An Analysis of The SABSA Framework. Note: Most of this information comes from the SABSA website. TJS. SABSA Overview



Similar documents
SABSA A Brief Introduction

Enterprise Architectures (EA) & Security

Enterprise Security Architecture

Business Security Architecture: Weaving Information Security into Your Organization's Enterprise Architecture through SABSA

Enterprise Security Architecture

Background: Business Value of Enterprise Architecture TOGAF Architectures and the Business Services Architecture

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Security Architecture and Design from a Business/Enterprise Driven Viewpoint

Agile Business Process Modelling Framework and Enterprise Architecture.

1.0 Background and Problem Statement

Architecture Artifacts Vs Application Development Artifacts

Enterprise Architecture Assessment Guide

Guy Tozer, Doriq Associates DG Conference Europe 2009

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert

Impact / Performance Matrix A Strategic Planning Tool

A Comparison of Common Business Modeling Approaches to GODS Generic Business Architecture

A COMPARISON OF ENTERPRISE ARCHITECTURE FRAMEWORKS

Lost in Space? Methodology for a Guided Drill-Through Analysis Out of the Wormhole

Patrick Bossert Director of Asset Information September

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Enterprise Architecture (EA) is the blueprint

Overview. File Management. File System Properties. File Management

Introduction to etom. White Paper Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Bringing agility to Business Intelligence Metadata as key to Agile Data Warehousing. 1 P a g e.

Developing Entity Relationship Diagrams (ERDs)

TPI a model for Test Process Improvement

Business Process Management. Prof. Corrado Cerruti General Management Course

Enterprise Architecture Review

Developing an Enterprise Architecture

DATE REVISION xxxbyxxx. IT Modernization: EA Information Management. DATE: September 2003 AUTHOR: Enterprise Architecture Team

Master Data Management and Data Governance Second Edition

Unit 10: Software Quality

THE IMPACT OF CLOUD COMPUTING ON ENTERPRISE ARCHITECTURE. Johan Versendaal

A Methodology for Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert

Defining an EA Skillset EAPC Johannesburg March 2015

Der Mythos vom Re-Use

Enterprise Architect for an Enterprise Architecture

Modellistica Medica. Maria Grazia Pia, INFN Genova. Scuola di Specializzazione in Fisica Sanitaria Genova Anno Accademico

How to Make RAM Part of the Business Process

The Perusal and Review of Different Aspects of the Architecture of Information Security

Guiding SOA Evolution through Governance From SOA 101 to Virtualization to Cloud Computing

Network Configuration Management

Roles & Grades Rate Cards and Applicable SFIA Skills

Re-Design an Operational Database Author: Sovan Sinha (Business Intelligence Architect) May 4 th, 2009

White Paper Software Quality Management

Business Intelligence for the Chief Data Officer

The Digital Insurer. The insurance industry has entered the digital age. Find out how you can stand out as a digital insurer.

COLUMN. Planning your SharePoint intranet project. Intranet projects on SharePoint need a clear direction APRIL Challenges and opportunities

E-Commerce Supply Chain Management Domain Research and Standard Architectures Kunal Chopra, Jeff Elrod, Bill Glenn, Barry Jones.

Solutions. An introduction to the science & art of system architecture engineering

Creating a Corporate Integrated Data Environment through Stewardship

IRCA Briefing note ISO/IEC : 2011

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

US Department of Education Federal Student Aid Integration Leadership Support Contractor January 25, 2007

WHITE PAPER IT SERVICE MANAGEMENT IT SERVICE DESIGN 101

Software Architecture Action Guide. Why do we care about Software Architecture?

THE REASONING ART: or, The Need for an Analytical Theory of Architecture

Enterprise Cybersecurity: Building an Effective Defense

» Kienbaum 360 Degree Feedback

SECTION 2 PROGRAMMING & DEVELOPMENT

Core Fittings C-Core and CD-Core Fittings

CT30A8901 Chapter 10 SOA Delivery Strategies

The Zachman Framework For Enterprise Architecture: Primer for Enterprise Engineering and Manufacturing

Security and The Zachman Framework (Revised )

Agile Techniques for Object Databases

World Wide Wireless Web The Nano Core Disruptive or Generation Bridge! The Power of 5G

How To Design An Enterprise System

Enterprise architecture Manufacturing operations management Information systems in industry ELEC-E8113

White Paper: Establishing a Configuration Management Database Schema: A Working Model

Architecting the Cloud: Enterprise Architecture Patterns for Cloud Computing

Architecture & Change Management

The Role of the Software Architect

Developing an Architectural Framework towards achieving Cyber Resiliency. Presented by Deepak Singh

The Process. Improvement. Handbook. A Blueprint for Managing Change and. Increasing Organizational Performance. Tristan Boutros.

