SlideShare a Scribd company logo

SABSA Implementation(Part III)_ver1-0

Download as PPTX, PDF
Maganathin Veeraragaloo, profile picture
Maganathin Veeraragaloo

This document discusses strategies for implementing the SABSA framework for security architecture. It outlines aligning various frameworks and methods such as risk management, controls, performance reporting, and defense in depth layering with SABSA. A multi-tiered controls strategy is described that provides proportional capabilities to deter, prevent, contain, detect, track, and recover from risks. This strategy models controls against risk assessments to determine the appropriate control response based on risk proportionality.

1 of 17
Downloaded 505 times
1
2
3
4
5
6
7
8
9
10
11
12
Most read
13
14
15
Most read
16
Most read
17
SABSA Implementation Generic Approach PART III
ARCHITECTURAL STRATEGIES
Scope: Strategy & Planning Phase - Process
Alignment, Integration & Compliance Strategy • Understand what needs to be aligned, to what purpose, and where it is positioned within the SABSA framework • Business model or business process framework • Legislation, regulation or governance frameworks • Risk management methods, assurance framework or audit approach • IT Architecture framework or method • Controls framework, library or standard • Performance management & reporting framework • Etc.
Strategy & Planning Phase Alignment
Risk Management Method Alignment
Performance & Reporting Methods
Control Objectives Libraries & Standards
Controls Frameworks & Libraries
Generic Defense in Depth Layering
SABSA Defence-in-Depth Principles • No single point of failure • The architectural structure of the controls set improves security – The value of the whole is greater than the sum of the individual parts – Combinations of sensible measures in a collection of well designed control domains can deliver reasonable security • Without ‘rocket science’ • Without over-expenditure – The control domain structures themselves add value to overall security
Multi-tiered Controls Strategy - Capabilities • Over-investment in preventative measures results in prevention of business and opportunity • SABSA multi-tiered control strategy provides assurance of security capabilities (in design or in review/audit): – Risk-proportional capability to Deter – Risk-proportional capability to Prevent – Risk-proportional capability to Contain – Risk-proportional capability to Detect – Risk-proportional capability to Track – Risk-proportional capability to Recover – Risk-proportional capability to Assure the other capabilities
SABSA Multi-tiered Control Strategy
Application of Multi-tiered Controls In Risk • The multi-tiered controls strategy is modeled against the risk assessment to determine proportional and appropriate response • Contributes to selection of the right control in the right place at the right time • Enables further removal of subjectivity in selection of Risk Treatments • Facilitates construction of databases and risk management tools that respond to definitive risk scenarios with definitive control decisions • Increases speed and ease of use of Risk Assessment
Application of SABSA Multi-tier Control
Application of Multi-tiered Control Strategy
END OF PART III

More Related Content

PPTX
SABSA Implementation(Part I)_ver1-0
Maganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part V)_ver1-0
Maganathin Veeraragaloo
 
PDF
Security review using SABSA
Maganathin Veeraragaloo
 
PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
PPTX
SABSA Implementation(Part IV)_ver1-0
Maganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
PPTX
SABSA overview
SABSAcourses
 
SABSA Implementation(Part I)_ver1-0
Maganathin Veeraragaloo
 
SABSA Implementation(Part V)_ver1-0
Maganathin Veeraragaloo
 
Security review using SABSA
Maganathin Veeraragaloo
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
SABSA Implementation(Part IV)_ver1-0
Maganathin Veeraragaloo
 
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
SABSA overview
SABSAcourses
 

What's hot (20)

PPTX
Modelling Security Architecture
narenvivek
 
PDF
Enterprise Security Architecture
Kris Kimmerle
 
PPT
SABSA - Business Attributes Profiling
SABSAcourses
 
PDF
SABSA white paper
SABSAcourses
 
PPTX
Adaptive Enterprise Security Architecture
SABSAcourses
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
PPTX
Security architecture frameworks
John Arnold
 
PPTX
Enterprise Security Architecture Design
Priyanka Aash
 
PDF
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
PDF
Practical Enterprise Security Architecture
Priyanka Aash
 
