SABSAcourses
An overview of the SABSA Methodology
SABSA Foundation 2010 1
What is SABSA?
Sherwood Applied Business Security Architecture
- The world’s leading free-use and open-source security architecture development and management method
- Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
- Development, maintenance, certification and accreditation are governed by the SABSA Institute
What is SABSA?
Sherwood Applied Business Security Architecture
- Comprised of a number of integrated frameworks, models, methods and processes, including:
  - Business Requirements Engineering Framework (also known as Attributes Profiling)
  - Risk & Opportunity Management Framework
  - Policy Architecture Framework
  - Security Services-Oriented Architecture Framework
  - Governance Framework
  - Security Domain Framework
  - Through-life Security Service & Performance Management
What is SABSA?
SABSA History & Development
- White Paper originally authored by John Sherwood, 1995
- First use in global financial messaging (S.W.I.F.T.net), 1995
- SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005
  - “Enterprise Security Architecture: A Business-driven Approach”
  - ISBN 1-57820-318-X
- Adopted as UK MoD Information Assurance Standard, 2007
- Certification programme introduced March 2007
Why is SABSA So Successful?
Institute Status
- In the UK, “Institute” has a protected and highly-regulated status
- SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
  - SABSA Intellectual Property can never be sold
  - Underwrites free-use status in perpetuity
  - Guarantees protected on-going development
- Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community
Why is SABSA So Successful?
Features & Advantages Summary

| Feature                 | Advantage                                     |
|-------------------------|-----------------------------------------------|
| Business-driven         | Value-assured                                 |
| Risk-focused            | Prioritised & proportional responses          |
| Comprehensive           | Scalable scope                                |
| Modular                 | Agility - ease of implementation & management |
| Open Source (protected) | Free use, open source, global standard        |
| Auditable               | Demonstrates compliance                       |
| Transparent             | Two-way traceability                          |
Why is SABSA So Successful?
Unique Selling Points & “Elevator Pitches”
- Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers
- There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”
Why is SABSA So Successful?
Competency-based Professional Certification
- Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
  - They are required to demonstrate application of skill
  - Career progression is achieved by ‘doing’ not ‘knowing’
- Certification by the SABSA Institute is competency-based
  - It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world
How is SABSA Used?
Applications of SABSA
- Enterprise Security Architecture
- Enterprise Architecture
- Individual solutions-based Architectures
- Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
- Filling the security architecture and security service management gaps in other frameworks
How is SABSA Used?
Applications of SABSA
- Business requirements engineering
- Solutions traceability
- Risk & Opportunity Management
- Information Assurance
- Governance, Compliance & Audit
- Policy Architecture
How is SABSA Used?
Applications of SABSA
- Security service management
- IT Service management
- Security performance management, measures & metrics
- Service performance management, measures & metrics
- Over-arching decision-making framework for end-to-end solutions
Who Uses SABSA?
SABSA User Base
- As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations
- However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects
- There are SABSA Chartered Architects at Foundation Level (SCF) in more than 50 countries, on every continent, and from every imaginable business sector
Who Uses SABSA?
Growth & Standardisation
- SABSA is a standard (formal & de facto) world-wide, including:
  - UK Ministry of Defence - Information Assurance Standard
  - Canadian Government - Architecture Development Standard
  - The Open Group – TOGAF Security Standard
  - USA Government – NIST Security Standard for SmartGrid
  - Finance Sector – including European Central Bank & Westpac
- And is widely referenced as a recommended approach, including:
  - ISACA - CISM Study Guides & Examinations
  - IT Governance Institute – Executive Guide to Governance
Where is SABSA Used?
SABSA Demographics
- Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
- Americas: Argentina, Canada, Colombia, Mexico, United States
- Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
- Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom
When is SABSA Used?
SABSA as a Through-Life Solution Framework
- SABSA is used ‘through-life’ – throughout the entire lifecycle from business requirements engineering to managing the solutions delivered

| View                   | Architecture layer       |
|------------------------|--------------------------|
| Business View          | Contextual Architecture  |
| Architect’s View       | Conceptual Architecture  |
| Designer’s View        | Logical Architecture     |
| Builder’s View         | Physical Architecture    |
| Tradesman’s View       | Component Architecture   |
| Service Manager’s View | Operational Architecture |

Lifecycle phases shown alongside the layers: Strategy & Planning, Design, Implement, Manage & Measure.
Independent Assessment of Frameworks
- Independent assessment on behalf of UK Government (Jan 2007)
- Assessed Information Assurance and Architecture frameworks
  - Open source, e.g. SABSA
  - Proprietary, e.g. Gartner
  - Provider, e.g. IBM MASS
  - Pre-existing in-house methodologies and frameworks
- SABSA top-scored in every assessment category
- Discriminating factors included
  - Comprehensive, flexible and adaptable
  - Competency development and training
  - Non-proprietary / open source
  - Business and risk focus
  - No ties to specific vendors or suppliers
  - No ties to specific standards or technologies
  - Enables open competition
The Issue with Architectural Strategy
Business View – Survival Strategy
- Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion… or it will be killed.
- Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle… or it will die of starvation.
- Is it better to be a Lion or a Gazelle?
When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!
SABSA Architecture Guiding Principles
- Architecture must not presuppose any particular:
  - Cultures or operating regimes
  - Management style
  - Set of management processes
  - Management standards
  - Technical standards
  - Technology platforms
SABSA Architecture Guiding Principles
- Architecture must meet YOUR unique set of business requirements
- Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation
  - ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc.
  - ITIL, TNN, ISO 9000, etc.
  - AS / NZS 4360, Basel ii, ISO 27005, etc.
  - Balanced scorecards, capability maturity models, ROI, NPV, etc.
- When a question is asked starting with “Is this Architecture compatible / compliant with…?”, a good Architecture framework will automatically have the answer “Yes”
- A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
- It does not replace ITIL or ISO 27001 or NIST etc. but rather enables their deployment and effective integration into the corporate culture
Built to Drive Complex Design Solutions
- SABSA was influenced in 1995 by the need to enhance ISO 7498-2
Diagram: the seven ISO 7498-1 (OSI) layers (Applications, Presentation, Session, Transport, Network, Link, Physical) shown alongside ISO 7498-2, which adds Logical Security Services and Physical Security Mechanisms to the same stack. The SABSA Views extend this with Contextual and Conceptual Architecture (Business Driven Requirements & Strategy), Logical, Physical and Component Architecture (Detailed Custom Specification), and Operational Architecture (Service Management).
Architecture Reconsidered

| View                   | Architecture layer       |
|------------------------|--------------------------|
| Business View          | Contextual Architecture  |
| Architect’s View       | Conceptual Architecture  |
| Designer’s View        | Logical Architecture     |
| Builder’s View         | Physical Architecture    |
| Tradesperson’s View    | Component Architecture   |
| Service Manager’s View | Operational Architecture |
Vertical Analysis: Six Honest Serving Security Men

| Question | Asked at each layer                     | Meaning                                                         |
|----------|-----------------------------------------|-----------------------------------------------------------------|
| What     | What are we trying to do at this layer? | The assets, goals & objectives to be protected & enhanced       |
| Why      | Why are we doing it?                    | The risk & opportunity motivation at this layer                 |
| How      | How are we trying to do it?             | The processes required to achieve security at this layer        |
| Who      | Who is involved?                        | The people and organisational aspects of security at this layer |
| Where    | Where are we doing it?                  | The locations where we are applying security at this layer      |
| When     | When are we doing it?                   | The time related aspects of security at this layer              |
The SABSA Matrix

| Layer              | Assets (What)                      | Motivation (Why)                  | Process (How)                    | People (Who)                           | Location (Where)          | Time (When)                    |
|--------------------|------------------------------------|-----------------------------------|----------------------------------|----------------------------------------|---------------------------|--------------------------------|
| Contextual         | Business Decisions                 | Business Risk                     | Business Processes               | Business Governance                    | Business Geography        | Business Time Dependence       |
| Conceptual         | Business Knowledge & Risk Strategy | Risk Management Objectives        | Strategies for Process Assurance | Roles & Responsibilities               | Domain Framework          | Time Management Framework      |
| Logical            | Information Assets                 | Risk Management Policies          | Process Maps & Services          | Entity & Trust Framework               | Domain Maps               | Calendar & Timetable           |
| Physical           | Data Assets                        | Risk Management Practices         | Process Mechanisms               | Human Interface                        | ICT Infrastructure        | Processing Schedule            |
| Component          | ICT Components                     | Risk Management Tools & Standards | Process Tools & Standards        | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools |
| Service Management | Service Delivery Management        | Operational Risk Management       | Process Delivery Management      | Personnel Management                   | Management of Environment | Time & Performance Management  |
Architecture Strategy & Planning Phase

| Aspect           | Contextual cell          | Contextual content                                             | Conceptual cell                    | Conceptual content                                          |
|------------------|--------------------------|----------------------------------------------------------------|------------------------------------|-------------------------------------------------------------|
| Assets (what)    | Business Decisions       | Taxonomy of Business Assets, including Goals & Objectives      | Business Knowledge & Risk Strategy | Business Attributes Profile                                 |
| Motivation (why) | Business Risk            | Opportunities & Threats Inventory                              | Risk Management Objectives         | Enablement & Control Objectives; Policy Architecture        |
| Process (how)    | Business Processes       | Inventory of Operational Processes                             | Strategies for Process Assurance   | Process Mapping Framework; Architectural Strategies for ICT |
| People (who)     | Business Governance      | Organisational Structure & the Extended Enterprise             | Roles & Responsibilities           | Owners, Custodians & Users; Service Providers & Customers   |
| Location (where) | Business Geography       | Inventory of Buildings, Sites, Territories, Jurisdictions etc. | Domain Framework                   | Security Domain Concepts & Framework                        |
| Time (when)      | Business Time Dependence | Time Dependencies of Business Objectives                       | Time Management Framework          | Through-life Risk Management Framework                      |
Architecture Design Phase

| Aspect           | Logical cell             | Logical content                                               | Physical cell             | Physical content                                      | Component cell                         | Component content                                                     |
|------------------|--------------------------|---------------------------------------------------------------|---------------------------|-------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------|
| Assets (what)    | Information Assets       | Inventory of Information Assets                               | Data Assets               | Data Dictionary & Data Inventory                      | ICT Components                         | ICT Products, Data Repositories & Processors                          |
| Motivation (why) | Risk Management Policies | Domain Policies                                               | Risk Management Practices | Risk Management Rules & Procedures                    | Risk Management Tools & Standards      | Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment |
| Process (how)    | Process Maps & Services  | Information Flows; Functional Transformations; SOA            | Process Mechanisms        | Applications, Middleware; Systems; Security Mechanisms | Process Tools & Standards             | Tools & Protocols for Process Delivery                                |
| People (who)     | Entity & Trust Framework | Entity Schema; Trust Models; Privilege Profiles               | Human Interface           | User Interface to ICT Systems; Access Control Systems | Personnel Management Tools & Standards | Identities, Job Descriptions; Roles; Functions; Actions & ACLs        |
| Location (where) | Domain Maps              | Domain Definitions; Inter-domain Associations & Inter-actions | ICT Infrastructure        | Host Platforms & Networks Layout                      | Locator Tools & Standards              | Nodes, Addresses & Other Locators                                     |
| Time (when)      | Calendar & Timetable     | Start Times, Lifetimes & Deadlines                            | Processing Schedule       | Timing & Sequencing of Processes & Sessions           | Step Timing & Sequencing Tools         | Time Schedules; Clocks; Timers & Interrupts                           |
Design Framework (Service Management View)
- Contextual Security Architecture
- Conceptual Security Architecture
- Logical Security Architecture
- Physical Security Architecture
- Component Security Architecture
- Security Service Management Architecture (overlaying each of the five layers above)
SABSA Service Management Architecture

| Layer                        | Assets (What)               | Process (How)                | Location (Where)             | People (Who)             | Time (When)                         | Motivation (Why)                 |
|------------------------------|-----------------------------|------------------------------|------------------------------|--------------------------|-------------------------------------|----------------------------------|
| Service Management (Layer 6) | Service Delivery Management | Process Delivery Management  | Management of Environment    | Personnel Management     | Time & Performance Management       | Operational Risk Management      |
| Contextual                   | Business Driver Definitions | Service Management           | Point-of-Supply Management   | Relationship Management  | Performance Management              | Business Risk Assessment         |
| Conceptual                   | Proxy Asset Definitions     | Service Delivery Planning    | Service Portfolio            | Service Management Roles | Service Level Definitions           | Developing ORM Objectives        |
| Logical                      | Asset Management            | Service Delivery Management  | Service Catalogue Management | Service Customer Support | Evaluation Management               | Policy Management                |
| Physical                     | Asset Security & Protection | Service Resources Protection | Operations Management        | User Support             | Service Performance Data Collection | Operational Risk Data Collection |
| Component                    | Tool Protection             | Security Management Tools    | Tool Deployment              | Personnel Deployment     | Service Monitoring Tools            | ORM Tools                        |

The first row is a repeat of Layer 6 of the main SABSA Matrix. The five rows below it are an exploded overlay of how this Layer 6 relates to each of the other Layers.
Built to Integrate Management Practices
- SABSA Service Management designed to comply with, integrate, and enable management best practice of the day
Diagram: the Operational Architecture (Service Management) was designed-in, then, against BS7799(1) (controls library) and BS7799(2) (ISMS), the Code of Practice for Information Security Management; it is compatible, now, with ISO 17799 (controls library), ISO 27001 (ISMS), ISO 27002 (controls library) and ISO 20000 / ITIL, the Code of Practice for Information Technology Service Management.
SABSA Top-Down Process Analysis
- Contextual: Meta-Processes
- Conceptual: Strategic View of Process
- Logical: Information Flows & Transformations
- Physical: Data Flows & System Interactions
- Component: Protocols & Step Sequences
Vertical Security Consistency runs down through the layers; Horizontal Security Consistency runs across each layer.
Traceability For Completeness
Contextual Security Architecture → Conceptual Security Architecture → Logical Security Architecture → Physical Security Architecture → Component Security Architecture → Security Service Management Architecture (traced top-down from business requirement to delivered element)
- Every business requirement for security is met and the residual risk is acceptable to the business appetite
Traceability For Justification
Contextual Security Architecture ← Conceptual Security Architecture ← Logical Security Architecture ← Physical Security Architecture ← Component Security Architecture ← Security Service Management Architecture (traced bottom-up from delivered element to business requirement)
- Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.
The Problem of Defining Security
- “Security is the means of achieving an acceptable level of residual risks”
- “The value of the information has to be protected”
- “This value is determined in terms of confidentiality, integrity & availability”
SABSA Business Attributes
- Powerful requirements engineering technique
- Populates the vital ‘missing link’ between business requirements and technology / process design
- Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
- Attributes can be tangible or intangible
- Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
- Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
- The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
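As an added illustration (not code from the SABSA course material), the following Python models a small business attribute profile as described above, with a metric and performance target per attribute and two-way traceability to the controls that deliver each attribute, so that the completeness and justification checks from the traceability slides can be run over it. Attribute names are taken from the slide deck’s sample taxonomy; the definitions, metrics, targets, controls and measured values are constructed sample data.

```python
"""Business Attributes Profile with two-way traceability.

Added illustration of the SABSA ideas on this page, not code from the SABSA
course material. Each business attribute carries an organisation-specific
definition, a metric and a performance target (set in Strategy & Planning)
and is reported against in Manage & Measure; each control (security service,
mechanism or tool) is linked to the attributes it delivers, so traceability
can be checked in both directions:
  completeness  - every attribute is delivered by at least one control
  justification - every control is justified by at least one attribute
Attribute names come from the slide's sample taxonomy; definitions, metrics,
targets, measured values and control names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# SABSA layers, top-down; used to order a vertical trace.
LAYERS = ["Contextual", "Conceptual", "Logical", "Physical", "Component", "Operational"]


@dataclass
class Attribute:
    name: str                  # e.g. "Available" (from the sample taxonomy)
    definition: str            # meaning customised for this organisation
    metric: str                # measurement approach
    target: float              # performance target agreed with the business
    higher_is_better: bool = True


@dataclass
class Control:
    name: str                  # security service / mechanism / tool
    layer: str                 # SABSA layer at which it is specified
    supports: List[str] = field(default_factory=list)  # attributes it delivers


def completeness_gaps(attrs: List[Attribute], controls: List[Control]) -> List[str]:
    """Attributes that no control supports: a business requirement left unmet."""
    covered = {a for c in controls for a in c.supports}
    return sorted(a.name for a in attrs if a.name not in covered)


def justification_gaps(attrs: List[Attribute], controls: List[Control]) -> List[str]:
    """Controls that support no defined attribute: spend with no business justification."""
    known = {a.name for a in attrs}
    return sorted(c.name for c in controls if not any(s in known for s in c.supports))


def trace(attr_name: str, controls: List[Control]) -> List[Tuple[str, str]]:
    """Vertical trace for one attribute: (layer, control) pairs, top layer first."""
    hits = [(c.layer, c.name) for c in controls if attr_name in c.supports]
    return sorted(hits, key=lambda h: (LAYERS.index(h[0]), h[1]))


def performance_report(attrs: List[Attribute], measured: Dict[str, float]) -> Dict[str, str]:
    """Manage & Measure view: each attribute's measured value against its target."""
    report: Dict[str, str] = {}
    for a in attrs:
        value = measured.get(a.name)
        if value is None:
            report[a.name] = "NOT MEASURED"
            continue
        met = value >= a.target if a.higher_is_better else value <= a.target
        report[a.name] = "MET" if met else "BREACHED"
    return report


# Constructed sample profile (not from the original slides).
ATTRIBUTES = [
    Attribute("Available", "Payment service reachable by customers during published hours",
              "monthly uptime %", 99.9),
    Attribute("Recoverable", "Service restored after an outage within the agreed window",
              "hours to restore after outage", 4.0, higher_is_better=False),
    Attribute("Access-controlled", "Only authorised staff hold privileged access",
              "% of privileged accounts reviewed each quarter", 100.0),
    Attribute("Auditable", "Security-relevant events can be reconstructed after the fact",
              "% of security events retained for 12 months", 100.0),
]

CONTROLS = [
    Control("Clustered application hosting", "Physical", ["Available"]),
    Control("Daily backup with monthly restore test", "Physical", ["Recoverable", "Available"]),
    Control("Availability monitoring agent", "Component", ["Available"]),
    Control("Quarterly privileged access review", "Logical", ["Access-controlled"]),
    Control("Web application firewall", "Component", []),   # no attribute cites it
]

# Constructed measurements for the reporting period.
MEASURED = {"Available": 99.95, "Recoverable": 6.0, "Access-controlled": 100.0}


if __name__ == "__main__":
    print("Unmet attributes:    ", completeness_gaps(ATTRIBUTES, CONTROLS))
    print("Unjustified controls:", justification_gaps(ATTRIBUTES, CONTROLS))
    print("Trace 'Available':   ", trace("Available", CONTROLS))
    for name, status in performance_report(ATTRIBUTES, MEASURED).items():
        print(f"{name:18} {status}")
```

On the sample data the completeness check flags Auditable (no control delivers it) and the justification check flags the web application firewall (no attribute cites it), while the report shows the recovery target breached and Auditable unmeasured.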
Sample Taxonomy of ICT Attributes
Attribute categories: Business Attributes, grouped as User Attributes, Management Attributes, Operational Attributes, Risk Management Attributes, Legal / Regulatory Attributes, Technical Strategy Attributes and Business Strategy Attributes.
Attributes shown on the slide (alphabetical): Access-controlled, Accessible, Accountable, Accurate, Admissible, Anonymous, Architecturally Open, Assurable, Assuring Honesty, Auditable, Authenticated, Authorised, Automated, Available, Brand Enhancing, Business-Enabled, Capturing New Risks, Change-managed, Compliant, Competent, Confident, Confidential, Consistent, Continuous, Controlled, Cost-Effective, COTS/GOTS, Credible, Crime-Free, Culture-sensitive, Current, Detectable, Duty Segregated, Educated & Aware, Efficient, Enabling time-to-market, Enforceable, Error-Free, Extendible, Flexible / Adaptable, Flexibly Secure, Future-Proof, Governable, Identified, In our sole possession, Independently Secure, Informed, Insurable, Integrity-Assured, Inter-Operable, Legacy-Sensitive, Legal, Liability Managed, Maintainable, Measured, Migratable, Monitored, Motivated, Multi-Sourced, Non-Repudiable, Owned, Private, Productive, Protected, Providing Good Stewardship and Custody, Providing Investment Re-use, Providing Return on Investment, Recoverable, Regulated, Reliable, Reputable, Resolvable, Responsive, Scalable, Simple, Standards Compliant, Supportable, Supported, Time-bound, Timely, Traceable, Transparent, Trustworthy, Upgradeable, Usable.
Attributes Usage
- Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop
- Pick-list of desired requirements
- Cross-check for completeness of requirements
- Key to traceability mappings
- Measurement & operations – contracts, SLAs, performance targets
- Return on Investment & Value propositions
- Procurement
- Risk status summary & risk monitoring
- Key to a SABSA integrated compliance tool
- Powerful executive communications
SABSA BAP - the Key to Framework Integration
Extract reproduced with permission from Hans Hopman, ISO 27000 committee
Security Services Value Reconsidered
Risk Context
Risk Reconsidered - SABSA O.R.M.
Diagram: Assets at Risk sit between two symmetrical branches.
- Negative Outcomes: Threats lead to a Loss Event. The overall likelihood of loss combines the likelihood of the threat materialising with the likelihood of a weakness being exploited; the overall loss value combines the asset value with the negative impact value.
- Positive Outcomes: Opportunities lead to a Beneficial Event. The overall likelihood of benefit combines the likelihood of the opportunity materialising with the likelihood of a strength being exploited; the overall benefit value combines the asset value with the positive impact value.
Feedback Control Loop System
Diagram: the System is observed by a Monitoring & Measurement Sub-System, which reports the new state of the system to a Decision Sub-System; the Decision Sub-System calls for new parameter settings from the Control Sub-System, which in turn affects the state of the System.
SABSA Multi-tiered Control Strategy
- Deterrence
- Prevention
- Containment
- Detection & Notification
- Recovery & Restoration
- Evidence Collection & Tracking
- Audit & Assurance
SABSA Operation of Controls
Diagram: Threats exploit Vulnerabilities, causing Incidents, affecting Assets, producing Business Impacts.
- Deterrent Controls reduce Threats
- Preventive Controls reduce Vulnerabilities
- Detective Controls discover Incidents and trigger Corrective Controls
- Corrective Controls reduce Business Impacts
- Incidents and their Business Impacts trigger Risk Assessment, which leads to the Selection of Controls
Taxonomy of Cognitive Levels (Foundation)

| Competency Level | Skill Demonstrated | Task Examples |
|------------------|--------------------|---------------|
| 1 Knowledge | Observation and recall of information; knowledge of facts; knowledge of major ideas; mastery of subject matter; carry out research to find information | List, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify |
| 2 Comprehension | Understand information; grasp meaning; translate knowledge into new context; interpret facts, compare, contrast; order, group, infer causes; predict consequences | Summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend |
Taxonomy of Cognitive Levels (Practitioner)

| Competency Level | Skill Demonstrated | Task Examples |
|------------------|--------------------|---------------|
| 3 Application | Use information; use methods, concepts, theories in new situations; solve problems using required skills or knowledge | Apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover |
| 4 Analysis | Seeing patterns; organisation of parts; recognition of hidden meanings; identification of components | Analyse, separate, order, connect, classify, arrange, divide, compare, select, infer |
Taxonomy of Cognitive Levels (Master)

| Competency Level | Skill Demonstrated | Task Examples |
|------------------|--------------------|---------------|
| 5 Synthesis | Use old ideas to create new ones; generalise from given facts; relate knowledge from several areas; predict, draw conclusions | Combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite |
| 6 Evaluation | Compare and discriminate between ideas; assess value of theories, presentations; make choices based on reasoned argument; verify value of evidence; recognise subjectivity | Assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude |
For More Information
- SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach”
  - Currently - CMP Books (Elsevier)
  - Kindle version now available
- SABSA Executive White Paper
- SABSA – TOGAF White Paper
- SABSA Institute – sabsa.org
- SABSA Training & Certification – sabsacourses.com

More Related Content

PPTX
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
PPT
SABSA - Business Attributes Profiling
SABSAcourses
 
PPTX
SABSA Implementation(Part I)_ver1-0
Maganathin Veeraragaloo
 
PDF
Security review using SABSA
Maganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part III)_ver1-0
Maganathin Veeraragaloo
 
PPTX
Modelling Security Architecture
narenvivek
 
PDF
SABSA: Key features, advantages & benefits summary
SABSAcourses
 
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
SABSA - Business Attributes Profiling
SABSAcourses
 
SABSA Implementation(Part I)_ver1-0
Maganathin Veeraragaloo
 
Security review using SABSA
Maganathin Veeraragaloo
 
SABSA Implementation(Part III)_ver1-0
Maganathin Veeraragaloo
 
Modelling Security Architecture
narenvivek
 
SABSA: Key features, advantages & benefits summary
SABSAcourses
 

What's hot (20)

PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
PPTX
Enterprise Security Architecture Design
Priyanka Aash
 
PPTX
Enterprise Security Architecture
Priyanka Aash
 
PPTX
SABSA Implementation(Part V)_ver1-0
Maganathin Veeraragaloo
 
PDF
Enterprise Security Architecture
Priyanka Aash
 
PDF
SABSA white paper
SABSAcourses
 
PDF
Enterprise Security Architecture
Kris Kimmerle
 
PDF
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
PPTX
Adaptive Enterprise Security Architecture
SABSAcourses
 
PDF
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
PPTX
SABSA Implementation(Part IV)_ver1-0
Maganathin Veeraragaloo
 
PDF
Practical Enterprise Security Architecture
Priyanka Aash
 
PPTX
NIST Critical Security Framework (CSF)
Priyanka Aash
 
PPTX
Security architecture frameworks
John Arnold
 
PPTX
Compliance to Enablement - SABSA & GDPR
SABSAcourses
 
PPTX
Conceptual security architecture
MubashirAslam5
 
PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
PPTX
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
Enterprise Security Architecture Design
Priyanka Aash
 
Enterprise Security Architecture
Priyanka Aash
 
SABSA Implementation(Part V)_ver1-0
Maganathin Veeraragaloo
 
Enterprise Security Architecture
Priyanka Aash
 
SABSA white paper
SABSAcourses
 
Enterprise Security Architecture
Kris Kimmerle
 
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Adaptive Enterprise Security Architecture
SABSAcourses
 
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
SABSA Implementation(Part IV)_ver1-0
Maganathin Veeraragaloo
 
Practical Enterprise Security Architecture
Priyanka Aash
 
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Security architecture frameworks
John Arnold
 
Compliance to Enablement - SABSA & GDPR
SABSAcourses
 
Conceptual security architecture
MubashirAslam5
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
Ad

Similar to SABSA overview (20)

PPT
Mcs2453 aniq mc101053-assignment2
Aniq Eastrarulkhair
 
PPTX
ESA for Business
Maganathin Veeraragaloo
 
PPTX
The Role of Architecture in the Enterprise
Peter Nikitser
 
PDF
Security-by-Design in Enterprise Architecture
The Open Group SA
 
PDF
Enterprise%20 security%20architecture%20 %20business%20driven%20security
wardell henley
 
PDF
SABSA domain modelling for enterprise architects
Dave Hornford
 
PDF
Security architecture
Duncan Unwin
 
PDF
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
ssuserc3fe80
 
PDF
SFIA Overview
SFIA User Forum
 
PPTX
Embedding ea
Bas van Gils
 
PPT
togaf_ovu.ppt
ssuser36c428
 
PDF
Making Architecture Business Value Driven
IASA
 
PPT
2011 Savvis Overview
jasonhudnall
 
PDF
(SACON) Wayne Tufek - chapter three - sabsa
Priyanka Aash
 
PPT
Putting the Business in Enterprise Information Security Architecture
Ravila White
 
PDF
SABSA - TOGAF Integration White Paper
SABSAcourses
 
PPTX
The Need to Know for Information Architects: Big Data to Big Information
DATAVERSITY
 
PPT
Corporate Presentation Savvis
jburmanolson
 
PPT
Sap Security Assessment V3 English
guest5bd7a1
 
PDF
Outsourcing it security yes, it’s still your problem
Interop
 
Mcs2453 aniq mc101053-assignment2
Aniq Eastrarulkhair
 
ESA for Business
Maganathin Veeraragaloo
 
The Role of Architecture in the Enterprise
Peter Nikitser
 
Security-by-Design in Enterprise Architecture
The Open Group SA
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
wardell henley
 
SABSA domain modelling for enterprise architects
Dave Hornford
 
Security architecture
Duncan Unwin
 
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
ssuserc3fe80
 
SFIA Overview
SFIA User Forum
 
Embedding ea
Bas van Gils
 
togaf_ovu.ppt
ssuser36c428
 
Making Architecture Business Value Driven
IASA
 
2011 Savvis Overview
jasonhudnall
 
(SACON) Wayne Tufek - chapter three - sabsa
Priyanka Aash
 
Putting the Business in Enterprise Information Security Architecture
Ravila White
 
SABSA - TOGAF Integration White Paper
SABSAcourses
 
The Need to Know for Information Architects: Big Data to Big Information
DATAVERSITY
 
Corporate Presentation Savvis
jburmanolson
 
Sap Security Assessment V3 English
guest5bd7a1
 
Outsourcing it security yes, it’s still your problem
Interop
 
Ad

Recently uploaded (20)

PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF

SABSA overview

  • 1. SABSAcourses: An overview of the SABSA Methodology
  • 2. What is SABSA? (Sherwood Applied Business Security Architecture) [SABSA Foundation 2010]
      - The world’s leading free-use and open-source security architecture development and management method
      - Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
      - Development, maintenance, certification and accreditation is governed by the SABSA Institute
  • 3. What is SABSA? (Sherwood Applied Business Security Architecture)
      - Comprised of a number of integrated frameworks, models, methods and processes, including:
          - Business Requirements Engineering Framework (also known as Attributes Profiling)
          - Risk & Opportunity Management Framework
          - Policy Architecture Framework
          - Security Services-Oriented Architecture Framework
          - Governance Framework
          - Security Domain Framework
          - Through-life Security Service & Performance Management
  • 4. What is SABSA? (SABSA History & Development)
      - White Paper originally authored by John Sherwood 1995
      - First use in global financial messaging (S.W.I.F.T.net) 1995
      - SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005
          - “Enterprise Security Architecture: A Business-driven Approach”
          - ISBN 1-57820-318-X
      - Adopted as UK MoD Information Assurance Standard 2007
      - Certification programme introduced March 2007
  • 5. Why is SABSA So Successful? (Institute Status)
      - In UK “Institute” has a protected and highly-regulated status
      - SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
      - SABSA Intellectual Property can never be sold
          - Underwrites free-use status in perpetuity
          - Guarantees protected on-going development
      - Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community
  • 6. Why is SABSA So Successful? (Features & Advantages Summary, as Feature: Advantage)
      - Business-driven: Value-assured
      - Risk-focused: Prioritised & proportional responses
      - Comprehensive: Scalable scope
      - Modular: Agility - ease of implementation & management
      - Open Source (protected): Free use, open source, global standard
      - Auditable: Demonstrates compliance
      - Transparent: Two-way traceability
  • 7. Why is SABSA So Successful? (Unique Selling Points & “Elevator Pitches”)
      - Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers
      - There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”
  • 8. Why is SABSA So Successful? (Competency-based Professional Certification)
      - Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
          - They are required to demonstrate application of skill
          - Career progression is achieved by ‘doing’ not ‘knowing’
      - Certification by the SABSA Institute is competency-based
          - It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world
  • 9. How is SABSA Used? (Applications of SABSA)
      - Enterprise Security Architecture
      - Enterprise Architecture
      - Individual solutions-based Architectures
      - Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
      - Filling the security architecture and security service management gaps in other frameworks
  • 10. How is SABSA Used? (Applications of SABSA)
      - Business requirements engineering
      - Solutions traceability
      - Risk & Opportunity Management
      - Information Assurance
      - Governance, Compliance & Audit
      - Policy Architecture
  • 11. How is SABSA Used? (Applications of SABSA)
      - Security service management
      - IT Service management
      - Security performance management, measures & metrics
      - Service performance management, measures & metrics
      - Over-arching decision-making framework for end-to-end solutions
  • 12. Who Uses SABSA? (SABSA User Base)
      - As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations
      - However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects
      - There are SABSA Chartered Architects at Foundation Level (SCF) in more than 50 countries, on every continent, and from every imaginable business sector
  • 13. Who Uses SABSA? (Growth & Standardisation)
      - SABSA is a standard (formal & de facto) world-wide, including:
          - UK Ministry of Defence - Information Assurance Standard
          - Canadian Government - Architecture Development Standard
          - The Open Group – TOGAF Security Standard
          - USA Government – NIST Security Standard for SmartGrid
          - Finance Sector – including European Central Bank & Westpac
      - And is widely referenced as a recommended approach, including:
          - ISACA - CISM Study Guides & Examinations
          - IT Governance Institute – Executive Guide to Governance
  • 14. Where is SABSA Used? (SABSA Demographics)
      - Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
      - Americas: Argentina, Canada, Colombia, Mexico, United States
      - Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
      - Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom
  • 15. When is SABSA Used? (SABSA as a Through-Life Solution Framework)
      - SABSA is used ‘through-life’ – throughout the entire lifecycle from business requirements engineering to managing the solutions delivered
      - Layers (view: architecture): Business View: Contextual Architecture; Architect’s View: Conceptual Architecture; Designer’s View: Logical Architecture; Builder’s View: Physical Architecture; Tradesman’s View: Component Architecture; Service Manager’s View: Operational Architecture
      - Lifecycle phases: Strategy & Planning; Design; Implement; Manage & Measure
  • 16. Independent Assessment of Frameworks
      - Independent assessment on behalf of UK Government (Jan 2007)
      - Assessed Information Assurance and Architecture frameworks:
          - Open source e.g. SABSA
          - Proprietary e.g. Gartner
          - Provider e.g. IBM MASS
          - Pre-existing in-house methodologies and frameworks
      - SABSA top-scored in every assessment category
      - Discriminating factors included:
          - Comprehensive, flexible and adaptable
          - Competency development and training
          - Non-proprietary / open source
          - Business and risk focus
          - No ties to specific vendors or suppliers
          - No ties to specific standards or technologies
          - Enables open competition
  • 17. The Issue with Architectural Strategy (Business View – Survival Strategy)
      - Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion… or it will be killed.
      - Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle… or it will die of starvation.
      - Is it better to be a Lion or a Gazelle?
      - When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!
  • 18. SABSA Architecture Guiding Principles
      - Architecture must not presuppose any particular:
          - Cultures or operating regimes
          - Management style
          - Set of management processes
          - Management standards
          - Technical standards
          - Technology platforms
  • 19. SABSA Architecture Guiding Principles
      - Architecture must meet YOUR unique set of business requirements
      - Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation:
          - ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc
          - ITIL, TNN, ISO 9000, etc
          - AS / NZS 4360, Basel ii, ISO 27005, etc
          - Balanced scorecards, capability maturity models, ROI, NPV, etc
      - When a question is asked starting with “Is this Architecture compatible / compliant with….?” a good Architecture framework will automatically have the answer “Yes”
      - A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
      - It does not replace ITIL or ISO 27001 or NIST etc but rather enables their deployment and effective integration into the corporate culture
  • 20. Built to Drive Complex Design Solutions
      - SABSA influenced in 1995 by need to enhance ISO 7498-2
      - ISO 7498-1 and ISO 7498-2 both use the seven-layer stack: Applications, Presentation, Session, Transport, Network, Link, Physical
      - ISO 7498-2 adds Logical Security Services and Physical Security Mechanisms to that stack
      - SABSA Views extend this: Contextual Architecture and Conceptual Architecture (Business Driven Requirements & Strategy); Logical Architecture; Physical Architecture; Component Architecture (Detailed Custom Specification); Operational Architecture (Service Management)
  • 21. Architecture Reconsidered
      - Business View: Contextual Architecture
      - Architect’s View: Conceptual Architecture
      - Designer’s View: Logical Architecture
      - Builder’s View: Physical Architecture
      - Tradesperson’s View: Component Architecture
      - Service Manager’s View: Operational Architecture
  • 22. Vertical Analysis: Six Honest Serving Security Men (What, Why, How, Who, Where, When)
      - What are we trying to do at this layer? The assets, goals & objectives to be protected & enhanced
      - Why are we doing it? The risk & opportunity motivation at this layer
      - How are we trying to do it? The processes required to achieve security at this layer
      - Who is involved? The people and organisational aspects of security at this layer
      - Where are we doing it? The locations where we are applying security at this layer
      - When are we doing it? The time related aspects of security at this layer
  • 23. The SABSA Matrix (cells listed per layer in column order: Assets (What) | Process (How) | Location (Where) | People (Who) | Time (When) | Motivation (Why))
      - Contextual: Business Decisions | Business Processes | Business Geography | Business Governance | Business Time Dependence | Business Risk
      - Conceptual: Business Knowledge & Risk Strategy | Strategies for Process Assurance | Domain Framework | Roles & Responsibilities | Time Management Framework | Risk Management Objectives
      - Logical: Information Assets | Process Maps & Services | Domain Maps | Entity & Trust Framework | Calendar & Timetable | Risk Management Policies
      - Physical: Data Assets | Process Mechanisms | ICT Infrastructure | Human Interface | Processing Schedule | Risk Management Practices
      - Component: ICT Components | Process Tools & Standards | Locator Tools & Standards | Personnel Management Tools & Standards | Step Timing & Sequencing Tools | Risk Management Tools & Standards
      - Service Management: Service Delivery Management | Process Delivery Management | Management of Environment | Personnel Management | Time & Performance Management | Operational Risk Management
  • 24. Architecture Strategy & Planning Phase (Contextual and Conceptual layers; each cell as Title (content))
      - Assets (what): Contextual: Business Decisions (Taxonomy of Business Assets, Including Goals & Objectives); Conceptual: Business Knowledge & Risk Strategy (Business Attributes Profile)
      - Motivation (why): Contextual: Business Risk (Opportunities & Threats Inventory); Conceptual: Risk Management Objectives (Enablement & Control Objectives; Policy Architecture)
      - Process (how): Contextual: Business Processes (Inventory of Operational Processes); Conceptual: Strategies for Process Assurance (Process Mapping Framework; Architectural Strategies for ICT)
      - People (who): Contextual: Business Governance (Organisational Structure & the Extended Enterprise); Conceptual: Roles & Responsibilities (Owners, Custodians & Users; Service Providers & Customers)
      - Location (where): Contextual: Business Geography (Inventory of Buildings, Sites, Territories, Jurisdictions etc.); Conceptual: Domain Framework (Security Domain Concepts & Framework)
      - Time (when): Contextual: Business Time Dependence (Time Dependencies of Business Objectives); Conceptual: Time Management Framework (Through-life Risk Management Framework)
  • 25. Architecture Design Phase (Logical, Physical and Component layers; each cell as Title (content))
      - Assets (what): Logical: Information Assets (Inventory of Information Assets); Physical: Data Assets (Data Dictionary & Data Inventory); Component: ICT Components (ICT Products, Data Repositories & Processors)
      - Motivation (why): Logical: Risk Management Policies (Domain Policies); Physical: Risk Management Practices (Risk Management Rules & Procedures); Component: Risk Management Tools & Standards (Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment)
      - Process (how): Logical: Process Maps & Services (Information Flows; Functional Transformations; SOA); Physical: Process Mechanisms (Applications, Middleware; Systems; Security Mechanisms); Component: Process Tools & Standards (Tools & Protocols for Process Delivery)
      - People (who): Logical: Entity & Trust Framework (Entity Schema; Trust Models; Privilege Profiles); Physical: Human Interface (User Interface to ICT Systems; Access Control Systems); Component: Personnel Management Tools & Standards (Identities, Job Descriptions; Roles; Functions; Actions & ACLs)
      - Location (where): Logical: Domain Maps (Domain Definitions; Inter-domain Associations & Inter-actions); Physical: ICT Infrastructure (Host Platforms & Networks Layout); Component: Locator Tools & Standards (Nodes, Addresses & Other Locators)
      - Time (when): Logical: Calendar & Timetable (Start Times, Lifetimes & Deadlines); Physical: Processing Schedule (Timing & Sequencing of Processes & Sessions); Component: Step Timing & Sequencing Tools (Time Schedules; Clocks; Timers & Interrupts)
  • 26. Design Framework (Service Management View)
      - Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Security Architecture, with the Security Service Management Architecture spanning all five
  • 27. SABSA Service Management Architecture (cells listed per layer in column order: Assets (What) | Process (How) | Location (Where) | People (Who) | Time (When) | Motivation (Why))
      - Contextual: Business Driver Definitions | Service Management | Point-of-Supply Management | Relationship Management | Performance Management | Business Risk Assessment
      - Conceptual: Proxy Asset Definitions | Service Delivery Planning | Service Portfolio | Service Management Roles | Service Level Definitions | Developing ORM Objectives
      - Logical: Asset Management | Service Delivery Management | Service Catalogue Management | Service Customer Support | Evaluation Management | Policy Management
      - Physical: Asset Security & Protection | Service Resources Protection | Operations Management | User Support | Service Performance Data Collection | Operational Risk Data Collection
      - Component: Tool Protection | Security Management Tools | Tool Deployment | Personnel Deployment | Service Monitoring Tools | ORM Tools
      - Layer 6 row (repeat of the main SABSA Matrix): Service Delivery Management | Process Delivery Management | Management of Environment | Personnel Management | Time & Performance Management | Operational Risk Management
      - The Layer 6 row is a repeat of Layer 6 of the main SABSA Matrix. The five rows above it are an exploded overlay of how this Layer 6 relates to each of the other Layers
  • 28. Built to Integrate Management Practices
      - SABSA Service Management designed to comply with, integrate, and enable management best practice of the day
      - Operational Architecture / Service Management, designed-in then: BS7799(1) (controls library), BS7799(2) (ISMS), ISO 17799 (controls library); Code of Practice for Information Security Management
      - Compatible now: ISO 27001 (ISMS), ISO 27002 (controls library), ISO 20000, ITIL; Code of Practice for Information Technology Service Management
  • 29. SABSA Top-Down Process Analysis (vertical security consistency down the layers, horizontal security consistency across each layer)
      - Contextual: Meta-Processes
      - Conceptual: Strategic View of Process
      - Logical: Information Flows & Transformations
      - Physical: Data Flows & System Interactions
      - Component: Protocols & Step Sequences
  • 30. Traceability For Completeness (Contextual, Conceptual, Logical, Physical, Component and Security Service Management Architectures)
      - Every business requirement for security is met and the residual risk is acceptable to the business appetite
  • 31. Traceability For Justification (Contextual, Conceptual, Logical, Physical, Component and Security Service Management Architectures)
      - Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.
  • 32. The Problem of Defining Security
      - “Security is the means of achieving acceptable level of residual risks”
      - “The value of the information has to be protected”
      - “This value is determined in terms of confidentiality, integrity & availability”
  • 33. SABSA Business Attributes
      - Powerful requirements engineering technique
      - Populates the vital ‘missing link’ between business requirements and technology / process design
      - Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
      - Attributes can be tangible or intangible
      - Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
      - Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
      - The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
  • 34. Sample Taxonomy of ICT Attributes
      - Attribute groups: Business Attributes, subdivided into Management Attributes, User Attributes, Operational Attributes, Risk Management Attributes, Technical Strategy Attributes, Business Strategy Attributes and Legal / Regulatory Attributes
      - Attributes: Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS/GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent, Transparent, Responsive, Anonymous, Continuous, Monitored, Legal, Regulated, Providing Return on Investment, Enabling time-to-market, Culture-sensitive
  • 35. Attributes Usage
      - Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop
      - Pick-list of desired requirements
      - Cross-check for completeness of requirements
      - Key to traceability mappings
      - Measurement & operations – contracts, SLAs, performance targets
      - Return on Investment & Value propositions
      - Procurement
      - Risk status summary & risk monitoring
      - Key to a SABSA integrated compliance tool
      - Powerful executive communications
  • 36. SABSA BAP - the Key to Framework Integration (extract reproduced with permission from Hans Hopman, ISO 27000 committee)
  • 37. Security Services Value Reconsidered
  • 38. Risk Reconsidered - SABSA O.R.M. (Risk Context)
      - Assets at Risk face both Negative Outcomes (Threats leading to a Loss Event) and Positive Outcomes (Opportunities leading to a Beneficial Event)
      - Overall likelihood of loss: likelihood of threat materialising and likelihood of weakness exploited
      - Overall loss value: asset value and negative impact value
      - Overall likelihood of benefit: likelihood of opportunity materialising and likelihood of strength exploited
      - Overall benefit value: asset value and positive impact value
  • 39. Feedback Control Loop System
      - System
      - Monitoring & Measurement Sub-System: reports new state of system
      - Decision Sub-System: calls for new parameter settings
      - Control Sub-System: affects state of system
  • 40. SABSA Multi-tiered Control Strategy
      - Deterrence
      - Prevention
      - Containment
      - Detection & Notification
      - Recovery & Restoration
      - Evidence Collection & Tracking
      - Audit & Assurance
  • 41. SABSA Operation of Controls
      - Threats exploit Vulnerabilities, causing Incidents, affecting Assets, producing Business Impacts
      - Deterrent Controls reduce Threats; Preventive Controls reduce Vulnerabilities; Detective Controls discover Incidents and trigger Corrective Controls; Corrective Controls reduce Business Impacts
      - Risk Assessment leads to Selection of Controls
  • 42. Taxonomy of Cognitive Levels (Foundation)
      - Level 1 Knowledge. Skill demonstrated: observation and recall of information; knowledge of facts; knowledge of major ideas; mastery of subject matter; carry out research to find information. Task examples: list, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify
      - Level 2 Comprehension. Skill demonstrated: understand information; grasp meaning; translate knowledge into new context; interpret facts, compare, contrast; order, group, infer causes; predict consequences. Task examples: summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend
  • 43. Taxonomy of Cognitive Levels (Practitioner)
      - Level 3 Application. Skill demonstrated: use information; use methods, concepts, theories in new situations; solve problems using required skills or knowledge. Task examples: apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover
      - Level 4 Analysis. Skill demonstrated: seeing patterns; organisation of parts; recognition of hidden meanings; identification of components. Task examples: analyse, separate, order, connect, classify, arrange, divide, compare, select, infer
  • 44. Taxonomy of Cognitive Levels (Master)
      - Level 5 Synthesis. Skill demonstrated: use old ideas to create new ones; generalise from given facts; relate knowledge from several areas; predict, draw conclusions. Task examples: combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite
      - Level 6 Evaluation. Skill demonstrated: compare and discriminate between ideas; assess value of theories, presentations; make choices based on reasoned argument; verify value of evidence; recognise subjectivity. Task examples: assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude
  • 45. For More Information
      - SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach”
          - Currently - CMP Books (Elsevier)
          - Kindle version now available
      - SABSA Executive White Paper
      - SABSA – TOGAF White Paper
      - SABSA Institute – sabsa.org
      - SABSA Training & Certification – sabsacourses.com
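The two-way traceability of slides 30 and 31 (every requirement met, every control justified) and the measured Business Attributes of slides 33 to 35 can be modelled in a few lines; the block below is an added example, not SABSA Institute material. The attribute names, metrics, targets, controls and observed values are constructed for a hypothetical online banking service.

```python
"""Added example: a small Business Attributes Profile with SABSA-style checks.

Completeness: every attribute is supported by at least one control.
Justification: every control traces back to at least one attribute.
Measurement: each attribute's metric is compared with its target.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attribute:
    name: str               # abstraction of a business requirement
    definition: str         # organisation-specific meaning
    metric: str             # measurement approach
    target: float           # performance target used for reporting / SLAs
    higher_is_better: bool = True


@dataclass(frozen=True)
class Control:
    name: str
    layer: str                        # logical / physical / component
    supports: tuple[str, ...] = ()    # attribute names the control traces to


@dataclass
class Profile:
    attributes: dict[str, Attribute] = field(default_factory=dict)
    controls: list[Control] = field(default_factory=list)

    def completeness_gaps(self) -> list[str]:
        """Attributes no control supports: an unmet business requirement."""
        covered = {a for c in self.controls for a in c.supports}
        return sorted(a for a in self.attributes if a not in covered)

    def justification_gaps(self) -> list[str]:
        """Controls that trace to no attribute in the profile."""
        return sorted(c.name for c in self.controls
                      if not any(a in self.attributes for a in c.supports))

    def measure(self, observed: dict[str, float]) -> dict[str, str]:
        """Classify each attribute as met / missed / unmeasured for a period."""
        report = {}
        for name, attr in self.attributes.items():
            if name not in observed:
                report[name] = "unmeasured"
                continue
            value = observed[name]
            ok = value >= attr.target if attr.higher_is_better else value <= attr.target
            report[name] = "met" if ok else "missed"
        return report


# Constructed sample profile (hypothetical online banking service).
PROFILE = Profile()
for attr in (
    Attribute("Available", "Customers can transact during service hours",
              "monthly service uptime (%)", 99.9),
    Attribute("Confidential", "Customer data is seen only by authorised parties",
              "confirmed unauthorised disclosures per quarter", 0, higher_is_better=False),
    Attribute("Auditable", "Privileged actions can be reconstructed afterwards",
              "privileged actions with a log record (%)", 100),
    Attribute("Non-Repudiable", "Payment instructions cannot be disowned",
              "payments carrying a verified customer signature (%)", 100),
):
    PROFILE.attributes[attr.name] = attr

PROFILE.controls += [
    Control("Active/active clustering", "physical", ("Available",)),
    Control("TLS on all client sessions", "physical", ("Confidential",)),
    Control("Central log collection", "component", ("Auditable",)),
    Control("Marketing banner on login page", "component"),  # traces to nothing
]

# Constructed observed metric values for one reporting period.
OBSERVED = {"Available": 99.95, "Confidential": 1, "Auditable": 100}

if __name__ == "__main__":
    print("Unmet attributes:", PROFILE.completeness_gaps())
    print("Unjustified controls:", PROFILE.justification_gaps())
    print("Performance:", PROFILE.measure(OBSERVED))
```

Running it reports Non-Repudiable as an unmet requirement (no control supports it), the marketing banner as an unjustified control, and Confidential as a missed target for the period.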