SABSAcourses
An overview of the SABSA Methodology
SABSA Foundation 2010 2
What is SABSA? (Sherwood Applied Business Security Architecture)
- The world’s leading free-use and open-source security architecture development and management method
- Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
- Development, maintenance, certification and accreditation are governed by the SABSA Institute
What is SABSA? (continued)
SABSA is comprised of a number of integrated frameworks, models, methods and processes, including:
- Business Requirements Engineering Framework (also known as Attributes Profiling)
- Risk & Opportunity Management Framework
- Policy Architecture Framework
- Security Services-Oriented Architecture Framework
- Governance Framework
- Security Domain Framework
- Through-life Security Service & Performance Management
What is SABSA? SABSA History & Development
- White Paper originally authored by John Sherwood, 1995
- First use in global financial messaging (S.W.I.F.T.net), 1995
- SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005: “Enterprise Security Architecture: A Business-driven Approach”, ISBN 1-57820-318-X
- Adopted as UK MoD Information Assurance Standard, 2007
- Certification programme introduced March 2007
Why is SABSA So Successful? Institute Status
- In the UK, “Institute” has a protected and highly-regulated status
- SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
- SABSA Intellectual Property can never be sold
- Underwrites free-use status in perpetuity
- Guarantees protected on-going development
- Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community
Why is SABSA So Successful? Features & Advantages Summary

Feature                    Advantage
Business-driven            Value-assured
Risk-focused               Prioritised & proportional responses
Comprehensive              Scalable scope
Modular                    Agility - ease of implementation & management
Open Source (protected)    Free use, open source, global standard
Auditable                  Demonstrates compliance
Transparent                Two-way traceability
Why is SABSA So Successful? Unique Selling Points & “Elevator Pitches”
- Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers
- There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”
Why is SABSA So Successful? Competency-based Professional Certification
- Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
- They are required to demonstrate application of skill
- Career progression is achieved by ‘doing’, not ‘knowing’
- Certification by the SABSA Institute is competency-based
- It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world
How is SABSA Used? Applications of SABSA
- Enterprise Security Architecture
- Enterprise Architecture
- Individual solutions-based Architectures
- Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
- Filling the security architecture and security service management gaps in other frameworks
How is SABSA Used? Applications of SABSA (continued)
- Business requirements engineering
- Solutions traceability
- Risk & Opportunity Management
- Information Assurance
- Governance, Compliance & Audit
- Policy Architecture
How is SABSA Used? Applications of SABSA (continued)
- Security service management
- IT Service management
- Security performance management, measures & metrics
- Service performance management, measures & metrics
- Over-arching decision-making framework for end-to-end solutions
Who Uses SABSA? SABSA User Base
- As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations
- However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects
- There are SABSA Chartered Architects at Foundation Level (SCF) in more than 50 countries, on every continent, and from every imaginable business sector
Who Uses SABSA? Growth & Standardisation
SABSA is a standard (formal & de facto) world-wide, including:
- UK Ministry of Defence - Information Assurance Standard
- Canadian Government - Architecture Development Standard
- The Open Group – TOGAF Security Standard
- USA Government – NIST Security Standard for SmartGrid
- Finance Sector – including European Central Bank & Westpac
And it is widely referenced as a recommended approach, including:
- ISACA - CISM Study Guides & Examinations
- IT Governance Institute – Executive Guide to Governance
Where is SABSA Used? SABSA Demographics
- Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
- Americas: Argentina, Canada, Colombia, Mexico, United States
- Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
- Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom
When is SABSA Used? SABSA as a Through-Life Solution Framework
SABSA is used ‘through-life’ – throughout the entire lifecycle from business requirements engineering to managing the solutions delivered.

Diagram: the six SABSA views and their architecture layers, spanning the four lifecycle phases (Strategy & Planning, Design, Implement, Manage & Measure):
- Business View – Contextual Architecture
- Architect’s View – Conceptual Architecture
- Designer’s View – Logical Architecture
- Builder’s View – Physical Architecture
- Tradesman’s View – Component Architecture
- Service Manager’s View – Operational Architecture
Independent Assessment of Frameworks
- Independent assessment on behalf of UK Government (Jan 2007)
- Assessed Information Assurance and Architecture frameworks: open source (e.g. SABSA), proprietary (e.g. Gartner), provider (e.g. IBM MASS), and pre-existing in-house methodologies and frameworks
- SABSA top-scored in every assessment category
- Discriminating factors included: comprehensive, flexible and adaptable; competency development and training; non-proprietary / open source; business and risk focus; no ties to specific vendors or suppliers; no ties to specific standards or technologies; enables open competition
The Issue with Architectural Strategy
Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion... or it will be killed.
Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle... or it will die of starvation.
Is it better to be a Lion or a Gazelle?

Business View – Survival Strategy
When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!
SABSA Architecture Guiding Principles
Architecture must not presuppose any particular:
- Cultures or operating regimes
- Management style
- Set of management processes
- Management standards
- Technical standards
- Technology platforms
SABSA Architecture Guiding Principles (continued)
- Architecture must meet YOUR unique set of business requirements
- Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation, for example:
  - ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc.
  - ITIL, TNN, ISO 9000, etc.
  - AS / NZS 4360, Basel ii, ISO 27005, etc.
  - Balanced scorecards, capability maturity models, ROI, NPV, etc.
- When a question is asked starting with “Is this Architecture compatible / compliant with....?”, a good Architecture framework will automatically have the answer “Yes”
- A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
- It does not replace ITIL or ISO 27001 or NIST etc. but rather enables their deployment and effective integration into the corporate culture
Built to Drive Complex Design Solutions
SABSA was influenced in 1995 by the need to enhance ISO 7498-2.

Diagram: the seven ISO 7498-1 layers (Application, Presentation, Session, Transport, Network, Link, Physical) shown alongside ISO 7498-2 (Logical Security Services and Physical Security Mechanisms), with the SABSA views mapped against them:
- Contextual Architecture and Conceptual Architecture – business-driven requirements & strategy
- Logical Architecture, Physical Architecture and Component Architecture – detailed custom specification
- Operational Architecture – service management
Architecture Reconsidered
- Business View – Contextual Architecture
- Architect’s View – Conceptual Architecture
- Designer’s View – Logical Architecture
- Builder’s View – Physical Architecture
- Tradesperson’s View – Component Architecture
- Service Manager’s View – Operational Architecture
Vertical Analysis: Six Honest Serving Security Men
- What are we trying to do at this layer? The assets, goals & objectives to be protected & enhanced
- Why are we doing it? The risk & opportunity motivation at this layer
- How are we trying to do it? The processes required to achieve security at this layer
- Who is involved? The people and organisational aspects of security at this layer
- Where are we doing it? The locations where we are applying security at this layer
- When are we doing it? The time related aspects of security at this layer
The SABSA Matrix
Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)

Contextual: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
Conceptual: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
Logical: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
Physical: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
Component: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools
Operational (Service Management): Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management
Architecture Strategy & Planning Phase
Columns: Assets (what) | Motivation (why) | Process (how) | People (who) | Location (where) | Time (when)

Contextual layer cells: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
Contextual deliverables: Taxonomy of Business Assets, including Goals & Objectives | Opportunities & Threats Inventory | Inventory of Operational Processes | Organisational Structure & the Extended Enterprise | Inventory of Buildings, Sites, Territories, Jurisdictions etc. | Time Dependencies of Business Objectives

Conceptual layer cells: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
Conceptual deliverables: Business Attributes Profile | Enablement & Control Objectives; Policy Architecture | Process Mapping Framework; Architectural Strategies for ICT | Owners, Custodians & Users; Service Providers & Customers | Security Domain Concepts & Framework | Through-life Risk Management Framework
Architecture Design Phase
Columns: Assets (what) | Motivation (why) | Process (how) | People (who) | Location (where) | Time (when)

Logical layer cells: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
Logical deliverables: Inventory of Information Assets | Domain Policies | Information Flows; Functional Transformations; SOA | Entity Schema; Trust Models; Privilege Profiles | Domain Definitions; Inter-domain Associations & Interactions | Start Times, Lifetimes & Deadlines

Physical layer cells: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
Physical deliverables: Data Dictionary & Data Inventory | Risk Management Rules & Procedures | Applications, Middleware; Systems; Security Mechanisms | User Interface to ICT Systems; Access Control Systems | Host Platforms & Networks Layout | Timing & Sequencing of Processes & Sessions

Component layer cells: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools
Component deliverables: ICT Products, Data Repositories & Processors | Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment | Tools & Protocols for Process Delivery | Identities, Job Descriptions; Roles; Functions; Actions & ACLs | Nodes, Addresses & Other Locators | Time Schedules; Clocks; Timers & Interrupts
Design Framework (Service Management View)
- Contextual Security Architecture
- Conceptual Security Architecture
- Logical Security Architecture
- Physical Security Architecture
- Component Security Architecture
- Security Service Management Architecture (shown alongside all five layers)
SABSA Service Management Architecture
Columns: Assets (What) | Process (How) | Location (Where) | People (Who) | Time (When) | Motivation (Why)

Layer 6 of the main SABSA Matrix (Operational): Service Delivery Management | Process Delivery Management | Management of Environment | Personnel Management | Time & Performance Management | Operational Risk Management

The row above is a repeat of Layer 6 of the main SABSA Matrix. The five rows below are an exploded overlay of how this Layer 6 relates to each of the other layers.

Contextual: Business Driver Definitions | Service Management | Point-of-Supply Management | Relationship Management | Performance Management | Business Risk Assessment
Conceptual: Proxy Asset Definitions | Service Delivery Planning | Service Portfolio | Service Management Roles | Service Level Definitions | Developing ORM Objectives
Logical: Asset Management | Service Delivery Management | Service Catalogue Management | Service Customer Support | Evaluation Management | Policy Management
Physical: Asset Security & Protection | Service Resources Protection | Operations Management | User Support Service | Performance Data Collection | Operational Risk Data Collection
Component: Tool Protection | Security Management Tools | Tool Deployment | Personnel Deployment | Service Monitoring Tools | ORM Tools
Built to Integrate Management Practices
SABSA Service Management was designed to comply with, integrate, and enable the management best practice of the day.

Diagram: the Operational Architecture (Service Management) against the standards it was designed in to then, and is compatible with now:
- Designed-in then: BS7799(1) (controls library), BS7799(2) (ISMS), ITIL Code of Practice for Information Security Management
- Compatible now: ISO 17799 (controls library), ISO 27001 (ISMS), ISO 27002 (controls library), ISO 20000 Code of Practice for Information Technology Service Management
SABSA Top-Down Process Analysis
Diagram: Vertical Security Consistency (between layers) and Horizontal Security Consistency (within each layer) across:
- Contextual: Meta-Processes
- Conceptual: Strategic View of Process
- Logical: Information Flows & Transformations
- Physical: Data Flows & System Interactions
- Component: Protocols & Step Sequences
Traceability For Completeness
Diagram: traceability traced downward through the Contextual, Conceptual, Logical, Physical and Component Security Architectures, with the Security Service Management Architecture alongside.
Every business requirement for security is met and the residual risk is acceptable to the business appetite.
Traceability For Justification
Diagram: traceability traced upward from the Component Security Architecture through the Physical, Logical, Conceptual and Contextual Security Architectures, with the Security Service Management Architecture alongside.
Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.
The Problem of Defining Security
- “Security is the means of achieving an acceptable level of residual risks”
- “The value of the information has to be protected”
- “This value is determined in terms of confidentiality, integrity & availability”
SABSA Business Attributes
- Powerful requirements engineering technique
- Populates the vital ‘missing link’ between business requirements and technology / process design
- Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
- Attributes can be tangible or intangible
- Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
- Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
- The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
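As an added illustration (not code from the SABSA course material or the SABSA Institute), the Python below models a small Business Attributes Profile in which each attribute carries a customised definition, a metric and a performance target; it checks measured values against targets as the Manage & Measure phase would, and runs the two traceability checks from the earlier slides: completeness (every business requirement reaches an attribute and a control) and justification (every control traces back to a requirement). The attribute names, definitions, metrics, targets, requirements and controls are constructed sample data, not an organisation's real profile.

```python
from dataclasses import dataclass

# Constructed sample data for illustration: the attribute names, definitions, metrics,
# targets, requirements and controls below are assumptions, not a real organisation's
# profile and not SABSA's own reference taxonomy.

@dataclass
class Attribute:
    name: str
    definition: str            # definition customised for this organisation
    metric: str                # measurement approach agreed in Strategy & Planning
    target: float              # performance target used for reporting / SLAs
    higher_is_better: bool = True

@dataclass
class Requirement:
    ident: str
    statement: str
    attributes: list           # names of the attributes this requirement abstracts to

@dataclass
class Control:
    name: str
    supports: list             # names of the attributes this control exists to deliver

def attribute_status(attr, measured):
    """Manage & Measure: compare a measured value with the attribute's target."""
    met = measured >= attr.target if attr.higher_is_better else measured <= attr.target
    return {"attribute": attr.name, "metric": attr.metric,
            "measured": measured, "target": attr.target, "met": met}

def completeness_gaps(requirements, attributes, controls):
    """Traceability for completeness: every requirement -> attribute -> control.
    Returns (requirement id, attribute name, reason) for each broken link."""
    delivered = {a for c in controls for a in c.supports}
    gaps = []
    for req in requirements:
        for name in req.attributes:
            if name not in attributes:
                gaps.append((req.ident, name, "attribute not defined in profile"))
            elif name not in delivered:
                gaps.append((req.ident, name, "no control delivers this attribute"))
    return gaps

def unjustified_controls(requirements, controls):
    """Traceability for justification: every control -> some business requirement."""
    required = {a for r in requirements for a in r.attributes}
    return [c.name for c in controls if not any(a in required for a in c.supports)]

ATTRIBUTES = {a.name: a for a in [
    Attribute("Available", "Service usable whenever the business needs it",
              "monthly uptime (%)", 99.9),
    Attribute("Recoverable", "Service restored quickly after a loss event",
              "time to restore (hours)", 4.0, higher_is_better=False),
    Attribute("Auditable", "Actions can be reconstructed from records",
              "privileged actions logged (%)", 100.0),
]}
REQUIREMENTS = [
    Requirement("BR-1", "Payments must run throughout trading hours",
                ["Available", "Recoverable"]),
    Requirement("BR-2", "Regulator can see who approved each payment", ["Auditable"]),
]
CONTROLS = [
    Control("Clustered payment gateway", ["Available"]),
    Control("Nightly backups with restore drills", ["Recoverable"]),
    Control("Quarterly phishing simulation", ["Educated & Aware"]),  # nothing requires it
]
```

Running the two checks on this sample reports BR-2's Auditable attribute as undelivered (a completeness gap) and the phishing simulation as a control no requirement asks for (a justification gap).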
Sample Taxonomy of ICT Business Attributes
Categories: User Attributes, Management Attributes, Operational Attributes, Risk Management Attributes, Legal / Regulatory Attributes, Technical Strategy Attributes, Business Strategy Attributes

Attributes shown (listed alphabetically): Access-controlled, Accessible, Accountable, Accurate, Admissible, Anonymous, Architecturally Open, Assurable, Assuring Honesty, Auditable, Authenticated, Authorised, Automated, Available, Brand Enhancing, Business-Enabled, Capturing New Risks, Change-managed, Compliant, Competent, Confident, Confidential, Consistent, Continuous, Controlled, Cost-Effective, COTS / GOTS, Credible, Crime-Free, Culture-sensitive, Current, Detectable, Duty Segregated, Educated & Aware, Efficient, Enabling time-to-market, Enforceable, Error-Free, Extendible, Flexible / Adaptable, Flexibly Secure, Future-Proof, Governable, Identified, In our sole possession, Independently Secure, Informed, Insurable, Integrity-Assured, Inter-Operable, Legacy-Sensitive, Legal, Liability Managed, Maintainable, Measured, Migratable, Monitored, Motivated, Multi-Sourced, Non-Repudiable, Owned, Private, Productive, Protected, Providing Good Stewardship and Custody, Providing Investment Re-use, Providing Return on Investment, Recoverable, Regulated, Reliable, Reputable, Resolvable, Responsive, Scalable, Simple, Standards Compliant, Supportable, Supported, Time-bound, Timely, Traceable, Transparent, Trustworthy, Upgradeable, Usable
Attributes Usage
Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop. Uses include:
- Pick-list of desired requirements
- Cross-check for completeness of requirements
- Key to traceability mappings
- Measurement & operations – contracts, SLAs, performance targets
- Return on Investment & Value propositions
- Procurement
- Risk status summary & risk monitoring
- Key to a SABSA integrated compliance tool
- Powerful executive communications
SABSA BAP - the Key to Framework Integration
Extract reproduced with permission from Hans Hopman, ISO 27000 committee
Security Services Value Reconsidered
Risk Reconsidered - SABSA O.R.M.
Risk Context: Assets at Risk

Negative Outcomes – Threats lead to a Loss Event:
- Overall likelihood of loss, from the likelihood of the threat materialising and the likelihood of the weakness being exploited
- Overall loss value, from the asset value and the negative impact value

Positive Outcomes – Opportunities lead to a Beneficial Event:
- Overall likelihood of benefit, from the likelihood of the opportunity materialising and the likelihood of the strength being exploited
- Overall benefit value, from the asset value and the positive impact value
Feedback Control Loop System
Diagram: the System is observed by a Monitoring & Measurement Sub-System, which reports the new state of the system to a Decision Sub-System; the Decision Sub-System calls for new parameter settings from the Control Sub-System, which in turn affects the state of the system.
SABSA Multi-tiered Control Strategy
- Deterrence
- Prevention
- Containment
- Detection & Notification
- Recovery & Restoration
- Evidence Collection & Tracking
- Audit & Assurance
SABSA Operation of Controls
Diagram relationships: Threats exploit Vulnerabilities, affecting Assets, causing Business Impacts and producing Incidents. Risk Assessment leads to the Selection of Controls:
- Deterrent Controls reduce Threats
- Preventive Controls reduce Vulnerabilities
- Detective Controls discover Incidents and trigger Corrective Controls
- Corrective Controls reduce Business Impacts
- Incidents trigger a fresh Risk Assessment
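Added example, not part of the SABSA course material: a small Python model that combines the O.R.M. risk picture (negative and positive outcomes computed from the same asset) with the operation-of-controls diagram above (deterrent, preventive and corrective controls acting on threat likelihood, weakness exploitability and business impact). Multiplying the diagram's factors together and expressing each control class as a fractional reduction are this example's assumptions, not arithmetic stated by SABSA; the asset, scenarios and reduction figures are constructed.

```python
from dataclasses import dataclass, replace

# Constructed illustration. Multiplying the factors from the O.R.M. diagram and
# expressing each control class as a fractional reduction are assumptions of this
# example, not SABSA's stated arithmetic; every figure below is made up.

@dataclass
class AssetAtRisk:
    name: str
    value: float                  # asset value; the same asset drives both outcomes

@dataclass
class LossScenario:
    """Negative outcome: a threat exploits a weakness, producing a loss event."""
    threat: str
    p_threat: float               # likelihood of threat materialising (0..1)
    p_weakness: float             # likelihood of weakness being exploited (0..1)
    impact: float                 # negative impact value as a fraction of asset value

@dataclass
class BenefitScenario:
    """Positive outcome: an opportunity exploits a strength, producing a beneficial event."""
    opportunity: str
    p_opportunity: float          # likelihood of opportunity materialising (0..1)
    p_strength: float             # likelihood of strength being exploited (0..1)
    impact: float                 # positive impact value as a fraction of asset value

def overall_likelihood_of_loss(s):
    return s.p_threat * s.p_weakness

def overall_loss_value(asset, s):
    return asset.value * s.impact

def expected_loss(asset, s):
    return overall_likelihood_of_loss(s) * overall_loss_value(asset, s)

def expected_benefit(asset, b):
    return (b.p_opportunity * b.p_strength) * (asset.value * b.impact)

def apply_controls(s, deterrent=0.0, preventive=0.0, corrective=0.0):
    """Operation of controls: deterrent controls reduce threats, preventive controls
    reduce vulnerabilities, corrective controls reduce business impacts. Each argument
    is the fractional reduction (0..1) that control class is assumed to achieve."""
    return replace(s, p_threat=s.p_threat * (1 - deterrent),
                   p_weakness=s.p_weakness * (1 - preventive),
                   impact=s.impact * (1 - corrective))

def net_position(asset, losses, benefits):
    """Risk and opportunity considered together: expected benefit minus expected loss."""
    return (sum(expected_benefit(asset, b) for b in benefits)
            - sum(expected_loss(asset, s) for s in losses))

# Constructed sample: one asset, one loss scenario, one benefit scenario, and the same
# loss scenario after deterrent (20%), preventive (50%) and corrective (50%) controls.
PAYMENTS = AssetAtRisk("Payments platform", 1_000_000.0)
OUTAGE = LossScenario("Ransomware outage", p_threat=0.5, p_weakness=0.4, impact=0.5)
NEW_MARKET = BenefitScenario("Launch in a new market", p_opportunity=0.6, p_strength=0.5, impact=0.2)
OUTAGE_CONTROLLED = apply_controls(OUTAGE, deterrent=0.2, preventive=0.5, corrective=0.5)
```

With these figures the uncontrolled position is a net expected loss (100,000 expected loss against 60,000 expected benefit); after the controls the expected loss falls to 20,000 and the net position turns positive, which is the business case the multi-tiered control strategy is meant to support.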
Taxonomy of Cognitive Levels (Foundation)
Competency Level 1 – Knowledge
- Skill demonstrated: observation and recall of information; knowledge of facts; knowledge of major ideas; mastery of subject matter; carry out research to find information
- Task examples: list, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find
Competency Level 2 – Comprehension
- Skill demonstrated: understand information; grasp meaning; translate knowledge into new context; interpret facts, compare, contrast; order, group, infer causes; predict consequences
- Task examples: summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend
Taxonomy of Cognitive Levels (Practitioner)
Competency Level 3 – Application
- Skill demonstrated: use information; use methods, concepts, theories in new situations; solve problems using required skills or knowledge
- Task examples: apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover
Competency Level 4 – Analysis
- Skill demonstrated: seeing patterns; organisation of parts; recognition of hidden meanings; identification of components
- Task examples: analyse, separate, order, connect, classify, arrange, divide, compare, select, infer
Taxonomy of Cognitive Levels (Master)
Competency Level 5 – Synthesis
- Skill demonstrated: use old ideas to create new ones; generalise from given facts; relate knowledge from several areas; predict, draw conclusions
- Task examples: combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite
Competency Level 6 – Evaluation
- Skill demonstrated: compare and discriminate between ideas; assess value of theories, presentations; make choices based on reasoned argument; verify value of evidence; recognise subjectivity
- Task examples: assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude
For More Information
- SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach” – currently CMP Books (Elsevier); Kindle version now available
- SABSA Executive White Paper
- SABSA – TOGAF White Paper
- SABSA Institute – sabsa.org
- SABSA Training & Certification – sabsacourses.com