Раскройте весь потенциал своих проектов.
Показать всю карту
Копировать/изменить Копировать

SABSA Concepts

Другое
Sonny Chiu
Начать. Это бесплатно
или регистрация c помощью Вашего email-адреса
Похожие Интеллект-Карты План Интеллект-Карты
SABSA Concepts создатель Mind Map: SABSA Concepts

1. Introduction

1.1. Sherwood Applied Business Security Architecture

1.2. An Enterprise Security Architecture framework

1.3. Authors

1.3.1. John Sherwood

1.3.2. Andy Clark

1.3.3. David Lynas

1.4. Published initially in 1995

1.5. First book published in 2005

1.6. First used in 1995 for designing global financial messaging system

1.7. Major changes to the framework due to recent technological developments

1.8. Open use with no royality

1.9. Attribution required if used

2. Asset

2.1. Types

2.1.1. Data assets

2.1.1.1. No meaning; chunks of information and not human understandable

2.1.1.2. No context

2.1.1.3. Stored in specific location (Physical)

2.1.2. Information assets

2.1.2.1. Meaning and understandable to humans

2.1.2.2. Has context

2.1.2.3. Can be stored in multiple locations (Logical)

2.1.3. Management assets

2.1.3.1. Contain management information about other assets

2.1.3.2. Operations / Service Management layer

2.2. Transformation

2.2.1. Data converted into information

2.2.2. Can cross multiple logical domains

2.2.3. Performed by people, processes or services

2.3. Value

2.3.1. Achieved through its properties

2.3.2. Ex:

2.3.2.1. Accuracy and completeness

2.3.2.2. Timelines and availability

2.3.2.3. Relevance

3. Architecture Process

3.1. Black Box Model

3.2. Control System Concept

3.2.1. Control sub-system

3.2.1.1. Controls the system

3.2.2. Monitoring and measurement sub-system

3.2.2.1. Measures the state of the system

3.2.3. Decision sub-system

3.2.3.1. Makes decisions based on measurements

3.3. Feedback Control Loop System

3.3.1. Control sub-system affects system state

3.3.2. System state monitored and measured by monitoring and measurement sub-system

3.3.3. Monitoring and measurement sub-system reports about the new state to decision sub-system

3.3.4. Decision sub-system decides and requests for new parameter settings from the control sub-system

3.4. Layered Security Concepts

3.4.1. Defense-in-depth layering

3.4.1.1. Follow 80-20 rule in each domain

3.4.1.2. Risk in the inner most domain gets reduces to high extenr

3.4.1.3. Risk levels

3.4.1.3.1. at initial domain

3.4.1.3.2. at second domain

3.4.1.3.3. at third domain

3.4.1.3.4. at Nth domain

3.4.2. Strength-in-depth layering

3.4.3. Capability-based layering

3.5. Multi-tiered Control Strategy

3.5.1. Stages

3.5.1.1. Deterrence

3.5.1.2. Prevention

3.5.1.3. Containment

3.5.1.4. Detection and Notification

3.5.1.4.1. Evidence collection and tracking

3.5.1.5. Recovery and restoration

3.5.1.6. Assurance

3.5.2. Helps in selecting the correct control

3.5.3. Removes subjectivity in selecting controls for risk treatment

4. Approach

4.1. Phases

5. Layers

5.1. Contextual Layer/Architecture

5.1.1. Business view

5.2. Conceptual Layer/Architecture

5.2.1. Architect's view

5.3. Logical Layer/Architecture

5.3.1. Designer's view

5.4. Physical Layer/Architecture

5.4.1. Builder's view

5.5. Component Layer/Architecture

5.5.1. Tradesman's view

5.6. Operations (Service Management) Layer/Architecture

5.6.1. Service Manager's view

6. Advantages of SABSA

6.1. Alignment with other standards and regulations

6.2. Layered framework

6.3. Business driven

6.4. Top-down approach

6.5. Provides two-way traceability

6.5.1. Completeness

6.5.2. Justification

6.6. Risk focused

6.7. Knowledge aggregated and contextualized through various layers

7. Advantages of a framework

7.1. Manage complexity

7.2. Lower TCO (Total Cost of Ownership)

7.3. Provide roadmap

7.4. Make design decisions

8. The six Questions

8.1. What

8.1.1. What are we trying to do at this layer

8.1.1.1. assets, goals, objectives

8.2. Why

8.2.1. Why are we doing it?

8.2.1.1. Risk/Opportunity motivation

8.3. How

8.3.1. How are we trying to do it?

8.3.1.1. Process

8.4. Who

8.4.1. Who is involved?

8.4.1.1. People

8.5. Where

8.5.1. Where are we doing it?

8.5.1.1. Location

8.6. When

8.6.1. When are we doing it?

8.6.1.1. Time

9. Lifecycle

9.1. Security must demonstrably support business strategy

9.1.1. Strategy & Planning

9.1.2. Design

9.1.3. Implement

9.1.4. Manage & Measure

9.2. Comparison with PDCA cycle

9.2.1. Plan

9.2.1.1. Strategy & Planning

9.2.1.2. Design

9.2.2. Do

9.2.2.1. Implement

9.2.3. Check

9.2.3.1. Manage and Measure

9.2.4. Act

9.2.4.1. Manage and Measure

9.3. Alignment with ITIL v3

9.3.1. Service Strategy

9.3.1.1. Strategy & Planning

9.3.2. Service Design

9.3.2.1. Design

9.3.3. Service Transition

9.3.3.1. Implement

9.3.4. Service Operation

9.3.4.1. Manage and Measure'

9.3.5. Continued Service Improvement

9.3.5.1. Full Cycle

10. Controls

10.1. No controls library of its own

10.2. Control libraries

10.2.1. NIST SP800-53

10.2.2. ISO 27001

10.2.3. PCI DSS

10.2.4. COBIT

10.2.5. ISF Code

10.2.6. SOX/SSAE 16

10.2.6.1. SOC 1

10.2.6.2. SOC 2

10.2.7. HIPAA

10.2.8. SANS

10.2.9. OSA

10.2.9.1. 170 controls based on NIST 800-53

10.2.9.2. Visualization of security patterns