PDF
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
 
PPTX
Enterprise Security Architecture
Priyanka Aash
 
PPTX
Conceptual security architecture
MubashirAslam5
 
PDF
Security-by-Design in Enterprise Architecture
The Open Group SA
 
PDF
Enterprise Security Architecture
Priyanka Aash
 
PDF
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
PPTX
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PDF
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
PPTX
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Modelling Security Architecture
narenvivek
 
Enterprise Security Architecture
Kris Kimmerle
 
SABSA - Business Attributes Profiling
SABSAcourses
 
SABSA white paper
SABSAcourses
 
Adaptive Enterprise Security Architecture
SABSAcourses
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
Security architecture frameworks
John Arnold
 
Enterprise Security Architecture Design
Priyanka Aash
 
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Practical Enterprise Security Architecture
Priyanka Aash
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
 
Enterprise Security Architecture
Priyanka Aash
 
Conceptual security architecture
MubashirAslam5
 
Security-by-Design in Enterprise Architecture
The Open Group SA
 
Enterprise Security Architecture
Priyanka Aash
 
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Ad

Similar to SABSA Implementation(Part III)_ver1-0 (20)

PPTX
**"Effective Cloud Service Strategy for Growth"**
rp6336567
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
PPTX
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
zeidali3
 
PDF
What Are the Best Practices for IT Infrastructure Operations.pdf
jacobb271995
 
PDF
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
ssuserc3fe80
 
PPTX
HITRUST Certification
ControlCase
 
PPTX
uses_and_benefits_of_framework based on NIST
tofen73610
 
PPTX
ASSET INTEGRITY MANAGEMENT SYSTEM-BOOK.pptx
Rachmat Boerhan
 
PPTX
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
PPTX
IT Security Bachelor in information technology.pptx
MahmadKasimAnsari
 
PPTX
Isms
penetration Tester
 
PDF
Effective Strategies for Software Architecture Auditing
Cerebrum
 
PPTX
ESA for Business
Maganathin Veeraragaloo
 
PPTX
Information Security Blueprint
Zefren Edior
 
PDF
Cissp classroom program ievision
IEVISION IT SERVICES Pvt. Ltd
 
PPT
Internal financial control - how ready are you - Webinar
Ali Zeeshan
 
PPT
Secure Software Development Models and Methods integrated with CMMI.ppt
Neha Sharma
 
PPTX
Webinar | Asset Management Health Check
Stork
 
PDF
CISSP Training Program
IEVISION IT SERVICES Pvt. Ltd
 
PDF
Establishing the Core of an Effective Technology Risk Management Program
Amna Awan
 
**"Effective Cloud Service Strategy for Growth"**
rp6336567
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
zeidali3
 
What Are the Best Practices for IT Infrastructure Operations.pdf
jacobb271995
 
Introduction to SABSA for BAs - Sac Valley IIBA 09.20.17 FINAL.pdf
ssuserc3fe80
 
HITRUST Certification
ControlCase
 
uses_and_benefits_of_framework based on NIST
tofen73610
 
ASSET INTEGRITY MANAGEMENT SYSTEM-BOOK.pptx
Rachmat Boerhan
 
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
IT Security Bachelor in information technology.pptx
MahmadKasimAnsari
 
Isms
penetration Tester
 
Effective Strategies for Software Architecture Auditing
Cerebrum
 
ESA for Business
Maganathin Veeraragaloo
 
Information Security Blueprint
Zefren Edior
 
Cissp classroom program ievision
IEVISION IT SERVICES Pvt. Ltd
 
Internal financial control - how ready are you - Webinar
Ali Zeeshan
 
Secure Software Development Models and Methods integrated with CMMI.ppt
Neha Sharma
 
Webinar | Asset Management Health Check
Stork
 
CISSP Training Program
IEVISION IT SERVICES Pvt. Ltd
 
Establishing the Core of an Effective Technology Risk Management Program
Amna Awan
 
Ad

More from Maganathin Veeraragaloo (20)

