SABSA Asset Architecture and Management

Questions and Answers

What is the primary focus of the facilitated workshop approach to SABSA start-up?

Validating the security architecture with Executive Management

Foreseeing difficulties and managing expectations

Identifying key allies and opponents in the organization

Creating deliverables for all SABSA Architecture Layers (correct)

Which of the following is NOT a characteristic of the Fast-Track facilitated workshop approach?

Creates deliverables for multiple SABSA Architecture Layers

Requires week-long access to Executive Management (correct)

Involves pre-selling of ideas

Focuses on politics and diplomacy

What is the primary benefit of using the Fast-Track facilitated workshop approach?

It saves time and resources (correct)

It ensures Executive Management buy-in

It identifies key security concerns

It creates a detailed security architecture

What is the purpose of understanding the 'buttons' of stakeholders in the organization?

To know how to 'push' them to agree to the security architecture (D)

Why is it important to identify key allies and opponents in the organization?

To build a coalition to support the security architecture (A)

What is the purpose of the sample interview scripts provided in the appendices?

To provide a starting point for stakeholder interviews (A)

What is the time limit for answering the competency domain questions?

2 minutes 30 seconds (B)

What is the purpose of the recap and capture step in the facilitated workshop approach?

To create a summary of the workshop outcomes (A)

What is the primary purpose of information in the SABSA framework?

To contribute to business knowledge for decision-making (A)

Which layer of the SABSA Matrix is concerned with the Information Assets?

Logical (D)

What are the three types of assets in the SABSA framework?

Information, Logical, and Component (A)

What is the role of SABSA techniques in Release and Knowledge Management?

To align with established frameworks and standards (B)

What are the characteristics of Data Assets?

Raw facts, figures, and events (A)

What is the relationship between the Conceptual Attributes and the asset properties?

The asset properties derive from the Conceptual Attributes (C)

What is the purpose of the SABSA Architecture Design Phase layers?

To describe the characteristics and deliverables of the SABSA Architecture Design Phase layers (A)

What is the primary value of information in the SABSA framework?

Contribution to business knowledge for decision-making (A)

What is the primary purpose of the SABSA Assurance Framework?

To explain the application of risk management and its relationship with risk level (B)

What is the role of a Domain Policy Authority in the SABSA architecture?

To operate within the risk appetite parameters of the super domain (B)

What is the relationship between risk levels and policy levels in the SABSA architecture?

Risk levels and policy levels are associated through the SABSA contextual and conceptual layers (C)

What is the purpose of risk metadata management in the SABSA architecture?

To manage risk data and risk registers (A)

What is the relationship between business risks and opportunities in the SABSA architecture?

Business risks and opportunities exist traceably through every layer of the architecture (D)

What is the role of actuarial data in the SABSA architecture?

To summarize the possible applications of pure risk, appetite thresholds, and dynamic thresholds (C)

What is the purpose of risk analysis tools in the SABSA architecture?

To analyze and monitor risk at the conceptual layer (C)

What is the role of dynamic thresholds in the SABSA architecture?

To summarize the possible applications of pure risk, appetite thresholds, and actuarial data (D)

What is the purpose of automatic equipment identification?

To authenticate connections from specific locations (B), To verify the identities of components and equipment (C)

What is the focus of the risk and policy management architecture?

Business risks and opportunities to logical domains (A)

What is the primary concern in the FIFE business context?

Information confidentiality in storage and in transit (A), Information integrity in storage and in transit (B)

What is the purpose of the logical services in the architecture controls and enablers?

To provide message origin authentication and message integrity (A), To manage credentials issuance and session authentication (B), To enable non-repudiation and replay protection (C), To manage stored data integrity and confidentiality (D)

What is the purpose of the ORM architecture inheritance and re-use?

To establish first enterprise attributes and control objectives (A), To reuse established attributes and controls in subsequent projects (C), To create a traceable layer-map from business requirements to controls (D)

What is the purpose of the SABSA risk assessment?

To identify risks and opportunities in logical domains (C)

What is the purpose of the integrated controls and enablers library?

To model the MTCS library (D)

What is the focus of the business attributes in the FIFE business context?

All of the above (D)

What is the primary purpose of modeling controls to achieve performance targets?

To achieve the desired risk appetite thresholds (C)

What is the benefit of reusing 'standard' solutions in the ORM architecture?

