Wikipedia

Sherwood Applied Business Security Architecture

SABSA (Sherwood Applied Business Security Architecture) is a model and methodology for developing a risk-driven enterprise information security architecture and service management, to support critical business processes. It was developed independently from the Zachman Framework, but has a similar structure. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.

The process analyzes the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing ‘manage and measure’ phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.

The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture).

The SABSA model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic program of information security management within the organization.

SABSA is a particular example of a methodology that can be used both for IT (information technology) and OT (operational technology) environments.

SABSA matrix

The matrix has six columns (Assets / What, Motivation / Why, Process / How, People / Who, Location / Where, Time / When) and six rows, one per architecture layer:

Contextual layer
  • Assets (What): The business
  • Motivation (Why): Business risk model
  • Process (How): Business process model
  • People (Who): Business organization and relationships
  • Location (Where): Business geography
  • Time (When): Business time dependencies

Conceptual layer
  • Assets (What): Business attributes profile
  • Motivation (Why): Control objectives
  • Process (How): Security strategies and architectural layering
  • People (Who): Security entity model and trust framework
  • Location (Where): Security domain model
  • Time (When): Security-related lifetime and deadlines

Logical layer
  • Assets (What): Business information model
  • Motivation (Why): Security policies
  • Process (How): Security services
  • People (Who): Entity schema and privilege profiles
  • Location (Where): Security domain definitions and associations
  • Time (When): Security processing cycle

Physical layer
  • Assets (What): Business data model
  • Motivation (Why): Security rules, practices and procedures
  • Process (How): Security mechanisms
  • People (Who): Users, applications and user interface
  • Location (Where): Platform and network infrastructure
  • Time (When): Control structure execution

Component layer
  • Assets (What): Detailed data structures
  • Motivation (Why): Security standards
  • Process (How): Security products and tools
  • People (Who): Identities, functions, actions and ACLs
  • Location (Where): Processes, nodes, addresses and protocols
  • Time (When): Security step timing and sequencing

Operational layer
  • Assets (What): Assurance of operational continuity
  • Motivation (Why): Operational risk management
  • Process (How): Security service management and support
  • People (Who): Application and user management and support
  • Location (Where): Security of sites and platforms
  • Time (When): Security operations schedule

Note: The above is the original SABSA Matrix, which is still valid today, but it has been expanded by a comprehensive service management matrix and updated in some detail and terminology areas. In the words of David Lynas, SABSA author, "The SABSA Matrix and the SABSA Service Management Matrix have not been updated since the late 90s. We have redesigned them to deliver the improvements your feedback has requested over the years. We have not fundamentally changed the structure or principles of the matrices (very few elements have changed position) but have focused on terminology update and consistency." The new versions can be downloaded (along with the 2009 revision of the SABSA White Paper and other important documents like the SABSA Certification Roadmap) at the SABSA Members' Web Site.

References

  • The SABSA Method
  • John Sherwood, Andrew Clark, David Lynas (2004) “Enterprise Security Architecture: A Business-Driven Approach” ISBN 9781578203185 (ISBN 157820318X)

External links

  • SABSA website
  • The SABSA Institute
  • The SABSA Institute Recommendations for the NIST Cyber Security Framework version 2.0 [1]
  1. Bruce, Glen (17 March 2023). "The SABSA Institute Recommendations for the NIST Cyber Security Framework version 2.0" (PDF). NIST.gov.
