SABSA Concepts


1. Advantages of a framework

1.1. Manage complexity

1.2. Lower TCO (Total Cost of Ownership)

1.3. Provide roadmap

1.4. Make design decisions

2. Lifecycle

2.1. Security must demonstrably support business strategy

2.1.1. Strategy & Planning

2.1.2. Design

2.1.3. Implement

2.1.4. Manage & Measure

2.2. Comparison with PDCA cycle

2.2.1. Plan

2.2.1.1. Strategy & Planning

2.2.1.2. Design

2.2.2. Do

2.2.2.1. Implement

2.2.3. Check

2.2.3.1. Manage and Measure

2.2.4. Act

2.2.4.1. Manage and Measure

2.3. Alignment with ITIL v3

2.3.1. Service Strategy

2.3.1.1. Strategy & Planning

2.3.2. Service Design

2.3.2.1. Design

2.3.3. Service Transition

2.3.3.1. Implement

2.3.4. Service Operation

2.3.4.1. Manage and Measure

2.3.5. Continual Service Improvement

2.3.5.1. Full Cycle

3. The six Questions

3.1. What

3.1.1. What are we trying to do at this layer?

3.1.1.1. assets, goals, objectives

3.2. Why

3.2.1. Why are we doing it?

3.2.1.1. Risk/Opportunity motivation

3.3. How

3.3.1. How are we trying to do it?

3.3.1.1. Process

3.4. Who

3.4.1. Who is involved?

3.4.1.1. People

3.5. Where

3.5.1. Where are we doing it?

3.5.1.1. Location

3.6. When

3.6.1. When are we doing it?

3.6.1.1. Time

4. Architecture Process

4.1. Black Box Model

4.2. Control System Concept

4.2.1. Control sub-system

4.2.1.1. Controls the system

4.2.2. Monitoring and measurement sub-system

4.2.2.1. Measures the state of the system

4.2.3. Decision sub-system

4.2.3.1. Makes decisions based on measurements

4.3. Feedback Control Loop System

4.3.1. Control sub-system affects system state

4.3.2. System state monitored and measured by monitoring and measurement sub-system

4.3.3. Monitoring and measurement sub-system reports the new state to the decision sub-system

4.3.4. Decision sub-system decides and requests new parameter settings from the control sub-system

4.4. Layered Security Concepts

4.4.1. Defense-in-depth layering

4.4.1.1. Follow 80-20 rule in each domain

4.4.1.2. Risk in the innermost domain is reduced to a high extent

4.4.1.3. Risk levels

4.4.1.3.1. at initial domain

4.4.1.3.2. at second domain

4.4.1.3.3. at third domain

4.4.1.3.4. at Nth domain

4.4.2. Strength-in-depth layering

4.4.3. Capability-based layering

4.5. Multi-tiered Control Strategy

4.5.1. Stages

4.5.1.1. Deterrence

4.5.1.2. Prevention

4.5.1.3. Containment

4.5.1.4. Detection and Notification

4.5.1.4.1. Evidence collection and tracking

4.5.1.5. Recovery and restoration

4.5.1.6. Assurance

4.5.2. Helps in selecting the correct control

4.5.3. Removes subjectivity in selecting controls for risk treatment

5. Advantages of SABSA

5.1. Alignment with other standards and regulations

5.2. Layered framework

5.3. Business driven

5.4. Top-down approach

5.5. Provides two-way traceability

5.5.1. Completeness

5.5.2. Justification

5.6. Risk focused

5.7. Knowledge aggregated and contextualized through various layers

6. Asset

6.1. Types

6.1.1. Data assets

6.1.1.1. No intrinsic meaning; raw chunks of information, not human-understandable

6.1.1.2. No context

6.1.1.3. Stored in specific location (Physical)

6.1.2. Information assets

6.1.2.1. Meaning and understandable to humans

6.1.2.2. Has context

6.1.2.3. Can be stored in multiple locations (Logical)

6.1.3. Management assets

6.1.3.1. Contain management information about other assets

6.1.3.2. Operations / Service Management layer

6.2. Transformation

6.2.1. Data converted into information

6.2.2. Can cross multiple logical domains

6.2.3. Performed by people, processes or services

6.3. Value

6.3.1. Achieved through its properties

6.3.2. Examples:

6.3.2.1. Accuracy and completeness

6.3.2.2. Timeliness and availability

6.3.2.3. Relevance

7. Introduction

7.1. Sherwood Applied Business Security Architecture

7.2. An Enterprise Security Architecture framework

7.3. Authors

7.3.1. John Sherwood

7.3.2. Andy Clark

7.3.3. David Lynas

7.4. Published initially in 1995

7.5. First book published in 2005

7.6. First used in 1995 for designing global financial messaging system

7.7. Major changes to the framework due to recent technological developments

7.8. Open use with no royalty

7.9. Attribution required if used

8. Controls

8.1. No controls library of its own

8.2. Control libraries

8.2.1. NIST SP800-53

8.2.2. ISO 27001

8.2.3. PCI DSS

8.2.4. COBIT

8.2.5. ISF Code

8.2.6. SOX/SSAE 16

8.2.6.1. SOC 1

8.2.6.2. SOC 2

8.2.7. HIPAA

8.2.8. SANS

8.2.9. OSA

8.2.9.1. 170 controls based on NIST 800-53

8.2.9.2. Visualization of security patterns

9. Approach

9.1. Phases

10. Layers

10.1. Contextual Layer/Architecture

10.1.1. Business view

10.2. Conceptual Layer/Architecture

10.2.1. Architect's view

10.3. Logical Layer/Architecture

10.3.1. Designer's view

10.4. Physical Layer/Architecture

10.4.1. Builder's view

10.5. Component Layer/Architecture

10.5.1. Tradesman's view

10.6. Operations (Service Management) Layer/Architecture

10.6.1. Service Manager's view