalisation in mind from the outset, to ensure a consistent user experience across different languages and regions
  • Applications should be ready for localisation without requiring significant redesign, redevelopment, or performance degradation. This includes support for multiple character sets, languages (including right-to-left), date formats, currency formats, and cultural conventions
  • Applications should provide mechanisms for easy content translation and updates, including dynamic content, and user interface elements should be designed to accommodate varying lengths of text and different alphabets
  • There are specific technical challenges related to providing access to applications and technologies to some overseas campuses (such as the China Joint Colleges Office), including but not limited to data security, internet restrictions, and regulatory requirements. This may require setting up localised infrastructure (application and technologies) to ensure compliance with national laws
  • The Irish Language Act 2021 increases the obligations on UCD to promote the use of the Irish language for official purposes 

Statement

  • Users should be automatically provisioned with access to the services and applications needed to do their job, based on their role within the university, eliminating the need to request it

Rationale

  • Provisioning access to standardised and high-volume services and applications based on established University roles simplifies the onboarding experience for users and allows them to get started more quickly
  • Reduces data protection risks - as users move roles their access changes to reflect this
  • Reduces user support therefore improves user experience
  • Self-service on-request access should be provided where access requirements are specific to individuals

Implications

  • Providing users with seamless access to applications automatically encourages the use of existing available applications and technologies
  • Access to applications and data should be role based, based on a person’s record
  • Application-level roles should be mapped to organisational roles where possible
  • Users should have a single identity related to their capacity within the University (e.g. staff, student) which is maintained throughout their lifecycle with the University in the central Identity Management system
  • Automated provisioning is best suited for repetitive, high-volume requests that benefit from consistency and predefined rules
  • Applying automation to all services can introduce rigidity or inefficiencies in handling unique needs
  • Self-service enhances user satisfaction and agility by allowing on-demand access while still ensuring compliance with established governance policies.
  • Services enabled for self-service must be designed with user-friendly interfaces and clear guidance to ensure effective adoption
  • Appropriate governance and controls must be implemented to prevent misuse or misconfiguration
  • Ensure alignment with security and compliance standards through access controls, role-based authorisations, and audit trails 

Statement

  • Consider packaged solutions before custom-build applications and configuration before customisation

Configuration refers to tailoring of an application using built-in tools without alteration of the underlying code. Customisation refers to modifications or extensions to the application's underlying source code.

Rationale

  • Packaged applications come with built in processes that are typically well tested and based on market standards
  • Building customisation and bespoke applications requires functional and technical expertise, often relying on niche skills that are in short supply. They can also introduce deployment, technical performance, and data privacy and security risks.
  • There may be exceptional cases to justify a customisation or bespoke development where critical business or technical capabilities cannot be met with configuration of a packaged solution.

Implications

  • A detailed analysis of options should be considered including the availability of packaged solutions, the business requirements and the cost of each option
  • When procuring and implementing new solutions, consider whether the solution supports a person-centric approach and consider whether university business processes can be amended to simplify implementation, or where requirements exist that require tailoring in some form to deliver - the application should be configured rather than customised
  • The justification and cost/benefit analysis for customisations or bespoke development should take into account the cost and resource implications for the implementation and ongoing support.

Statement

  • Consider cloud services before selecting or implementing on premise alternatives

Rationale

  • Rapid deployment of cloud resources allows the University to work in a more agile manner
  • Cloud solutions may be designed to be highly durable and spread across multiple geographic locations to reduce availability risks

Implications

  • Utilise cloud services and infrastructure that support auto-scaling and on-demand resource allocation
  • Consider “subscription” over purchasing where possible and practical
  • Cloud solutions providers and hosting providers must adhere to international security standards, such as ISO27001 and SOC2
  • Develop an exit strategy before adopting Cloud solutions to avoid vendor lock-in
  • Prioritise Software-as-a-Service (SaaS) services, over Platform-as-a-Service (PaaS), over Infrastructure-as-a-Service (IaaS), over on premise when evaluating hosting options

Statement

  • Technology diversity is managed, to minimise the additional effort and cost associated with implementing and maintaining disparate solutions

Rationale

  • Embrace industry standards
  • Standardise to reduce needless diversity

Implications

  • Existing technologies should be considered before new technologies are introduced
  • Governance processes, supported by appropriate resources and tools should be put in place to control technical diversity
  • We should be cognisant of technology advances, and adopt where benefits can be demonstrated

Statement

  • Decisions around implementing applications must meet clearly defined and agreed requirements supporting a person-centric approach.

