Business Continuity requires Security Architecture

Article published in IT Magazine 2016/09

SABSA: Enterprise Security Architecture

SABSA is a proven methodology for developing risk-driven enterprise information security and assurance architectures and for enabling secured information systems that support critical business initiatives. Adopted worldwide by organizations of all sizes, it is an open standard that involves a number of different stakeholders in the process of specifying, designing, constructing and using the business system.
At each layer, the six fundamental questions are answered: "What, Why, How, Who, Where and When". As an example, we show below the high-level answers to the questions "What" and "Why" applied to the Contextual (Business) and Conceptual (Architect) layers.

One of the strengths of SABSA is its attribute model, which enables requirements engineering to span the full IS security lifecycle. Another crucial notion is the "security domain framework", where a security domain is defined as a set of elements subject to a common security policy. Among other SABSA elements, these two models, coupled with the risk management framework, enable the methodical construction of the building blocks for a secured and architected information system.

The linkage between ISO 22301 and SABSA

As an example, the figure below shows how a cyber-attack can use the vulnerabilities of a given domain (surrounded by an orange colored ellipse) to find a way to attack another domain of the organization, thereby causing, by cascade, a major discontinuity of the business activities. In order to avoid such situations, there are various possibilities to link ISO 22301 to SABSA. A straightforward way is to adopt SABSA's attribute, risk and domain modeling.

During the planning phase of ISO 22301, the requirements and the expectations of the interested parties can be expressed via the SABSA attributes (at the Contextual and Conceptual layers).

During the operations phase of ISO 22301, the SABSA risk management framework (the WHY column of the schema at the left) enables the expression of the risks and opportunities via the attribute profiles. This in turn enables the creation of the security policy and the various domain policies. Coupled with the outcome of the BIA, the security domains can now inherently integrate the continuity and security services that will protect the organization from various cyber-attacks.
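The two phases described above can be made concrete with a small model. The following is an added illustration and not code from the article or from the SABSA Institute; the domain names, the "available" attribute expressed as an RTO, the BIA figures and the inter-domain reliance relationships are all constructed sample data. It shows the planning-phase step (BIA outcomes pushed down into per-domain attribute requirements, including requirements inherited through domain dependencies), the check of each domain policy against those requirements, and the operations-phase view of how the unavailability of one domain cascades to the domains and business processes that rely on it.

```python
"""Toy model of SABSA security domains, attribute profiles and BIA-driven
continuity requirements. Added illustration, not code from the article or
from the SABSA Institute; all domain names, attributes and figures are
constructed sample data."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SecurityDomain:
    """A set of elements subject to one common security policy (SABSA domain).
    `policy` records the attribute levels the domain's policy actually
    guarantees; `relies_on` lists domains whose services this domain consumes,
    i.e. the inter-domain trust relationships a disruption can cascade along."""
    name: str
    policy: dict = field(default_factory=dict)   # attribute -> guaranteed level
    relies_on: list = field(default_factory=list)


# Constructed BIA outcome: business process -> (RTO in hours, supporting domains)
BIA = {
    "order-processing": (4, ["web-shop", "erp"]),
    "payroll": (48, ["erp", "hr"]),
    "customer-support": (8, ["crm", "erp"]),
}

# Constructed domain policies; "rto_hours" is the level each policy guarantees
# for the SABSA attribute "available" (lower is stronger).
DOMAINS = {
    "web-shop": SecurityDomain("web-shop", {"rto_hours": 4}, relies_on=["erp"]),
    "erp":      SecurityDomain("erp", {"rto_hours": 24}, relies_on=["identity"]),
    "hr":       SecurityDomain("hr", {"rto_hours": 48}, relies_on=["identity"]),
    "crm":      SecurityDomain("crm", {"rto_hours": 8}, relies_on=["identity"]),
    "identity": SecurityDomain("identity", {"rto_hours": 2}),
}


def derive_requirements(bia, domains):
    """Planning phase: push each process's RTO down to the domains that support
    it, directly and via relies_on; a domain inherits the strictest RTO it serves."""
    req = {}
    for rto, supporting in bia.values():
        queue, seen = deque(supporting), set()
        while queue:
            name = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            req[name] = min(rto, req.get(name, rto))
            queue.extend(domains[name].relies_on)
    return req


def policy_gaps(domains, requirements):
    """Domains whose policy guarantees a weaker 'available' level than required:
    name -> (guaranteed RTO, required RTO)."""
    return {
        name: (domains[name].policy["rto_hours"], need)
        for name, need in requirements.items()
        if domains[name].policy["rto_hours"] > need
    }


def cascade_reach(domains, unavailable):
    """Operations phase: which domains lose service if `unavailable` is down,
    following relies_on edges in reverse (from provider to consumer)."""
    dependents = {n: [] for n in domains}
    for d in domains.values():
        for provider in d.relies_on:
            dependents[provider].append(d.name)
    reached, queue = set(), deque([unavailable])
    while queue:
        name = queue.popleft()
        if name in reached:
            continue
        reached.add(name)
        queue.extend(dependents[name])
    return reached


def processes_affected(bia, domains, unavailable):
    """Business processes with at least one supporting domain inside the cascade."""
    hit = cascade_reach(domains, unavailable)
    return sorted(p for p, (_, supporting) in bia.items() if set(supporting) & hit)


if __name__ == "__main__":
    reqs = derive_requirements(BIA, DOMAINS)
    print("inherited requirements:", reqs)
    print("policy gaps:", policy_gaps(DOMAINS, reqs))
    print("cascade if identity is down:", sorted(cascade_reach(DOMAINS, "identity")))
    print("processes hit if erp is down:", processes_affected(BIA, DOMAINS, "erp"))
```

In the sample data the ERP domain's policy only guarantees a 24-hour recovery, while the 4-hour RTO of order processing is inherited through the web-shop's reliance on it, which `policy_gaps` reports; the cascade functions show that the identity domain, although it supports no process directly, sits upstream of every other domain and therefore of every process in the BIA.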