PPTX
MULTI-CLOUD ARCHITECTURE
Maganathin Veeraragaloo
 
PPTX
Cloud security (domain11 14)
Maganathin Veeraragaloo
 
PPTX
Cloud security (domain6 10)
Maganathin Veeraragaloo
 
PPTX
Cloud Security (Domain1- 5)
Maganathin Veeraragaloo
 
PPTX
BTABOK / ITABOK
Maganathin Veeraragaloo
 
PPTX
Observability
Maganathin Veeraragaloo
 
PPTX
Foresight 4 Cybersecurity
Maganathin Veeraragaloo
 
PPTX
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
PPTX
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PPTX
ISO 27005 - Digital Trust Framework
Maganathin Veeraragaloo
 
PPTX
ITIL4 - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PPTX
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PPTX
COBIT 2019 - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PPTX
Open Digital Framework from TMFORUM
Maganathin Veeraragaloo
 
PPTX
Enterprise security architecture approach
Maganathin Veeraragaloo
 
PPTX
Cloud and Data Privacy
Maganathin Veeraragaloo
 
PPTX
XaaS Overview
Maganathin Veeraragaloo
 
PPTX
Multi cloud security architecture
Maganathin Veeraragaloo
 
PPTX
Multi Cloud Architecture Approach
Maganathin Veeraragaloo
 
MULTI-CLOUD ARCHITECTURE
Maganathin Veeraragaloo
 
Cloud security (domain11 14)
Maganathin Veeraragaloo
 
Cloud security (domain6 10)
Maganathin Veeraragaloo
 
Cloud Security (Domain1- 5)
Maganathin Veeraragaloo
 
BTABOK / ITABOK
Maganathin Veeraragaloo
 
Observability
Maganathin Veeraragaloo
 
Foresight 4 Cybersecurity
Maganathin Veeraragaloo
 
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
ISO 27005 - Digital Trust Framework
Maganathin Veeraragaloo
 
ITIL4 - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
Open Digital Framework from TMFORUM
Maganathin Veeraragaloo
 
Enterprise security architecture approach
Maganathin Veeraragaloo
 
Cloud and Data Privacy
Maganathin Veeraragaloo
 
XaaS Overview
Maganathin Veeraragaloo
 
Multi cloud security architecture
Maganathin Veeraragaloo
 
Multi Cloud Architecture Approach
Maganathin Veeraragaloo
 

SABSA Implementation(Part III)_ver1-0

  • 3. Scope: Strategy & Planning Phase - Process
  • 4. Alignment, Integration & Compliance Strategy • Understand what needs to be aligned, to what purpose, and where it is positioned within the SABSA framework • Business model or business process framework • Legislation, regulation or governance frameworks • Risk management methods, assurance framework or audit approach • IT Architecture framework or method • Controls framework, library or standard • Performance management & reporting framework • Etc.
  • 5. Strategy & Planning Phase Alignment
  • 10. Generic Defense in Depth Layering
  • 11. SABSA Defence-in-Depth Principles • No single point of failure • The architectural structure of the controls set improves security – The value of the whole is greater than the sum of the individual parts – Combinations of sensible measures in a collection of well designed control domains can deliver reasonable security • Without ‘rocket science’ • Without over-expenditure – The control domain structures themselves add value to overall security
  • 12. Multi-tiered Controls Strategy - Capabilities • Over-investment in preventative measures results in prevention of business and opportunity • SABSA multi-tiered control strategy provides assurance of security capabilities (in design or in review/audit): – Risk-proportional capability to Deter – Risk-proportional capability to Prevent – Risk-proportional capability to Contain – Risk-proportional capability to Detect – Risk-proportional capability to Track – Risk-proportional capability to Recover – Risk-proportional capability to Assure the other capabilities
  • 14. Application of Multi-tiered Controls In Risk • The multi-tiered controls strategy is modeled against the risk assessment to determine proportional and appropriate response • Contributes to selection of the right control in the right place at the right time • Enables further removal of subjectivity in selection of Risk Treatments • Facilitates construction of databases and risk management tools that respond to definitive risk scenarios with definitive control decisions • Increases speed and ease of use of Risk Assessment
  • 15. Application of SABSA Multi-tier Control
  • 16. Application of Multi-tiered Control Strategy
  • 17. END OF PART III