SlideShare a Scribd company logo

SABSA Implementation(Part III)_ver1-0

Download as PPTX, PDF
Maganathin Veeraragaloo
Maganathin Veeraragaloo

This document discusses strategies for implementing the SABSA framework for security architecture. It outlines aligning various frameworks and methods such as risk management, controls, performance reporting, and defense in depth layering with SABSA. A multi-tiered controls strategy is described that provides proportional capabilities to deter, prevent, contain, detect, track, and recover from risks. This strategy models controls against risk assessments to determine the appropriate control response based on risk proportionality.

1 of 17
SABSA Implementation Generic Approach PART III
ARCHITECTURAL STRATEGIES
Scope: Strategy & Planning Phase - Process
Alignment, Integration & Compliance Strategy • Understand what needs to be aligned, to what purpose, and where it is positioned within the SABSA framework • Business model or business process framework • Legislation, regulation or governance frameworks • Risk management methods, assurance framework or audit approach • IT Architecture framework or method • Controls framework, library or standard • Performance management & reporting framework • Etc.
Strategy & Planning Phase Alignment
Risk Management Method Alignment
Performance & Reporting Methods
Control Objectives Libraries & Standards
Controls Frameworks & Libraries
Generic Defense in Depth Layering
SABSA Defence-in-Depth Principles • No single point of failure • The architectural structure of the controls set improves security – The value of the whole is greater than the sum of the individual parts – Combinations of sensible measures in a collection of well designed control domains can deliver reasonable security • Without ‘rocket science’ • Without over-expenditure – The control domain structures themselves add value to overall security
Multi-tiered Controls Strategy - Capabilities • Over-investment in preventative measures results in prevention of business and opportunity • SABSA multi-tiered control strategy provides assurance of security capabilities (in design or in review/audit): – Risk-proportional capability to Deter – Risk-proportional capability to Prevent – Risk-proportional capability to Contain – Risk-proportional capability to Detect – Risk-proportional capability to Track – Risk-proportional capability to Recover – Risk-proportional capability to Assure the other capabilities
SABSA Multi-tiered Control Strategy
Application of Multi-tiered Controls In Risk • The multi-tiered controls strategy is modeled against the risk assessment to determine proportional and appropriate response • Contributes to selection of the right control in the right place at the right time • Enables further removal of subjectivity in selection of Risk Treatments • Facilitates construction of databases and risk management tools that respond to definitive risk scenarios with definitive control decisions • Increases speed and ease of use of Risk Assessment
Application of SABSA Multi-tier Control
Application of Multi-tiered Control Strategy
END OF PART III

Recommended

SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0Maganathin Veeraragaloo
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0Maganathin Veeraragaloo
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0Maganathin Veeraragaloo
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 

Recommended

SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0Maganathin Veeraragaloo
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0Maganathin Veeraragaloo
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0Maganathin Veeraragaloo
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0Maganathin Veeraragaloo
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0Maganathin Veeraragaloo
 
SABSA overview
SABSA overviewSABSA overview
SABSA overviewSABSAcourses
 
SABSA white paper
SABSA white paperSABSA white paper
SABSA white paperSABSAcourses
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Compliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPRCompliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPRSABSAcourses
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureSABSAcourses
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSAcourses
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 Erick Kish, U.S. Commercial Service
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architectureMubashirAslam5
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptxzeidali3
 

More Related Content

What's hot

Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Compliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPRCompliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPRSABSAcourses
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureSABSAcourses
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSAcourses
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architectureMubashirAslam5
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 

What's hot (20)

Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0
 
SABSA overview
SABSA overviewSABSA overview
SABSA overview
 
SABSA white paper
SABSA white paperSABSA white paper
SABSA white paper
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
Compliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPRCompliance to Enablement - SABSA & GDPR
Compliance to Enablement - SABSA & GDPR
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security Architecture
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summary
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 

Similar to SABSA Implementation(Part III)_ver1-0

SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptxzeidali3
 
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdfIntroduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdfssuserc3fe80
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Effective Strategies for Software Architecture Auditing
Effective Strategies for Software Architecture AuditingEffective Strategies for Software Architecture Auditing
Effective Strategies for Software Architecture AuditingCerebrum
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarAli Zeeshan
 
Secure Software Development Models and Methods integrated with CMMI.ppt
Secure Software Development Models and Methods integrated with CMMI.pptSecure Software Development Models and Methods integrated with CMMI.ppt
Secure Software Development Models and Methods integrated with CMMI.pptNeha Sharma
 
Webinar | Asset Management Health Check
Webinar | Asset Management Health CheckWebinar | Asset Management Health Check
Webinar | Asset Management Health CheckStork
 
Establishing the Core of an Effective Technology Risk Management Program
Establishing the Core of an Effective Technology Risk Management ProgramEstablishing the Core of an Effective Technology Risk Management Program
Establishing the Core of an Effective Technology Risk Management ProgramAmna Awan
 
2 Storage Readiness Assessment
2 Storage Readiness Assessment2 Storage Readiness Assessment
2 Storage Readiness AssessmentJeremiah Loscalzo
 
Soa 16 integrated soa governance
Soa 16 integrated soa governanceSoa 16 integrated soa governance
Soa 16 integrated soa governanceVaibhav Khanna
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 

Similar to SABSA Implementation(Part III)_ver1-0 (20)

SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
 
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdfIntroduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Isms
IsmsIsms
Isms
 
Effective Strategies for Software Architecture Auditing
Effective Strategies for Software Architecture AuditingEffective Strategies for Software Architecture Auditing
Effective Strategies for Software Architecture Auditing
 
