SABSA Self Study
This is a mind map about "SABSA Self Study".
Edited at 2020-12-23 10:02:57
Domain Models
Security Domain
Set of elements subject to a common security policy
Owned by a single Policy Authority
Can exist in multiple dimensions
Domain Registration Authority
Sets policy for the domain
Establishes identity and verifies credentials
Domain Certification Authority
Provides chain of trust
Receives and certifies public keys
Types of domains
Subdomain
Set of elements under a single policy authority that complies with a higher authority's policy
Superdomain
A domain that contains one or more compliant subdomains
Peer domain
Domains that share a common superdomain policy
Logical domain
Logical classification/department/line of business
Converts the enterprise policy into a more granular one that can be understood locally
Can have multiple physical domains
Physical domain
Set of physical elements
Can have multiple logical domains
Serve the needs of the logical domain
Isolated domain
Enforces its own self-contained policy
Boundary must be explicit
Trust is constant in the domain
Has no interdomain associations
Independent domain
Enforces its own self-contained policy
Boundary must be explicit
Trust is constant in the domain
Trust between domains is not constant
Has gateway for interdomain associations
Honeycomb domain
Contains many cells that have their own parameters
Each cell has an independent access policy
E.g. physical access control: many cells (zones), each with its own parameters
Combined domain
Combines an independent/isolated domain with a honeycomb domain
Provides strength-in-depth
Resolves the variable-trust and binary-gateway issues
Common in classified systems requiring clearance
Multi-tiered domain
Layered model of domains
New policy at each boundary
Communication
Interdomain policy associations
Simple
Interactions between two independent domains, or between a superdomain and a subdomain
Complex
Via a trusted third-party domain
Both domains must adhere to the third party's policy
Using a mutually agreed policy
Policy authorities from the two domains agree on a common policy
Difficult to implement because of conflicting risk positions
Each policy authority enforces its own policy independently at the boundary/gateway
Attributes
Can be domain-specific
Conceptual abstraction of a real business requirement
Are multi-tiered
Distribute responsibilities downwards
Aggregate performance upwards
Must be measurable
Articulate performance targets relative to the targets of the superdomain
Can be mapped to the control objectives of various standards/regulations, so that one attribute profile demonstrates compliance with several of them
Examples
Business attributes
Reputable
Accurate
Security attributes
Integrity
Authentication
User attributes
Accessible
Accurate
Reliable
Regulatory attributes
Admissible
Compliant
Regulated
Service Architecture
Top-down process analysis
Vertical security consistency
Accurate representation of the conceptual attribute at each layer
Horizontal security consistency
Process layers
Meta-process
Contextual layer
Strategic view of process
Conceptual layer
Information flows and transformations
Logical layer
Data flows and system interaction
Physical layer
Protocols and step sequences
Component layer
Security services are generally represented using an SOA model
Information types
Static
No changes in short term
Dynamic
Changes in short term
Service types
Implicit
Services in the same domain
Subtypes
Primary
Self-contained in an element of the domain
Secures the element from within
E.g. authentication, authorization
Secondary
Operate between elements in a domain
Secure the communication between the elements
E.g. confidentiality, non-repudiation
Explicit
Services that are explicitly requested by one domain from another
Service placement
Layer concept
Must be properly integrated and aligned
Trust exists by default between the layers
Layers
Processing layer
Antivirus and other security controls, local user authentication, local services, backups and change control
Information transfer layer
Network
Data Management Subsystem
Middleware
Service management
Set of specialised organisational capabilities at each layer
Matches business requirements for controls and enablers
Makes the security capability and resources available in a highly usable form
All activities in each layer need to be defined
Governance Model
Steps
Strategy & Planning
Develop business strategy
Set goals, objectives and expectations
Set performance targets, risk appetite
Set policy to meet objectives and targets
Design
Design process
Design systems
Design staffing model
Design controls and enablers
Implement
Establish process
Implement systems
Appoint and train people
Establish controls and enablers
Manage & Measure
Manage processes and operations
Manage people and systems
Monitor KRIs and KPIs
RACI model
Model
Responsible
Who is responsible for the activity
Accountable
Who is accountable for the activity
Consulted
Whose opinion is sought
Informed
Who are updated about the activity
All roles must be defined
Varies by domain
Complexity is directly proportional to the number of levels in the domain
Can be extended with additional roles
E.g. ownership, assurance, delegation
Ownership
Multifaceted
Depends on the position in the governance model and in the domain model
Can be ownership of
an asset
a liability
cannot be delegated
an impact
Owner
Sets goals, risk appetite and performance targets
Accountable for the performance of assets in the domain
Trustee
Also called steward
Responsible for the performance of assets in the domain
Can set policy on behalf of the domain authority or owner
Custodian
Policy authority is not delegated to the custodian
Responsible for the performance of assets in the domain
Complies with policies already set
Compliance role
To check and report on policy compliance and adherence to risk appetite
Reports to the owner of the domain
Audit role
Appointed by the superdomain
Responsible for auditing the performance of assets in a subdomain
Reports to the owner of the superdomain
Trust Concepts
Terms
Claimant
One who is trusted
Ex: customer
Relying party
One who is relying on the trust
Ex: vendor
Types
One-way trust
Unidirectional trust relationship
One party trusts the other
Two-way trust
Bidirectional trust relationship
Both parties trust each other
Transitive trust
Also known as pass-through trust
Uses a trusted third party
The third party performs the registration
Can be one-way or two-way
Mutual authentication
Direction of trust
In the direction of dependency
Strength of trust
Is the strength of the registration process
Complex trust relationships
Decomposed into simple trust relationships for analysis
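The trust concepts above (one-way, two-way and transitive trust, direction of trust following dependency, strength of trust set by the registration process, and decomposition of complex relationships into simple ones) can be modelled as a small directed graph. The following is an added illustration and not part of the SABSA material or any SABSA tooling; the party names (vendor, ca, partner, customer) and the numeric strengths are constructed sample data, and treating a chain's strength as its weakest link is an assumption made here for the analysis.

```python
"""Added illustration: decompose complex trust into simple relationships and
analyse whether a relying party can rely on a claimant.

Assumptions (not from the SABSA text):
- each simple relationship is an edge from relying party to claimant, i.e. it
  points in the direction of dependency;
- each edge carries a "registration strength" in [0, 1];
- the strength of a transitive chain is its weakest link.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimpleTrust:
    relying_party: str
    claimant: str
    strength: float  # assumed: strength of the registration process


class TrustModel:
    def __init__(self) -> None:
        # relying party -> {claimant: strength}
        self._edges: Dict[str, Dict[str, float]] = {}

    def one_way(self, relying_party: str, claimant: str, strength: float) -> None:
        """Unidirectional trust: relying_party depends on claimant."""
        if not 0.0 <= strength <= 1.0:
            raise ValueError("strength must be in [0, 1]")
        self._edges.setdefault(relying_party, {})[claimant] = strength

    def two_way(self, a: str, b: str, strength: float) -> None:
        """Bidirectional trust decomposes into two one-way relationships."""
        self.one_way(a, b, strength)
        self.one_way(b, a, strength)

    def transitive(self, relying_party: str, third_party: str, claimant: str,
                   rp_to_tp: float, tp_to_claimant: float) -> None:
        """Pass-through trust via a trusted third party that registered the
        claimant; decomposes into two simple one-way relationships."""
        self.one_way(relying_party, third_party, rp_to_tp)
        self.one_way(third_party, claimant, tp_to_claimant)

    def simple_relationships(self) -> List[SimpleTrust]:
        """The complex model flattened to its simple pairwise relationships."""
        rels = [SimpleTrust(rp, c, s)
                for rp, cs in self._edges.items() for c, s in cs.items()]
        return sorted(rels, key=lambda t: (t.relying_party, t.claimant))

    def relies_on(self, relying_party: str, claimant: str
                  ) -> Optional[Tuple[List[str], float]]:
        """Strongest chain (weakest-link strength, shortest on ties) along which
        relying_party can rely on claimant, or None if there is no chain."""
        if relying_party == claimant:
            return None
        best: Optional[Tuple[List[str], float]] = None

        def dfs(node: str, path: List[str], strength: float) -> None:
            nonlocal best
            if node == claimant:
                if (best is None or strength > best[1]
                        or (strength == best[1] and len(path) < len(best[0]))):
                    best = (path, strength)
                return
            for nxt, s in self._edges.get(node, {}).items():
                if nxt not in path:  # simple paths only
                    dfs(nxt, path + [nxt], min(strength, s))

        dfs(relying_party, [relying_party], 1.0)
        return best


def build_example() -> TrustModel:
    """Constructed sample: a vendor relies on a CA that registered a customer,
    has a two-way relationship with a partner, and the partner has also
    (more weakly) registered the same customer."""
    m = TrustModel()
    m.transitive("vendor", "ca", "customer", rp_to_tp=0.9, tp_to_claimant=0.6)
    m.two_way("vendor", "partner", 0.8)
    m.one_way("partner", "customer", 0.5)
    return m


if __name__ == "__main__":
    model = build_example()
    for rel in model.simple_relationships():
        print(rel)
    print("vendor -> customer:", model.relies_on("vendor", "customer"))
    print("customer -> vendor:", model.relies_on("customer", "vendor"))
```

Running the sample shows that the vendor can rely on the customer via the CA with chain strength 0.6 (the CA's registration being the weak link), that the one-way relationships give the customer no basis to rely on the vendor, and that the two-way vendor/partner relationship appears in the flattened list as two simple one-way relationships.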
Contextual Layer
Gather business requirements
Define business drivers for security
Define business attributes
Map business drivers to attributes
Types of goals
Strategic goals: defined in the Contextual and Conceptual layers
Long-term goals and plans
Have no defined end
Tactical goals: defined in the Logical, Physical and Component layers
Medium-term goals and plans
Address immediate problems
Operational goals: defined in the Operational layer
Day-to-day goals and plans
Based on business processes consisting of repetitive procedures