40 Questions
What is the primary focus of the facilitated workshop approach to SABSA start-up?
Creating deliverables for all SABSA Architecture Layers
Which of the following is NOT a characteristic of the Fast-Track facilitated workshop approach?
Requires week-long access to Executive Management
What is the primary benefit of using the Fast-Track facilitated workshop approach?
It saves time and resources
What is the purpose of understanding the 'buttons' of stakeholders in the organization?
To know how to 'push' them to agree to the security architecture
Why is it important to identify key allies and opponents in the organization?
To build a coalition to support the security architecture
What is the purpose of the sample interview scripts provided in the appendices?
To provide a starting point for stakeholder interviews
What is the time limit for answering the competency domain questions?
2 minutes 30 seconds
What is the purpose of the recap and capture step in the facilitated workshop approach?
To create a summary of the workshop outcomes
What is the primary purpose of information in the SABSA framework?
To contribute to business knowledge for decision-making
Which layer of the SABSA Matrix is concerned with the Information Assets?
Logical
What are the three types of assets in the SABSA framework?
Information, Logical, and Component
What is the role of SABSA techniques in Release and Knowledge Management?
To align with established frameworks and standards
What are the characteristics of Data Assets?
Raw facts, figures, and events
What is the relationship between the Conceptual Attributes and the asset properties?
The asset properties derive from the Conceptual Attributes
What is the purpose of the SABSA Architecture Design Phase layers?
To describe the characteristics and deliverables of the SABSA Architecture Design Phase layers
What is the primary value of information in the SABSA framework?
Contribution to business knowledge for decision-making
What is the primary purpose of the SABSA Assurance Framework?
To explain the application of risk management and its relationship with risk level
What is the role of a Domain Policy Authority in the SABSA architecture?
To operate within the risk appetite parameters of the super domain
What is the relationship between risk levels and policy levels in the SABSA architecture?
Risk levels and policy levels are associated through the SABSA contextual and conceptual layers
What is the purpose of risk metadata management in the SABSA architecture?
To manage risk data and risk registers
What is the relationship between business risks and opportunities in the SABSA architecture?
Business risks and opportunities exist traceably through every layer of the architecture
What is the role of actuarial data in the SABSA architecture?
To summarize the possible applications of pure risk, appetite thresholds, and dynamic thresholds
What is the purpose of risk analysis tools in the SABSA architecture?
To analyze and monitor risk at the conceptual layer
What is the role of dynamic thresholds in the SABSA architecture?
To summarize the possible applications of pure risk, appetite thresholds, and actuarial data
What is the purpose of automatic equipment identification?
To authenticate connections from specific locations
What is the focus of the risk and policy management architecture?
Business risks and opportunities to logical domains
What is the primary concern in the FIFE business context?
Information confidentiality in storage and in transit
What is the purpose of the logical services in the architecture controls and enablers?
To provide message origin authentication and message integrity
What is the purpose of the ORM architecture inheritance and re-use?
To establish first enterprise attributes and control objectives
What is the purpose of the SABSA risk assessment?
To identify risks and opportunities in logical domains
What is the purpose of the integrated controls and enablers library?
To model the MTCS library
What is the focus of the business attributes in the FIFE business context?
All of the above
What is the primary purpose of modeling controls to achieve performance targets?
To achieve the desired risk appetite thresholds
What is the benefit of reusing 'standard' solutions in the ORM architecture?
It saves time and effort in subsequent projects
What is the purpose of the Integrated Controls & Enablers Library?
To model the appropriate controls to achieve performance targets
What is the relationship between the attributes and performance thresholds in the ORM architecture?
The attributes are required to achieve the performance thresholds
What is the purpose of identifying the attributes required by project #2?
To identify new attributes required by the project
What is the benefit of using the MTCS modelled approach?
It provides a standardized approach to risk assessment
What is the purpose of the ORM architecture inheritance and re-use?
To save time and effort in subsequent projects
What is the relationship between the risk assessment and the performance targets?
The risk assessment is used to achieve the performance targets
Study Notes
Asset Architecture & Asset Management
- Asset Architecture consists of three layers: Logical, Physical, and Component
- The SABSA Matrix is a design phase that has three layers: Logical, Physical, and Component
- Logical Assets include Information Assets and Logical Asset Management, which involves Inventory of Information Assets, Information Model of the Business, and Knowledge Management
- Physical Assets include Data Assets and Physical Asset Management, which involves Data Dictionary & Data Storage Devices Inventory, Change Management, and Platform & Data Storage Management
- Component Assets include Products and Tools, including Data Repositories and Processors, and Component Management, which involves Product & Component Standards Management
Competency Objectives for Section 12
- Describe the characteristics and deliverables of the SABSA Architecture Design Phase layers
- Explain the constructs and characteristics of assets at logical, physical, and component layers
- Identify the role of SABSA techniques for security in Release & Knowledge Management
- List and define possible start-up approaches to SABSA Enterprise Security Architecture
Constructs & Characteristics of Assets
- Data Assets are raw facts, figures, and events collected by observation and recording, and stored in a specific location
- Information Assets are transformed data that is qualitative and has context and meaning through organization and presentation
- In SABSA, an asset achieves value if it has certain properties such as Accuracy, Completeness, Timeliness, Availability, and Relevance
Relationship With Conceptual Assets
- Business Drivers for Security are derived from the Conceptual Attributes
- The purpose of information is to contribute to business knowledge for decision-making
- Attributes in the Conceptual Layer include Accuracy, Completeness, Timeliness, and Availability
Risk & Policy Management Architecture
- Policy Management Architecture includes Policy Publication & Compliance Management, Risk Management Practices, and Risk Data Management
- Risk Management Practices include Risk Analysis Tools, Risk Registers, Risk Monitoring & Reporting, and Risk Metadata Management
- Risk Data Management includes Risk Management Components & Standards, and Risk Procedure Management
Competency Objectives for Section 13
- List the requirements for architected controls in Risk & Policy Management Architecture
- Explain the association of architected controls with SABSA Contextual & Conceptual layers
- Describe the structure and objectives of the SABSA Assurance Framework
- Explain the application of the SABSA Assurance Framework and its relationship with Risk Level
Risk and Policy Management Architecture
- Business risks and opportunities are associated with logical domains, physical environment, and infrastructure domains
- Risk level is linked to policy level and control level, which includes activity controls
- Security services are managed at each layer, including security mechanisms and infrastructure and environment management
- Risks and opportunities are managed by standards for tools and products, and security components and configurations
Architectural Control Distribution Case Study
- Business context involves interactions between government departments
- Business drivers for security include information confidentiality and integrity in storage and transit
- Business attributes include confidentiality, integrity, authenticity, and assurance
- Architecture controls and enablers include logical services, physical mechanisms, and component activities
- Logical services include credentials issuance, session authentication, and message origin authentication
- Physical mechanisms include SSL, VPNs, disk encryption, and file hashing
- Component activities include user credential management, certificate management, and key management
ORM Architecture Inheritance and Re-use
- SABSA risk assessment establishes enterprise attributes, control and enablement objectives, and risk register
- The risk assessment creates a traceable layer-map from business requirements to controls
- The layer-map becomes the current-state SABSA enterprise security architecture
- Subsequent SABSA risk assessments can re-use the existing architecture, inheriting controls and enablers from the current-state architecture
- New attributes and performance thresholds required by subsequent projects can be enhanced and added to the existing architecture
This quiz covers the design phase of asset architecture and management, including scope and temporal factors. It is based on the SABSA Institute's framework for security architecture and risk management.