World Library  
Flag as Inappropriate
Email this Article

Sherwood Applied Business Security Architecture

Article Id: WHEBN0013113344
Reproduction Date:

Title: Sherwood Applied Business Security Architecture  
Author: World Heritage Encyclopedia
Language: English
Subject: Enterprise architecture
Collection:
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Sherwood Applied Business Security Architecture

SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for enterprise security architecture and service management. It was developed independently from the Zachman Framework, but has a similar structure.

SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.

The process analyzes the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing ‘manage and measure’ phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.

The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture).

The SABSA model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic program of information security management within the organization.

SABSA is a particular example of a methodology that can be used both for IT (information technology) and OT (operational technology) environments.

The SABSA matrix for security architecture development

Assets (What) Motivation (Why) Process (How) People (Who) Location (Where) Time (When)
Contextual The business Business risk model Business process model Business organization and relationships Business geography Business time dependencies
Conceptual Business attributes profile Control objectives Security strategies and architectural layering Security entity model and trust framework Security domain model Security-related lifetime and deadlines
Logical Business information model Security policies Security services Entity schema and privilege profiles Security domain definitions and associations Security processing cycle
Physical Business data model Security rules, practices and procedures Security mechanisms Users, applications and user interface Platform and network infrastructure Control structure execution
Component Detailed data structures Security standards Security products and tools Identities, functions, actions and ACLs Processes, nodes, addresses and protocols Security step timing and sequencing
Operational Assurance of operational continuity Operational risk management Security service management and support Application and user management and support Security of sites and platforms Security operations schedule

Note: The above is the original SABSA Matrix, which is still valid today, but it has been expanded by a comprehensive service management matrix and updated in some detail and terminology areas. In the words of David Lynas, SABSA author, "The SABSA Matrix and the SABSA Service Management Matrix have not been updated since the late 90s. We have redesigned them to deliver the improvements your feedback has requested over the years. We have not fundamentally changed the structure or principles of the matrices (very few elements have changed position) but have focussed on terminology update and consistency." The new versions can be downloaded (along with the 2009 revision of the SABSA White Paper and other important documents like the SABSA Certification Roadmap) at the SABSA Members' Web Site.

References

  • The SABSA Method
  • PHP Security and SABSA

External links

  • SABSA website
  • SABSA Institute Community Forum
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.