Sherwood Applied Business Security Architecture Explained

SABSA (Sherwood Applied Business Security Architecture) is a model and methodology for developing a risk-driven enterprise information security architecture and service management, to support critical business processes. It was developed independently from the Zachman Framework, but has a similar structure. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.

The process analyzes the business requirements at the outset, and creates a chain of traceability through the strategy and concept, design, implementation, and ongoing ‘manage and measure’ phases of the lifecycle to ensure that the business mandate is preserved. Framework tools created from practical experience further support the whole methodology.

The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction and detail is developed, going through the definition of the conceptual architecture, logical services architecture, physical infrastructure architecture and finally at the lowest layer, the selection of technologies and products (component architecture).

The SABSA model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic program of information security management within the organization.

SABSA is a particular example of a methodology that can be used both for IT (information technology) and OT (operational technology) environments.

SABSA matrix

Assets (What)Motivation (Why)Process (How)People (Who)Location (Where)Time (When)
ContextualThe businessBusiness risk modelBusiness process modelBusiness organization and relationshipsBusiness geographyBusiness time dependencies
ConceptualBusiness attributes profileControl objectivesSecurity strategies and architectural layeringSecurity entity model and trust frameworkSecurity domain modelSecurity-related lifetime and deadlines
LogicalBusiness information modelSecurity policiesSecurity servicesEntity schema and privilege profilesSecurity domain definitions and associationsSecurity processing cycle
PhysicalBusiness data modelSecurity rules, practices and proceduresSecurity mechanismsUsers, applications and user interfacePlatform and network infrastructureControl structure execution
ComponentDetailed data structuresSecurity standardsSecurity products and toolsIdentities, functions, actions and ACLsProcesses, nodes, addresses and protocolsSecurity step timing and sequencing
OperationalAssurance of operational continuity Operational risk managementSecurity service management and supportApplication and user management and supportSecurity of sites and platformsSecurity operations schedule

Note: The above is the original SABSA Matrix, which is still valid today, but it has been expanded by a comprehensive service management matrix and updated in some detail and terminology areas. In the words of David Lynas, SABSA author, "The SABSA Matrix and the SABSA Service Management Matrix have not been updated since the late 90s. We have redesigned them to deliver the improvements your feedback has requested over the years. We have not fundamentally changed the structure or principles of the matrices (very few elements have changed position) but have focused on terminology update and consistency." The new versions can be downloaded (along with the 2009 revision of the SABSA White Paper and other important documents like the SABSA Certification Roadmap) at the SABSA Members' Web Site.

References

External links

Notes and References

  1. Web site: Bruce . Glen . 17 March 2023 . The SABSA Institute Recommendations for the NIST Cyber Security Framework version 2.0 . NIST.gov.