SABSAcourses An overview of the SABSA Methodology

SABSA overview


Page 1: SABSA overview


Page 2: SABSA overview

SABSA Foundation 2010 2

What is SABSA?

The world’s leading free-use and open-source security architecture development and management method

Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives

Development, maintenance, certification and accreditation are governed by the SABSA Institute

Sherwood Applied Business Security Architecture

Page 3: SABSA overview


What is SABSA?

Comprised of a number of integrated frameworks, models, methods and processes, including:
Business Requirements Engineering Framework (also known as Attributes Profiling)
Risk & Opportunity Management Framework
Policy Architecture Framework
Security Services-Oriented Architecture Framework
Governance Framework
Security Domain Framework
Through-life Security Service & Performance Management

Sherwood Applied Business Security Architecture

Page 4: SABSA overview


What is SABSA?

White Paper originally authored by John Sherwood, 1995
First use in global financial messaging (S.W.I.F.T.net), 1995
SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005: “Enterprise Security Architecture: A Business-driven Approach”, ISBN 1-57820-318-X
Adopted as UK MoD Information Assurance Standard, 2007
Certification programme introduced March 2007

SABSA History & Development

Page 5: SABSA overview


Why is SABSA So Successful?

In UK “Institute” has a protected and highly-regulated status
SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
SABSA Intellectual Property can never be sold
Underwrites free-use status in perpetuity
Guarantees protected on-going development
Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community

Institute Status

Page 6: SABSA overview


Why is SABSA So Successful?

FEATURE                     ADVANTAGE
Business-driven             Value-assured
Risk-focused                Prioritised & proportional responses
Comprehensive               Scalable scope
Modular                     Agility - ease of implementation & management
Open Source (protected)     Free use, open source, global standard
Auditable                   Demonstrates compliance
Transparent                 Two-way traceability

Features & Advantages Summary

Page 7: SABSA overview


Why is SABSA So Successful?

Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers

There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”

Unique Selling Points & “Elevator Pitches”

Page 8: SABSA overview


Why is SABSA So Successful?

Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
They are required to demonstrate application of skill
Career progression is achieved by ‘doing’ not ‘knowing’

Certification by the SABSA Institute is competency-based
It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world

Competency-based Professional Certification

Page 9: SABSA overview


How is SABSA Used?

Enterprise Security Architecture
Enterprise Architecture
Individual solutions-based Architectures
Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
Filling the security architecture and security service management gaps in other frameworks

Applications of SABSA

Page 10: SABSA overview


How is SABSA Used?

Business requirements engineering
Solutions traceability
Risk & Opportunity Management
Information Assurance
Governance, Compliance & Audit
Policy Architecture

Applications of SABSA

Page 11: SABSA overview


How is SABSA Used?

Security service management
IT Service management
Security performance management, measures & metrics
Service performance management, measures & metrics
Over-arching decision-making framework for end-to-end solutions

Applications of SABSA

Page 12: SABSA overview


Who Uses SABSA?

As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations

However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects

There are SABSA Chartered Architects at Foundation Level (SCF) in more than 50 countries, on every continent, and from every imaginable business sector

SABSA User Base

Page 13: SABSA overview


Who Uses SABSA?

SABSA is a standard (formal & de facto) world-wide, including:
UK Ministry of Defence - Information Assurance Standard
Canadian Government - Architecture Development Standard
The Open Group – TOGAF Security Standard
USA Government – NIST Security Standard for SmartGrid
Finance Sector – including European Central Bank & Westpac

And is widely referenced as a recommended approach, including:
ISACA - CISM Study Guides & Examinations
IT Governance Institute – Executive Guide to Governance

Growth & Standardisation

Page 14: SABSA overview


Where is SABSA Used? SABSA Demographics

Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates

Americas: Argentina, Canada, Colombia, Mexico, United States

Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam

Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom

Page 15: SABSA overview


When is SABSA Used?

SABSA is used ‘through-life’ – throughout the entire lifecycle from business requirements engineering to managing the solutions delivered

SABSA as a Through-Life Solution Framework

Business View Contextual Architecture

Architect’s View Conceptual Architecture

Designer’s View Logical Architecture

Builder’s View Physical Architecture

Tradesman’s View Component Architecture

Service Manager’s View Operational Architecture

Lifecycle phases: Strategy & Planning, Design, Implement, Manage & Measure

Page 16: SABSA overview


Independent Assessment of Frameworks
Independent assessment on behalf of UK Government (Jan 2007)
Assessed Information Assurance and Architecture frameworks:
Open source, e.g. SABSA
Proprietary, e.g. Gartner
Provider, e.g. IBM MASS
Pre-existing in-house methodologies and frameworks

SABSA top-scored in every assessment category
Discriminating factors included:
Comprehensive, flexible and adaptable
Competency development and training
Non-proprietary / open source
Business and risk focus
No ties to specific vendors or suppliers
No ties to specific standards or technologies
Enables open competition

Page 17: SABSA overview


The Issue with Architectural Strategy

Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion … or it will be killed.

Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle … or it will die of starvation.

Is it better to be a Lion or a Gazelle?

Business View – Survival Strategy
When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!

Page 18: SABSA overview


SABSA Architecture Guiding Principles

Architecture must not presuppose any particular:
Cultures or operating regimes
Management style
Set of management processes
Management standards
Technical standards
Technology platforms

Page 19: SABSA overview


SABSA Architecture Guiding Principles

Architecture must meet YOUR unique set of business requirements
Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation:
ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc
ITIL, TNN, ISO 9000, etc
AS / NZS 4360, Basel ii, ISO 27005, etc
Balanced scorecards, capability maturity models, ROI, NPV, etc

When a question is asked starting with “Is this Architecture compatible / compliant with….?” a good Architecture framework will automatically have the answer “Yes”
A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
It does not replace ITIL or ISO 27001 or NIST etc but rather enables their deployment and effective integration into the corporate culture

Page 20: SABSA overview


Built to Drive Complex Design Solutions
SABSA influenced in 1995 by need to enhance ISO 7498-2

[Figure: the seven OSI layers (Applications, Presentation, Session, Transport, Network, Link, Physical) drawn for ISO 7498-1 and again for ISO 7498-2, where ISO 7498-2 adds Logical Security Services and Physical Security Mechanisms; alongside, the SABSA Views: Contextual Architecture and Conceptual Architecture (Business-Driven Requirements & Strategy), Logical Architecture, Physical Architecture, Component Architecture (Detailed Custom Specification), Operational Architecture (Service Management)]

Page 21: SABSA overview


Architecture Reconsidered

Business View: Contextual Architecture
Architect’s View: Conceptual Architecture
Designer’s View: Logical Architecture
Builder’s View: Physical Architecture
Tradesperson’s View: Component Architecture
Service Manager’s View: Operational Architecture

Page 22: SABSA overview


Vertical Analysis: Six Honest Serving Security Men

What: What are we trying to do at this layer? The assets, goals & objectives to be protected & enhanced

Why: Why are we doing it? The risk & opportunity motivation at this layer

How: How are we trying to do it? The processes required to achieve security at this layer

Who: Who is involved? The people and organisational aspects of security at this layer

Where: Where are we doing it? The locations where we are applying security at this layer

When: When are we doing it? The time related aspects of security at this layer

Page 23: SABSA overview


The SABSA Matrix

Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)

Contextual: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence

Conceptual: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework

Logical: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable

Physical: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule

Component: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools

Operational (Service Management): Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management

Page 24: SABSA overview


Architecture Strategy & Planning Phase

For each column, the Contextual and Conceptual matrix cell followed by the deliverable produced in this phase:

Assets (what)
Contextual: Business Decisions -> Taxonomy of Business Assets, Including Goals & Objectives
Conceptual: Business Knowledge & Risk Strategy -> Business Attributes Profile

Motivation (why)
Contextual: Business Risk -> Opportunities & Threats Inventory
Conceptual: Risk Management Objectives -> Enablement & Control Objectives; Policy Architecture

Process (how)
Contextual: Business Processes -> Inventory of Operational Processes
Conceptual: Strategies for Process Assurance -> Process Mapping Framework; Architectural Strategies for ICT

People (who)
Contextual: Business Governance -> Organisational Structure & the Extended Enterprise
Conceptual: Roles & Responsibilities -> Owners, Custodians & Users; Service Providers & Customers

Location (where)
Contextual: Business Geography -> Inventory of Buildings, Sites, Territories, Jurisdictions etc.
Conceptual: Domain Framework -> Security Domain Concepts & Framework

Time (when)
Contextual: Business Time Dependence -> Time Dependencies of Business Objectives
Conceptual: Time Management Framework -> Through-life Risk Management Framework

Page 25: SABSA overview


Architecture Design Phase

For each column, the Logical, Physical and Component matrix cell followed by the deliverable produced in this phase:

Assets (what)
Logical: Information Assets -> Inventory of Information Assets
Physical: Data Assets -> Data Dictionary & Data Inventory
Component: ICT Components -> ICT Products, Data Repositories & Processors

Motivation (why)
Logical: Risk Management Policies -> Domain Policies
Physical: Risk Management Practices -> Risk Management Rules & Procedures
Component: Risk Management Tools & Standards -> Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment

Process (how)
Logical: Process Maps & Services -> Information Flows; Functional Transformations; SOA
Physical: Process Mechanisms -> Applications, Middleware; Systems; Security Mechanisms
Component: Process Tools & Standards -> Tools & Protocols for Process Delivery

People (who)
Logical: Entity & Trust Framework -> Entity Schema; Trust Models; Privilege Profiles
Physical: Human Interface -> User Interface to ICT Systems; Access Control Systems
Component: Personnel Management Tools & Standards -> Identities, Job Descriptions; Roles; Functions; Actions & ACLs

Location (where)
Logical: Domain Maps -> Domain Definitions; Inter-domain Associations & Inter-actions
Physical: ICT Infrastructure -> Host Platforms & Networks Layout
Component: Locator Tools & Standards -> Nodes, Addresses & Other Locators

Time (when)
Logical: Calendar & Timetable -> Start Times, Lifetimes & Deadlines
Physical: Processing Schedule -> Timing & Sequencing of Processes & Sessions
Component: Step Timing & Sequencing Tools -> Time Schedules; Clocks; Timers & Interrupts

Page 26: SABSA overview


Design Framework (Service Management View)

Contextual Security Architecture
Conceptual Security Architecture
Logical Security Architecture
Physical Security Architecture
Component Security Architecture
Security Service Management Architecture

Page 27: SABSA overview


SABSA Service Management Architecture

Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)

Operational: Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management

The row above is a repeat of Layer 6 of the main SABSA Matrix. The five rows below are an exploded overlay of how this Layer 6 relates to each of these other Layers:

Contextual: Business Driver Definitions | Business Risk Assessment | Service Management | Relationship Management | Point-of-Supply Management | Performance Management

Conceptual: Proxy Asset Definitions | Developing ORM Objectives | Service Delivery Planning | Service Management Roles | Service Portfolio | Service Level Definitions

Logical: Asset Management | Policy Management | Service Delivery Management | Service Customer Support | Service Catalogue Management | Evaluation Management

Physical: Asset Security & Protection | Operational Risk Data Collection | Service Resources Protection | User Support Service | Operations Management | Performance Data Collection

Component: Tool Protection | ORM Tools | Security Management Tools | Personnel Deployment | Tool Deployment | Service Monitoring Tools

Page 28: SABSA overview


Built to Integrate Management Practices
SABSA Service Management designed to comply with, integrate, and enable management best practice of the day

Operational Architecture: Service Management

[Figure: timeline of management standards. Designed-in then: BS7799(1) (controls library), BS7799(2) (ISMS), ITIL Code of Practice for Information Security Management, Code of Practice for Information Technology Service Management. Compatible now: ISO 17799 (controls library), ISO 27001 (ISMS), ISO 27002 (controls library), ISO 20000]

Page 29: SABSA overview


SABSA Top-Down Process Analysis

Contextual: Meta-Processes
Conceptual: Strategic View of Process
Logical: Information Flows & Transformations
Physical: Data Flows & System Interactions
Component: Protocols & Step Sequences

Vertical Security Consistency; Horizontal Security Consistency

Page 30: SABSA overview


Traceability For Completeness

Contextual Security Architecture -> Conceptual Security Architecture -> Logical Security Architecture -> Physical Security Architecture -> Component Security Architecture, with the Security Service Management Architecture alongside

Every business requirement for security is met and the residual risk is acceptable to the business appetite

Page 31: SABSA overview


Traceability For Justification

Component Security Architecture -> Physical Security Architecture -> Logical Security Architecture -> Conceptual Security Architecture -> Contextual Security Architecture, with the Security Service Management Architecture alongside

Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.

Page 32: SABSA overview


The Problem of Defining Security

“Security is the means of achieving acceptable level of residual risks”
“The value of the information has to be protected”
“This value is determined in terms of confidentiality, integrity & availability”

[Figure: Confidentiality, Integrity, Availability]

Page 33: SABSA overview


SABSA Business Attributes
Powerful requirements engineering technique
Populates the vital ‘missing link’ between business requirements and technology / process design
Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
Attributes can be tangible or intangible
Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase

Page 34: SABSA overview


Sample Taxonomy of ICT Attributes

Business Attributes are grouped into: Management Attributes, User Attributes, Operational Attributes, Risk Management Attributes, Technical Strategy Attributes, Business Strategy Attributes, Legal / Regulatory Attributes

Attributes in the sample taxonomy: Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent, Transparent, Responsive, Anonymous, Continuous, Monitored, Legal, Regulated, Providing Return on Investment, Enabling time-to-market, Culture-sensitive

Page 35: SABSA overview


Attributes Usage
Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop

Pick-list of desired requirements
Cross-check for completeness of requirements
Key to traceability mappings
Measurement & operations – contracts, SLAs, performance targets
Return on Investment & Value propositions
Procurement
Risk status summary & risk monitoring
Key to a SABSA integrated compliance tool
Powerful executive communications
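As an added example (not from the SABSA course material), here is a small Business Attributes Profile in Python, traced down through logical, physical and component elements. It exercises the two checks from the Traceability For Completeness and Traceability For Justification slides (every attribute realised by a component, every element justified by an attribute) and the measure-against-target reporting described on the attributes slides. The attribute names come from the sample taxonomy above; every definition, metric, target, element id and measured value is a constructed placeholder.

```python
"""Business Attributes Profile with two-way traceability and target reporting.

Added example, not part of the SABSA course material. Attribute names follow
the sample taxonomy; definitions, metrics, targets, element ids and measured
values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Attribute:
    """One entry in a Business Attributes Profile (conceptual layer)."""
    name: str
    definition: str            # customised for the organisation
    measurement_approach: str  # how the attribute is measured
    metric: str                # unit of the metric
    target: float              # performance target set in Strategy & Planning
    higher_is_better: bool = True


@dataclass
class Element:
    """An architecture element at a lower SABSA layer. `supports` holds the ids
    of the elements one layer up that this one realises; logical elements point
    straight at attribute names."""
    id: str
    layer: str                 # logical | physical | component | operational
    description: str
    supports: list


ATTRIBUTES = [
    Attribute("Available", "Payment service usable by customers when needed",
              "monthly uptime from synthetic probes", "% availability", 99.9),
    Attribute("Access-controlled", "Only authorised staff can approve payments",
              "quarterly access review", "% approver accounts with approved role", 100.0),
    Attribute("Recoverable", "Service restored after disruption within agreed time",
              "annual DR exercise", "hours to restore", 4.0, higher_is_better=False),
    Attribute("Auditable", "Every payment decision can be reconstructed afterwards",
              "sampled transaction log review", "% with complete audit trail", 100.0),
]

ELEMENTS = [
    Element("svc-authn", "logical", "Entity authentication service", ["Access-controlled"]),
    Element("svc-continuity", "logical", "Service continuity service", ["Available", "Recoverable"]),
    Element("mech-mfa", "physical", "Multi-factor login for approver roles", ["svc-authn"]),
    Element("mech-cluster", "physical", "Active/active application cluster", ["svc-continuity"]),
    Element("comp-idp", "component", "Identity provider with TOTP", ["mech-mfa"]),
    Element("comp-lb", "component", "Load balancer pair", ["mech-cluster"]),
    # Points at a mechanism nobody defined: a component with no business justification.
    Element("comp-backup", "component", "Nightly backup job", ["mech-backup"]),
    Element("ops-recert", "operational", "Quarterly privilege recertification", ["svc-authn"]),
]

# Constructed measurements from the Manage & Measure phase ("Auditable" was never measured).
MEASURED = {"Available": 99.95, "Access-controlled": 97.0, "Recoverable": 3.0}


def justifications(elem_id, elements, attributes):
    """Follow `supports` links upward and return the attribute names reached."""
    by_id = {e.id: e for e in elements}
    names = {a.name for a in attributes}
    found, stack, seen = set(), [elem_id], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur in names:
            found.add(cur)
        elif cur in by_id:
            stack.extend(by_id[cur].supports)
        # an id that is neither an attribute nor an element is a dangling link
    return found


def check_completeness(attributes, elements):
    """Traceability for completeness: every attribute should be realised by at
    least one component-layer element. Returns the attributes that are not."""
    realised = set()
    for e in elements:
        if e.layer == "component":
            realised |= justifications(e.id, elements, attributes)
    return sorted({a.name for a in attributes} - realised)


def check_justification(attributes, elements):
    """Traceability for justification: every element should trace up to some
    attribute. Returns the ids of elements that do not."""
    return sorted(e.id for e in elements
                  if not justifications(e.id, elements, attributes))


def performance_report(attributes, measured):
    """Compare measured values against the target set for each attribute."""
    report = {}
    for a in attributes:
        value = measured.get(a.name)
        if value is None:
            report[a.name] = "NOT MEASURED"
        elif (value >= a.target) if a.higher_is_better else (value <= a.target):
            report[a.name] = "MET"
        else:
            report[a.name] = "BREACHED"
    return report


if __name__ == "__main__":
    print("attributes with no component realising them:", check_completeness(ATTRIBUTES, ELEMENTS))
    print("elements with no business justification:", check_justification(ATTRIBUTES, ELEMENTS))
    for name, status in performance_report(ATTRIBUTES, MEASURED).items():
        print(f"{name:18s} {status}")
```

Run as-is, the completeness check reports "Auditable" (no component realises it), the justification check reports "comp-backup" (its chain breaks at an undefined mechanism), and the report shows "Access-controlled" breached against its target, which is the kind of output the slides describe feeding SLAs and executive communications.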

Page 36: SABSA overview


SABSA BAP - the Key to Framework Integration

Extract reproduced with permission from Hans Hopman, ISO 27000 committee

Page 37: SABSA overview


Security Services Value Reconsidered

Page 38: SABSA overview


Risk Context: Risk Reconsidered - SABSA O.R.M.

Assets at Risk sit between two sides of the picture:

Negative outcomes: Threats lead to a Loss Event. The overall likelihood of loss combines the likelihood of the threat materialising with the likelihood of the weakness being exploited; the overall loss value combines asset value with negative impact value.

Positive outcomes: Opportunities lead to a Beneficial Event. The overall likelihood of benefit combines the likelihood of the opportunity materialising with the likelihood of the strength being exploited; the overall benefit value combines asset value with positive impact value.

Page 39: SABSA overview


Feedback Control Loop

System -> Monitoring & Measurement Sub-System (reports new state of system) -> Decision Sub-System (calls for new parameter settings) -> Control Sub-System (affects state of system) -> System

Page 40: SABSA overview


SABSA Multi-tiered Control Strategy

Deterrence
Prevention
Containment
Detection & Notification
Recovery & Restoration
Evidence Collection & Tracking
Audit & Assurance

Page 41: SABSA overview


SABSA Operation of Controls

Threats exploit Vulnerabilities, causing Incidents, affecting Assets, producing Business Impacts.

Deterrent Controls reduce Threats; Preventive Controls reduce Vulnerabilities; Detective Controls discover Incidents and trigger Corrective Controls; Corrective Controls reduce Business Impacts.

Risk Assessment leads to Selection of Controls.
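The Risk Context, Multi-tiered Control Strategy and Operation of Controls slides describe relationships, not formulas. As an added example (not from the SABSA course material), the Python below turns them into arithmetic under one stated assumption, that likelihoods and values combine by multiplication, and then applies the control tiers to a constructed payment-fraud scenario, selecting controls until the residual expected loss is within a business risk appetite. The control names, probabilities, asset values, effectiveness figures, costs and the appetite are all placeholders.

```python
"""Risk/opportunity arithmetic and control-tier effects.

Added example, not part of the SABSA course material. Modelling assumptions:
likelihoods and values combine by multiplication, each control removes a fixed
fraction of the quantity its tier acts on, and corrective controls only take
effect when a detective control is present to trigger them. Every number in
the scenario is a constructed placeholder.
"""
from dataclasses import dataclass, replace


@dataclass
class Threat:
    """Negative side of the Risk Context for one asset at risk."""
    name: str
    p_materialise: float    # likelihood of the threat materialising
    p_exploit: float        # likelihood of the weakness being exploited
    asset_value: float      # value of the asset at risk
    impact_fraction: float  # negative impact value, as a fraction of asset value

    def overall_likelihood(self):
        return self.p_materialise * self.p_exploit

    def overall_loss_value(self):
        return self.asset_value * self.impact_fraction

    def expected_loss(self):
        return self.overall_likelihood() * self.overall_loss_value()


@dataclass
class Opportunity:
    """Positive side: same shape, with strengths and beneficial events."""
    name: str
    p_materialise: float         # likelihood of the opportunity materialising
    p_strength_exploited: float  # likelihood of the strength being exploited
    asset_value: float
    benefit_fraction: float      # positive impact value, as a fraction of asset value

    def expected_benefit(self):
        return (self.p_materialise * self.p_strength_exploited
                * self.asset_value * self.benefit_fraction)


@dataclass
class Control:
    name: str
    tier: str             # deterrent | preventive | detective | corrective
    effectiveness: float  # fraction of its target quantity the control removes (assumed)
    cost: float


# Operation of Controls: deterrent controls reduce threats, preventive controls
# reduce vulnerabilities, corrective controls reduce business impacts.
TIER_TARGET = {"deterrent": "p_materialise",
               "preventive": "p_exploit",
               "corrective": "impact_fraction"}


def apply_controls(threat, controls):
    """Residual threat after a control set. Detective controls discover incidents
    and trigger corrective controls, so a corrective control only takes effect
    when at least one detective control is in place."""
    residual = replace(threat)
    detected = any(c.tier == "detective" for c in controls)
    for c in controls:
        if c.tier == "detective" or (c.tier == "corrective" and not detected):
            continue
        field = TIER_TARGET[c.tier]
        setattr(residual, field, getattr(residual, field) * (1.0 - c.effectiveness))
    return residual


def select_controls(threat, candidates, appetite):
    """Risk assessment leads to selection of controls: greedily add the option
    with the best expected-loss reduction per unit cost until residual expected
    loss is within the risk appetite. Detective+corrective pairs are offered as
    one option because neither reduces loss on its own."""
    chosen, remaining = [], list(candidates)
    while remaining and apply_controls(threat, chosen).expected_loss() > appetite:
        current = apply_controls(threat, chosen).expected_loss()
        options = [[c] for c in remaining]
        options += [[d, k] for d in remaining if d.tier == "detective"
                    for k in remaining if k.tier == "corrective"]

        def gain_per_cost(option):
            residual = apply_controls(threat, chosen + option).expected_loss()
            return (current - residual) / sum(c.cost for c in option)

        best = max(options, key=gain_per_cost)
        if gain_per_cost(best) <= 0:
            break
        chosen.extend(best)
        for c in best:
            remaining.remove(c)
    return chosen


# Constructed scenario (placeholder values).
FRAUD = Threat("payment fraud", p_materialise=0.5, p_exploit=0.4,
               asset_value=1_000_000, impact_fraction=0.2)
LAUNCH = Opportunity("new market launch", 0.6, 0.5, 1_000_000, 0.1)
CANDIDATES = [
    Control("warning banners & prosecution policy", "deterrent", 0.2, 1_000),
    Control("input validation & MFA on approvals", "preventive", 0.5, 10_000),
    Control("transaction monitoring", "detective", 0.0, 5_000),
    Control("account freeze & chargeback", "corrective", 0.6, 2_000),
]
APPETITE = 10_000  # acceptable residual expected loss


def demo():
    """Return (selected control names, residual expected loss, net position)."""
    chosen = select_controls(FRAUD, CANDIDATES, APPETITE)
    residual = apply_controls(FRAUD, chosen).expected_loss()
    return [c.name for c in chosen], residual, LAUNCH.expected_benefit() - residual


if __name__ == "__main__":
    names, residual, net = demo()
    print("inherent expected loss:", FRAUD.expected_loss())
    print("selected controls:", names)
    print("residual expected loss:", residual, "net position vs opportunity:", net)
```

With these placeholder numbers the inherent expected loss is 40,000; the greedy selection takes the cheap deterrent first, then the detective/corrective pair (which only pays off together), and finally the preventive control, bringing residual expected loss to 6,400, inside the 10,000 appetite. The pairing rule is the part worth noticing: on the Operation of Controls slide a corrective control sits downstream of detection, so a selection method that scores controls one at a time undervalues both.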

Page 42: SABSA overview


Taxonomy of Cognitive Levels (Foundation)

Competency Level / Skill Demonstrated / Task Examples

1 Knowledge
Skill demonstrated: observation and recall of information; knowledge of facts; knowledge of major ideas; mastery of subject matter; carry out research to find information
Task examples: list, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify

2 Comprehension
Skill demonstrated: understand information; grasp meaning; translate knowledge into new context; interpret facts, compare, contrast; order, group, infer causes; predict consequences
Task examples: summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend

Page 43: SABSA overview


Taxonomy of Cognitive Levels (Practitioner)

Competency Level / Skill Demonstrated / Task Examples

3 Application
Skill demonstrated: use information; use methods, concepts, theories in new situations; solve problems using required skills or knowledge
Task examples: apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover

4 Analysis
Skill demonstrated: seeing patterns; organisation of parts; recognition of hidden meanings; identification of components
Task examples: analyse, separate, order, connect, classify, arrange, divide, compare, select, infer

Page 44: SABSA overview


Taxonomy of Cognitive Levels (Master)

Competency Level / Skill Demonstrated / Task Examples

5 Synthesis
Skill demonstrated: use old ideas to create new ones; generalise from given facts; relate knowledge from several areas; predict, draw conclusions
Task examples: combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite

6 Evaluation
Skill demonstrated: compare and discriminate between ideas; assess value of theories, presentations; make choices based on reasoned argument; verify value of evidence; recognise subjectivity
Task examples: assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude

Page 45: SABSA overview


For More Information
SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach”, currently CMP Books (Elsevier); Kindle version now available
SABSA Executive White Paper
SABSA – TOGAF White Paper
SABSA Institute – sabsa.org
SABSA Training & Certification – sabsacourses.com