It saves time and effort in subsequent projects (D)

What is the purpose of the Integrated Controls & Enablers Library?

To model the appropriate controls to achieve performance targets (A)

What is the relationship between the attributes and performance thresholds in the ORM architecture?

The attributes are required to achieve the performance thresholds (A)

What is the purpose of identifying the attributes required by project #2?

To identify new attributes required by the project (C)

What is the benefit of using the MTCS modelled approach?

It provides a standardized approach to risk assessment (D)

What is the purpose of the ORM architecture inheritance and re-use?

To save time and effort in subsequent projects (C)

What is the relationship between the risk assessment and the performance targets?

The risk assessment is used to achieve the performance targets (A)

Study Notes

Asset Architecture & Asset Management

• Asset Architecture consists of three layers: Logical, Physical, and Component
• The SABSA Matrix is a design phase that has three layers: Logical, Physical, and Component
• Logical Assets include Information Assets and Logical Asset Management, which involves Inventory of Information Assets, Information Model of the Business, and Knowledge Management
• Physical Assets include Data Assets and Physical Asset Management, which involves Data Dictionary & Data Storage Devices Inventory, Change Management, and Platform & Data Storage Management
• Component Assets include Products and Tools, including Data Repositories and Processors, and Component Management, which involves Product & Component Standards Management

Competency Objectives for Section 12

• Describe the characteristics and deliverables of the SABSA Architecture Design Phase layers
• Explain the constructs and characteristics of assets at logical, physical, and component layers
• Identify the role of SABSA techniques for security in Release & Knowledge Management
• List and define possible start-up approaches to SABSA Enterprise Security Architecture

Constructs & Characteristics of Assets

• Data Assets are raw facts, figures, and events collected by observation and recording, and stored in a specific location
• Information Assets are transformed data that is qualitative, and have context and meaning through organization and presentation
• Asset Value in SABSA is achieved if it has certain properties such as Accuracy, Completeness, Timeliness, Availability, and Relevance

Relationship With Conceptual Assets

• Business Drivers for Security are derived from the Conceptual Attributes
• The purpose of information is to contribute to business knowledge for decision-making
• Attributes in the Conceptual Layer include Accuracy, Completeness, Timeliness, and Availability

Risk & Policy Management Architecture

• Policy Management Architecture includes Policy Publication & Compliance Management, Risk Management Practices, and Risk Data Management
• Risk Management Practices include Risk Analysis Tools, Risk Registers, Risk Monitoring & Reporting, and Risk Metadata Management
• Risk Data Management includes Risk Management Components & Standards, and Risk Procedure Management

Competency Objectives for Section 13

• List the requirements for architected controls in Risk & Policy Management Architecture
• Explain the association of architected controls with SABSA Contextual & Conceptual layers
• Describe the structure and objectives of the SABSA Assurance Framework
• Explain the application of the SABSA Assurance Framework and its relationship with Risk Level### Risk and Policy Management Architecture
• Business risks and opportunities are associated with logical domains, physical environment, and infrastructure domains
• Risk level is linked to policy level and control level, which includes activity controls
• Security services are managed at each layer, including security mechanisms and infrastructure and environment management
• Risks and opportunities are managed by standards for tools and products, and security components and configurations

Architectural Control Distribution Case Study

• Business context involves interactions between government departments
• Business drivers for security include information confidentiality and integrity in storage and transit
• Business attributes include confidentiality, integrity, authenticity, and assurance
• Architecture controls and enablers include logical services, physical mechanisms, and component activities
• Logical services include credentials issuance, session authentication, and message origin authentication
• Physical mechanisms include SSL, VPNs, disk encryption, and file hashing
• Component activities include user credential management, certificate management, and key management

ORM Architecture Inheritance and Re-use

• SABSA risk assessment establishes enterprise attributes, control and enablement objectives, and risk register
• The risk assessment creates a traceable layer-map from business requirements to controls
• The layer-map becomes the current-state SABSA enterprise security architecture
• Subsequent SABSA risk assessments can re-use the existing architecture, inheriting controls and enablers from the current-state architecture
• New attributes and performance thresholds required by subsequent projects can be enhanced and added to the existing architecture

Description

This quiz covers the design phase of asset architecture and management, including scope and temporal factors. It is based on the SABSA Institute's framework for security architecture and risk management.