Running head: SHERWOOD APPLIED BUSINESS SECURITY ARCHITECTURE MODEL
The Sherwood Applied Business Security Architecture (SABSA) Model
The Sherwood Applied Business Security Architecture (SABSA) Model was originally developed from the assurance, security, and information risk domains. It is one of the leading methodologies for creating business-operational, risk-based architectures. Its focus is on making security an enabler for the business enterprise rather than having it perceived as an obstacle that inconveniences the operating activities of the organization. Beyond establishing a framework for understanding the objectives of the business, SABSA also provides the means of designing security programs that support the business objectives and drivers (Ritchot, 2013).
SABSA integrates with the company's existing frameworks rather than replacing or interfering with them. It is not tied to any supplier, which makes it vendor-neutral. The model treats risks not only as threats but also as opportunities for the business. It is the first methodology to introduce a reliable way of measuring the business risk appetite and of monitoring the business's operational performance against that appetite (Ritchot, 2013). The SABSA model is also scalable, which means it can be introduced with a small scope and rolled out to other areas and systems incrementally, as slowly or as quickly as the company can handle.
By defining the business drivers and attributes, an understanding of the business is achieved, and it is this understanding that guides the development of the security architecture. A business driver is determined by the top levels of the business and is associated with the business's strategies, its day-to-day operational plans, and other fundamental elements that are vital to its success. An attribute can be found by understanding the business drivers, since it is an essential component of the tactical objectives that need to be secured by the available security architecture. The SABSA framework is a layered approach in which each layer corresponds to the view of a different organizational player as it relates to specifying, designing, constructing, and operating the security architecture. Below is the diagram that Sherwood, Clark, & Lynas (2009) outline, which indicates the views and their correlation to the different layers of the architecture:
Sherwood, Clark, & Lynas (2009) describe each of the views as follows:
- The Business View is typically the description of the organization's context, which in turn assists in designing, building, and operating its secure system.
- The Architect's View assists in defining the business's concepts and principles. In the lower layers, this aids in guiding the selection as well as the configuration of its physical and tactical items.
- The Designer's View is the identification and specification of the logical architectural items of a system. This is important because it assists in modeling the business organization as a system consisting of major architectural security elements delivered as services. As a result, it becomes possible to describe the flow of control as well as the relationships that exist among these elements (Ritchot, 2013).
- The Builder's View is the stage in which the logical design comes to life through the choice and assembly of the physical elements.
- The Tradesman's View deals with components such as system standards, interface specifications, hardware, and software.
- The Service Manager's View deals with the operation, maintenance, and monitoring of how well the architecture is meeting its requirements. As depicted in the diagram above, this view/layer overlaps the other views/layers so that it can be interpreted alongside each of them.
The SABSA Master Matrix is a six-by-six matrix which combines the six layers discussed above with a vertical analysis that answers six questions, specifically: what kind of assets are involved?, why (what are the motivating factors)?, how are the processes and technology related to this architecture?, who are the individuals to be involved in managing this structure?, where (from which location) will it be operated?, and when (at what time) will it be operated? It is these questions which will be used in establishing its operating capabilities (Sherwood et al., 2009). An example of this matrix is shown below:
The six layers are the rows and the six questions are the columns of the matrix. The following specific questions, according to Sherwood et al. (2009), need to be answered in each of the layers:
- What kind of operations are we trying to do using this structure? These are the operations which depend on this architecture.
- Why are we trying to utilize this layer? The objective behind this is to enable the application of its security protocols.
- How are we trying to do it? This depends on the functions and processes that are required to maintain the security protocols.
- Who is involved? The aspects of the business and the people involved are the ones who will be enhancing security.
- Where is the appropriate place for doing all of this? The locations where security is involved.
- When is the appropriate time for doing this? The time-bound and time-related features which are associated with its security layers.
These questions will help keep the focus on the real needs of the business and allow the security architecture to address the operational requirements which support the activities of the business. Within the SABSA methodology, the main artifact is the SABSA Business Attribute Profile. The Business Attributes Profile is a taxonomy which was created based on commonly recurring themes and was designed to be customizable so as to represent a unique organization with unique requirements. Following is a diagram of the taxonomy from Sherwood et al. (2009):
The Profile allows the selection of only those attributes that are relevant to the specific business needs of the company and allows the addition of those that are missing; thereby the requirements are translated, standardized, and normalized into the SABSA format.
When the focus is on the business requirements and the drivers identified by the top-level executives, the security architecture developed will address those requirements and help mitigate the risk (Van Haren Publishing, n.d.). The Sherwood Applied Business Security Architecture model is a methodology that helps to identify the business requirements and drivers through the Master Matrix. In turn, it becomes possible to identify the attributes to be protected through the Business Attribute Profile.
References
Ritchot, B. (2013). An Enterprise Security Program and Architecture to Support Business Drivers. Technology Innovation Management Review, 25. Retrieved from http://165.193.178.96/login?url=http%3a%2f%2fsearch.ebscohost.com%2flogin.aspx%3fdirect%3dtrue%26db%3dedb%26AN%3d91683065%26site%3deds-live
Sherwood, J., Clark, A., & Lynas, D. (2009). Enterprise security architecture [White paper]. Retrieved December 26, 2018 from http://www.sabsa.org
Van Haren Publishing. (n.d.). SABSA – in 3 minutes [Blog post]. Retrieved December 26, 2018, from www.vanharen.net/blog/enterprise-architecture/sabsa-in-3-minutes/