ESA for Business
ESA for BusinessESA for Business
ESA for Business
 
Cloud Strategy First
Cloud Strategy First Cloud Strategy First
Cloud Strategy First
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
Cissp classroom program ievision
Cissp classroom program ievisionCissp classroom program ievision
Cissp classroom program ievision
 
Internal financial control - how ready are you - Webinar
Internal financial control - how ready are you - WebinarInternal financial control - how ready are you - Webinar
Internal financial control - how ready are you - Webinar
 
Secure Software Development Models and Methods integrated with CMMI.ppt
Secure Software Development Models and Methods integrated with CMMI.pptSecure Software Development Models and Methods integrated with CMMI.ppt
Secure Software Development Models and Methods integrated with CMMI.ppt
 
Webinar | Asset Management Health Check
Webinar | Asset Management Health CheckWebinar | Asset Management Health Check
Webinar | Asset Management Health Check
 
CISSP Training Program
CISSP Training ProgramCISSP Training Program
CISSP Training Program
 
Establishing the Core of an Effective Technology Risk Management Program
Establishing the Core of an Effective Technology Risk Management ProgramEstablishing the Core of an Effective Technology Risk Management Program
Establishing the Core of an Effective Technology Risk Management Program
 
2 Storage Readiness Assessment
2 Storage Readiness Assessment2 Storage Readiness Assessment
2 Storage Readiness Assessment
 
Soa 16 integrated soa governance
Soa 16 integrated soa governanceSoa 16 integrated soa governance
Soa 16 integrated soa governance
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 

More from Maganathin Veeraragaloo

Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Maganathin Veeraragaloo
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKMaganathin Veeraragaloo
 
Enterprise security architecture approach
Enterprise security architecture approachEnterprise security architecture approach
Enterprise security architecture approachMaganathin Veeraragaloo
 

More from Maganathin Veeraragaloo (20)

MULTI-CLOUD ARCHITECTURE
MULTI-CLOUD ARCHITECTUREMULTI-CLOUD ARCHITECTURE
MULTI-CLOUD ARCHITECTURE
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)
 
Cloud security (domain6 10)
Cloud security (domain6 10)Cloud security (domain6 10)
Cloud security (domain6 10)
 
Cloud Security (Domain1- 5)
Cloud Security (Domain1- 5)Cloud Security (Domain1- 5)
Cloud Security (Domain1- 5)
 
BTABOK / ITABOK
BTABOK / ITABOKBTABOK / ITABOK
BTABOK / ITABOK
 
Observability
ObservabilityObservability
Observability
 
Foresight 4 Cybersecurity
Foresight 4 CybersecurityForesight 4 Cybersecurity
Foresight 4 Cybersecurity
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
 
ITIL4 - DIGITAL TRUST FRAMEWORK
ITIL4 - DIGITAL TRUST FRAMEWORKITIL4 - DIGITAL TRUST FRAMEWORK
ITIL4 - DIGITAL TRUST FRAMEWORK
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
Open Digital Framework from TMFORUM
Open Digital Framework from TMFORUMOpen Digital Framework from TMFORUM
Open Digital Framework from TMFORUM
 
Enterprise security architecture approach
Enterprise security architecture approachEnterprise security architecture approach
Enterprise security architecture approach
 
Cloud and Data Privacy
Cloud and Data PrivacyCloud and Data Privacy
Cloud and Data Privacy
 
XaaS Overview
XaaS OverviewXaaS Overview
XaaS Overview
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
 
Multi Cloud Architecture Approach
Multi Cloud Architecture ApproachMulti Cloud Architecture Approach
Multi Cloud Architecture Approach
 

SABSA Implementation(Part III)_ver1-0

  • 3. Scope: Strategy & Planning Phase - Process
  • 4. Alignment, Integration & Compliance Strategy • Understand what needs to be aligned, to what purpose, and where it is positioned within the SABSA framework • Business model or business process framework • Legislation, regulation or governance frameworks • Risk management methods, assurance framework or audit approach • IT Architecture framework or method • Controls framework, library or standard • Performance management & reporting framework • Etc.
  • 5. Strategy & Planning Phase Alignment
  • 10. Generic Defense in Depth Layering
  • 11. SABSA Defence-in-Depth Principles • No single point of failure • The architectural structure of the controls set improves security – The value of the whole is greater than the sum of the individual parts – Combinations of sensible measures in a collection of well designed control domains can deliver reasonable security • Without ‘rocket science’ • Without over-expenditure – The control domain structures themselves add value to overall security
  • 12. Multi-tiered Controls Strategy - Capabilities • Over-investment in preventative measures results in prevention of business and opportunity • SABSA multi-tiered control strategy provides assurance of security capabilities (in design or in review/audit): – Risk-proportional capability to Deter – Risk-proportional capability to Prevent – Risk-proportional capability to Contain – Risk-proportional capability to Detect – Risk-proportional capability to Track – Risk-proportional capability to Recover – Risk-proportional capability to Assure the other capabilities
  • 14. Application of Multi-tiered Controls In Risk • The multi-tiered controls strategy is modeled against the risk assessment to determine proportional and appropriate response • Contributes to selection of the right control in the right place at the right time • Enables further removal of subjectivity in selection of Risk Treatments • Facilitates construction of databases and risk management tools that respond to definitive risk scenarios with definitive control decisions • Increases speed and ease of use of Risk Assessment
  • 15. Application of SABSA Multi-tier Control
  • 16. Application of Multi-tiered Control Strategy
  • 17. END OF PART III