Saturday, April 8, 2023

Sherwood Applied Business Architecture (SABSA)


The Sherwood Applied Business Architecture (SABSA) framework is a methodology for developing security architectures and implementing risk management strategies in complex organizations. It was created by John Sherwood in the 1990s and has since been further developed and refined by a community of security professionals.

SABSA is a business-driven framework that aims to align security with the overall objectives of an organization. It provides a structured approach to developing security architectures that are based on a thorough understanding of the organization's business processes, information assets, and stakeholders.

The SABSA framework is structured around six layers, each of which addresses a specific aspect of the security architecture:

  1. The Business Layer: This layer defines the organization's overall mission, goals, and objectives. It identifies the key business processes and stakeholders and establishes the context for the security architecture.
  2. The Information Layer: This layer defines the information assets that the organization needs to protect. It includes information classification, ownership, and management.
  3. The Application Layer: This layer defines the applications that support the organization's business processes and the security controls that must be implemented to protect them.
  4. The Technology Layer: This layer defines the underlying IT infrastructure that supports the applications and the security controls that must be implemented to protect it.
  5. The Physical Layer: This layer defines the physical assets that support the IT infrastructure, such as buildings, data centers, and network equipment.
  6. The People Layer: This layer defines the human resources that are involved in the operation and management of the security architecture. It includes policies, procedures, and training programs for staff.

Taken together, these layers give a structured way to derive security architecture from the organization's business processes, information assets, and stakeholders. By aligning security with business objectives, SABSA helps organizations achieve their goals while managing risk effectively.

The SABSA Business Layer is the first layer of the SABSA framework and is one of the most important layers because it sets the context for the entire security architecture.

The Business Layer defines the organization's overall mission, vision, goals, and objectives, and identifies the key business processes and stakeholders. It provides a top-level view of the organization's business functions, strategies, and governance structures, and establishes the foundation for the rest of the security architecture.

In particular, the Business Layer in the SABSA framework focuses on the following areas:

  1. Business Drivers: This includes identifying the internal and external factors that drive the organization's business processes, such as market trends, regulatory requirements, and customer needs.
  2. Business Objectives: This includes defining the organization's goals and objectives in terms of business outcomes, such as revenue growth, cost reduction, and customer satisfaction.
  3. Business Processes: This includes identifying the key business processes and activities that are critical to achieving the organization's business objectives.
  4. Business Information: This includes identifying the information assets that are critical to the organization's business processes and activities, such as customer data, financial information, and intellectual property.
  5. Stakeholders: This includes identifying the stakeholders who are involved in the organization's business processes and activities, such as customers, employees, partners, regulators, and shareholders.

By understanding the business drivers, objectives, processes, information, and stakeholders, the SABSA framework can help to ensure that the security architecture is aligned with the organization's business goals and objectives. This alignment is critical to achieving a balance between security and business requirements, and to ensuring that security measures are not seen as an impediment to business operations.

In the SABSA Security Framework, the Information Layer is the second layer of the framework and is responsible for defining the information assets that need to be protected. The Information Layer builds on the foundation established by the Business Layer and focuses on identifying and categorizing the organization's information assets.

The Information Layer in the SABSA framework typically includes the following components:

  1. Information Classification: This includes identifying the different types of information that the organization uses and establishing a classification scheme based on the sensitivity and criticality of the information. Information may be classified into different levels, such as public, internal, confidential, and restricted.
  2. Information Ownership: This includes identifying the stakeholders who are responsible for the information assets, including business units, departments, and individuals.
  3. Information Management: This includes defining policies and procedures for managing the information assets, including data governance, data quality, and data lifecycle management.
  4. Information Access: This includes defining policies and procedures for granting access to the information assets, including authentication, authorization, and access controls.
  5. Information Sharing: This includes defining policies and procedures for sharing information within the organization and with external stakeholders, including partners, customers, and regulators.

By defining and categorizing the organization's information assets, the Information Layer provides the foundation for the rest of the security architecture. It ensures that the security controls are aligned with the sensitivity and criticality of the information assets and that the access controls and sharing policies are consistent with the organization's business objectives and compliance requirements.

In the SABSA Security Framework, the Application Layer is the third layer of the framework and is responsible for defining the security controls that are required to protect the applications that support the organization's business processes.

The Application Layer builds on the foundation established by the Business and Information Layers and focuses on identifying the applications that are critical to the organization's business processes and activities, and the security controls that need to be implemented to protect them.

