SABSA
From Wikipedia, the free encyclopedia
SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for Enterprise Security Architecture and Service Management. It was developed independently from the Zachman framework, but has a similar structure.
SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.
The process analyses the business requirements at the outset and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing ‘manage and measure’ phases of the lifecycle, ensuring that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.
The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture).
The SABSA model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic program of information security management within the organization.
The SABSA Matrix for Security Architecture Development
Layer | Assets (WHAT) | Motivation (WHY) | Process (HOW) | People (WHO) | Location (WHERE) | Time (WHEN) |
---|---|---|---|---|---|---|
Contextual | The Business | Business Risk Model | Business Process Model | Business Organization and Relationships | Business Geography | Business Time Dependencies |
Conceptual | Business Attributes Profile | Control Objectives | Security Strategies and Architectural Layering | Security Entity Model and Trust Framework | Security Domain Model | Security-Related Lifetime and Deadlines |
Logical | Business Information Model | Security Policies | Security Services | Entity Schema and Privilege Profiles | Security Domain Definitions and Associations | Security Processing Cycle |
Physical | Business Data Model | Security Rules, Practices and Procedures | Security Mechanisms | Users, Applications and User Interface | Platform and Network Infrastructure | Control Structure Execution |
Component | Detailed Data Structures | Security Standards | Security Products and Tools | Identities, Functions, Actions and ACLs | Processes, Nodes, Addresses and Protocols | Security Step Timing and Sequencing |
Operational | Assurance of Operational Continuity | Operational Risk Management | Security Service Management and Support | Application and User Management and Support | Security of Sites and Platforms | Security Operations Schedule |
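The chain of traceability described above (every lower-layer element derived from the layer above it, back to a business requirement) can be checked mechanically. The following is an added example, not code from the article or from SABSA itself; the layer names follow the matrix rows (the Operational row, which runs alongside the others rather than below Component, is left out), while the element names and links are constructed sample data.

```python
"""Traceability check over a small SABSA-style layer stack (added example).
Reports elements with no justification in the layer directly above them,
and business requirements that are never carried down to Component."""
from collections import defaultdict

# Layer order from business requirements (top) down to products (bottom).
LAYERS = ["Contextual", "Conceptual", "Logical", "Physical", "Component"]

# Constructed sample architecture: element -> (layer, parents in the layer
# immediately above from which the element is derived).
SAMPLE = {
    "Sell to customers online":        ("Contextual", set()),
    "Customer data must stay private": ("Contextual", set()),
    "Confidential":                    ("Conceptual", {"Customer data must stay private"}),
    "Available":                       ("Conceptual", {"Sell to customers online"}),
    "Data-in-transit policy":          ("Logical", {"Confidential"}),
    "TLS termination at edge":         ("Physical", {"Data-in-transit policy"}),
    "TLS 1.3 on load balancer":        ("Component", {"TLS termination at edge"}),
    "Anti-DDoS service":               ("Physical", set()),  # no justification above
}

def check_traceability(arch):
    """Return (orphans, uncovered): elements lacking a valid parent one layer
    up, and Contextual requirements that never reach the Component layer."""
    orphans = []
    children = defaultdict(set)
    for name, (layer, parents) in arch.items():
        idx = LAYERS.index(layer)
        if idx == 0:  # business requirements need no justification
            continue
        # A parent only counts if it exists and sits exactly one layer above.
        valid = {p for p in parents if p in arch and arch[p][0] == LAYERS[idx - 1]}
        if not valid:
            orphans.append(name)
        for p in valid:
            children[p].add(name)

    def reaches_component(name):
        if arch[name][0] == "Component":
            return True
        return any(reaches_component(c) for c in children[name])

    uncovered = [n for n, (layer, _) in arch.items()
                 if layer == "Contextual" and not reaches_component(n)]
    return orphans, uncovered

if __name__ == "__main__":
    orphans, uncovered = check_traceability(SAMPLE)
    print("unjustified elements:", orphans)        # ['Anti-DDoS service']
    print("requirements without coverage:", uncovered)  # ['Sell to customers online']
```

An unjustified element is a control nobody asked for; an uncovered requirement is a business need the architecture never delivers on, which is exactly what the top-down derivation is meant to prevent.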