hawbern ulryka peadar

Annette Fazzari

Aug 4, 2024, 3:24:24 AM
to salirixy

What is SABSA and Why You Should Learn It

SABSA is a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives. It is an open standard, comprising a number of frameworks, models, methods and processes, free for use by all, with no licensing required for end-user organisations who make use of the standard in developing and implementing architectures and solutions[^1^].

SABSA is unique in that it fulfils all of the following criteria:

    • It is vendor-neutral and can be applied to any industry sector and any organisation[^1^].
    • It is scalable and can be used for the development of architectures and solutions at any level of granularity of scope, from a project of limited scope to an entire enterprise architectural framework[^1^].
    • It does not replace or compete with any other information risk or information security standard – rather it provides an overarching framework that enables all other existing standards to be integrated under the single SABSA framework, enabling joined up, end-to-end architectural solutions[^1^].
    • It fills the gap for "security architecture" and "security service management" by integrating seamlessly with other standards such as TOGAF and ITIL[^1^].
    • It is based on a business-driven approach that aligns security needs with business objectives and risks[^2^].
    • It provides a structured approach to the steps and processes involved in developing security architectures. It also considers how some of the major business issues likely to be encountered can be resolved[^3^].

If you want to learn more about SABSA and how it can help you design and implement effective security solutions for your organisation, you can download the SABSA white paper[^1^] or the book Enterprise Security Architecture: A Business-Driven Approach[^3^] from the SABSA Institute website. You can also find various resources, such as case studies, webinars, articles and podcasts on the website. Additionally, you can enroll in one of the official SABSA training courses offered by accredited training organisations around the world.

SABSA is a valuable methodology for any information security professional who wants to enhance their skills and knowledge in security architecture and service management. By learning SABSA, you will be able to deliver security solutions that are aligned with your business needs and goals, and that can adapt to changing risks and opportunities.

One of the key components of SABSA is the SABSA matrix, which is a six-by-six matrix that defines the layers and domains of security architecture. The six layers are:

    • Contextual – This layer defines the business context and drivers for security, such as the business vision, mission, goals, objectives, strategies and tactics. It also identifies the key stakeholders and their expectations and requirements for security.
    • Conceptual – This layer defines the security concepts and principles that guide the design and implementation of security solutions. It also defines the security services and capabilities that are needed to support the business objectives and requirements.
    • Logical – This layer defines the logical security architecture, which is a high-level design of the security solutions that are based on the security concepts and principles. It also defines the security functions and mechanisms that are needed to deliver the security services and capabilities.
    • Physical – This layer defines the physical security architecture, which is a detailed design of the security solutions that are based on the logical security architecture. It also defines the security components and devices that are needed to implement the security functions and mechanisms.
    • Component – This layer defines the component security architecture, which is a specification of the security components and devices that are based on the physical security architecture. It also defines the configuration and integration of the security components and devices.
    • Operational – This layer defines the operational security architecture, which is a plan for the operation and management of the security solutions that are based on the component security architecture. It also defines the security processes and procedures that are needed to monitor and maintain the security components and devices.

The six domains are:

    • Business View – This domain defines the business attributes and outcomes of security, such as the business risks, opportunities, benefits, costs and value of security.
    • Architect's View – This domain defines the architectural attributes and outcomes of security, such as the architectural vision, objectives, principles, policies and standards of security.
    • Designer's View – This domain defines the design attributes and outcomes of security, such as the design criteria, requirements, specifications and models of security.
    • Builder's View – This domain defines the build attributes and outcomes of security, such as the build methods, tools, techniques and practices of security.
    • Implementer's View – This domain defines the implementation attributes and outcomes of security, such as the implementation plans, schedules, resources and deliverables of security.
    • Manager's View – This domain defines the management attributes and outcomes of security, such as the management goals, objectives, strategies and tactics of security.

The SABSA matrix provides a comprehensive framework for developing and documenting security architectures that cover all aspects of security from business to operational level. It also provides a common language and structure for communicating and collaborating with different stakeholders involved in security projects.
