Sherwood Applied Business Security Architecture
SABSA (Sherwood Applied Business Security Architecture) is a model and methodology for developing a risk-driven enterprise information security architecture and service management, to support critical business processes. It was developed independently from the Zachman Framework, but has a similar structure.

The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited. The process analyzes the business requirements at the outset and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing 'manage and measure' phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.

The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally, at the lowest layer, the selection of technologies and products (component architecture).

The SABSA model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic program of information security management within the organization. SABSA is a particular example of a methodology that can be used both for IT (information technology) and OT (operational technology) environments.


SABSA matrix

             | Assets (What)                       | Motivation (Why)                         | Process (How)                                   | People (Who)                                | Location (Where)                             | Time (When)
Contextual   | The business                        | Business risk model                      | Business process model                          | Business organization and relationships     | Business geography                           | Business time dependencies
Conceptual   | Business attributes profile         | Control objectives                       | Security strategies and architectural layering  | Security entity model and trust framework   | Security domain model                        | Security-related lifetime and deadlines
Logical      | Business information model          | Security policies                        | Security services                               | Entity schema and privilege profiles        | Security domain definitions and associations | Security processing cycle
Physical     | Business data model                 | Security rules, practices and procedures | Security mechanisms                             | Users, applications and user interface      | Platform and network infrastructure          | Control structure execution
Component    | Detailed data structures            | Security standards                       | Security products and tools                     | Identities, functions, actions and ACLs     | Processes, nodes, addresses and protocols    | Security step timing and sequencing
Operational  | Assurance of operational continuity | Operational risk management              | Security service management and support         | Application and user management and support | Security of sites and platforms              | Security operations schedule

Note: The above is the original SABSA Matrix, which is still valid today, but it has been expanded by a comprehensive service management matrix and updated in some detail and terminology areas. In the words of David Lynas, SABSA author: "The SABSA Matrix and the SABSA Service Management Matrix have not been updated since the late 90s. We have redesigned them to deliver the improvements your feedback has requested over the years. We have not fundamentally changed the structure or principles of the matrices (very few elements have changed position) but have focussed on terminology update and consistency." The new versions can be downloaded (along with the 2009 revision of the SABSA White Paper and other important documents like the SABSA Certification Roadmap) at the SABSA Members' Web Site.


External links


SABSA website

The SABSA Institute