SABSA Foundation

• CIO / CISO / CRO / CIRO
• IT Strategists and Planners
• IT Architects
• IT Development Managers and Project Leaders
• Software Managers and Architects
• Computer / Information Security Managers, Advisors, Consultants & Practitioners
• IT Line Managers
• IT Service Delivery Managers
• Risk Managers
• Internal and External Auditors

SABSA Key Points

SABSA is used extensively by global business and governments around the world.

• SABSA provides a world-leading approach to the development and deployment of solutions to manage cyber risk, assurance and security in a globally accelerating digital business environment.
• Since the launch of the SABSA certification program in 2007, InfoSec professionals in 43 countries have obtained SABSA Certification
• Top-tier banks around the globe have adopted SABSA for their security architecture framework
• Major Government departments – particularly those concerned with defence, security and law enforcement – have adopted SABSA
• The SABSA Institute and The Open Group have announced collaboration in the development of the next generation TOGAF. This joint development puts SABSA Business Attributes Profiling (BAP) at the heart of the TOGAF Architecture Development Method (ADM) for requirements management – not just for security, but also for all aspects of business requirements definition.

F1 – Security Strategy and Planning

This module provides participants with a comprehensive understanding of how the SABSA framework delivers successful security strategy and architecture. Through a series of innovative presentations, case studies and workshops, you will develop the skills to use the most proven security architecture design and management processes and find out how to develop a comprehensive strategy for the creation of a security architecture that genuinely meets the needs of your organisation.

• Define enterprise security architecture, its role, objectives and benefits
• Describe the SABSA model, architecture matrix, service management matrix and terminology
• Describe SABSA principles, framework, approach and lifecycle
• Use business goals and objectives to engineer information security requirements
• Create a business attributes taxonomy
• Apply key architectural defence-in-depth concepts
• Explain security engineering principles, methods and techniques
• Use an architected approach to design an integrated compliance framework
• Describe and design appropriate policy architecture
• Define security architecture value proposition, measures and metrics

F2 – Security Service Management and Design

This module leverages the strategy defined in Foundation Module One to create the roadmap to design, deliver and support a set of consistent and high-quality security services.

Covering the good practice lifecycle, participants will find out how to design, deliver and support a comprehensive security services architecture that integrates fully and seamlessly with their existing IT management and business infrastructure and practices.

1. • Use SABSA to create an holistic framework to align and integrate standards
   • Describe roles, responsibilities, decision-making and organisational structure
   • Explain the integration of SABSA into a service management environment
   • Define Security Services
   • Describe the placement of security services within ICT Infrastructure
   • Create a SABSA Trust Model
   • Describe and model security associations intra-domain and inter-domain
   • Explain temporal factors in security and sequence security services
   • Determine an appropriate start-up approach for SABSA Architecture
   • Apply SABSA Foundation level competencies to your own environment

This 5-day Foundation Certificate program has been designed to provide participants with a thorough coverage of the knowledge required for the SABSA Foundation Level Certificate. It is structured in two modules:

• Module F1: Security Strategy & Planning
• Module F2: Security Service Management

This module provides participants with a comprehensive understanding of how the SABSA framework delivers successful security strategy and architecture. Through a series of innovative presentations, case studies and workshops, you will develop the skills to use the most proven security architecture design and management processes and find out how to develop a comprehensive strategy for the creation of a security architecture that genuinely meets the needs of your organisation:

1. Information Security Strategy, Benefits and Objectives

• Security: A Cultural Legacy as a Business Constraint
• Technical Legacy of Tactical Point Solutions
• Security Strategy, Tactics and Operations
• Critical Success Factors for Business, IT and Security
• Measuring and Prioritising Business Risk
• Enabling Business and Empowering Customers
• Adding Value to the Core Product
• Protecting Relationships and Leveraging Trust

