SABSA
SABSA (Sherwood Applied Business Security Architecture) is a proven methodology for developing business-driven, risk- and opportunity-focused security architectures at both enterprise and solution level, in which every security element traceably supports a business objective. It is also widely used for information assurance architectures and risk management frameworks, and to align and integrate security and risk management with IT architecture methods and frameworks. SABSA comprises a series of integrated frameworks, models, methods and processes, usable independently or as one holistic, integrated enterprise solution, including:
- Business Requirements Engineering Framework (known as Attributes Profiling)
- Risk and Opportunity Management Framework
- Policy Architecture Framework
- Security Services-Oriented Architecture Framework
- Governance Framework
- Security Domain Framework
- Through-life Security Service Management & Performance Management Framework
The SABSA Institute develops and maintains the method and certifies and accredits the professional Architects who use it in approximately 50 countries around the world.
The SABSA Matrix
The SABSA Matrix is the core framework for security architecture development. Its rows are the six layers of abstraction, from the Contextual (business) view down to the Operational view; its columns are the six interrogatives (What, Why, How, Who, Where, When). Each cell names the architectural artefact produced at that layer for that question, and each artefact is expected to trace to the cell directly above it in the same column, so that every component and mechanism can be justified by a business requirement.
Layer | Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When) |
---|---|---|---|---|---|---|
Contextual | The business | Business risk model | Business process model | Business organization and relationships | Business geography | Business time dependencies |
Conceptual | Business attributes profile | Control objectives | Security strategies and architectural layering | Security entity model and trust framework | Security domain model | Security-related lifetimes and deadlines |
Logical | Business information model | Security policies | Security services | Entity schema and privilege profiles | Security domain definitions and associations | Security processing cycle |
Physical | Business data model | Security rules, practices and procedures | Security mechanisms | Users, applications and user interface | Platform and network infrastructure | Control structure execution |
Component | Detailed data structures | Security standards | Security products and tools | Identities, functions, actions and ACLs | Processes, nodes, addresses and protocols, enforcement points | Security step timing and sequencing |
Operational | Assurance of operational continuity | Operational risk management | Security service management and support | Application and user management and support | Security of sites and platforms | Security operations schedule |
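The traceability the matrix is built around can be checked mechanically once an architecture is recorded as elements in (layer, column) cells. The following is an added example, not SABSA Institute material: it models the five design layers of the matrix (Contextual through Component, with the Operational layer deliberately left out of the vertical chain as a simplification of this example), and reports two classes of defect an architecture review looks for: elements with no valid link to the layer directly above them in the same column (an untraced mechanism or component), and elements that nothing in the layer below realises (an unsupported business driver or control objective). The element names, the `Architecture` class and the sample architecture are all constructed for illustration.

```python
"""Traceability check over a SABSA-style layered architecture model.

Added example, not code from the SABSA Institute. The matrix is encoded as
(layer, column) cells; each element may name the elements one layer up that
it realises. Assumption of this example: the Operational layer is not part
of the vertical chain, and a valid link must stay in the same column.
"""
from collections import defaultdict
from dataclasses import dataclass

LAYERS = ["Contextual", "Conceptual", "Logical", "Physical", "Component"]
COLUMNS = ["What", "Why", "How", "Who", "Where", "When"]


@dataclass(frozen=True)
class Element:
    layer: str
    column: str
    name: str
    supports: tuple  # names of elements one layer up that this element realises


class Architecture:
    def __init__(self):
        self._by_name = {}

    def add(self, layer, column, name, supports=()):
        if layer not in LAYERS or column not in COLUMNS:
            raise ValueError(f"unknown cell ({layer}, {column})")
        if name in self._by_name:
            raise ValueError(f"duplicate element {name!r}")
        self._by_name[name] = Element(layer, column, name, tuple(supports))
        return self

    @staticmethod
    def _layer_up(layer):
        i = LAYERS.index(layer)
        return LAYERS[i - 1] if i > 0 else None

    def _valid_links(self, e):
        """Links from e that land one layer up, in the same column, on a real element."""
        up = self._layer_up(e.layer)
        return [s for s in e.supports
                if s in self._by_name
                and self._by_name[s].layer == up
                and self._by_name[s].column == e.column]

    def untraced(self):
        """Bottom-up check: non-Contextual elements with no valid link upward."""
        return sorted(e.name for e in self._by_name.values()
                      if e.layer != LAYERS[0] and not self._valid_links(e))

    def unsupported(self):
        """Top-down check: non-Component elements that nothing below realises."""
        realised = defaultdict(set)
        for e in self._by_name.values():
            for s in self._valid_links(e):
                realised[s].add(e.name)
        return sorted(e.name for e in self._by_name.values()
                      if e.layer != LAYERS[-1] and e.name not in realised)

    def trace_up(self, name):
        """Follow the first valid link upward from an element toward the Contextual layer."""
        chain = [name]
        e = self._by_name[name]
        while self._layer_up(e.layer) is not None:
            links = self._valid_links(e)
            if not links:
                break  # chain is broken here; untraced() will report it
            chain.append(links[0])
            e = self._by_name[links[0]]
        return chain


def build_sample():
    """Constructed sample architecture with one complete chain and three defects."""
    a = Architecture()
    # Complete chain down the Motivation (Why) column.
    a.add("Contextual", "Why", "Regulatory exposure from customer data loss")
    a.add("Conceptual", "Why", "Customer data confidentiality",
          ["Regulatory exposure from customer data loss"])
    a.add("Logical", "Why", "Encrypt customer data at rest",
          ["Customer data confidentiality"])
    a.add("Physical", "Why", "Full-disk encryption on database hosts",
          ["Encrypt customer data at rest"])
    a.add("Component", "Why", "Disk encryption build standard",
          ["Full-disk encryption on database hosts"])
    # Control objective that nothing below realises (unsupported).
    a.add("Contextual", "Why", "Revenue loss from service outage")
    a.add("Conceptual", "Why", "Service availability",
          ["Revenue loss from service outage"])
    # Component with no justification at all (untraced).
    a.add("Component", "How", "Web application firewall")
    # Link that crosses columns: How -> Why is not a valid trace (untraced),
    # and nothing at Component level realises it either (unsupported).
    a.add("Physical", "How", "TLS 1.3 on all ingress",
          ["Encrypt customer data at rest"])
    return a


if __name__ == "__main__":
    arch = build_sample()
    print("untraced:  ", arch.untraced())
    print("unsupported:", arch.unsupported())
    print("trace:     ", " <- ".join(arch.trace_up("Disk encryption build standard")))
```

Running the module lists the three defects and prints the full justification chain for the disk encryption standard back to the regulatory business risk. In a real review the same-column rule would typically be relaxed for documented cross-column dependencies (a mechanism may realise a service and also satisfy a policy), but the orphan checks are the ones that catch controls nobody can justify and business drivers nobody has addressed.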