SABSA Self Study

Contextual Layer
Gather business requirements
Define business drivers for security
Define business attributes
Map business drivers to business attributes
Types of goals
Strategic goals
Defined in the Contextual and Conceptual layers
Long-term goals and plans
Have no fixed end
Tactical goals
Defined in the Logical, Physical and Component layers
Medium-term goals and plans
Address an immediate problem
Operational goals
Defined in the Operations layer
Day-to-day goals and plans
Based on business processes containing repetitive procedures
Trust Concepts
Terms
Claimant
The party that makes a claim and is trusted
Ex: customer
Relying party
The party that relies on the claim
Ex: vendor
Types
One-way trust
Unidirectional trust relationship
One party trusts the other
Two-way trust
Bidirectional trust relationship
Both parties trust each other
Transitive trust
Also known as pass-through trust
Uses a trusted third party
The third party performs the registration
Can be one-way or two-way
Mutual authentication
Direction of trust
In the direction of dependency (the relying party depends on the claimant)
Strength of trust
Equals the strength of the registration process
Complex trust relationships
Decomposed into simple trust relationships for analysis
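The trust concepts above can be checked mechanically once a complex relationship is written down as a directed graph. The following Python block is an added example, not part of the SABSA material: it models one-way, two-way and pass-through (transitive) trust as edges from relying party to claimant, decomposes any relationship into a chain of simple one-way relationships, and rates the derived trust by its weakest registration. The three-level strength scale and the weakest-link rule are assumptions of the example; SABSA only says that strength of trust is the strength of registration.

```python
from collections import deque

# Ordinal scale for the strength of a registration process. This scale is
# an assumption of the example; SABSA fixes no particular scale.
STRENGTH = {"weak": 1, "medium": 2, "strong": 3}


class TrustModel:
    """Directed trust graph. An edge relying_party -> claimant means the
    relying party trusts the claimant (direction of dependency); the edge
    is labelled with the strength of the registration that created it."""

    def __init__(self):
        self.edges = {}  # (relying_party, claimant) -> strength label

    def one_way(self, relying_party, claimant, strength):
        if strength not in STRENGTH:
            raise ValueError(f"unknown strength {strength!r}")
        self.edges[(relying_party, claimant)] = strength

    def two_way(self, a, b, strength):
        # Bidirectional trust is just two simple one-way relationships.
        self.one_way(a, b, strength)
        self.one_way(b, a, strength)

    def is_two_way(self, a, b):
        return (a, b) in self.edges and (b, a) in self.edges

    def chain(self, relying_party, claimant):
        """Decompose the (possibly complex) relationship into the shortest
        chain of simple one-way relationships. A direct edge is a chain of
        length 1; pass-through trust via a third party is length 2 or more.
        Returns None when no trust path exists in the direction of dependency."""
        if relying_party == claimant:
            return []
        parents = {relying_party: None}
        queue = deque([relying_party])
        while queue:
            node = queue.popleft()
            for (src, dst) in self.edges:
                if src == node and dst not in parents:
                    parents[dst] = node
                    if dst == claimant:
                        path = []
                        while parents[dst] is not None:
                            path.append((parents[dst], dst, self.edges[(parents[dst], dst)]))
                            dst = parents[dst]
                        return list(reversed(path))
                    queue.append(dst)
        return None

    def strength(self, relying_party, claimant):
        """Strength of derived trust: the weakest registration in the chain
        (weakest-link rule, an assumption of this example)."""
        path = self.chain(relying_party, claimant)
        if not path:
            return None
        return min((s for _, _, s in path), key=STRENGTH.__getitem__)


def example_model():
    """Constructed sample: a vendor relies on a registrar that registered
    a customer (pass-through trust), and a bank has two-way trust with the
    same registrar."""
    m = TrustModel()
    m.one_way("vendor", "registrar", "strong")     # vendor trusts the third party
    m.one_way("registrar", "customer", "medium")   # third party registered the customer
    m.two_way("bank", "registrar", "strong")       # mutual trust with the registrar
    return m


if __name__ == "__main__":
    m = example_model()
    print(m.chain("vendor", "customer"))      # two simple one-way relationships
    print(m.strength("vendor", "customer"))   # "medium": limited by the registration
    print(m.strength("customer", "vendor"))   # None: trust is one-way
```

The `chain` result is the decomposition the last bullet asks for: a complex relationship becomes an explicit list of simple one-way relationships, each carrying the registration strength that bounds it.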
Governance Model
Steps
Strategy & Planning
Develop business strategy
Set goals, objectives and expectations
Set performance targets, risk appetite
Set policy to meet objectives and targets
Design
Design process
Design systems
Design staffing model
Design controls and enablers
Implement
Establish process
Implement systems
Appoint and train people
Establish controls and enablers
Manage & Measure
Manage processes and operations
Manage people and systems
Monitor KRIs and KPIs
RACI model
Model
Responsible
Who is responsible for the activity
Accountable
Who is accountable for the activity
Consulted
Whose opinion is sought
Informed
Who is kept updated about the activity
All roles must be defined
Changes based on domain
Complexity is directly proportional to the number of levels in the domain
Can be extended with additional roles
Ex: Ownership, Assurance, Delegation
Ownership
Multi-faceted
Depends on the position in the governance model and domain model
Can be of
asset
liability (cannot be delegated)
impact
Owner
Sets goals, risk appetite and performance
targets
Accountable for performance of assets in the
domain
Trustee
Also called steward
Responsible for performance of assets in the
domain
Can set policy on behalf of domain authority or
owner
Custodian
Policy authority is not delegated
Responsible for performance of assets in the
domain
Complies with policies already set
Compliance role
To check and report on policy compliance and
risk appetite
Reports to the owner of the domain
Audit role
Appointed by the superdomain
Responsible for auditing performance of assets
in a subdomain
Reports to the owner of the superdomain
Service Architecture
Top-down process analysis
Vertical security consistency
Accurate representation of the conceptual attribute at each layer
Horizontal security consistency
Process layers
Meta-process
Contextual layer
Strategic view of process
Conceptual layer
Information flows and transformations
Logical layer
Data flows and system interaction
Physical layer
Protocols and step sequences
Component layer
Security services are generally represented using an SOA model
Information types
Static
No changes in short term
Dynamic
Changes in short term
Service types
Implicit
Services in the same domain
Subtypes
Primary
Self-contained in an element of the domain
Secures the element from within
E.g. authentication, authorization
Secondary
Operate between elements in a domain
Secure the communication between the elements
E.g. confidentiality, non-repudiation
Explicit
Services that are explicitly requested from one domain by another
Service placement
Layer concept
Layers must be properly integrated and aligned
Trust between layers is assumed by default
Layers
Processing layer
Antivirus and other security controls, local user authentication, local services, backups and change controls
Information transfer layer
Network
Data Management Subsystem
Middleware
Service management
Set of specialized organizational capabilities at each layer
Matches business requirements for controls and enablers
Makes the security capability and resources available in a highly usable form
All activities in each layer need to be defined
Domain Models
Security Domain
Set of elements subject to a common security policy
Owned by a single policy authority
Can exist in multiple dimensions
Domain Registration Authority
Sets policy for the domain
Establishes identity and verifies credentials
Domain Certification Authority
Provides the chain of trust
Receives and certifies public keys
Types of domains
Subdomain
Set of elements under a single policy authority that complies with a higher authority
Superdomain
A domain that contains one or more compliant subdomains
Peer domain
Domains that share a common superdomain policy
Logical domain
Logical classification, department or line of business
Converts the enterprise policy to a more granular one that can be understood locally
Can have multiple physical domains
Physical domain
Set of physical elements
Can have multiple logical domains
Serves the needs of the logical domain
Isolated domain
Enforces its own self-contained policy
Boundary must be explicit
Trust is constant within the domain
Has no inter-domain associations
Independent domain
Enforces its own self-contained policy
Boundary must be explicit
Trust is constant within the domain
Trust between domains is not constant
Has a gateway for inter-domain associations
Honeycomb domain
Contains many cells, each with its own perimeter
Each cell has an independent access policy
Ex: physical access control, where each cell has its own perimeter and parameters
Combined domain
Combines an independent or isolated domain with a honeycomb domain
Strength-in-depth provision
Resolves the variable-trust and binary-gateway issues
Common in classified systems requiring clearance
Multi-tiered domain
Layered model of domains
New policy at each boundary
Communication
Inter-domain policy associations
Simple
Interactions between two independent domains, or between a superdomain and a subdomain
Complex
Via a trusted third-party domain
Both domains must adhere to the third party's policy
Using a mutually agreed policy
Policy authorities from the two domains agree on a common policy
Is difficult to implement due to conflicting risk appetites
Policy authorities enforce their policies independently at the boundary or gateway
Attributes
Can be domain-specific
Conceptual abstraction of a real requirement
Are multi-tier
Distribute responsibilities downwards
Aggregate performance upwards
Must be measurable
Articulate performance targets relative to the targets of superdomains
Can be mapped to the control objectives of various standards and regulations, so that one attribute profile demonstrates compliance with several of them
Examples
Business attributes
Reputable
Accurate
Security attributes
Integrity
Authentication
User attributes
Accessible
Accurate
Reliable
Regulatory attributes
Admissible
Compliant
Regulated
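The multi-tier behaviour of attributes (targets pushed down to subdomains, performance aggregated back up, each subdomain's target articulated relative to its superdomain's) is easier to see when run over a small domain tree. The Python block below is an added example and not part of the SABSA material: it models superdomains and subdomains, distributes attribute targets downward so that a subdomain may tighten but never relax an inherited target, aggregates measured performance upward, and produces the report the compliance role would hand to the domain owner. The 0..1 numeric scale for attributes, the weakest-link aggregation rule and the sample enterprise are assumptions of the example; SABSA only requires that attributes be measurable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Domain:
    """A security domain: elements under one policy authority, with
    measurable attribute targets. Targets and measurements are fractions
    in [0, 1] (e.g. 'Accurate' = 0.99); this scale is an assumption."""
    name: str
    policy_authority: str
    targets: Dict[str, float] = field(default_factory=dict)
    measured: Dict[str, float] = field(default_factory=dict)  # own elements' performance
    subdomains: List["Domain"] = field(default_factory=list)
    superdomain: Optional["Domain"] = None

    def add_subdomain(self, sub: "Domain") -> "Domain":
        sub.superdomain = self
        self.subdomains.append(sub)
        return sub

    def distribute(self) -> None:
        """Push targets downward. A subdomain may set a stricter (higher)
        local target but must not fall below the superdomain's target,
        because its performance is what gets aggregated upward."""
        for sub in self.subdomains:
            for attr, target in self.targets.items():
                local = sub.targets.get(attr)
                if local is None or local < target:
                    sub.targets[attr] = target
            sub.distribute()

    def aggregate(self, attr: str) -> Optional[float]:
        """Aggregate performance upward: the weakest element or subdomain
        sets the level the domain can claim (weakest-link rule, an
        assumption of this example)."""
        values = []
        if attr in self.measured:
            values.append(self.measured[attr])
        for sub in self.subdomains:
            v = sub.aggregate(attr)
            if v is not None:
                values.append(v)
        return min(values) if values else None

    def compliance_report(self) -> Dict[str, dict]:
        """What the compliance role reports to the domain owner: achieved
        level versus target per attribute, plus the weakest subdomain,
        which is where the audit role would look first."""
        report = {}
        for attr, target in self.targets.items():
            achieved = self.aggregate(attr)
            candidates = [s for s in self.subdomains if s.aggregate(attr) is not None]
            weakest = min(candidates, key=lambda s: s.aggregate(attr), default=None)
            report[attr] = {
                "target": target,
                "achieved": achieved,
                "compliant": achieved is not None and achieved >= target,
                "weakest_subdomain": weakest.name if weakest else None,
            }
        return report


def example_enterprise() -> Domain:
    """Constructed sample: an enterprise superdomain with two logical
    subdomains (lines of business); 'payments' tightens one target and
    tries to relax another."""
    ent = Domain("enterprise", "CISO", targets={"Accurate": 0.99, "Accessible": 0.95})
    ent.add_subdomain(Domain("retail", "Head of Retail",
                             measured={"Accurate": 0.995, "Accessible": 0.97}))
    payments = ent.add_subdomain(Domain("payments", "Head of Payments",
                                        targets={"Accurate": 0.999},
                                        measured={"Accurate": 0.998, "Accessible": 0.93}))
    payments.targets["Accessible"] = 0.90   # weaker than the superdomain: overridden
    ent.distribute()
    return ent


if __name__ == "__main__":
    ent = example_enterprise()
    for attr, row in ent.compliance_report().items():
        print(attr, row)
```

Running the block shows the two directions at once: `payments` keeps its stricter 0.999 target for `Accurate` but has its relaxed `Accessible` target replaced by the inherited 0.95, and the enterprise misses `Accessible` because the aggregated figure is bounded by its weakest subdomain.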