When it comes to the Contextual Security Architecture, we often want to think in terms of why modern business activities are dependent on information and communication technology. Modern business activities are able to leverage computing systems and expand their global presence as well as improve stakeholder experiences through the use of technology. Unfortunately, these business drivers also pose risks to the business if they are not properly managed. Thus, focusing on how information security enables business activities that would otherwise be too risky helps us to come up with business drivers for security architecture. One example would be the financial and banking industry allowing banking transactions on the Internet. This activity would be too risky without security built into their systems.
Another critical area to think about are safety-critical systems, such as airplanes and energy and city infrastructure systems connected to the Internet. These obviously need to be secured, so must go through what we often describe as an operational risk assessment. Finally, the organizational structures and relationships within company and the location and time-dependencies all relate to business security requirements which we address in our contextual security layer. Sherwood et all show a 36 cell matrix, shown below, of which we are focused on the Contextual Architecture which can be used as a reference (Sherwood, Clark, & Lynas, 2015, pp 42).
Another critical area to think about are safety-critical systems, such as airplanes and energy and city infrastructure systems connected to the Internet. These obviously need to be secured, so must go through what we often describe as an operational risk assessment. Finally, the organizational structures and relationships within company and the location and time-dependencies all relate to business security requirements which we address in our contextual security layer. Sherwood et all show a 36 cell matrix, shown below, of which we are focused on the Contextual Architecture which can be used as a reference (Sherwood, Clark, & Lynas, 2015, pp 42).
From this matrix, we look at the assets (what) and we ask our selves, what do we want to protect, what kind of company are we, what are our primary aims (e.g. protect our reputation)? We then create a business risk model which answers the motivation question to answer why we need to protect these items. Next we determine how we can protect these assets, which is typically done by writing security policies and this creates a business process model. We then ensure we understand the people involved, answering who is involved with protecting the assets and define these within the business organization and relationships. This shows what the structure of the business looks like, how transactions occur, and what systems these transactions go through, often involving communication, transactions, and processes. With these defined we also need to ensure we take into account the location, or where, our business geography exists. Where is the business resides (geographically, laws and regulations) all influence our company. Sometimes we also need to communicate with other areas of the company via remote access, cloud computing, local networks, etc., and thus we need to know what outside 3rd parties come into play within our business. Finally, we consider the timing, or when, these transactions occur, as well as time-gates (hours when certain processes occur), how long they last, what to do with reports and how long to keep reports, and how long it takes to process transactions. One last consideration, is that there are security related questions for detection and protection as well as response and remediation we consider.
It's important to consider our business enablers, such as electronic publishing, on-demand entertainment, value-added information services, remote process control, supply chain management, research and information gathering, and digital business (eCommerce/eBanking/eProcurement/eGovernment). We also consider the assets involved and revenue generation, customer service, market reputation, management control, operating licenses, employee confidence, shareholder confidence, other stakeholders, safety-critical dependencies, remote communication to safety-critical dependencies, and systems assurance. Then we ensure stakeholders understand the motivation, why, of which some examples are brand protection, fraud prevention, loss prevention, business continuity, strategic business development, legal obligations, and confidence of key stakeholders.
In this layer we address risk and SABSA utilizes a specified Risk Assessment Method outlined below. Following this, we are able to move onto the next phase which is the conceptual one, where business attributes are mapped to conceptual attributes to be used in the following phases.
SABSA Risk Assessment Method
Step 1: Determine Assets - Business Drivers and Business Attributes
Step 2: Threat Assessment - Is threat effective (viable) or not?
Step 3: Impact Assessment - H/W/L determination of effect
Step 4: Vulnerability Assessment - Likelihood of success w/out controls
Step 5: Risk Category - Prioritization of risk, risk mapping
References
It's important to consider our business enablers, such as electronic publishing, on-demand entertainment, value-added information services, remote process control, supply chain management, research and information gathering, and digital business (eCommerce/eBanking/eProcurement/eGovernment). We also consider the assets involved and revenue generation, customer service, market reputation, management control, operating licenses, employee confidence, shareholder confidence, other stakeholders, safety-critical dependencies, remote communication to safety-critical dependencies, and systems assurance. Then we ensure stakeholders understand the motivation, why, of which some examples are brand protection, fraud prevention, loss prevention, business continuity, strategic business development, legal obligations, and confidence of key stakeholders.
In this layer we address risk and SABSA utilizes a specified Risk Assessment Method outlined below. Following this, we are able to move onto the next phase which is the conceptual one, where business attributes are mapped to conceptual attributes to be used in the following phases.
SABSA Risk Assessment Method
Step 1: Determine Assets - Business Drivers and Business Attributes
Step 2: Threat Assessment - Is threat effective (viable) or not?
Step 3: Impact Assessment - H/W/L determination of effect
Step 4: Vulnerability Assessment - Likelihood of success w/out controls
Step 5: Risk Category - Prioritization of risk, risk mapping
References
- Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture - A Business-Driven Approach. Boca Raton: CRC Press.