The InfoSec Handbook
SABSA®

SABSA® is an open, generic, scalable methodology from The SABSA Institute for formulating information security architecture and information assurance architecture. The strength of the SABSA methodology is that it derives the information security architecture from business requirements, from the technology enablers the business needs, and from the business's own requirements for information security [4]. As a result, the usual conflict in which business users are adversely affected by, or unhappy with, information security is avoided, and with it the usual resistance to information security from business users.

SABSA specifies a six-layer architecture for information security: five stacked layers, namely the Business View (Contextual Security Architecture layer), the Architect's View (Conceptual Security Architecture layer), the Designer's View (Logical Security Architecture layer), the Builder's View (Physical Security Architecture layer) and the Tradesman's View (Component Security Architecture layer), plus a sixth layer that cuts across and supports all five, the Service Security Management Architecture layer [4]. The SABSA layered structure is depicted for easy reference in Figure 3-4.

Figure 3-4. SABSA information security architecture

On the Contextual Security Architecture layer, business users provide the business requirements that the architecture must meet. On the Conceptual Security Architecture layer, the architect provides the overall concept by which the organization's business requirements are to be met. On the Logical Security Architecture layer, the designers provide a systems engineering model that views the business as a system and delineates it as a system of systems through its various sub-systems. On the Physical Security Architecture layer, the builder specifies the physical security mechanisms and the servers that will be required to provide these services. On the Component Security Architecture layer, the tradesmen work from the specifications provided by the builder, using specialist products and system components that together build what the builder expected. On the Service Security Management Architecture layer, the service manager deals with system operations and service management. Each layer builds on the output of the layer above it, whereas the sixth layer, the Service Security Management Architecture layer, supports the other five. The security layers are described in Table 3-2 [4].

Table 3-2. The SABSA® Information System Architecture layers

Table 3-3. Advantages and disadvantages of IS frameworks

SABSA®

Advantages:
1. Business focused.
2. Consideration zone is the enterprise.
3. Multi-layered approach covering essential aspects.
4. Steps provided to clearly guide the implementation of infrastructure security.
5. Compulsorily involves different views.
6. Various stakeholders, including business users, are involved in arriving at the information security architecture.

Disadvantages:
1. Some risks may not be considered if the risk assessment methodology used is not robust, as the focus is more on business enablement and business considerations may out-focus the risks.

NIST SP 800-39 & 800-53

Advantages:
1. Business focused.
2. Consideration zone is the organization.
3. Well-focused risk identification, management and control framework built in (multi-tiered architecture).
4. Risk assessment.

Disadvantages:
1. Success depends upon the involvement of relevant stakeholders with appropriate knowledge, experience and expertise, and on identifying the risks appropriately.

ISO/IEC 27001:2013

Advantages:
1. Consideration zone is normally the organization.
2. Well-focused risk identification, management and control framework.
3. Several controls which can be useful are suggested.
4. Each control has been explained in detail in ISO/IEC 27002:2013.
5. There are many guidelines by ISO which support the above, such as ISO 31000:2009.

Disadvantages:
1. No layered focus specified directly, but only indirectly through the control clauses. Success depends upon the involvement of all relevant stakeholders and on expertise in proper risk assessment and risk treatment.
