
Changing the Security Landscape

SABSA Institute

What is SABSA?
Sherwood Applied Business Security Architecture
• The world’s leading free-use and open-source security architecture development and management method
• Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
• Development, maintenance, certification and accreditation are governed by the SABSA Institute

© SABSA Foundation 2010


What is SABSA?
Sherwood Applied Business Security Architecture
• Comprised of a number of integrated frameworks, models, methods and processes, including:
  • Business Requirements Engineering Framework (also known as Attributes Profiling)
  • Risk & Opportunity Management Framework
  • Policy Architecture Framework
  • Security Services-Oriented Architecture Framework
  • Governance Framework
  • Security Domain Framework
  • Through-life Security Service & Performance Management


What is SABSA?
SABSA History & Development
• White Paper originally authored by John Sherwood, 1995
• First use in global financial messaging (S.W.I.F.T.net), 1995
• SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005
  • “Enterprise Security Architecture: A Business-driven Approach”
  • ISBN 1-57820-318-X
• Adopted as UK MoD Information Assurance Standard, 2007
• Certification programme introduced March 2007
• Upcoming publications:
  • SABSA Pocket Guide (Van Haren)
  • SABSA Textbook (Van Haren)


Why is SABSA So Successful?
Institute Status
• In the UK, “Institute” has a protected and highly-regulated status
• The SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
• SABSA Intellectual Property can never be sold
  • Underwrites free-use status in perpetuity
  • Guarantees protected on-going development
• Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community

Why is SABSA So Successful?
Features & Advantages Summary

FEATURE                  ADVANTAGE
Business-driven          Value-assured
Risk-focused             Prioritised & proportional responses
Comprehensive            Scalable scope
Modular                  Agility - ease of implementation & management
Open Source (protected)  Free use, open source, global standard
Auditable                Demonstrates compliance
Transparent              Two-way traceability


Why is SABSA So Successful?
Unique Selling Points & “Elevator Pitches”
• Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers
• There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”


Why is SABSA So Successful?
Competency-based Professional Certification
• Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
  • They are required to demonstrate application of skill
  • Career progression is achieved by ‘doing’ not ‘knowing’
• Certification by the SABSA Institute is competency-based
  • It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world


How is SABSA Used?
Applications of SABSA
• Enterprise Security Architecture
• Enterprise Architecture
• Individual solutions-based Architectures
• Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
• Filling the security architecture and security service management gaps in other frameworks

How is SABSA Used?
Applications of SABSA
• Business requirements engineering
• Solutions traceability
• Risk & Opportunity Management
• Information Assurance
• Governance, Compliance & Audit
• Policy Architecture

How is SABSA Used?
Applications of SABSA
• Security service management
• IT Service management
• Security performance management, measures & metrics
• Service performance management, measures & metrics
• Over-arching decision-making framework for end-to-end solutions


Who Uses SABSA?
SABSA User Base
• As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations
• However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects
• There are SABSA Chartered Architects at Foundation Level (SCF) in more than 40 countries, on every continent, and from every imaginable business sector


Who Uses SABSA?
Growth & Standardisation
• SABSA is a standard (formal & de facto) world-wide, including:
  • UK Ministry of Defence - Information Assurance Standard
  • Canadian Government - Architecture Development Standard
  • The Open Group – TOGAF Security Standard
  • USA Government – NIST Security Standard for SmartGrid
  • Finance Sector – including European Central Bank & Westpac
• And is widely referenced as a recommended approach, including:
  • ISACA - CISM Study Guides & Examinations
  • IT Governance Institute – Executive Guide to Governance


Where is SABSA Used?
SABSA Demographics
• SABSA is used world-wide and SABSA Chartered Architects exist in more than 40 countries, including those shown on the next slide:

Where is SABSA Used?
SABSA Demographics
Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom
Americas: Argentina, Canada, Colombia, Mexico, United States
Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates

When is SABSA Used?
SABSA as a Through-Life Solution Framework
• SABSA is used ‘through-life’ – throughout the entire lifecycle from business requirements engineering to managing the solutions delivered

Lifecycle diagram (view, architecture layer, lifecycle phase):
Business View            Contextual Architecture    Strategy & Planning
Architect’s View         Conceptual Architecture    Strategy & Planning
Designer’s View          Logical Architecture       Design
Builder’s View           Physical Architecture      Design
Tradesman’s View         Component Architecture     Design
Service Manager’s View   Operational Architecture   Implement
Manage & Measure runs alongside all of the layers above.

Independent Assessment of Frameworks
• Independent assessment on behalf of UK Government (Jan 2007)
• Assessed Information Assurance and Architecture frameworks
  • Open source e.g. SABSA
  • Proprietary e.g. Gartner
  • Provider e.g. IBM MASS
  • Pre-existing in-house methodologies and frameworks
• SABSA top-scored in every assessment category
• Discriminating factors included
  • Comprehensive, flexible and adaptable
  • Competency development and training
  • Non-proprietary / open source
  • Business and risk focus
  • No ties to specific vendors or suppliers
  • No ties to specific standards or technologies
  • Enables open competition

The Problem of Architecture

The Issue with Architectural Strategy
• Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion…….or it will be killed.
• Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle…….or it will die of starvation.
• Is it better to be a Lion or a Gazelle?

Business View – Survival Strategy
When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!


The Importance of a Framework


SABSA Architecture Guiding Principles
• Architecture must not presuppose any particular:
  • Cultures or operating regimes
  • Management style
  • Set of management processes
  • Management standards
  • Technical standards
  • Technology platforms


SABSA Architecture Guiding Principles
• Architecture must meet YOUR unique set of business requirements
• Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation
  • ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc.
  • ITIL, TNN, ISO 9000, etc.
  • AS / NZS 4360, Basel ii, ISO 27005, etc.
  • Balanced scorecards, capability maturity models, ROI, NPV, etc.
• When a question is asked starting with “Is this Architecture compatible / compliant with….?”, a good Architecture framework will automatically have the answer “Yes”
• A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
• It does not replace ITIL or ISO 27001 or NIST etc. but rather enables their deployment and effective integration into the corporate culture


Built to Drive Complex Design Solutions
• SABSA influenced in 1995 by the need to enhance ISO 7498-2

Diagram (reconstructed from the slide): the ISO 7498-1 stack (Applications, Presentation, Session, Transport, Network, Link, Physical) is shown beside ISO 7498-2, which adds Security Services and Security Mechanisms to that stack; these map onto the SABSA views as follows:
Business-Driven Requirements & Strategy   Contextual Architecture, Conceptual Architecture
Logical Security Services                 Logical Architecture
Physical Security Mechanisms              Physical Architecture
Detailed Custom Specification             Component Architecture
Service Management                        Operational Architecture


Architecture Reconsidered

Business View            Contextual Architecture
Architect’s View         Conceptual Architecture
Designer’s View          Logical Architecture
Builder’s View           Physical Architecture
Tradesperson’s View      Component Architecture
Service Manager’s View   Operational Architecture

Vertical Analysis:
Six Honest Serving Security Men

What   What are we trying to do at this layer? The assets, goals & objectives to be protected & enhanced
Why    Why are we doing it? The risk & opportunity motivation at this layer
How    How are we trying to do it? The processes required to achieve security at this layer
Who    Who is involved? The people and organisational aspects of security at this layer
Where  Where are we doing it? The locations where we are applying security at this layer
When   When are we doing it? The time related aspects of security at this layer


The SABSA Matrix
Columns: Assets (What); Motivation (Why); Process (How); People (Who); Location (Where); Time (When)

Contextual:  Business Decisions; Business Risk; Business Processes; Business Governance; Business Geography; Business Time Dependence
Conceptual:  Business Knowledge & Risk Strategy; Risk Management Objectives; Strategies for Process Assurance; Roles & Responsibilities; Domain Framework; Time Management Framework
Logical:     Information Assets; Risk Management Policies; Process Maps & Services; Entity & Trust Framework; Domain Maps; Calendar & Timetable
Physical:    Data Assets; Risk Management Practices; Process Mechanisms; Human Interface; ICT Infrastructure; Processing Schedule
Component:   ICT Components; Risk Management Tools & Standards; Process Tools & Standards; Personnel Management Tools & Standards; Locator Tools & Standards; Step Timing & Sequencing Tools
Operational: Service Delivery Management; Operational Risk Management; Process Delivery Management; Personnel Management; Management of Environment; Time & Performance Management


Architecture Strategy & Planning Phase

Contextual layer:
  Assets (what) – Business Decisions: Taxonomy of Business Assets, including Goals & Objectives
  Motivation (why) – Business Risk: Opportunities & Threats Inventory
  Process (how) – Business Processes: Inventory of Operational Processes
  People (who) – Business Governance: Organisational Structure & the Extended Enterprise
  Location (where) – Business Geography: Inventory of Buildings, Sites, Territories, Jurisdictions etc.
  Time (when) – Business Time Dependence: Time Dependencies of Business Objectives

Conceptual layer:
  Assets (what) – Business Knowledge & Risk Strategy: Business Attributes Profile
  Motivation (why) – Risk Management Objectives: Enablement & Control Objectives; Policy Architecture
  Process (how) – Strategies for Process Assurance: Process Mapping Framework; Architectural Strategies for ICT
  People (who) – Roles & Responsibilities: Owners, Custodians & Users; Service Providers & Customers
  Location (where) – Domain Framework: Security Domain Concepts & Framework
  Time (when) – Time Management Framework: Through-life Risk Management Framework


Architecture Design Phase

Logical layer:
  Assets (what) – Information Assets: Inventory of Information Assets
  Motivation (why) – Risk Management Policies: Domain Policies
  Process (how) – Process Maps & Services: Information Flows; Functional Transformations; SOA
  People (who) – Entity & Trust Framework: Entity Schema; Trust Models; Privilege Profiles
  Location (where) – Domain Maps: Domain Definitions; Inter-domain Associations & Inter-actions
  Time (when) – Calendar & Timetable: Start Times, Lifetimes & Deadlines

Physical layer:
  Assets (what) – Data Assets: Data Dictionary & Data Inventory
  Motivation (why) – Risk Management Practices: Risk Management Rules & Procedures
  Process (how) – Process Mechanisms: Applications, Middleware; Systems; Security Mechanisms
  People (who) – Human Interface: User Interface to ICT Systems; Access Control Systems
  Location (where) – ICT Infrastructure: Host Platforms & Networks Layout
  Time (when) – Processing Schedule: Timing & Sequencing of Processes & Sessions

Component layer:
  Assets (what) – ICT Components: ICT Products, Data Repositories & Processors
  Motivation (why) – Risk Management Tools & Standards: Risk Analysis Tools; Risk Registers; Risk Monitoring, Reporting & Treatment Tools
  Process (how) – Process Tools & Standards: Tools & Protocols for Process Delivery
  People (who) – Personnel Management Tools & Standards: Identities, Job Descriptions; Roles; Functions; Actions & ACLs
  Location (where) – Locator Tools & Standards: Nodes, Addresses & Other Locators
  Time (when) – Step Timing & Sequencing Tools: Time Schedules; Clocks; Timers & Interrupts


Design Framework
(Service Management View)

Contextual Security Architecture
Conceptual Security Architecture
Logical Security Architecture
Physical Security Architecture
Component Security Architecture
Security Service Management Architecture (alongside all five layers)

SABSA Service Management Architecture
Columns: Assets (What); Motivation (Why); Process (How); People (Who); Location (Where); Time (When)

Operational: Service Delivery Management; Operational Risk Management; Process Delivery Management; Personnel Management; Management of Environment; Time & Performance Management
The row above is a repeat of Layer 6 of the main SABSA Matrix.
The five rows below are an exploded overlay of how this Layer 6 relates to each of these other Layers:

Contextual: Business Driver Definitions; Business Risk Assessment; Service Management; Relationship Management; Point-of-Supply Management; Performance Management
Conceptual: Proxy Asset Definitions; Developing ORM Objectives; Service Delivery Planning; Service Management Roles; Service Portfolio; Service Level Definitions
Logical:    Asset Management; Policy Management; Service Delivery Management; Service Customer Support Management; Service Catalogue Management; Service Evaluation Management
Physical:   Asset Security & Protection; Operational Risk Data Collection; Service Resources Protection; User Support; Service Performance Data Collection; Operations Management
Component:  Security Tool Protection; ORM Tools; Service Tool Deployment; Personnel Deployment; Management Tools; Monitoring Tools

Built to Integrate Management Practices
• SABSA Service Management was designed to comply with, integrate, and enable management best practice of the day

Diagram (reconstructed from the slide), with Service Management / Operational Architecture at the centre:
Designed-in then: Code of Practice for Information Security Management → BS7799(1) (controls library) and BS7799(2) (ISMS); Code of Practice for Information Technology Service Management → ITIL
Compatible now: ISO 17799 (controls library) → ISO 27001 (ISMS) and ISO 27002 (controls library); ITIL → ISO 20000


SABSA Top-Down Process Analysis

Vertical Security Consistency (top-down through the layers):
Contextual: Meta-Processes
Conceptual: Strategic View of Process
Logical: Information Flows & Transformations
Physical: Data Flows & System Interactions
Component: Protocols & Step Sequences
Horizontal Security Consistency (across each layer)

Traceability For Completeness

Contextual Security Architecture → Conceptual Security Architecture → Logical Security Architecture → Physical Security Architecture → Component Security Architecture, with the Security Service Management Architecture alongside all five layers
• Every business requirement for security is met and the residual risk is acceptable to the business appetite

Traceability For Justification

Component Security Architecture → Physical Security Architecture → Logical Security Architecture → Conceptual Security Architecture → Contextual Security Architecture, with the Security Service Management Architecture alongside all five layers
• Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.


The Problem of Defining Security
• “Security is the means of achieving an acceptable level of residual risk”
• “The value of the information has to be protected”
• “This value is determined in terms of confidentiality, integrity & availability”

Security Reconsidered


SABSA Business Attributes
• Powerful requirements engineering technique
• Populates the vital ‘missing link’ between business requirements and technology / process design
• Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
• Attributes can be tangible or intangible
• Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
• Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
• The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase

Sample Taxonomy of ICT Attributes
Business Attributes

User Attributes: Accessible, Accurate, Anonymous, Consistent, Current, Duty Segregated, Educated & Aware, Informed, Motivated, Protected, Reliable, Responsive, Supported, Timely, Transparent, Usable
Management Attributes: Automated, Change-managed, Continuous, Controlled, Cost-Effective, Efficient, Maintainable, Measured, Monitored, Supportable
Operational Attributes: Available, Detectable, Error-Free, Inter-Operable, Productive, Recoverable
Risk Management Attributes: Access-controlled, Accountable, Assurable, Assuring Honesty, Auditable, Authenticated, Authorised, Capturing New Risks, Confidential, Crime-Free, Flexibly Secure, Identified, Independently Secure, In our sole possession, Integrity-Assured, Non-Repudiable, Owned, Private, Trustworthy
Legal / Regulatory Attributes: Admissible, Compliant, Enforceable, Insurable, Legal, Liability Managed, Regulated, Resolvable, Time-bound
Technical Strategy Attributes: Architecturally Open, COTS / GOTS, Extendible, Flexible / Adaptable, Future-Proof, Legacy-Sensitive, Migratable, Multi-Sourced, Scalable, Simple, Standards Compliant, Traceable, Upgradeable
Business Strategy Attributes: Brand Enhancing, Business-Enabled, Competent, Confident, Credible, Culture-sensitive, Enabling time-to-market, Governable, Providing Good Stewardship and Custody, Providing Investment Re-use, Providing Return on Investment, Reputable

Attributes Usage
• Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop
• Pick-list of desired requirements
• Cross-check for completeness of requirements
• Key to traceability mappings
• Measurement & operations – contracts, SLAs, performance targets
• Return on Investment & Value propositions
• Procurement
• Risk status summary & risk monitoring
• Key to a SABSA integrated compliance tool
• Powerful executive communications
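Two of the usages above, traceability mappings and measurement against performance targets, can be shown as a small data model. The following is an added example written for this page, not SABSA Institute code or a SABSA tool. It assumes a four-level chain (attribute -> control objective -> security service -> mechanism) and checks it in both directions as the two traceability slides describe: completeness (every attribute reaches at least one mechanism) and justification (every mechanism traces back to an attribute). The attribute names come from the taxonomy slide; the definitions, metrics, targets, objectives, services and mechanisms are constructed for the example.

```python
"""Two-way traceability over a SABSA-style business attribute profile.

Added illustration, not SABSA Institute code. The chain modelled here
(attribute -> control objective -> security service -> mechanism) and every
sample entry are constructed for this example; only the attribute names are
taken from the SABSA taxonomy slide.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attribute:
    name: str
    definition: str            # organisation-specific meaning of the attribute
    metric: str                # how the attribute is measured
    target: float              # performance target used for reporting / SLAs
    higher_is_better: bool = True


@dataclass
class Profile:
    attributes: dict[str, Attribute] = field(default_factory=dict)
    objectives: dict[str, set[str]] = field(default_factory=dict)  # objective -> attributes
    services: dict[str, set[str]] = field(default_factory=dict)    # service -> objectives
    mechanisms: dict[str, set[str]] = field(default_factory=dict)  # mechanism -> services

    def attributes_of_mechanism(self, mech: str) -> set[str]:
        """Walk mechanism -> services -> objectives -> attributes."""
        found: set[str] = set()
        for svc in self.mechanisms.get(mech, ()):
            for obj in self.services.get(svc, ()):
                found |= self.objectives.get(obj, set())
        return found

    def untraced_attributes(self) -> set[str]:
        """Completeness check: attributes that no mechanism traces up to."""
        covered: set[str] = set()
        for mech in self.mechanisms:
            covered |= self.attributes_of_mechanism(mech)
        return set(self.attributes) - covered

    def unjustified_mechanisms(self) -> set[str]:
        """Justification check: mechanisms that trace back to no attribute."""
        return {m for m in self.mechanisms if not self.attributes_of_mechanism(m)}

    def attribute_status(self, measured: dict[str, float]) -> dict[str, bool]:
        """True where the measured value meets the attribute's target."""
        status: dict[str, bool] = {}
        for name, attr in self.attributes.items():
            if name not in measured:
                continue
            value = measured[name]
            status[name] = value >= attr.target if attr.higher_is_better else value <= attr.target
        return status


def build_sample_profile() -> Profile:
    """Constructed sample with one gap of each kind built in."""
    p = Profile()
    p.attributes = {
        "Available": Attribute("Available", "Customer portal reachable in trading hours",
                               "monthly uptime in trading hours (%)", 99.9),
        "Confidential": Attribute("Confidential", "Card data readable only by authorised staff",
                                  "unauthorised disclosure incidents per quarter", 0, False),
        "Auditable": Attribute("Auditable", "Privileged actions reconstructible afterwards",
                               "privileged actions with a complete log trail (%)", 100),
        "Recoverable": Attribute("Recoverable", "Core ledger restorable after site loss",
                                 "restore time (hours)", 4, False),
    }
    p.objectives = {
        "CO-1 resilient service": {"Available"},
        "CO-2 protect card data": {"Confidential"},
        "CO-3 privileged accountability": {"Auditable"},
    }
    p.services = {
        "redundant hosting": {"CO-1 resilient service"},
        "data-at-rest encryption": {"CO-2 protect card data"},
        "privileged session logging": {"CO-3 privileged accountability"},
        "network IPS": set(),   # service with no control objective behind it
    }
    p.mechanisms = {
        "active-active web tier": {"redundant hosting"},
        "HSM-backed disk encryption": {"data-at-rest encryption"},
        "PAM session recorder": {"privileged session logging"},
        "IPS appliance": {"network IPS"},
    }
    return p


if __name__ == "__main__":
    profile = build_sample_profile()
    print("untraced attributes:", profile.untraced_attributes())      # {'Recoverable'}
    print("unjustified mechanisms:", profile.unjustified_mechanisms())  # {'IPS appliance'}
    print(profile.attribute_status({"Available": 99.95, "Confidential": 1,
                                    "Auditable": 100, "Recoverable": 6}))
```

In the sample, "Recoverable" has a definition and a target but nothing in the lower layers delivers it (a completeness gap), while the IPS appliance has no business attribute behind it (a justification gap); the status report shows which attributes currently meet the targets the Strategy & Planning phase set.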


SABSA BAP - the Key to Framework Integration
Extract reproduced with permission from Hans Hopman, ISO 27000 committee

Security Services Value Reconsidered


Risk Reconsidered - SABSA O.R.M.

Risk Context: Assets at Risk sit between the two sides of the model.
Negative Outcomes (Threats → Loss Event):
  Likelihood of threat materialising combined with likelihood of weakness exploited gives the overall likelihood of loss
  Asset value combined with negative impact value gives the overall loss value
Positive Outcomes (Opportunities → Beneficial Event):
  Likelihood of opportunity materialising combined with likelihood of strength exploited gives the overall likelihood of benefit
  Asset value combined with positive impact value gives the overall benefit value

Feedback Control Loop System

Control Sub-System → (affects state of system) → System → (reports new state of system) → Monitoring & Measurement Sub-System → Decision Sub-System → (calls for new parameter settings) → Control Sub-System


SABSA Multi-tiered Control Strategy
• Deterrence
• Prevention
• Containment
• Detection & Notification
• Evidence Collection & Tracking
• Recovery & Restoration
• Audit & Assurance (spanning all tiers)

SABSA Operation of Controls

Threats exploit Vulnerabilities, causing Incidents affecting Assets, producing Business Impacts.
• Deterrent Controls reduce Threats
• Preventive Controls reduce Vulnerabilities and trigger Detective Controls
• Detective Controls discover Incidents and trigger Corrective Controls
• Corrective Controls reduce Business Impacts
Risk Assessment leads to Selection of Controls.
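The two-sided O.R.M. model and the control relationships above can be put together in one small calculation. The following is an added example for this page, not SABSA Institute code. It assumes that the likelihood factors and the value factors on each side of the O.R.M. diagram combine by multiplication, that each control removes a fixed fraction of the factor it "reduces" (deterrent on threat likelihood, preventive on weakness likelihood, corrective on impact), that corrective controls only take effect when a detective control is present to trigger them, and that the business appetite is a single expected-loss figure; the risk, control and opportunity values are constructed.

```python
"""SABSA O.R.M. two-sided risk model with the operation-of-controls overlay.

Added illustration, not SABSA Institute code. The slides name the factors
(threat/opportunity likelihood, weakness/strength likelihood, asset value,
impact value) and say which control type reduces which factor; combining the
factors by multiplication, expressing each control as a fractional reduction,
gating corrective controls on a detective control, and the appetite check are
assumptions made for this example. All sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # "deterrent" | "preventive" | "detective" | "corrective"
    reduction: float   # fraction of the factor it removes, 0.0 .. 1.0


@dataclass(frozen=True)
class NegativeRisk:
    threat: str
    asset: str
    asset_value: float        # value of the asset at risk
    p_threat: float           # likelihood the threat materialises
    p_weakness: float         # likelihood the weakness is exploited
    impact_fraction: float    # share of asset value lost in a loss event


@dataclass(frozen=True)
class PositiveRisk:
    opportunity: str
    asset: str
    asset_value: float
    p_opportunity: float      # likelihood the opportunity materialises
    p_strength: float         # likelihood the strength is exploited
    impact_fraction: float    # share of asset value gained in a beneficial event


def _apply(kind, controls, value):
    """Apply every control of one kind as an independent fractional reduction."""
    for c in controls:
        if c.kind == kind:
            value *= 1.0 - c.reduction
    return value


def expected_loss(risk, controls=()):
    """Overall likelihood of loss x overall loss value, after controls.

    Deterrent controls reduce the threat likelihood, preventive controls the
    weakness likelihood, corrective controls the impact. Corrective controls
    are only applied when a detective control exists to trigger them.
    """
    p_threat = _apply("deterrent", controls, risk.p_threat)
    p_weak = _apply("preventive", controls, risk.p_weakness)
    impact = risk.impact_fraction
    if any(c.kind == "detective" for c in controls):
        impact = _apply("corrective", controls, impact)
    overall_likelihood = p_threat * p_weak
    overall_loss_value = risk.asset_value * impact
    return round(overall_likelihood * overall_loss_value, 2)


def expected_benefit(risk):
    """Overall likelihood of benefit x overall benefit value (positive side)."""
    overall_likelihood = risk.p_opportunity * risk.p_strength
    overall_benefit_value = risk.asset_value * risk.impact_fraction
    return round(overall_likelihood * overall_benefit_value, 2)


def within_appetite(risk, controls, appetite):
    """Residual expected loss acceptable to the stated business appetite?"""
    return expected_loss(risk, controls) <= appetite


# Constructed sample values
SAMPLE = NegativeRisk("ransomware", "order system", 2_000_000, 0.5, 0.4, 0.25)
CONTROLS = (
    Control("awareness & sanctions", "deterrent", 0.2),
    Control("patching SLA", "preventive", 0.5),
    Control("EDR alerting", "detective", 0.0),
    Control("tested restores", "corrective", 0.6),
)
OPPORTUNITY = PositiveRisk("new online channel", "order system", 2_000_000, 0.6, 0.7, 0.1)

if __name__ == "__main__":
    print("inherent expected loss:", expected_loss(SAMPLE))             # 100000.0
    print("residual expected loss:", expected_loss(SAMPLE, CONTROLS))   # 16000.0
    print("expected benefit:", expected_benefit(OPPORTUNITY))           # 84000.0
    print("within appetite of 20000:", within_appetite(SAMPLE, CONTROLS, 20_000))
```

Dropping the detective control from CONTROLS leaves the corrective reduction unused, so the residual loss rises even though the restore capability is still listed; that is the "detective triggers corrective" relationship on the slide expressed in the model.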
Taxonomy of Cognitive Levels (Foundation)

Level 1 – Knowledge
  Skill demonstrated: Observation and recall of information; Knowledge of facts; Knowledge of major ideas; Mastery of subject matter; Carry out research to find information
  Task examples: List, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify
Level 2 – Comprehension
  Skill demonstrated: Understand information; Grasp meaning; Translate knowledge into new context; Interpret facts, compare, contrast; Order, group, infer causes; Predict consequences
  Task examples: Summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend

Taxonomy of Cognitive Levels (Practitioner)

Level 3 – Application
  Skill demonstrated: Use information; Use methods, concepts, theories in new situations; Solve problems using required skills or knowledge
  Task examples: Apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover
Level 4 – Analysis
  Skill demonstrated: Seeing patterns; Organisation of parts; Recognition of hidden meanings; Identification of components
  Task examples: Analyse, separate, order, connect, classify, arrange, divide, compare, select, infer

Taxonomy of Cognitive Levels (Master)

Level 5 – Synthesis
  Skill demonstrated: Use old ideas to create new ones; Generalise from given facts; Relate knowledge from several areas; Predict, draw conclusions
  Task examples: Combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite
Level 6 – Evaluation
  Skill demonstrated: Compare and discriminate between ideas; Assess value of theories, presentations; Make choices based on reasoned argument; Verify value of evidence; Recognise subjectivity
  Task examples: Assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude


For More Information
• SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach”
  • Currently - CMP Books (Elsevier)
  • Van Haren SABSA Book Store
• Accredited Education Provider for Australia – http://www.alc-group.com
• http://www.sabsa.org
• http://www.sabsa-institute.com/members
• SABSA Executive White Paper
• SABSA – TOGAF White Paper


For More Information
• SABSA World Congress at COSAC http://www.cosac.net
• Sept 30 – Oct 4 …..Fly Free to Ireland!!

Testimonials:
“Quite simply the greatest information security conference on Earth.” John O’Leary, President, O’Leary Management Education, USA
“COSAC starts where other events stop. Challenging, professional and hugely useful.” Brian Collins, Chief Scientific Advisor, Dept for Transport, UK
“Totally incredible!! COSAC is by far the greatest event I have ever had the privilege to attend.” Luc de Graeve, CEO, Sensepost, South Africa
“Brilliant! A rare opportunity of the highest standard to gain access to expert opinion on matters of real importance.” Tim Evans, Assistant Commissioner, Australian Electoral Commission
“Exceptional! More interaction and valuable discussion than any other conference.” Helvi Salminen, CISO, Gemalto, Finland
“I’ve been to dozens of conferences that bill themselves as best. None can possibly be as good as COSAC.” Dan Houser, Principal Security Architect, Huntington Bank, USA
“Attending COSAC is one of the most valuable decisions an organisation can make. The ultimate contribution to knowledge assets.” Richard Nealon, Assurance Reporting Manager, AIB Group, Ireland
“Year on year COSAC exceeds my now sky-high expectations for professionalism, content and organisational excellence.” Ahmed Ali, InfoSec Manager, BaTelCo, Bahrain
“Outstanding! The calibre of speakers, delegates and the whole experience is truly unsurpassed.” Tadashi Nagamiya, CTO, InfoSec Corp, Japan
“Wonderful! Like discovering a whole new profession.” Herve Schmidt, CEO, GASPAR, France

THANK YOU

David Lynas
CEO, SABSA Institute

david.lynas@sabsa.org (non-commercial only)
david@sabsaservicesinternational.com