Module F1: Security Strategy & Planning
THE SABSA FRAMEWORK
1. Information Security Strategy, Benefits and Objectives
- Security: A Cultural Legacy as a Business Constraint
- Technical Legacy of Tactical Point Solutions
- Security Strategy, Tactics and Operations
- Critical Success Factors for Business, IT and Security
- Measuring and Prioritising Business Risk
- Enabling Business and Empowering Customers
- Adding Value to the Core Product
- Protecting Relationships and Leveraging Trust
2. Introduction to SABSA Best Practice
- Information Security and its Role in the Modern Enterprise
- Enterprise Security Architecture: Definition and Principles
- The History of SABSA Development
- Introduction to the SABSA Model
- The Business View of Security: Contextual Architecture
- The Architect’s View of Security: Conceptual Architecture
- The Designer’s View of Security: Logical Architecture
- The Builder’s View of Security: Physical Architecture
- The Tradesman’s View of Security: Component Architecture
- The Service Manager’s View of Security: Operational Architecture
- Traceability from Business Requirements to Deployed Solutions
- The SABSA Matrix and Service Management Matrix
INFORMATION SECURITY STRATEGY
3. Business Requirements & How To Define Them
- Business Goals, Success Factors and Operational Risks
- Business Processes and the Need for Security
- Location Dependence of Enterprise Security Needs
- Organisation and Relationships Affecting Enterprise Security
- Time Dependency of Enterprise Security
- Collecting Enterprise Requirements for Security
- Creating a Business Attributes Profile
- Defining Control Objectives
4. Strategic Concepts & How To Apply Them
- Managing Complexity
- Systems Engineering for Security
- Architectural Layering
- End-to-End Security
- Defence-in-Depth Models
- Security Domains
- Security Associations
- Trust Modelling
- Organisation & Workflow
- Infrastructure Strategy
- Management Strategy
SABSA PRACTITIONER GUIDE
5. The Strategy Programme & Architecture Delivery
- The SABSA Development Process
- The SABSA Lifecycle
- Strategy and Concept Phase Processes and Sub-processes
- Design Phase Processes and Sub-processes
- Implement Phase Processes and Sub-processes
- Manage and Measure Phase Processes and Sub-processes
- Top-down Decomposition of the SABSA Model
- Scope, Deliverables and Project Sequencing
6. Managing The Strategic Programme
- Introduction to Return on Investment & Return of Value
- Defining the Benefits and Value Propositions
- Selling the Benefits
- Getting Sponsorship and Budget
- Building the Team
- Team Competency Assessment & Development
- Programme Planning and Management
- ‘Fast Track’ Start-up Programmes
- Collecting the Information You Need
- Gaining Consensus on the Conceptual Architecture
- Strategic Architecture Governance, Compliance and Maintenance
- Identifying Quick Wins and Gaining Long Term Confidence
Module F2: Security Service Management
THE SABSA SECURITY MANAGEMENT FRAMEWORK
1. The SABSA Security Management Framework
- SABSA in the I.T. Lifecycle
- Using SABSA To Integrate Other Methods, Models & Standards
- SABSA and the ITIL Framework
- SABSA and CobIT
- SABSA and Project Management Standards
- SABSA and ISO Security Standards
- SABSA and IT Architecture
THE SABSA SECURITY POLICY AND RISK MANAGEMENT FRAMEWORK
2. Security Policy Management
- Policy Principles
- Policy Content, Hierarchy & Architecture
- Security Policy Making
- Information & Systems Classification
- Third Party & Outsourcing Strategy & Policy Management
3. Operational Risk Management
- The Meaning of Risk
- Risk Philosophy & Methodology
- Corporate Governance & Enterprise Risk Management
- Risk Measurement and Risk Assessment
- Risk Mitigation
- Risk Appetite
- Risk Management Tools
- Measuring Success of Risk Management
THE SABSA INTEGRATED ASSURANCE MANAGEMENT FRAMEWORK
4. Security Organisation & Responsibilities
- Security Governance
- Security Culture Development, Training & Awareness
- Ownership & Custody
- Service Provider & Customer Roles in Security Management
- Enterprise Audit & Review Framework
5. Assurance of Operational Continuity
- Business Continuity Planning
- Contingency Planning
- Crisis Management
- Business Recovery Planning
6. Systems Assurance
- Technical Assurance of Security Correctness & Completeness
- Managing the Assurance Process for Systems & Software Development
- Assuring Integrity and Acceptable Use of Systems & Software
- Principles of Multi-phased Testing
SECURITY SERVICES DESIGN
7. Security Services Architecture
- Information as the Logical Representation of Business
- Logical Entities & Their Relationships
- Using Trust Models to Define Security Services
- Security Domains, Domain Definitions & Associations
- Security Processing Cycle
8. Security Infrastructure Services
- Security Rules, Practices & Procedures
- Security Mechanisms
- User Security
- Platform & Network Security
- Infrastructure for Service Delivery
- Technical Standards & Components
SECURITY SERVICES DELIVERY & SUPPORT
9. Operational Security Services
- Incident Management
- Incident Response
- Problem Management
- Change Management
- Continuity, Crisis & Recovery Management
10. Security Administration & Management
- Security Service Management
- Security Mechanism Management
- Security Component Management
- System Management & Administration
- User Management & Administration
- Security Audit Management
- Security Operations
- Product Evaluation & Selection
SECURITY SERVICES PERFORMANCE MEASUREMENT
11. Return on Investment & Return of Value
- Return on Investment
- Net Present Value
- Internal Rate of Return
- Defining Value Metrics
- Business Attributes & Return of Value
12. Security Measures & Metrics
- Why Do We Need Measures & Metrics
- Measurement Approaches
- Defining Metrics
- Benchmarking Security
- Remedial Project Planning
- Maturity Models Applied to Security