G-Cloud III Services Service Definition Accenture Cloud Security Services

The Role of Requirements Traceability in System Development

Improving your Data Warehouse s IQ

A Complete Model of the Supermarket Business

Data Center is the Foundation of Carrier ICT Transformation. The challenges of building a service driven data center

Knowledge Management 101 Better Support Decisions, Faster

The Cornwell Enterprise Architecture Maturity Dashboard

The Asset Management Landscape

Dr. Anton Security Warrior Consulting

Enterprise Architecture Modeling PowerDesigner 16.1

Organisation data architecture with standards connections

Quick Guide: Meeting ISO Requirements for Asset Management

Transcription:

Note: Most of this information comes from the SABSA website. TJS SABSA Overview SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited. The process analyses the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing manage and measure phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology. The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture). The SABSA model itself is generic and can be the starting point for any organisation, but by going through the process of analysis and decisionmaking implied by its structure, it becomes specific to the enterprise, and is finally highly customised to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic programme of information security management within the organisation. SABSA History SABSA is a six-layer model for security architecture widely accepted today as the most mature and most comprehensive security architecture The SABSA Model Excerpted from the SABSA website by J. Scott 2012 Page 1 of 5

framework available. SABSA is based on an idea first developed by John Sherwood in 1995 and published in 1996 as SABSA: A Method for Developing the Enterprise Security Architecture and Strategy. SABSA was originally an acronym for Sherwood Applied Business Security Architecture. The starting point for this work was ISO 7498-2 1989: Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. This standard is relatively unsophisticated in terms of business drivers, but it sets out an important framework in terms of security services the logical architecture, security mechanisms the physical architecture, and security management the operational architecture. The Sherwood team added two upper layers to provide a business-driven approach (contextual and conceptual architectures), and a lower layer to map onto real tools and products (component architecture). John Sherwood presented the SABSA work at COMPSEC 96 in London and published the follow-up paper on it later that year. At that time he had never heard of Zachman s work. In April 1998 Sherwood was working for an international client as the security architect on a team engaged in developing entirely new global infrastructure architecture was fortunate enough to visit a conference entitled Enterprise Architecture in San Francisco, where one of the key note speakers at that conference was John Zachman. The Sherwood team was able to re-work SABSA to incorporate some of the language and ideas that Zachman had talked about in his presentation. However, the original concepts of SABSA remained pretty much unchanged. SABSA Model The SABSA Model comprises six layers, as shown in the table below. It follows the work done by John A. Zachman in developing a model for enterprise architecture, although it has been adapted somewhat to a security view of the world. The SABSA Model Excerpted from the SABSA website by J. Scott 2012 Page 2 of 5

Each layer represents the view of a different player in the process of specifying, designing, constructing and using the business system. These six layers are similar to the rows of the Zachman matrix. The Business View The Architect s View The Designer s View The Builder s View The Tradesman s View The Facilities Manager s View Contextual Security Architecture Conceptual Security Architecture Logical Security Architecture Physical Security Architecture Component Security Architecture Operational Security Architecture The SABSA Model for Security Architecture Development Another configuration of these six layers which is perhaps more helpful, shown in the next figure. Here, the operational security architecture has been placed vertically across the other five layers. This is because operational security issues arise at each and every one of the other five layers. Operational security has a meaning in the context of each of these other layers. The SABSA Model for Security Architecture Development The SABSA Model Excerpted from the SABSA website by J. Scott 2012 Page 3 of 5

SABSA Matrix and SABSA Method For detailed analysis of each of the six layers, the SABSA Matrix also uses the same six questions that are represented by columns in the Zachman Framework: What, Why and When, How, Where and Who? For each horizontal layer there is a vertical analysis as follows: What are you trying to do at this layer? The assets to be protected by your security architecture. Why are you doing it? The motivation for wanting to apply security, expressed in the terms of this layer. How are you trying to do it? The functions needed to achieve security at this layer. Who is involved? The people and organisational aspects of security at this layer. Where are you doing it? The locations where you apply your security, relevant to this layer. When are you doing it? The time-related aspects of security relevant to this layer. These six vertical architectural elements are now summarized for all six horizontal layers. This gives a 6 x 6 matrix of cells, which represents the whole model for the enterprise security architecture. This arrangement is called the SABSA Matrix (see below). If you can address the issues raised by each and every one of these cells, then you will have covered the entire range of questions to be answered, and you can have a high level of confidence that your security architecture is complete. According to the SABSA team approach, The process of developing an enterprise security architecture is a process of populating all of these thirty-six cells. The SABSA Model Excerpted from the SABSA website by J. Scott 2012 Page 4 of 5

The SABSA Matrix for Security Architecture Development A final Question for you: 1) How is the SABSA model different from the Zachman model? List at least three items. Only one of these answers can come from the above model diagram. The SABSA Model Excerpted from the SABSA website by J. Scott 2012 Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information