
Changing the Security Landscape

SABSA Institute
What is SABSA?
Sherwood Applied Business Security Architecture
The world's leading free-use and open-source security architecture development and management method
Methodology for developing business-driven, risk- and opportunity-focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
Development, maintenance, certification and accreditation is governed by the SABSA Institute

SABSA Foundation 2010 2


What is SABSA?
Sherwood Applied Business Security Architecture
Comprised of a number of integrated frameworks, models, methods
and processes, including:
Business Requirements Engineering Framework (also known as
Attributes Profiling)
Risk & Opportunity Management Framework
Policy Architecture Framework
Security Services-Oriented Architecture Framework
Governance Framework
Security Domain Framework
Through-life Security Service & Performance Management



What is SABSA?
SABSA History & Development

White Paper originally authored by John Sherwood 1995


First use in global financial messaging (S.W.I.F.T.net) 1995
SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew
Clark & David Lynas, 2005
Enterprise Security Architecture: A Business-driven Approach
ISBN 1-57820-318-X
Adopted as UK MoD Information Assurance Standard 2007
Certification programme introduced March 2007
Upcoming publications:
SABSA Pocket Guide (Van Haren)
SABSA Textbook (Van Haren)
Why is SABSA So Successful?
Institute Status
In the UK, "Institute" is a protected and highly-regulated status
The SABSA Institute is a formal non-profit Community-of-Interest Corporation
SABSA Intellectual Property can never be sold
Underwrites free-use status in perpetuity
Guarantees protected on-going development
Independently certifies & accredits SABSA Architects to
provide confidence & assurance to industry, government
& the professional community
Why is SABSA So Successful?
Features & Advantages Summary

FEATURE: ADVANTAGE
Business-driven: Value-assured
Risk-focused: Prioritised & proportional responses
Comprehensive: Scalable scope
Modular: Agility - ease of implementation & management
Open Source (protected): Free use, open source, global standard
Auditable: Demonstrates compliance
Transparent: Two-way traceability



Why is SABSA So Successful?
Unique Selling Points & Elevator Pitches
Each of the seven primary features and advantages can
be interpreted and customised into key elevator pitch
messages and unique selling points (USPs) for specific
stakeholders or customers
There is a case study example created for eight
stakeholders / job titles at a global bank in the reference
document SABSA Features, Advantages & Benefits
Summary



Why is SABSA So Successful?
Competency-based Professional Certification
Real professionals (such as pilots and doctors) are not
certified by their professional body based on knowledge
They are required to demonstrate application of skill
Career progression is achieved by doing, not by knowing
Certification by the SABSA Institute is competency-based
It delivers to stakeholders the assurance, trust and
confidence that a professional has demonstrated the skill
and ability to use the SABSA method in the real world



How is SABSA Used?
Applications of SABSA
Enterprise Security Architecture
Enterprise Architecture
Individual solutions-based Architectures
Seamless security integration & alignment with other
frameworks (including TOGAF, ITIL, ISO27000 series,
Zachman, DoDAF, CobIT, NIST, etc.)
Filling the security architecture and security service
management gaps in other frameworks



How is SABSA Used?
Applications of SABSA
Business requirements engineering
Solutions traceability
Risk & Opportunity Management
Information Assurance
Governance, Compliance & Audit
Policy Architecture



How is SABSA Used?
Applications of SABSA
Security service management
IT Service management
Security performance management, measures & metrics
Service performance management, measures & metrics
Over-arching decision-making framework for end-to-end
solutions



Who Uses SABSA?
SABSA User Base
As SABSA is free-use and registration is not required, we
do not have a definitive list of user organisations
However, we do know the profiles of the thousands of
professionals who have qualified as SABSA Chartered
Architects
There are SABSA Chartered Architects at Foundation
Level (SCF) in more than 40 countries, on every
continent, and from every imaginable business sector



Who Uses SABSA?
Growth & Standardisation
SABSA is a standard (formal & de facto) world-wide,
including:
UK Ministry of Defence - Information Assurance Standard
Canadian Government - Architecture Development Standard
The Open Group TOGAF Security Standard
USA Government NIST Security Standard for SmartGrid
Finance Sector including European Central Bank & Westpac
And is widely referenced as a recommended approach,
including:
ISACA - CISM Study Guides & Examinations
IT Governance Institute Executive Guide to Governance
Where is SABSA Used?
SABSA Demographics
SABSA is used world-wide and SABSA Chartered
Architects exist in more than 40 countries, including those
shown on the next slide:



Where is SABSA Used?
SABSA Demographics

Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom

Americas: Argentina, Canada, Colombia, Mexico, United States

Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam

Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
When is SABSA Used?
SABSA as a Through-Life Solution Framework
SABSA is used through-life, throughout the entire lifecycle from business requirements engineering to managing the solutions delivered

Lifecycle phases: Strategy & Planning, Design, Implement, Manage & Measure

Business View: Contextual Architecture
Architect's View: Conceptual Architecture
Designer's View: Logical Architecture
Builder's View: Physical Architecture
Tradesman's View: Component Architecture
Service Manager's View: Operational Architecture
Independent Assessment of Frameworks
Independent assessment on behalf of UK Government (Jan 2007)
Assessed Information Assurance and Architecture frameworks
Open source e.g. SABSA
Proprietary e.g. Gartner
Provider e.g. IBM MASS
Pre-existing in-house methodologies and frameworks
SABSA top-scored in every assessment category
Discriminating factors included
Comprehensive, flexible and adaptable
Competency development and training
Non-proprietary / open source
Business and risk focus
No ties to specific vendors or suppliers
No ties to specific standards or technologies
Enables open competition



The Problem of Architecture



The Issue with Architectural Strategy

Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion ... or it will be killed.
Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle ... or it will die of starvation.
Is it better to be a Lion or a Gazelle?

Business View: Survival Strategy

When the sun comes up in Africa, it doesn't matter what shape you are:
If you want to survive, what matters is that you'd better be running!
The Importance of a Framework



SABSA Architecture Guiding Principles

Architecture must not presuppose any particular:


Cultures or operating regimes
Management style
Set of management processes
Management standards
Technical standards
Technology platforms



SABSA Architecture Guiding Principles

Architecture must meet YOUR unique set of business requirements

Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation:
ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc.
ITIL, TNN, ISO 9000, etc.
AS / NZS 4360, Basel II, ISO 27005, etc.
Balanced scorecards, capability maturity models, ROI, NPV, etc.
When a question is asked starting with "Is this Architecture compatible / compliant with ...?", a good Architecture framework will automatically have the answer "Yes"
A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
It does not replace ITIL or ISO 27001 or NIST etc. but rather enables their deployment and effective integration into the corporate culture


Built to Drive Complex Design Solutions
SABSA influenced in 1995 by the need to enhance ISO 7498-2

ISO 7498-1 (OSI layers): Applications, Presentation, Session, Transport, Network, Link, Physical
ISO 7498-2 (across the same layers): Security Services, Security Mechanisms

SABSA Views:
Contextual Architecture: Business-driven Requirements
Conceptual Architecture: Strategy
Logical Architecture: Logical Security Services
Physical Architecture: Physical Security Mechanisms
Component Architecture: Detailed Custom Specification
Operational Architecture: Service Management


Architecture Reconsidered

Business View Contextual Architecture


Architects View Conceptual Architecture
Designers View Logical Architecture
Builders View Physical Architecture
Tradespersons View Component Architecture
Service Managers View Operational Architecture
Vertical Analysis:
Six Honest Serving Security Men
What are we trying to do at this layer? What: the assets, goals & objectives to be protected & enhanced
Why are we doing it? Why: the risk & opportunity motivation at this layer
How are we trying to do it? How: the processes required to achieve security at this layer
Who is involved? Who: the people and organisational aspects of security at this layer
Where are we doing it? Where: the locations where we are applying security at this layer
When are we doing it? When: the time-related aspects of security at this layer


The SABSA Matrix
Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)

Contextual: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
Conceptual: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
Logical: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
Physical: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
Component: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools
Operational: Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management


Architecture Strategy & Planning Phase

Columns: Assets (what) | Motivation (why) | Process (how) | People (who) | Location (where) | Time (when)

Contextual row headings: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
Contextual cell contents: Taxonomy of Business Assets, including Goals & Objectives | Opportunities & Threats Inventory | Inventory of Operational Processes | Organisational Structure & the Extended Enterprise | Inventory of Buildings, Sites, Territories, Jurisdictions etc. | Time Dependencies of Business Objectives

Conceptual row headings: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
Conceptual cell contents: Business Attributes Profile | Enablement & Control Objectives; Policy Architecture | Process Mapping Framework; Architectural Strategies for ICT | Owners, Custodians & Users; Service Providers & Customers | Security Domain Concepts & Framework | Through-life Risk Management Framework


Architecture Design Phase
Columns: Assets (what) | Motivation (why) | Process (how) | People (who) | Location (where) | Time (when)

Logical row headings: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
Logical cell contents: Inventory of Information Assets | Domain Policies | Information Flows; Functional Transformations; SOA | Entity Schema; Trust Models; Privilege Profiles | Domain Definitions; Inter-domain Associations & Inter-actions | Start Times, Lifetimes & Deadlines

Physical row headings: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
Physical cell contents: Data Dictionary & Data Inventory | Risk Management Rules & Procedures | Applications, Middleware; Systems; Security Mechanisms | User Interface to ICT Systems; Access Control Systems | Host Platforms & Networks Layout | Timing & Sequencing of Processes & Sessions

Component row headings: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools
Component cell contents: ICT Products, Data Repositories & Processors | Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment | Tools & Protocols for Process Delivery | Identities, Job Descriptions; Roles; Functions; Actions & ACLs | Nodes, Addresses & Other Locators | Time Schedules; Clocks; Timers & Interrupts


Design Framework
(Service Management View)
Contextual Security Architecture
Conceptual Security Architecture
Logical Security Architecture
Physical Security Architecture
Component Security Architecture
Security Service Management Architecture (spanning all of the above)
SABSA Service Management Architecture
Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)

Layer 6 (repeat of the main SABSA Matrix): Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management
The five rows below are an exploded overlay of how this Layer 6 relates to each of the other Layers

Contextual: Business Driver Definitions | Business Risk Assessment | Service Management | Relationship Management | Point-of-Supply Management | Performance Management
Conceptual: Proxy Asset Definitions | Developing ORM Objectives | Service Delivery Planning | Service Management Roles | Service Portfolio | Service Level Definitions
Logical: Asset Management | Policy Management | Service Delivery Management | Service Customer Support Management | Service Catalogue Management | Service Evaluation Management
Physical: Asset Security & Protection | Operational Risk Data Collection | Service Resources Protection | User Support | Service Operations Management | Performance Data Collection
Component: Security Tool Protection | ORM Tools | Service Tool Deployment | Personnel Management Tools | Deployment | Monitoring Tools
Built to Integrate Management Practices
SABSA Service Management is designed to comply with, integrate, and enable the management best practice of the day

Designed-in then:
ITIL / Code of Practice for Information Technology Service Management
BS7799(1) (controls library) / Code of Practice for Information Security Management
BS7799(2) (ISMS)

Compatible now:
ISO 20000
ISO 17799 (controls library), now ISO 27002 (controls library)
ISO 27001 (ISMS)

Service Management / Operational Architecture sits at the centre of these
SABSA Top-Down Process Analysis
Contextual: Meta-Processes
Conceptual: Strategic View of Process
Logical: Information Flows & Transformations
Physical: Data Flows & System Interactions
Component: Protocols & Step Sequences

Vertical Security Consistency (down the layers) and Horizontal Security Consistency (across each layer)
Traceability For Completeness

Contextual Security Architecture > Conceptual Security Architecture > Logical Security Architecture > Physical Security Architecture > Component Security Architecture, with Security Service Management Architecture spanning all layers

Every business requirement for security is met and the residual risk is acceptable to the business appetite


Traceability For Justification

Contextual Security Architecture > Conceptual Security Architecture > Logical Security Architecture > Physical Security Architecture > Component Security Architecture, with Security Service Management Architecture spanning all layers

Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.


The Problem of Defining Security
Security is the means of achieving an acceptable level of residual risk
The value of the information has to be protected
This value is determined in terms of confidentiality, integrity & availability


Security Reconsidered



SABSA Business Attributes
Powerful requirements engineering technique
Populates the vital missing link between business requirements and technology /
process design
Each attribute is an abstraction of a business requirement (the goals, objectives,
drivers, targets, and assets confirmed as part of the business contextual
architecture)
Attributes can be tangible or intangible
Each attribute requires a meaningful name and detailed definition customised
specifically for a particular organisation
Each attribute requires a measurement approach and metric to be defined during
the SABSA Strategy & Planning phase to set performance targets for security
The performance targets are then used as the basis for reporting and/or SLAs in
the SABSA Manage & Measure phase



Sample Taxonomy of ICT Attributes
Business Attributes

User Attributes: Accessible, Accurate, Anonymous, Consistent, Current, Duty Segregated, Educated & Aware, Informed, Motivated, Protected, Reliable, Responsive, Transparent, Supported, Timely, Usable

Management Attributes: Automated, Change-managed, Continuous, Controlled, Cost-Effective, Efficient, Maintainable, Measured, Monitored, Supportable

Operational Attributes: Available, Detectable, Error-Free, Inter-Operable, Productive, Recoverable

Risk Management Attributes: Access-controlled, Accountable, Assurable, Assuring Honesty, Auditable, Authenticated, Authorised, Capturing New Risks, Confidential, Crime-Free, Flexibly Secure, Identified, Independently Secure, In our sole possession, Integrity-Assured, Non-Repudiable, Owned, Private, Trustworthy

Legal / Regulatory Attributes: Admissible, Compliant, Enforceable, Insurable, Legal, Liability Managed, Regulated, Resolvable, Time-bound

Technical Strategy Attributes: Architecturally Open, COTS / GOTS, Extendible, Flexible / Adaptable, Future-Proof, Legacy-Sensitive, Migratable, Multi-Sourced, Scalable, Simple, Standards Compliant, Traceable, Upgradeable

Business Strategy Attributes: Brand Enhancing, Business-Enabled, Competent, Confident, Credible, Culture-sensitive, Enabling time-to-market, Governable, Providing Good Stewardship and Custody, Providing Investment Re-use, Providing Return on Investment, Reputable


Attributes Usage
Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
Pick-list of desired requirements
Cross-check for completeness of requirements
Key to traceability mappings
Measurement & operations contracts, SLAs, performance targets
Return on Investment & Value propositions
Procurement
Risk status summary & risk monitoring
Key to a SABSA integrated compliance tool
Powerful executive communications
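The two traceability slides above (completeness: every business requirement for security is met; justification: every security element traces to a risk-prioritised requirement) and the Business Attributes slides (each attribute has a definition, a metric and a performance target, reported against in Manage & Measure) describe checks that are easy to mechanise. The following is an added example, not SABSA Institute code: a small attributes profile with a two-way mapping to security elements, the two traceability checks, and a target-versus-measurement status report. All attribute names, definitions, targets, elements and measured values are constructed for illustration.

```python
"""Business Attributes Profile with two-way traceability checks.

Added example, not SABSA Institute code. Attribute names, targets,
security elements and measured values are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Attribute:
    name: str
    definition: str          # customised for the organisation
    metric: str              # measurement approach
    target: float            # performance target set in Strategy & Planning
    higher_is_better: bool = True


@dataclass
class SecurityElement:
    """An operational or technological element at some architecture layer."""
    name: str
    layer: str               # logical, physical, component, ...
    supports: set = field(default_factory=set)   # names of attributes it supports


def status(attr, measured):
    """Manage & Measure: 'met' if the measured value satisfies the target."""
    if measured is None:
        return "unmeasured"
    met = measured >= attr.target if attr.higher_is_better else measured <= attr.target
    return "met" if met else "missed"


def completeness_gaps(attributes, elements):
    """Traceability for completeness: attributes that no element supports."""
    covered = set()
    for e in elements:
        covered |= e.supports
    return sorted(a.name for a in attributes if a.name not in covered)


def justification_gaps(attributes, elements):
    """Traceability for justification: elements that trace to no known attribute."""
    known = {a.name for a in attributes}
    return sorted(e.name for e in elements if not (e.supports & known))


def profile_report(attributes, elements, measurements):
    """Both traceability checks plus the per-attribute status report."""
    return {
        "completeness_gaps": completeness_gaps(attributes, elements),
        "justification_gaps": justification_gaps(attributes, elements),
        "status": {a.name: status(a, measurements.get(a.name)) for a in attributes},
    }


# Constructed sample profile for a hypothetical organisation
ATTRIBUTES = [
    Attribute("Available", "Payment service reachable during trading hours",
              "monthly uptime %", 99.9),
    Attribute("Recoverable", "Service restored after a major outage",
              "hours to restore", 4.0, higher_is_better=False),
    Attribute("Auditable", "Privileged actions can be reconstructed",
              "% of privileged actions logged", 100.0),
    Attribute("Confidential", "Card data visible only to authorised staff",
              "% of card data stores encrypted", 100.0),
]

ELEMENTS = [
    SecurityElement("Clustered payment gateway", "physical", {"Available"}),
    SecurityElement("Off-site backup service", "physical", {"Recoverable"}),
    SecurityElement("Privileged session logging", "component", {"Auditable"}),
    SecurityElement("Legacy IDS appliance", "component", set()),  # traces to nothing
]

# Constructed measurements; "Confidential" has not been measured yet
MEASUREMENTS = {"Available": 99.95, "Recoverable": 6.0, "Auditable": 100.0}

if __name__ == "__main__":
    for key, value in profile_report(ATTRIBUTES, ELEMENTS, MEASUREMENTS).items():
        print(f"{key}: {value}")
```

Run as a script, the report lists "Confidential" as a completeness gap (a requirement nothing supports), the legacy IDS as a justification gap (an element nothing justifies), and flags "Recoverable" as missed because six hours to restore exceeds the four-hour target.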



SABSA BAP - the Key to Framework Integration

Extract reproduced with permission from Hans Hopman, ISO 27000 committee
Security Services Value Reconsidered



Risk Reconsidered - SABSA O.R.M.
Risk Context: Assets at Risk

Negative Outcomes (Loss Event):
Threats
Likelihood of threat materialising and Likelihood of weakness exploited combine into Overall likelihood of loss
Asset value and Negative impact value combine into Overall loss value

Positive Outcomes (Beneficial Event):
Opportunities
Likelihood of opportunity materialising and Likelihood of strength exploited combine into Overall likelihood of benefit
Asset value and Positive impact value combine into Overall benefit value
Feedback Control Loop System
Decision Sub-System calls for new parameter settings to the Control Sub-System
Control Sub-System affects the state of the System
Monitoring & Measurement Sub-System observes the System and reports the new state of the system to the Decision Sub-System


SABSA Multi-tiered Control Strategy

Deterrence
Prevention
Containment
Detection & Notification
Evidence Collection & Tracking
Recovery & Restoration
Audit & Assurance (spanning all tiers)
SABSA Operation of Controls
Threats exploit Vulnerabilities, causing Incidents affecting Assets, producing Business Impacts
Deterrent Controls reduce Threats
Preventive Controls reduce Vulnerabilities
Detective Controls discover Incidents and trigger Preventive and Corrective Controls
Corrective Controls reduce Business Impacts
Risk Assessment leads to Selection of Controls
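The O.R.M. slide shows which factors combine into a loss event and a beneficial event, and the Operation of Controls slide shows which control type acts on which factor. The following is an added example, not SABSA Institute code, that puts the two together: a loss event and a beneficial event on the same asset, a set of controls applied by type, and a check of the residual expected loss against a business appetite. The multiplicative way of combining the factors, the 0..1 scales, the rule that corrective controls only count when a detective control is present to trigger them, and every number are assumptions made for this example; the slides themselves state no formula.

```python
"""Loss and beneficial events in the style of the SABSA O.R.M. diagram,
with a control overlay by control type.

Added example, not SABSA Institute code. Multiplicative combination of
factors, 0..1 scales, the detective-triggers-corrective rule and all
sample numbers are assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossEvent:
    asset_value: float   # value of the asset at risk (currency units)
    p_threat: float      # likelihood of threat materialising, 0..1
    p_weakness: float    # likelihood of weakness being exploited, 0..1
    impact: float        # negative impact value as a fraction of asset value, 0..1

    def likelihood(self) -> float:
        return self.p_threat * self.p_weakness        # overall likelihood of loss

    def loss_value(self) -> float:
        return self.asset_value * self.impact         # overall loss value

    def expected_loss(self) -> float:
        return self.likelihood() * self.loss_value()


@dataclass(frozen=True)
class BeneficialEvent:
    asset_value: float
    p_opportunity: float  # likelihood of opportunity materialising, 0..1
    p_strength: float     # likelihood of strength being exploited, 0..1
    impact: float         # positive impact value as a fraction of asset value, 0..1

    def likelihood(self) -> float:
        return self.p_opportunity * self.p_strength   # overall likelihood of benefit

    def benefit_value(self) -> float:
        return self.asset_value * self.impact         # overall benefit value

    def expected_benefit(self) -> float:
        return self.likelihood() * self.benefit_value()


@dataclass(frozen=True)
class Control:
    name: str
    kind: str       # deterrent | preventive | detective | corrective
    effect: float   # fraction by which the factor it acts on is reduced (assumed)


def apply_controls(event: LossEvent, controls) -> LossEvent:
    """Return the residual loss event after the selected controls act on it."""
    has_detective = any(c.kind == "detective" for c in controls)
    p_threat, p_weakness, impact = event.p_threat, event.p_weakness, event.impact
    for c in controls:
        if c.kind == "deterrent":
            p_threat *= 1 - c.effect       # deterrent controls reduce threats
        elif c.kind == "preventive":
            p_weakness *= 1 - c.effect     # preventive controls reduce vulnerabilities
        elif c.kind == "corrective" and has_detective:
            impact *= 1 - c.effect         # corrective controls reduce business impacts
        # detective controls change no factor here: they discover incidents and
        # trigger the corrective controls above (assumption for this example)
    return replace(event, p_threat=p_threat, p_weakness=p_weakness, impact=impact)


def residual_acceptable(event: LossEvent, appetite: float) -> bool:
    """Residual risk is acceptable when expected loss is within the business appetite."""
    return event.expected_loss() <= appetite


def net_position(loss: LossEvent, benefit: BeneficialEvent) -> float:
    """Expected benefit less expected loss for the same asset at risk."""
    return benefit.expected_benefit() - loss.expected_loss()


# Constructed sample: one asset, one loss event, one beneficial event, four controls
INHERENT = LossEvent(asset_value=1_000_000, p_threat=0.5, p_weakness=0.4, impact=0.3)
UPSIDE = BeneficialEvent(asset_value=1_000_000, p_opportunity=0.6, p_strength=0.5, impact=0.2)
CONTROLS = [
    Control("Legal notices and monitoring banners", "deterrent", 0.2),
    Control("Input validation and patching", "preventive", 0.5),
    Control("Transaction anomaly alerting", "detective", 0.0),
    Control("Tested restore and rollback", "corrective", 0.5),
]
APPETITE = 15_000   # maximum acceptable expected loss (assumed)

if __name__ == "__main__":
    residual = apply_controls(INHERENT, CONTROLS)
    print("inherent expected loss:", INHERENT.expected_loss())
    print("residual expected loss:", residual.expected_loss())
    print("within appetite:", residual_acceptable(residual, APPETITE))
    print("net position after controls:", net_position(residual, UPSIDE))
```

Removing the detective control from the list leaves the corrective control with nothing to trigger it, so the impact factor stays at its inherent value and the residual expected loss doubles; that is the slide's "discovers ... triggers" dependency made explicit.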
Taxonomy of Cognitive Levels (Foundation)
Competency Level / Skill Demonstrated / Task Examples

1 Knowledge
Skill demonstrated: Observation and recall of information; Knowledge of facts; Knowledge of major ideas; Mastery of subject matter; Carry out research to find information
Task examples: List, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify

2 Comprehension
Skill demonstrated: Understand information; Grasp meaning; Translate knowledge into new context; Interpret facts, compare, contrast; Order, group, infer causes; Predict consequences
Task examples: Summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend


Taxonomy of Cognitive Levels (Practitioner)
Competency Level / Skill Demonstrated / Task Examples

3 Application
Skill demonstrated: Use information; Use methods, concepts, theories in new situations; Solve problems using required skills or knowledge
Task examples: Apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover

4 Analysis
Skill demonstrated: Seeing patterns; Organisation of parts; Recognition of hidden meanings; Identification of components
Task examples: Analyse, separate, order, connect, classify, arrange, divide, compare, select, infer


Taxonomy of Cognitive Levels (Master)
Competency Level / Skill Demonstrated / Task Examples

5 Synthesis
Skill demonstrated: Use old ideas to create new ones; Generalise from given facts; Relate knowledge from several areas; Predict, draw conclusions
Task examples: Combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite

6 Evaluation
Skill demonstrated: Compare and discriminate between ideas; Assess value of theories, presentations; Make choices based on reasoned argument; Verify value of evidence; Recognise subjectivity
Task examples: Assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude


For More Information
SABSA Text Book Enterprise Security Architecture: A
Business-driven Approach
Currently - CMP Books (Elsevier)
Van Haren SABSA Book Store
Accredited Education Provider for Australia
http://www.alc-group.com
http://www.sabsa.org
http://www.sabsa-institute.com/members
SABSA Executive White Paper
SABSA TOGAF White Paper



For More Information

SABSA World Congress at COSAC http://www.cosac.net
Sept 30 - Oct 4 ... Fly Free to Ireland!!

"Quite simply the greatest information security conference on Earth." John O'Leary, President, O'Leary Management Education, USA

"COSAC starts where other events stop. Challenging, professional and hugely useful." Brian Collins, Chief Scientific Advisor, Dept for Transport, UK

"Totally incredible!! The greatest event I have ever had the privilege to attend." Luc de Graeve, CEO, Sensepost, South Africa

"Brilliant! A rare opportunity of the highest standard to gain access to expert opinion on matters of real importance." Tim Evans, Assistant Commissioner, Australian Electoral Commission

"Exceptional! More interaction and valuable discussion than any other conference." Helvi Salminen, CISO, Gemalto, Finland

"I've been to dozens of conferences that bill themselves as best. None can possibly be as good as COSAC." Dan Houser, Principal Security Architect, Huntington Bank, USA

"Attending COSAC is one of the most valuable decisions an organisation can make. The ultimate contribution to knowledge assets." Richard Nealon, Assurance Reporting Manager, AIB Group, Ireland

"Year on year COSAC exceeds my now sky-high expectations for professionalism, content and organisational excellence." Ahmed Ali, InfoSec Manager, BaTelCo, Bahrain

"Outstanding! The calibre of speakers, delegates and the whole experience is truly unsurpassed." Tadashi Nagamiya, CTO, InfoSec Corp, Japan

"Wonderful! Like discovering a whole new profession." Herve Schmidt, CEO, GASPAR, France
THANK YOU

David Lynas
CEO, SABSA Institute

david.lynas@sabsa.org
(non-commercial only)

david@sabsaservicesinternational.com
