530754456aca926e2469c437a35393f8.ppt
- Number of slides: 51
Changing the Security Landscape SABSA Institute
What is SABSA? Sherwood Applied Business Security Architecture
- The world’s leading free-use and open-source security architecture development and management method
- Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure & service management solutions that traceably support critical business initiatives
- Development, maintenance, certification and accreditation are governed by the SABSA Institute
SABSA Foundation 2010
What is SABSA? Sherwood Applied Business Security Architecture
- Comprised of a number of integrated frameworks, models, methods and processes, including:
  - Business Requirements Engineering Framework (also known as Attributes Profiling)
  - Risk & Opportunity Management Framework
  - Policy Architecture Framework
  - Security Services-Oriented Architecture Framework
  - Governance Framework
  - Security Domain Framework
  - Through-life Security Service & Performance Management
What is SABSA? SABSA History & Development
- White Paper originally authored by John Sherwood, 1995
- First use in global financial messaging (S.W.I.F.T.net), 1995
- SABSA Textbook (CMP / Elsevier version) by John Sherwood, Andrew Clark & David Lynas, 2005
  - “Enterprise Security Architecture: A Business-driven Approach”
  - ISBN 1-57820-318-X
- Adopted as UK MoD Information Assurance Standard, 2007
- Certification programme introduced March 2007
- Upcoming publications:
  - SABSA Pocket Guide (Van Haren)
  - SABSA Textbook (Van Haren)
Why is SABSA So Successful? Institute Status
- In the UK, “Institute” has a protected and highly-regulated status
- SABSA Institute is a formal non-profit ‘Community-of-Interest’ Corporation
- SABSA Intellectual Property can never be sold
  - Underwrites free-use status in perpetuity
  - Guarantees protected on-going development
- Independently certifies & accredits SABSA Architects to provide confidence & assurance to industry, government & the professional community
Why is SABSA So Successful? Features & Advantages Summary

FEATURE                  ADVANTAGE
Business-driven          Value-assured
Risk-focused             Prioritised & proportional responses
Comprehensive            Scalable scope
Modular                  Agility: ease of implementation & management
Open Source (protected)  Free use, open source, global standard
Auditable                Demonstrates compliance
Transparent              Two-way traceability
Why is SABSA So Successful? Unique Selling Points & “Elevator Pitches”
- Each of the seven primary features and advantages can be interpreted and customised into key “elevator pitch” messages and unique selling points (USPs) for specific stakeholders or customers
- There is a case study example created for eight stakeholders / job titles at a global bank in the reference document “SABSA Features, Advantages & Benefits Summary”
Why is SABSA So Successful? Competency-based Professional Certification
- Real ‘professionals’ (such as pilots and doctors) are not certified by their professional body based on knowledge
  - They are required to demonstrate application of skill
  - Career progression is achieved by ‘doing’ not ‘knowing’
- Certification by the SABSA Institute is competency-based
  - It delivers to stakeholders the assurance, trust and confidence that a professional has demonstrated the skill and ability to use the SABSA method in the real world
How is SABSA Used? Applications of SABSA
- Enterprise Security Architecture
- Enterprise Architecture
- Individual solutions-based Architectures
- Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO 27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
- Filling the security architecture and security service management gaps in other frameworks
How is SABSA Used? Applications of SABSA
- Business requirements engineering
- Solutions traceability
- Risk & Opportunity Management
- Information Assurance
- Governance, Compliance & Audit
- Policy Architecture
How is SABSA Used? Applications of SABSA
- Security service management
- IT Service management
- Security performance management, measures & metrics
- Service performance management, measures & metrics
- Over-arching decision-making framework for end-to-end solutions
Who Uses SABSA? SABSA User Base
- As SABSA is free-use and registration is not required, we do not have a definitive list of user organisations
- However, we do know the profiles of the thousands of professionals who have qualified as SABSA Chartered Architects
- There are SABSA Chartered Architects at Foundation Level (SCF) in more than 40 countries, on every continent, and from every imaginable business sector
Who Uses SABSA? Growth & Standardisation
- SABSA is a standard (formal & de facto) world-wide, including:
  - UK Ministry of Defence: Information Assurance Standard
  - Canadian Government: Architecture Development Standard
  - The Open Group: TOGAF Security Standard
  - USA Government: NIST Security Standard for SmartGrid
  - Finance Sector, including European Central Bank & Westpac
- And is widely referenced as a recommended approach, including:
  - ISACA: CISM Study Guides & Examinations
  - IT Governance Institute: Executive Guide to Governance
Where is SABSA Used? SABSA Demographics
- SABSA is used world-wide and SABSA Chartered Architects exist in more than 40 countries, including those shown on the next slide:
Where is SABSA Used? SABSA Demographics
- Europe: Belgium, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom
- Americas: Argentina, Canada, Colombia, Mexico, United States
- Asia Pacific: Australia, China, Hong Kong, India, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
- Africa & Middle East: Algeria, Bahrain, Oman, Saudi Arabia, South Africa, United Arab Emirates
When is SABSA Used? SABSA as a Through-Life Solution Framework
- SABSA is used ‘through-life’: throughout the entire lifecycle from business requirements engineering to managing the solutions delivered
- Business View: Contextual Architecture
- Architect’s View: Conceptual Architecture
- Designer’s View: Logical Architecture
- Builder’s View: Physical Architecture
- Tradesman’s View: Component Architecture
- Service Manager’s View: Operational Architecture
- Lifecycle phases: Strategy & Planning, Design, Implement, Manage & Measure
Independent Assessment of Frameworks
- Independent assessment on behalf of UK Government (Jan 2007)
- Assessed Information Assurance and Architecture frameworks
  - Open source, e.g. SABSA
  - Proprietary, e.g. Gartner
  - Provider, e.g. IBM MASS
  - Pre-existing in-house methodologies and frameworks
- SABSA top-scored in every assessment category
- Discriminating factors included
  - Comprehensive, flexible and adaptable
  - Competency development and training
  - Non-proprietary / open source
  - Business and risk focus
  - No ties to specific vendors or suppliers
  - No ties to specific standards or technologies
  - Enables open competition
The Problem of Architecture SABSA Foundation 2010 17
The Issue with Architectural Strategy
- Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion… or it will be killed.
- Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle… or it will die of starvation.
- Is it better to be a Lion or a Gazelle?
Business View – Survival Strategy: When the sun comes up in Africa, it doesn’t matter what shape you are. If you want to survive, what matters is that you’d better be running!
The Importance of a Framework SABSA Foundation 2010 19
SABSA Architecture Guiding Principles
- Architecture must not presuppose any particular:
  - Cultures or operating regimes
  - Management style
  - Set of management processes
  - Management standards
  - Technical standards
  - Technology platforms
SABSA Architecture Guiding Principles
- Architecture must meet YOUR unique set of business requirements
- Architecture must provide sufficient flexibility to incorporate choice and change of policy, standards, practices, or legislation
  - ISO 27001, ACSI 33, DSD ISR, HIPAA, ISF Code, CobIT, SOx, PCI, NIST, etc.
  - ITIL, TNN, ISO 9000, etc.
  - AS / NZS 4360, Basel II, ISO 27005, etc.
  - Balanced scorecards, capability maturity models, ROI, NPV, etc.
- When a question is asked starting with “Is this Architecture compatible / compliant with…?”, a good Architecture framework will automatically have the answer “Yes”
- A good architecture provides the roadmap for joining together all of your requirements, whatever they might be, or become
- It does not replace ITIL or ISO 27001 or NIST etc., but rather enables their deployment and effective integration into the corporate culture
Built to Drive Complex Design Solutions
- SABSA influenced in 1995 by need to enhance ISO 7498-2
- ISO 7498-1 layers: Applications, Presentation, Session, Transport, Network, Link, Physical
- ISO 7498-2: Logical Security Services; Physical Security Mechanisms
- SABSA Views: Contextual Architecture and Conceptual Architecture (Business Driven Requirements & Strategy); Logical Architecture, Physical Architecture and Component Architecture (Detailed Custom Specification); Operational Architecture (Service Management)
Architecture Reconsidered
- Business View: Contextual Architecture
- Architect’s View: Conceptual Architecture
- Designer’s View: Logical Architecture
- Builder’s View: Physical Architecture
- Tradesperson’s View: Component Architecture
- Service Manager’s View: Operational Architecture
Vertical Analysis: Six Honest Serving Security Men
- What: What are we trying to do at this layer? The assets, goals & objectives to be protected & enhanced
- Why: Why are we doing it? The risk & opportunity motivation at this layer
- How: How are we trying to do it? The processes required to achieve security at this layer
- Who: Who is involved? The people and organisational aspects of security at this layer
- Where: Where are we doing it? The locations where we are applying security at this layer
- When: When are we doing it? The time related aspects of security at this layer
The SABSA Matrix
Columns: Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)
- Contextual: Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
- Conceptual: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
- Logical: Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
- Physical: Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
- Component: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Locator Tools & Standards | Step Timing & Sequencing Tools
- Operational: Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management
Architecture Strategy & Planning Phase Assets (what) People (who) Location (where) Time (when) Business Risk Business Processes Business Governance Business Geography Business Time Dependence Taxonomy of Business Assets, Including Goals & Objectives Opportunities & Threats Inventory of Operational Processes Organisational Structure & the Extended Enterprise Inventory of Buildings, Sites, Territories, Jurisdictions etc. Time Dependencies of Business Objectives Business Knowledge & Risk Strategy Conceptual Process (how) Business Decisions Contextual Motivation (why) Risk Management Objectives Strategies for Process Assurance Roles & Responsibilities Domain Framework Time Management Framework Security Domain Concepts & Framework Through-life Risk Management Framework Process Mapping Enablement Owners, Custodians Business Attributes Framework; & Control Objectives; & Users; Service Profile Architectural Strategies Policy Architecture Providers & Customers for ICT SABSA Foundation 2010 26
Architecture Design Phase Assets (what) Process (how) People (who) Location (where) Time (when) Information Assets Risk Management Policies Process Maps & Services Entity & Trust Framework Domain Maps Calendar & Timetable Inventory of Information Assets Domain Policies Information Flows; Functional Transformations; SOA Entity Schema; Trust Models; Privilege Profiles Domain Definitions; Inter-domain Associations & Inter-actions Start Times, Lifetimes & Deadlines Data Assets Risk Management Practices Process Mechanisms Human Interface ICT Infrastructure Processing Schedule Data Dictionary & Data Inventory Risk Management Rules & Procedures Applications, Middleware; Systems; Security Mechanisms User Interface to ICT Systems; Access Control Systems Host Platforms & Networks Layout Timing & Sequencing of Processes & Sessions ICT Components Logical Motivation (why) Risk Management Tools & Standards Process Tools & Standards Personnel Man’nt Tools & Standards Locator Tools & Standards Step Timing & Sequencing Tools Identities, Job Descriptions; Roles; Functions; Actions & ACLs Nodes, Addresses & Other Locators Time Schedules; Clocks; Timers & Interrupts Physical Component ICT Products, Data Repositories & Processors SABSA Foundation 2010 Risk Analysis Tools; Risk Registers; Tools & Protocols for Process Delivery Risk Monitoring, Reporting & Treatment 27
Design Framework (Service Management View) Contextual Security Architecture Logical Security Architecture Physical Security Architecture Security Service Management Architecture Conceptual Security Architecture Component Security Architecture SABSA Foundation 2010 28
SABSA Service Management Architecture Assets (What) Motivation (Why) Process (How) Service Delivery Management Operational Risk Management Process Delivery Management People (Who) Location (Where) Time (When) Time & Personnel Management of Performance Management Environment Management The row above is a repeat of Layer 6 of the main SABSA Matrix. The five rows below are an exploded overlay of how this Layer 6 relates to each of these other Layers Contextual Business Driver Definitions Conceptual Proxy Asset Definitions Logical Asset Management Policy Management Service Delivery Management Physical Asset Security & Protection Operational Risk Data Collection Operations Management User Support Component Tool Protection ORM Tools Tool Deployment Personnel Deployment SABSA Foundation 2010 Business Risk Assessment Service Management Developing ORM Service Delivery Objectives Planning Relationship Management Service Management Roles Service Customer Support Point-of-Supply Management Performance Management Service Portfolio Service Level Definitions Service Catalogue Management Service Resources Protection Security Management Tools Evaluation Management Service Performance Data Collection Service Monitoring Tools 29
Built to Integrate Management Practices
- SABSA Service Management designed to comply with, integrate, and enable management best practice of the day
- Operational Architecture, service management side: designed-in then with ITIL (Code of Practice for Information Technology Service Management); compatible now with ISO 20000 Service Management
- Operational Architecture, security management side: designed-in then with BS 7799(1) (controls library) and BS 7799(2) (ISMS), the Code of Practice for Information Security Management; compatible now with ISO 17799 (controls library), ISO 27001 (ISMS) and ISO 27002 (controls library)
SABSA Top-Down Process Analysis
- Contextual: Meta-Processes
- Conceptual: Strategic View of Process
- Logical: Information Flows & Transformations
- Physical: Data Flows & System Interactions
- Component: Protocols & Step Sequences
- Vertical Security Consistency across the layers; Horizontal Security Consistency along each layer
Traceability For Completeness
- Layers: Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Security Architecture, Security Service Management Architecture
- Every business requirement for security is met and the residual risk is acceptable to the business appetite
Traceability For Justification
- Layers: Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Security Architecture, Security Service Management Architecture
- Every operational or technological security element can be justified by reference to a risk-prioritised business requirement.
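The two traceability properties on the preceding slides can be checked mechanically once the architecture is recorded as elements that each point at the element(s) one layer up that justify them. The following is an added example written for this page (it is not code from the SABSA Institute or from any SABSA tool): the layer names follow the deck, while the requirement, attribute, service, mechanism and component identifiers, the residual-risk scores and the appetite value are constructed illustrations. "Completeness" is taken as every contextual requirement reaching at least one component with residual risk within appetite; "justification" as every lower-layer element tracing back to a contextual requirement.

```python
"""Two-way traceability check over a SABSA-style layered architecture.

Added example for this page, not code from the SABSA Institute.  All element
identifiers, residual-risk scores and the appetite are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

LAYERS = ["contextual", "conceptual", "logical", "physical", "component"]


@dataclass
class Element:
    layer: str
    parents: tuple = ()  # ids of elements one layer up that justify this one


# Constructed sample.  REQ-3 deliberately has no design chain, and
# MECH-ids / COMP-ids-sensor deliberately trace to no business requirement.
SAMPLE = {
    "REQ-1": Element("contextual"),      # payments must be correct
    "REQ-2": Element("contextual"),      # customer data must stay private
    "REQ-3": Element("contextual"),      # service usable in trading hours
    "ATTR-integrity": Element("conceptual", ("REQ-1",)),
    "ATTR-confidential": Element("conceptual", ("REQ-2",)),
    "SVC-msg-integrity": Element("logical", ("ATTR-integrity",)),
    "SVC-confidentiality": Element("logical", ("ATTR-confidential",)),
    "MECH-mac": Element("physical", ("SVC-msg-integrity",)),
    "MECH-tls": Element("physical", ("SVC-confidentiality", "SVC-msg-integrity")),
    "MECH-ids": Element("physical"),     # deployed, but justified by nothing
    "COMP-hmac-sha256": Element("component", ("MECH-mac",)),
    "COMP-tls-lib": Element("component", ("MECH-tls",)),
    "COMP-ids-sensor": Element("component", ("MECH-ids",)),
}
# Constructed residual-risk scores (1 = low, 5 = high); REQ-3 was never assessed.
RESIDUAL_RISK = {"REQ-1": 2, "REQ-2": 4}
APPETITE = 3


def _validate(arch):
    """Every parent must exist and sit exactly one layer above its child."""
    for eid, el in arch.items():
        if el.layer not in LAYERS:
            raise ValueError(f"{eid}: unknown layer {el.layer}")
        for p in el.parents:
            if p not in arch:
                raise ValueError(f"{eid}: unknown parent {p}")
            if LAYERS.index(arch[p].layer) != LAYERS.index(el.layer) - 1:
                raise ValueError(f"{eid}: parent {p} is not one layer up")


def _reaches(start, arch, neighbours, goal_layer):
    """Depth-first walk along `neighbours` until an element in goal_layer is found."""
    stack, seen = [start], {start}
    while stack:
        cur = stack.pop()
        if arch[cur].layer == goal_layer:
            return True
        for nxt in neighbours(cur):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def completeness_gaps(arch, residual_risk, appetite):
    """Traceability for completeness: each business requirement must reach an
    implementing component and its residual risk must be within appetite."""
    _validate(arch)
    children = defaultdict(set)
    for eid, el in arch.items():
        for p in el.parents:
            children[p].add(eid)
    gaps = {}
    for eid, el in arch.items():
        if el.layer != "contextual":
            continue
        reasons = []
        if not _reaches(eid, arch, lambda e: children[e], "component"):
            reasons.append("no implementing component")
        if eid not in residual_risk:
            reasons.append("residual risk not assessed")
        elif residual_risk[eid] > appetite:
            reasons.append("residual risk above appetite")
        if reasons:
            gaps[eid] = reasons
    return gaps


def justification_gaps(arch):
    """Traceability for justification: every element below the contextual
    layer must trace up to at least one business requirement."""
    _validate(arch)
    return sorted(eid for eid, el in arch.items()
                  if el.layer != "contextual"
                  and not _reaches(eid, arch, lambda e: arch[e].parents, "contextual"))


if __name__ == "__main__":
    print("completeness gaps:", completeness_gaps(SAMPLE, RESIDUAL_RISK, APPETITE))
    print("unjustified elements:", justification_gaps(SAMPLE))
```

Run against the sample, the completeness check reports REQ-2 (traced, but residual risk above appetite) and REQ-3 (nothing implements it, and it was never assessed), and the justification check reports the IDS mechanism and its sensor, which no business requirement calls for. Restricting parents to the layer immediately above is what keeps the trace readable layer by layer; an element that skips a layer is rejected rather than silently accepted.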
The Problem of Defining Security
- “Security is the means of achieving acceptable level of residual risks”
- “The value of the information has to be protected”
- “This value is determined in terms of confidentiality, integrity & availability”
Security Reconsidered SABSA Foundation 2010 35
SABSA Business Attributes
- Powerful requirements engineering technique
- Populates the vital ‘missing link’ between business requirements and technology / process design
- Each attribute is an abstraction of a business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
- Attributes can be tangible or intangible
- Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
- Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
- The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
Sample Taxonomy of ICT Attributes Business Attributes User Attributes Management Attributes Operational Attributes Risk Management Attributes Legal / Regulatory Attributes Technical Strategy Attributes Business Strategy Attributes Accessible Automated Available Access-controlled Admissible Architecturally Open Brand Enhancing Accurate Change-managed Detectable Accountable Compliant COTS / GOTS Business-Enabled Anonymous Continuous Error-Free Assurable Enforceable Extendible Competent Consistent Controlled Inter-Operable Assuring Honesty Insurable Flexible / Adaptable Confident Current Cost-Effective Productive Auditable Legal Future-Proof Credible Duty Segregated Efficient Recoverable Authenticated Liability Managed Legacy-Sensitive Culture-sensitive Educated & Aware Maintainable Authorised Regulated Migratable Enabling time-to-market Informed Measured Capturing New Risks Resolvable Multi-Sourced Governable Motivated Monitored Confidential Time-bound Scalable Providing Good Stewardship and Custody Protected Supportable Crime-Free Simple Reliable Flexibly Secure Standards Compliant Responsive Identified Traceable Transparent Independently Secure Upgradeable Supported In our sole possession Timely Integrity-Assured Usable Non-Repudiable Providing Investment Re-use Providing Return on Investment Reputable Owned Private SABSA Foundation 2010 Trustworthy 37
Attributes Usage
- Attributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshop
- Pick-list of desired requirements
- Cross-check for completeness of requirements
- Key to traceability mappings
- Measurement & operations: contracts, SLAs, performance targets
- Return on Investment & Value propositions
- Procurement
- Risk status summary & risk monitoring
- Key to a SABSA integrated compliance tool
- Powerful executive communications
SABSA BAP - the Key to Framework Integration
Extract reproduced with permission from Hans Hopman, ISO 27000 committee
Security Services Value Reconsidered SABSA Foundation 2010 40
Risk Reconsidered - SABSA O.R.M.
Risk Context: Threats, Assets at Risk, Opportunities
- Negative Outcomes: Likelihood of threat materialising and Likelihood of weakness exploited give the Overall likelihood of loss; Asset value and Negative impact value give the Overall loss value; together they characterise the Loss Event
- Positive Outcomes: Likelihood of opportunity materialising and Likelihood of strength exploited give the Overall likelihood of benefit; Asset value and Positive impact value give the Overall benefit value; together they characterise the Beneficial Event
Feedback Control Loop System
- Monitoring & Measurement Sub-System: reports new state of system to the Decision Sub-System
- Decision Sub-System: calls for new parameter settings from the Control Sub-System
- Control Sub-System: affects state of system, which the Monitoring & Measurement Sub-System observes again
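The attribute slide earlier (a named attribute with a metric and a performance target, reported against in the Manage & Measure phase) and the control loop on this slide fit together: the measurement of an attribute is what the Monitoring & Measurement sub-system reports, and the target is what the Decision sub-system compares it with. The following added example (not code from the SABSA Institute) wires the three sub-systems around one constructed attribute; the attribute name "Current", the patch-compliance metric, the 95 % target, the host counts and the adjustment rule in `decide` are all assumptions made for the illustration.

```python
"""Feedback control loop driven by a SABSA business attribute.

Added example for this page, not SABSA Institute code.  The attribute, its
metric and target, the host estate and the tuning rule are constructed.
"""
from dataclasses import dataclass


@dataclass
class Attribute:
    """A business attribute with its measurement approach and performance target."""
    name: str
    metric: str
    target: float        # e.g. 0.95: 95 % of hosts must be inside the patch window


@dataclass
class SystemState:
    """Constructed model of the controlled system: a host estate being patched."""
    hosts: int
    unpatched: int       # hosts currently outside the patch window
    patch_capacity: int  # hosts patched per cycle: the parameter the loop tunes


def monitor(state: SystemState) -> float:
    """Monitoring & Measurement sub-system: report the new state as the metric."""
    return (state.hosts - state.unpatched) / state.hosts


def decide(measured: float, attr: Attribute, capacity: int) -> int:
    """Decision sub-system: compare measurement with target and call for new
    parameter settings (more capacity below target, less when well above it)."""
    if measured < attr.target:
        return capacity + 10
    if measured > attr.target + 0.03:
        return max(10, capacity - 5)
    return capacity


def control(state: SystemState, capacity: int) -> None:
    """Control sub-system: apply the new setting, affecting the state of the system."""
    state.patch_capacity = capacity


def environment(state: SystemState, new_vulnerable: int) -> None:
    """Outside the loop: new vulnerable hosts appear, patching clears up to capacity."""
    state.unpatched = max(0, state.unpatched + new_vulnerable - state.patch_capacity)


def run_loop(attr: Attribute, state: SystemState, arrivals):
    """One loop cycle per arrival count.  Returns (metric, capacity, target met)
    per cycle: the reporting / SLA feed of the Manage & Measure phase."""
    report = []
    for n in arrivals:
        environment(state, n)
        measured = monitor(state)
        control(state, decide(measured, attr, state.patch_capacity))
        report.append((round(measured, 3), state.patch_capacity, measured >= attr.target))
    return report


ATTRIBUTE = Attribute("Current", "share of hosts patched within the agreed window", 0.95)


def demo():
    """Constructed scenario: 1000 hosts, 200 behind, 30 newly vulnerable per cycle."""
    return run_loop(ATTRIBUTE, SystemState(hosts=1000, unpatched=200, patch_capacity=20),
                    [30] * 12)


if __name__ == "__main__":
    for cycle, (metric, capacity, ok) in enumerate(demo(), 1):
        status = "OK" if ok else "BELOW TARGET"
        print(f"cycle {cycle:2d}: {ATTRIBUTE.name} = {metric:.3f} "
              f"capacity={capacity:3d} {status}")
```

In the constructed run the metric starts at 0.79, the loop raises patch capacity each cycle until the target is met in the eighth cycle, and then backs capacity off again once the estate is fully patched. The per-cycle tuple is the kind of record that the attribute's SLA report would be built from.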
SABSA Multi-tiered Control Strategy
- Deterrence
- Prevention
- Containment
- Detection & Notification
- Evidence Collection & Tracking
- Recovery & Restoration
- Audit & Assurance
SABSA Operation of Controls
- Threats exploit Vulnerabilities, causing Incidents, affecting Assets, producing Business Impacts
- Deterrent Controls reduce Threats
- Preventive Controls reduce Vulnerabilities
- Detective Controls discover Incidents and trigger Corrective Controls
- Corrective Controls reduce Business Impacts
- Business Impacts feed Risk Assessment, which leads to Selection of Controls
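The O.R.M. slide names the factors on each side of a risk (threat and weakness likelihoods, asset and impact values, and their positive counterparts), and this slide says which control type acts on which factor and that risk assessment drives the selection of controls. The following added example (not SABSA Institute code) puts both on one small model. The slides give no formulas, so three assumptions are made and labelled: likelihoods combine multiplicatively, each control removes a fixed fraction of the quantity it acts on, and a corrective control only takes effect when a detective control exists to trigger it. The risk context, the candidate controls and their reduction factors are constructed figures.

```python
"""Risk before and after controls, in the SABSA O.R.M. vocabulary.

Added example for this page, not SABSA Institute code.  Assumptions not on
the slides: likelihoods multiply, each control removes a fixed fraction of
the quantity it acts on, and a corrective control works only when a
detective control exists to trigger it.  All figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class RiskContext:
    name: str
    p_threat: float               # likelihood of threat materialising
    p_weakness: float             # likelihood of weakness exploited
    asset_value: float
    negative_impact: float        # fraction of asset value lost in a loss event
    p_opportunity: float = 0.0    # likelihood of opportunity materialising
    p_strength: float = 0.0       # likelihood of strength exploited
    positive_impact: float = 0.0  # fraction of asset value gained in a beneficial event


@dataclass
class Control:
    name: str
    kind: str         # deterrent | preventive | detective | corrective
    reduction: float  # fraction removed from the quantity this control acts on


def loss_side(ctx, controls=()):
    """Negative outcomes: (overall likelihood of loss, overall loss value)."""
    p_t, p_w, impact = ctx.p_threat, ctx.p_weakness, ctx.negative_impact
    has_detective = any(c.kind == "detective" for c in controls)
    for c in controls:
        if c.kind == "deterrent":                        # reduces threats
            p_t *= 1 - c.reduction
        elif c.kind == "preventive":                     # reduces vulnerabilities
            p_w *= 1 - c.reduction
        elif c.kind == "corrective" and has_detective:   # triggered by detection
            impact *= 1 - c.reduction
    return p_t * p_w, ctx.asset_value * impact


def benefit_side(ctx):
    """Positive outcomes: (overall likelihood of benefit, overall benefit value)."""
    return ctx.p_opportunity * ctx.p_strength, ctx.asset_value * ctx.positive_impact


def expected_loss(ctx, controls=()):
    likelihood, value = loss_side(ctx, controls)
    return likelihood * value


def select_controls(ctx, candidates, appetite):
    """Risk assessment leading to selection of controls: greedily add the single
    candidate or detective+corrective pair that cuts expected loss the most,
    until residual expected loss is within appetite or nothing reduces it."""
    chosen, remaining = [], list(candidates)
    while expected_loss(ctx, chosen) > appetite and remaining:
        options = [[c] for c in remaining]
        options += [[d, c] for d in remaining if d.kind == "detective"
                    for c in remaining if c.kind == "corrective"]
        before = expected_loss(ctx, chosen)
        best = min(options, key=lambda opt: expected_loss(ctx, chosen + opt))
        if expected_loss(ctx, chosen + best) >= before:
            break  # no remaining control reduces the risk
        chosen += best
        for c in best:
            remaining.remove(c)
    return [c.name for c in chosen]


# Constructed sample context and candidate controls.
CTX = RiskContext("customer payment records", p_threat=0.8, p_weakness=0.5,
                  asset_value=1_000_000, negative_impact=0.4,
                  p_opportunity=0.3, p_strength=0.5, positive_impact=0.1)
CANDIDATES = [
    Control("acceptable-use policy & warning banners", "deterrent", 0.25),
    Control("patching & hardening", "preventive", 0.6),
    Control("log monitoring", "detective", 0.0),
    Control("incident response & backups", "corrective", 0.5),
]

if __name__ == "__main__":
    print("expected loss, no controls :", expected_loss(CTX))
    print("selected controls          :", select_controls(CTX, CANDIDATES, appetite=30_000))
    print("expected loss, all controls:", expected_loss(CTX, CANDIDATES))
```

With the constructed figures the untreated expected loss is 160 000; the selection picks patching first, then the detective/corrective pair (the corrective control alone changes nothing because nothing would trigger it), and finally the deterrent, ending at 24 000 against an appetite of 30 000. The benefit side is computed separately so that the opportunity of a risk context is not lost when only its loss side is treated.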
Taxonomy of Cognitive Levels (Foundation)
- Competency Level 1, Knowledge
  - Skill Demonstrated: Observation and recall of information; Knowledge of facts; Knowledge of major ideas; Mastery of subject matter; Carry out research to find information
  - Task Examples: List, define, tell, describe, identify, show, label, collect, examine, tabulate, quote, name, find, identify
- Competency Level 2, Comprehension
  - Skill Demonstrated: Understand information; Grasp meaning; Translate knowledge into new context; Interpret facts, compare, contrast; Order, group, infer causes; Predict consequences
  - Task Examples: Summarise, explain, interpret, contrast, predict, associate, distinguish, estimate, differentiate, discuss, extend
Taxonomy of Cognitive Levels (Practitioner)
- Competency Level 3, Application
  - Skill Demonstrated: Use information; Use methods, concepts, theories in new situations; Solve problems using required skills or knowledge
  - Task Examples: Apply, demonstrate, calculate, complete, illustrate, show, solve, examine, modify, relate, change, classify, experiment, discover
- Competency Level 4, Analysis
  - Skill Demonstrated: Seeing patterns; Organisation of parts; Recognition of hidden meanings; Identification of components
  - Task Examples: Analyse, separate, order, connect, classify, arrange, divide, compare, select, infer
Taxonomy of Cognitive Levels (Master)
- Competency Level 5, Synthesis
  - Skill Demonstrated: Use old ideas to create new ones; Generalise from given facts; Relate knowledge from several areas; Predict, draw conclusions
  - Task Examples: Combine, integrate, modify, rearrange, substitute, plan, create, build, design, invent, compose, formulate, prepare, generalise, rewrite
- Competency Level 6, Evaluation
  - Skill Demonstrated: Compare and discriminate between ideas; Assess value of theories, presentations; Make choices based on reasoned argument; Verify value of evidence; Recognise subjectivity
  - Task Examples: Assess, evaluate, decide, rank, grade, test, measure, recommend, convince, select, judge, discriminate, support, conclude
For More Information
- SABSA Text Book “Enterprise Security Architecture: A Business-driven Approach”
  - Currently: CMP Books (Elsevier)
  - Van Haren SABSA Book Store
- Accredited Education Provider for Australia: http://www.alc-group.com
- http://www.sabsa.org
- http://www.sabsa-institute.com/members
  - SABSA Executive White Paper
  - SABSA – TOGAF White Paper
For More Information
- SABSA World Congress at COSAC, http://www.cosac.net
- Sept 30 – Oct 4 … Fly Free to Ireland!!

“Quite simply the greatest information security conference on Earth.” John O’Leary, President, O’Leary Management Education, USA
“COSAC starts where other events stop. Challenging, professional and hugely useful.” Brian Collins, Chief Scientific Advisor, Dept for Transport, UK
“Exceptional! More interaction and valuable discussion than any other conference.” Helvi Salminen, CISO, Gemalto, Finland
“Year on year COSAC exceeds my now sky-high expectations for professionalism, content and organisational excellence.” Ahmed Ali, InfoSec Manager, BaTelCo, Bahrain
“Totally incredible!! COSAC is by far the greatest event I have ever had the privilege to attend.” Luc de Graeve, CEO, Sensepost, South Africa
“I’ve been to dozens of conferences that bill themselves as best. None can possibly be as good as COSAC.” Dan Houser, Principal Security Architect, Huntington Bank, USA
“Outstanding! The calibre of speakers, delegates and the whole experience is truly unsurpassed.” Tadashi Nagamiya, CTO, InfoSec Corp, Japan
“Brilliant! A rare opportunity of the highest standard to gain access to expert opinion on matters of real importance.” Tim Evans, Assistant Commissioner, Australian Electoral Commission
“Attending COSAC is one of the most valuable decisions an organisation can make. The ultimate contribution to knowledge assets.” Richard Nealon, Assurance Reporting Manager, AIB Group, Ireland
“Wonderful! Like discovering a whole new profession.” Herve Schmidt, CEO, GASPAR, France
THANK YOU
David Lynas, CEO, SABSA Institute
david.lynas@sabsa.org (non-commercial only)
david@sabsaservicesinternational.com