The Application Layer in the SABSA framework typically includes the following components:

  1. Application Identification: This includes identifying the applications that support the organization's business processes and activities and assessing their criticality to the organization's operations.
  2. Application Architecture: This includes defining the architecture of the applications, including their components, interfaces, and dependencies.
  3. Application Security Requirements: This includes defining the security requirements for the applications, including confidentiality, integrity, availability, and non-repudiation.
  4. Application Security Controls: This includes identifying the security controls that need to be implemented to protect the applications, including access controls, encryption, logging, and monitoring.
  5. Application Security Testing: This includes testing the applications to ensure that they meet the security requirements and that the security controls are working effectively.

By defining the security controls required to protect the applications, the Application Layer ensures that the security measures are aligned with the organization's business processes and objectives. It also helps to ensure that the applications are secure and reliable, and that they can support the organization's business operations without interruption or compromise.

In the SABSA Security Framework, the Technology Layer is the fourth layer of the framework and is responsible for defining the security controls that are required to protect the underlying technology infrastructure that supports the organization's applications and business processes.

The Technology Layer builds on the foundation established by the Business, Information, and Application Layers, and focuses on identifying the technology components that are critical to the organization's operations, and the security controls that need to be implemented to protect them.

The Technology Layer in the SABSA framework typically includes the following components:

  1. Technology Identification: This includes identifying the technology components that support the organization's applications and business processes, including servers, networks, storage devices, and other IT infrastructure.
  2. Technology Architecture: This includes defining the architecture of the technology components, including their components, interfaces, and dependencies.
  3. Technology Security Requirements: This includes defining the security requirements for the technology components, including confidentiality, integrity, availability, and non-repudiation.
  4. Technology Security Controls: This includes identifying the security controls that need to be implemented to protect the technology components, including firewalls, intrusion detection and prevention systems, security information and event management systems, and other security technologies.
  5. Technology Security Testing: This includes testing the technology components to ensure that they meet the security requirements and that the security controls are working effectively.

By defining the security controls required to protect the technology infrastructure, the Technology Layer ensures that the security measures are aligned with the organization's business processes and objectives. It also helps to ensure that the technology components are secure and reliable, and that they can support the organization's business operations without interruption or compromise.

In the SABSA Security Framework, the Physical Layer is the fifth and final layer of the framework and is responsible for defining the security controls that are required to protect the physical environment where the organization's technology infrastructure and business processes are located.

The Physical Layer builds on the foundation established by the Business, Information, Application, and Technology Layers, and focuses on identifying the physical assets that are critical to the organization's operations, and the security controls that need to be implemented to protect them.

The Physical Layer in the SABSA framework typically includes the following components:

  1. Asset Identification: This includes identifying the physical assets that are critical to the organization's operations, including buildings, data centers, servers, and other IT infrastructure.
  2. Asset Architecture: This includes defining the architecture of the physical assets, including their location, access points, and environmental factors.
  3. Asset Security Requirements: This includes defining the security requirements for the physical assets, including physical security, environmental control, and disaster recovery.
  4. Asset Security Controls: This includes identifying the security controls that need to be implemented to protect physical assets, including access controls, surveillance systems, and environmental monitoring systems.
  5. Asset Security Testing: This includes testing the physical assets to ensure that they meet the security requirements and that the security controls are working effectively.

By defining the security controls required to protect the physical environment, the Physical Layer ensures that the security measures are aligned with the organization's business processes and objectives. It also helps to ensure that the physical assets are secure and reliable, and that they can support the organization's business operations without interruption or compromise.


The People Layer is not an official layer of the SABSA Security Framework, as the framework only includes five layers: Business, Information, Application, Technology, and Physical. However, some SABSA practitioners may refer to the "People Layer" as a way to describe the importance of considering the human factors in a comprehensive security architecture.

The People Layer refers to the individuals who use, manage, and support the organization's technology infrastructure and business processes. This includes employees, contractors, vendors, and other stakeholders who interact with the organization's systems and data.

The People Layer is critical to the success of a security architecture, as humans can be both a vulnerability and a safeguard. On one hand, humans can make mistakes, fall victim to social engineering attacks, or intentionally engage in malicious activity. On the other hand, humans can also be trained to recognize and respond to security threats, implement best practices for data protection, and support security policies and procedures.

Therefore, the People Layer may be addressed in each of the other five layers of the SABSA framework. For example, the Business Layer may consider the organization's security culture and policies, the Information Layer may consider data classification and access controls, the Application Layer may consider secure coding practices and user authentication, the Technology Layer may consider network security and intrusion detection systems, and the Physical Layer may consider access controls and physical security measures.
