SABSA Institute
What is SABSA?
Sherwood Applied Business Security Architecture
The world's leading free-use and open-source security architecture development and management method.
A methodology for developing business-driven, risk- and opportunity-focused enterprise security and information assurance architectures, and for delivering security infrastructure and service management solutions that traceably support critical business initiatives.
Development, maintenance, certification and accreditation are governed by the SABSA Institute.
FEATURE: ADVANTAGE
Business-driven: Value-assured
Risk-focused: Prioritised & proportional responses
Comprehensive: Scalable scope
Modular: Agility (ease of implementation & management)
Open Source (protected): Free use, open source, global standard
Auditable: Demonstrates compliance
Transparent: Two-way traceability
Americas: Argentina, Canada, Colombia, Mexico, United States
Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
SABSA Foundation 2010 15
When is SABSA Used?
SABSA as a Through-Life Solution Framework
SABSA is used through-life, throughout the entire lifecycle from business requirements engineering to managing the solutions delivered.
SABSA Views
[Figure: the SABSA layers set beside the OSI reference model. The OSI layers of ISO 7498-1 (Applications, Presentation, Session, Transport) and the OSI security architecture of ISO 7498-2 are aligned against the SABSA layers: Business-Driven Requirements (Contextual Architecture), Conceptual Architecture & Strategy, and Security Services (Logical Architecture).]

The SABSA Matrix
Rows are the architecture layers; columns are Assets, Motivation, Process, People, Location and Time.

Contextual Architecture
  Assets: Taxonomy of Business Assets, Including Goals & Objectives
  Motivation: Opportunities & Threats Inventory
  Process: Inventory of Operational Processes
  People: Organisational Structure & the Extended Enterprise
  Location: Inventory of Buildings, Sites, Territories, Jurisdictions etc.
  Time: Time Dependencies of Business Objectives

Conceptual Architecture
  Assets: Business Knowledge & Risk Strategy; Business Attributes Profile
  Motivation: Risk Management Objectives; Enablement & Control Objectives; Policy Architecture
  Process: Strategies for Process Assurance; Process Mapping Framework; Architectural Strategies for ICT
  People: Roles & Responsibilities; Owners, Custodians & Users; Service Providers & Customers
  Location: Domain Framework; Security Domain Concepts & Framework
  Time: Time Management Framework; Through-life Risk Management Framework

Logical Architecture
  Assets: Information Assets
  Motivation: Risk Management Policies
  Process: Process Maps & Services
  People: Entity & Trust Framework
  Location: Domain Maps
  Time: Calendar & Timetable

Physical Architecture
  Assets: Data Assets; Data Dictionary & Data Inventory
  Motivation: Risk Management Practices; Risk Management Rules & Procedures
  Process: Process Mechanisms; Applications, Middleware; Systems; Security Mechanisms
  People: Human Interface; User Interface to ICT Systems; Access Control Systems
  Location: ICT Infrastructure; Host Platforms & Networks Layout
  Time: Processing Schedule; Timing & Sequencing of Processes & Sessions

Component Architecture
  Assets: ICT Components
  Motivation: Risk Management Tools & Standards
  Process: Process Tools & Standards
  People: Personnel Management Tools & Standards
  Location: Locator Tools & Standards
  Time: Step Timing & Sequencing Tools

Security Service Management Architecture
[Figure: the Conceptual Security Architecture, Logical Security Architecture and Operational Architecture (Security Service Management Architecture) mapped against the standards lineage, with security designed in first and then managed ("Designed-in, then Management"):
  Code of Practice for Information Security Management: BS7799(1) (controls library) -> ISO 17799 (controls library) -> now ISO 27002 (controls library)
  ISMS: BS7799(2) (ISMS) -> now ISO 27001 (ISMS)
  Code of Practice for Information Technology Service Management: ITIL -> ISO 20000
The SABSA layers are shown as compatible with these standards.]
SABSA Top-Down Process Analysis
Contextual: Meta-Processes
[Figure: Vertical Security Consistency. The Contextual, Conceptual, Logical, Physical and Component Security Architectures are stacked top-down, with the Security Service Management Architecture running alongside all of them.]
Business Attributes by group (extract):
User Attributes: Accessible, Timely, Usable
Management Attributes: Automated
Operational Attributes: Available
Risk Management Attributes: Access-controlled, Integrity-Assured, Non-Repudiable, Owned, Private
Legal / Regulatory Attributes: Admissible
Technical Strategy Attributes: Architecturally Open
Business Strategy Attributes: Brand Enhancing
Extract reproduced with permission from Hans Hopman, ISO 27000 committee
Security Services Value Reconsidered
[Figure: a Control Sub-System paired with a Monitoring & Measurement Sub-System that reports the new state of the system. The security services are grouped as: Deterrence; Containment; Evidence Collection & Tracking; Detection & Notification; Recovery & Restoration.]
SABSA Operation of Controls
[Figure: Threats exploit Vulnerabilities, causing Incidents, affecting Assets, producing Business Impacts. Deterrent Controls reduce Threats; Preventive Controls reduce Vulnerabilities; Incidents trigger Detective Controls, which discover them and in turn trigger Corrective Controls; Corrective Controls reduce Business Impacts.]
David Lynas
CEO, SABSA Institute
david.lynas@sabsa.org
(non-commercial only)
david@sabsaservicesinternational.com