The basics of SABSA
SABSA is a framework for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives. It is an open standard, comprising a number of frameworks, models, methods and processes, free for use by all, with no licensing required for end-user organizations who make use of the standard in developing and implementing architectures and solutions.
Although SABSA grew up in the information risk / assurance / security domain, it is now widely recognized as the leading methodology for developing business-operational-risk-based architectures in general. SABSA is now the Open Group's framework of choice for integrating with TOGAF® to fulfill not only the need for a security architecture development methodology but, more importantly, to apply SABSA's Business Attributes Profiling method across the entire enterprise architecture domain as a means to engage with stakeholders and manage business requirements. It adds value to the TOGAF ADM by providing a robust, repeatable, consistent process for aligning business requirements with the development of operational capabilities in the form of people, processes and technology solutions. It brings to TOGAF a defined method for 'requirements management', something that has been lacking in previous releases of TOGAF up to and including TOGAF version 9.
SABSA does not replace or compete with other risk-based standards and methods; rather, it provides an overarching framework that enables all other existing standards to be integrated under the single SABSA framework, enabling joined-up, end-to-end architectural solutions. Thus ISO 2700x, CobiT®, ISF SoGP®, ITIL®, etc. and industry standards such as ETSI standards, Basel III and Solvency II are all capable of being brought together into a SABSA-based integrated compliance framework.
In terms of risk philosophy SABSA aligns fully with ISO 31000, COSO® and M_o_R®, all of which present the concept of risk as being one of uncertainty of outcome, with risks embracing both (positive) opportunities and (negative) threats.
To do business is to take risk by evaluating the risk/reward balance and setting risk appetite to a level that is comfortable for the risk taker. With this philosophy in mind, all business decisions are risk management decisions, and it is from this standpoint that SABSA views the world. Risk is good for business, so long as it is maintained within the organization’s risk appetite. SABSA is the first architectural development methodology to introduce a reliable method for measuring risk appetite and monitoring operational performance against that appetite. It achieves this through application of the Business Attributes Profiling technique, which produces as output a customized balanced scorecard.
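As an added illustration (not from the book or from The SABSA Institute) of how a Business Attributes Profile can be turned into a balanced scorecard and monitored against risk appetite: each attribute is given a metric, a target and an appetite limit, measurements are scored against both, and the results are grouped by scorecard perspective. The attributes, metrics, perspectives, thresholds and the green/amber/red status scheme are all assumptions constructed for this example.

```python
"""Toy Business Attributes Profile scored against risk appetite.

Added illustration, not SABSA Institute material. The attribute names,
metrics, perspectives, targets, appetite thresholds and the green/amber/red
scheme are constructed assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeMetric:
    """One row of a Business Attributes Profile.

    target   - performance level the business wants (inside appetite).
    appetite - worst level the business will tolerate; beyond it the
               attribute is outside risk appetite.
    """
    attribute: str
    perspective: str      # balanced-scorecard perspective the attribute reports to
    metric: str           # how the attribute is measured
    target: float
    appetite: float
    higher_is_better: bool = True

    def __post_init__(self) -> None:
        # A target that is worse than the appetite limit is a profile error.
        if self.higher_is_better:
            bad = self.target < self.appetite
        else:
            bad = self.target > self.appetite
        if bad:
            raise ValueError(f"{self.attribute}: target lies outside appetite")

    def status(self, value: float) -> str:
        """green = meets target, amber = within appetite, red = outside appetite."""
        if self.higher_is_better:
            if value >= self.target:
                return "green"
            return "amber" if value >= self.appetite else "red"
        if value <= self.target:
            return "green"
        return "amber" if value <= self.appetite else "red"


# Constructed profile for a hypothetical online payments service.
PROFILE = (
    AttributeMetric("Available", "Operational", "monthly service availability (%)", 99.9, 99.5),
    AttributeMetric("Recoverable", "Operational", "hours to restore after an outage", 2.0, 8.0, higher_is_better=False),
    AttributeMetric("Access-controlled", "Security", "stale privileged accounts at quarter end", 0, 5, higher_is_better=False),
    AttributeMetric("Compliant", "Governance", "open audit findings past due", 0, 3, higher_is_better=False),
    AttributeMetric("Cost-effective", "Financial", "security spend as % of IT budget", 8.0, 12.0, higher_is_better=False),
)


def scorecard(profile, measurements):
    """Score every attribute and group the results by scorecard perspective.

    measurements maps attribute name -> observed value. An attribute with no
    measurement is reported as 'unmeasured' rather than silently passed.
    """
    card = defaultdict(list)
    for m in profile:
        value = measurements.get(m.attribute)
        st = "unmeasured" if value is None else m.status(value)
        card[m.perspective].append((m.attribute, value, st))
    return dict(card)


def outside_appetite(card):
    """Attributes whose measured performance breaches risk appetite."""
    return sorted(name for rows in card.values() for name, _, st in rows if st == "red")


def unmeasured(card):
    """Attributes in the profile that no measurement covers (a gap in monitoring)."""
    return sorted(name for rows in card.values() for name, _, st in rows if st == "unmeasured")


if __name__ == "__main__":
    # Constructed measurements for one reporting period.
    observed = {"Available": 99.7, "Recoverable": 12.0, "Access-controlled": 0, "Compliant": 1}
    card = scorecard(PROFILE, observed)
    for perspective, rows in card.items():
        print(perspective)
        for name, value, st in rows:
            print(f"  {name:<18} {str(value):>6}  {st}")
    print("outside appetite:", outside_appetite(card))
    print("unmeasured:", unmeasured(card))
```

The point of the two thresholds is that "amber" is not a breach: the business has chosen to accept that level of risk, and only "red" calls for a decision. An attribute nobody measures is listed separately because an empty cell on the scorecard is a monitoring gap, not evidence that appetite is being met.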
Other key features of SABSA include:
- SABSA IPR is owned, governed and protected by The SABSA Institute.
- The SABSA framework is not related to any IT solutions supplier or other type of supplier and is completely vendor-neutral.
- The SABSA framework is scalable, that is, it can be introduced in a small scope and then rolled out to subsequent areas and systems, and thus implemented incrementally.
- The SABSA framework may be used in any industry sector and in any organization whether privately or publicly owned, including commercial, industrial, government, military or charitable organizations.
- The SABSA framework can be used for the development of architectures and solutions at any level of granularity of scope, from a project of limited scope to an entire enterprise architectural framework.
- The SABSA framework is continually maintained and developed and up-to-date versions are published from time to time.
The SABSA Model covers the whole lifecycle of operational capabilities (Figure 31.2) and comprises six layers.
For each horizontal layer there is also a vertical analysis based on the six questions: What (assets)? Why (motivation)? How (process and technology)? Who (people)? Where (location)? When (time)? This leads to a six-by-six cell matrix called the SABSA Master Matrix.
The sixth layer, the service management layer, is overlaid on the other five layers and further vertically analyzed to produce the five-by-six cell SABSA Service Management Matrix.
Target audience of the method
CIOs, CROs, IT strategists and planners, IT architects, IT development managers and project leaders, software managers and architects, network managers and architects, information security managers, advisors, consultants and practitioners, and auditors.
Scope and constraints
SABSA is a generic architectural development framework that can be used for the operational-risk-based development and maintenance of operational capabilities in any type of business organization.
The SABSA model is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes the enterprise operational risk management architecture. SABSA is not a cookbook full of ready-to-cook recipes; rather, it is a guiding framework for those who would be the chef de cuisine, so that they can devise their own recipes to satisfy their customers' appetites.
To gain the full benefits of SABSA an organization needs to move on from a small scope proof-of-concept project towards adopting SABSA on an enterprise-wide level. This of course requires buy-in and support at the most senior executive levels, which can be a challenge to those who champion the adoption of the framework.