From Glitchdata

SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused Security Architectures at both enterprise and solution level that traceably support business objectives. It is also widely used for Information Assurance Architectures and Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks. SABSA is composed of a series of integrated frameworks, models, methods and processes, used independently or as a holistic, integrated enterprise solution, including:

  • Business Requirements Engineering Framework (known as Attributes Profiling)
  • Risk and Opportunity Management Framework
  • Policy Architecture Framework
  • Security Services-Oriented Architecture Framework
  • Governance Framework
  • Security Domain Framework
  • Through-life Security Service Management & Performance Management Framework

The SABSA Institute develops and maintains the method and certifies and accredits the professional Architects who use it in approximately 50 countries around the world.

The SABSA Matrix

The SABSA Matrix is used for security architecture development. Each row is an architectural layer, from Contextual down to Operational, and each column is one of the six questions (Assets/What, Motivation/Why, Process/How, People/Who, Location/Where, Time/When) that must be answered at every layer, so that each cell can be traced back to the business requirements in the layer above it.

| Layer | Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When) |
|---|---|---|---|---|---|---|
| Contextual | The business | Business risk model | Business process model | Business organization and relationships | Business geography | Business time dependencies |
| Conceptual | Business attributes profile | Control objectives | Security strategies and architectural layering | Security entity model and trust framework | Security domain model | Security-related lifetime and deadlines |
| Logical | Business information model | Security policies | Security services | Entity schema and privilege profiles | Security domain definitions and associations | Security processing cycle |
| Physical | Business data model | Security rules, practices and procedures | Security mechanisms | Users, applications and user interface | Platform and network infrastructure | Control structure execution |
| Component | Detailed data structures | Security standards | Security products and tools | Identities, functions, actions and ACLs | Processes, nodes, addresses and protocols; enforcement points | Security step timing and sequencing |
| Operational | Assurance of operational continuity | Operational risk management | Security service management and support | Application and user management and support | Security of sites and platforms | Security operations schedule |