Rationale

  • Ensure that applications adequately support both functional and non-functional requirements

Implications

  • Digital transformation of the University is achieved through a coordinated approach across the University
  • Changes, such as the introduction or removal of applications, should be supported by a clear and transparent decision-making process with due diligence and risk oversight
  • All applications should go through a review process before they are shared with other schools/units, or used to support University-wide business processes
  • Where an application requires IT Services assistance in the design, deployment, or operation, it must be submitted as an IT Project. See Request an IT Project for further details on the IT projects planning process. The planning and prioritisation of IT Projects is governed by the UMT Digital Campus Group
  • UCD has adopted PM2 as its recommended Project Management Methodology, so that, at an enterprise level, we have a defined, consistent way of working on projects
  • Changes should follow examination of the impact on the enterprise architecture.
  • Where changes to the architecture are going to be made, the architecture documentation should be kept updated
  • The University must continually invest in necessary resourcing for the evolution of applications to ensure that the fit is maintained
  • Evolving technologies will be monitored for acceptable use
  • All Applications must be registered before acquisition, and the registration updated before rollout, and at decommissioning. See Application Registration process

Statement

  • Balance long-term capacity and capability needs with cost effective and scalable, flexible, and extensible architectures

Rationale

  • To maintain competitiveness and operational efficiency, the University’s digital campus must accommodate growth, adapt to evolving technologies, and seamlessly integrate new functionalities

Implications

  • Applications should be designed to be scalable, flexible, and extensible to support current and future business needs, ensuring that they can efficiently adapt to changes in workload, technology, and business requirements, in a sustainable manner
  • Continuously monitor and optimise the performance and efficiency of applications to ensure they meet current and future demands, against service levels to make timely and quality decisions
  • Service levels should be defined when new processes and applications are being introduced and agreed between the provider and business owner
  • Applications should produce metrics and alerts to identify where service levels are not being met
  • Applications and services should not be designed with dependencies on deprecated components
  • Employ performance testing and tuning as part of the development lifecycle
  • Applications and technologies should be energy efficient and optimised to reduce their environmental impact
  • Ensure that IT partners and vendors have leading corporate social and environmental policies and practices, with sustainability-based certifications and documentation 

Statement

  • Security is integral, and must be considered across all layers including application, device, network and identity

Rationale

  • Strong security, and enhanced privacy for all is a constructive, win-win for both the University and all users

Implications

  • All applications must be configured and maintained in a secure manner to protect the digital assets of the University
  • Security requirements, including technical controls, auditing and incident management should be captured as part of requirements analysis
  • Security design should be based on “defence in depth” and assume that individual control failures shouldn’t result in security breaches
  • When allowing access to a resource, assign the minimum necessary privileges / ‘minimum access (rights and permissions)’ that are required for users to complete their job function. These permissions must be reviewed on a regular basis
  • All applications should implement robust user account management and role-based access control - permissions should be assigned, relevant to the user's role(s) in UCD
  • Processes must be put in place to create, update, and remove accounts and update role-based access permissions as employees leave UCD or move to new positions
  • Privileged accounts (accounts with administrative, or root access, or other special or elevated permissions) must not be used for routine access, must be proactively monitored, must have enhanced security measures applied (such as multi factor authentication), and all user access routinely reviewed
  • Access to all applications processing University data must be password protected and adhere to UCD’s Password Protection Policy
  • Devices accessing or connecting to University systems and networks must adhere to UCD’s Device Protection Policy
  • Users accessing or connecting to University systems and networks must adhere to UCD’s Information Technology Services Acceptable Use Policy
  • All security incidents must be reported to the appropriate authority in the University

UCD IT Services

Computer Centre, University College Dublin, Belfield, Dublin 4, Ireland.

Contact us via the UCD IT Support Hub: www.ucd.ie/ithelp