2. Introduction to SABSA Best Practice

• Information Security and its Role in the Modern Enterprise
• Enterprise Security Architecture: Definition and Principles
• The History of SABSA Development
• Introduction to the SABSA Model
• The Business View of Security: Contextual Architecture
• The Architect's View of Security: Conceptual Architecture
• The Designer's View of Security: Logical Architecture
• The Builder's View of Security: Physical Architecture
• The Tradesman's View of Security: Component Architecture
• The Service Manager's View of Security: Operational Architecture
• Traceability from Business Requirements to Deployed Solutions
• The SABSA Matrix and Service Management Matrix

3. Business Requirements & How To Define Them

• Business Goals, Success Factors and Operational Risks
• Business Processes and the Need for Security
• Location Dependence of Enterprise Security Needs
• Organisation and Relationships Affecting Enterprise Security
• Time Dependency of Enterprise Security
• Collecting Enterprise Requirements for Security
• Creating a Business Attributes Profile
• Defining Control Objectives

4. Strategic Concepts & How To Apply Them

• Managing Complexity
• Systems Engineering for Security
• Architectural Layering
• End-to-End Security
• Defence-in-Depth Models
• Security Domains
• Security Associations
• Trust Modelling
• Organisation & Workflow
• Infrastructure Strategy
• Management Strategy

5. The Strategy Programme & Architecture Delivery

• The SABSA Development Process
• The SABSA Lifecycle
• Strategy and Concept Phase Processes and Sub-processes
• Design Phase Processes and Sub-processes
• Implement Phase Processes and Sub-processes
• Manage and Measure Phase Processes and Sub-processes
• Scope, Deliverables and Project Sequencing

6. Managing The Strategic Programme

• Introduction to Return on Investment & Return of Value
• Defining the Benefits and Value Propositions
• Selling the Benefits
• Getting Sponsorship and Budget
• Building the Team
• Team Competency Assessment & Development
• Programme Planning and Management
• 'Fast Track' Start-up Programmes
• Collecting the Information You Need
• Gaining Consensus on the Conceptual Architecture
• Strategic Architecture Governance, Compliance and Maintenance
• Identifying Quick Wins and Gaining Long Term Confidence

This module leverages the strategy defined in Foundation Module One to create the roadmap to design, deliver and support a set of consistent and high-quality security services. Covering the good practice lifecycle, participants will find out how to design, deliver and support a comprehensive security services architecture that integrates fully and seamlessly with their existing IT management and business infrastructure and practices:

1. The SABSA Security Management Framework

• SABSA in the I.T. Lifecycle
• Using SABSA To Integrate Other Methods, Models & Standards
• SABSA and the ITIL Framework
• SABSA and CobIT
• SABSA and Project Management Standards
• SABSA and ISO Security Standards
• SABSA and IT Architecture

2. Security Policy Management

• Policy Principles
• Policy Content, Hierarchy & Architecture
• Security Policy Making
• Information & Systems Classification
• Third Party & Outsourcing Strategy & Policy Management

3. Operational Risk Management

• The Meaning of Risk
• Risk Philosophy & Methodology
• Corporate Governance & Enterprise Risk Management
• Risk Measurement and Risk Assessment
• Risk Mitigation
• Risk Appetite
• Risk Management Tools
• Measuring Success of Risk Management

4. Security Organisation & Responsibilities

• Security Governance
• Security Culture Development, Training & Awareness
• Ownership & Custody
• Service Provider & Customer Roles in Security Management
• Enterprise Audit & Review Framework

5. Assurance of Operational Continuity

• Business Continuity Planning
• Contingency Planning
• Crisis Management
• Business Recovery Planning

6. Systems Assurance

• Technical Assurance of Security Correctness & Completeness
• Managing the Assurance Process for Systems & Software Development
• Assuring Integrity and Acceptable Use of Systems & Software
• Principles of Multi-phased Testing

7. Security Services Architecture

• Information as the Logical Representation of Business
• Logical Entities & Their Relationships
• Using Trust Models to Define Security Services
• Security Domains, Domain Definitions & Associations
• Security Processing Cycle

8. Security Infrastructure Services

• Security Rules, Practices & Procedures
• Security Mechanisms
• User Security
• Platform & Network Security
• Infrastructure for Service Delivery
• Technical Standards & Components