sabsa implementation(part vi)_ver1-0
TRANSCRIPT
![Page 1: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/1.jpg)
SABSA Implementation
Generic Approach
PART VI
![Page 2: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/2.jpg)
TIME & PERFORMANCEMANAGEMENT CONCEPTS
![Page 3: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/3.jpg)
Scope: Strategy & Planning Phase -Time
![Page 4: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/4.jpg)
Lifecycle Alignment – Demming to SABSA
![Page 5: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/5.jpg)
Architecture Strategy & Planning Phase
![Page 6: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/6.jpg)
Architecture Design Phase
![Page 7: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/7.jpg)
Implementation Phase & Approach
• Implementation is an important part of the lifecycle but the SABSA Matrix does not define a specific implementation layer– No need to re-invent Prince2 or PMI etc.
• Notoriously difficult to gain business support and budget for pure infrastructure projects
• Rare that a major strategic enterprise-wide security architecture is implemented as a single project
• More likely (and more sensible) is that the architecture provides a blue-print and a road-map that guides a whole series of separate implementation projects, each of which is driven by a specific business initiative and funded by a budget associated with that initiative
![Page 8: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/8.jpg)
Manage & Measure Phase – Lifecycle Overlay
• SABSA Architecture traceably abstracts from pure Business Context to:– Pure technical deployment in the Component layer– Pure management in the Service Management layer
• The Service Management layer defines all aspects of security management and constructs the means to manage and incorporate change by being presented vertically across the other layers:– Strategy (Context & Concept Layers)– Tactics (Logical, Physical, & Component Layers)– Operations (Security Service Management Matrix)
![Page 9: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/9.jpg)
Manage & Measure Phase – SSM Matrix
![Page 10: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/10.jpg)
SABSA Development Process
![Page 11: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/11.jpg)
SABSA Risk Management Process Overview
![Page 12: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/12.jpg)
Risk Management and the SABSA Matrix
![Page 13: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/13.jpg)
SABSA Risk Management Activities
![Page 14: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/14.jpg)
SABSA Lifecycle Domain Risk Perspectives
![Page 15: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/15.jpg)
Process Improvement Framework –SABSA Maturity Profile (SMP)
• Coordinates SABSA process information from all parts of the business– Demonstrates due diligence to senior management, auditors and regulators
• Based on Capability Maturity Modelling (CMM) concepts– Qualitative measurement technique for maturity of processes– Six domains mapped onto the SABSA Matrix– Consistent, objective 5-point maturity scale
• Identifies, measures and reports compliance practices– Against the SABSA framework, model and processes– Provides a gap analysis to drive a SABSA improvement programme
• Can be implemented through a web-enabled tool for– Ease of use, wide involvement, quick responses
• Regular use tracks progress and measures changes– Benchmarking against target maturity
![Page 16: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/16.jpg)
SABSA Maturity Profile Process Areas
SMP Process Areas and SMP Process Activities
• Each of the six SMP domains is decomposed into six SMP Process Areas
• These SMP Process Areas map onto the six cells of the row of the SABSA
• Matrix corresponding to the particular SMP domain
• The SMP Process Activities are then derived by overlaying the SABSA
• Service Management Matrix onto the SMP Process Areas
![Page 17: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/17.jpg)
SMP Maturity Levels
![Page 18: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/18.jpg)
SMP Generic Practices
![Page 19: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/19.jpg)
Performance Management Framework
Defining Business-driven Performance Targets
![Page 20: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/20.jpg)
Architecture Measurement Categories
• Completeness– Do we have all of the
components?– Do they form an integrated
system?
• Assurance– Does the system run
smoothly?– Are we assured that it is
properly assembled?– Is the system fit-for-purpose?
• Compliance– Do we maintain the system?
– Do we follow the architecture roadmap
– Do we comply with the rules?
• Performance– Is the system properly tuned?– Do the components work
together?– Do we operate the system
correctly?
• Justification & significance– Does the system have
business value?
![Page 21: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/21.jpg)
Measurement Approaches
• High level statements of the approach to obtaining a measurement
• Appropriate to the business need
• In the language of the intended audience
• Culturally specific
![Page 22: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/22.jpg)
Measurement Guidelines
• Measurement should be a repeatable process (for comparison & prediction)
• Measurement should have a clear communications role
• Tracking performance
• Assigning resources
• Measurement should yield quantifiable metrics (percentage, average, numbers, values, etc.)
![Page 23: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/23.jpg)
Metrics Guidelines
• Data used to calculate metrics should be readily obtainable
• Metrics may (should) be calculated independently of parties with vested interest
• The type of metric used may change in line with the maturity of the security process e.g. when you are highly compliant, consider changing from conformance measure to significance measure
• Performance metric / trend should be tested prior to going ‘live’
• Expectations management is key
![Page 24: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/24.jpg)
Types of Metric
• Soft Metrics– Usually qualitative
– Subjective
– Open to interpretation and opinion (usually of the authority setting the target or of an official compliance agent such as a regulator or auditor)
• Hard Metrics– Usually quantitative
– Objective
– Fixed, not open to opinion or interpretation
![Page 25: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/25.jpg)
Types of Metric
• Descriptive– Describes the current-state of the object / attribute
being measured
• Comparative– Describes the current-state of the object / attribute
being measured in comparison with a similar object / attribute relating to a different place and/or time
• Predictive– Describes the current-state of the object / attribute
being measured in relation to its trend in order to project and predict afuture state
![Page 26: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/26.jpg)
Conceptual Measures & Metrics Framework
![Page 27: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/27.jpg)
SABSA Vitality Framework
![Page 28: SABSA Implementation(Part VI)_ver1-0](https://reader033.vdocuments.mx/reader033/viewer/2022042505/55a5a4b71a28ab08108b45bf/html5/thumbnails/28.jpg)
END OF PART VI