Security Architecture Artifacts
Security architecture artifacts are valuable tools for maintaining consistency and traceability in security design. Design artifacts describe how the security controls are positioned and how they relate to the overall security architecture. These controls serve to maintain the system’s quality attributes, among them confidentiality, integrity, availability, accountability and assurance.
Sherwood Applied Business Security Architecture (SABSA) is a framework for developing risk-driven enterprise information security and information assurance architectures. The six layers are contextual architecture, conceptual architecture, logical architecture, physical architecture, component architecture, and security service management architecture. The security service management architecture is overlaid vertically over the five layers. (orbussoftware.com, n.d.)
Below are examples of how Security Service Management pertains to each layer:

Contextual architecture: this is a description of the business context. A good example of security service management in this layer would be understanding the IT security industry regulations that provide that context. (Sherwood et al., n.d.)


Conceptual architecture: this is the overall concept by which the enterprise's business requirements are met. A good example of security service management for this layer would be determining what electronic information or assets must be protected, why, and how they will be protected.


Logical architecture: this is the designer's view. The concept is visionary, but this is the layer where the vision is turned into a logical structure to create a natural system. A good example of security service management for this layer is specifying the logical security services. A healthcare provider will need proper backup databases regulated by HIPAA to protect patient information.


Physical architecture: the logical service is now expressed in terms of the physical security mechanisms and servers that deliver these services. A good example of security service management for this layer would be specifying security mechanisms like encryption, access control, digital signatures, virus scanning, etc.


Component architecture: this is about successfully assembling professionals with the right skills to achieve our secure system architecture. A good example of security service management for this layer is deploying encryption or access control.

Coursework 
security_architecture_final_paper.pdf

This artifact is an overarching project that addresses topics covered in CSOL 520 (Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Security Architecture and Operations).
Reflections
Enterprise Security Architecture is a consistent and traceable blueprint of how information technology infrastructure will be utilized across organizations to help meet the business strategy. This blueprint can help establish a clear framework for technology solutions, standards, and policies an organization uses to align its information technology security initiative with business objectives. 

I was prompted to select the final paper in course CSOL 520 as a coursework artifact because this project combines all the pieces of building an overarching security architecture that closely follows the initiative described in the SABSA framework. Enterprise architecture development requires input from all stakeholders involved in the organization, and the final project would be a great example of approaches to developing a blueprint.

Many security and information technology professionals view security architectures as nothing more than security policies, controls, and monitoring. Today’s infrastructures have changed, and security is different from before. Hence, every security professional is responsible for understanding business objectives and supporting them by implementing proper controls that can be simply justified to stakeholders and linked to the business risks. Security professionals must adhere to and refer to the security blueprint in decision-making. Still, ethically, it’s our moral obligation to study the needs of the business and voice out outdated implementations (Ghaznavi, n.d.).

References
Ghaznavi, R. (n.d.). Enterprise Security Architecture—A Top-down Approach. ISACA. Retrieved February 20, 2023, from https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
Orbussoftware. (n.d.). What is SABSA? Orbus Software. Retrieved February 20, 2023, from https://www.orbussoftware.com/solutions/governance-risk-and-compliance/sabsa/what-is-sabsa
SABSA. (n.d.). Lorem ipsum dolor sit amet, consectetuer adipiscing elit. SABSAcourses. Retrieved February 20, 2023, from