Motivation
The industry has generally adopted TOGAF ADM as the method for delivering an enterprise architecture for an organisation. However, this relegates risk and security to "just another set of requirements" to be collected, rather than a set of qualities that are needed throughout. SABSA is an enterprise architecture framework that concentrates on risk and security. In the real world both are needed so integration is required, but in the longer term TOGAF needs to accommodate security and risk as qualities.
TOGAF & SABSA Integration
In response to recognition of the lack of true security and risk processes, views, and support for explicit security related requirements and verification work has been undertaken by the The Open Group and SABSA organization to integrate the two.
The core of any enterprise architecture is deriving the detail of how the requirements have been made into physical artifacts, so TOGAF puts Requirements Management in the center of the Architecture Development Method (ADM), and SABSA integration starts here. The SABSA Business Attribute Profile and Control Objectives feed the TOGAF Requirements Management phase with security and risk requirements that integrate with the wider requirements. The requirements are expressed in TOGAF terms for Requirements Management and the Business Attribute Profile attributes are added to them to form the requirements catalog.
Influences from the SABSA Logical Layer Security Services Catalog provide the security components of the TOGAF Business Architecture and Information Systems Architecture at different levels. These are initially driven by the Business Attribute Profile and also drive the Architecture Vision goals, principles, drivers and concerns from a security and risk perspective.
The Business Attribute Profile is formed in the SABSA Strategy and Planning Phase, and this feeds the requirements management but inputs primarily to the Architecture Vision and Business Architecture phases in the TOGAF ADM. The SABSA Design Phase primarily influences the TOGAF Information System Architectures phase, and the Technology Architecture Phase. As would be expected, the SABSA Implement Phase primarily influences the end of the TOGAF Migration Phase and input to the Implementation Governance phase. The SABSA Manage and Measure Phase does influence the Architecture Change Management and Governance to some extent, but more shows the need to ensure that changes to the architecture in general need monitoring for continual traceability.
For details as to how the two key frameworks for the security architect are integrated are available in the TOGAF and SABSA Integration White Paper from the SABSA Institute and The Open Group.
No comments:
Post a Comment