Developing an information security program using SABSA, ISO 17799

The SABSA model uses different roles that work with these different perspectives:

This is a similar approach as software development. Someone at a software company uncovers a business need to develop a specific software product. (Business owner) The next group gets more granular and develops the necessary functionality of this product that their customer base would require. (Architecture) The next group gets more granular and develops the overall, high-level design for this product. (Designer) The next group gets more granular and develops the technical specifications of the product. (Builder) The next group gets more granular and develops the actual software code for the product. (Tradesman) And the next group configures and maintains the product. (Facilities Manager).

Now, if you are new to security and what is actually required in a security program, this model and approach may make you bleed from the ears. It all depends upon your level of experience and knowledge of security in the first place. If a company is just trying to figure out what should be in its security program, then it should start with ISO 17799. This standard will hold your hand and state, "You need building block A, you need building block B, you need building block C, etc." But as stated before, many if not most companies have many of the building blocks in place, but that does not mean they have security governance. Security governance is the threads that expand and connect all of these building blocks and allow the security program to work as a living organism throughout all of the departments of a company.

If a company has its security building blocks in place, it can evolve past ISO 17799. If the company would like a holistic approach of how to actually integrate security through out the whole enterprise at the different levels, then it can look to the SABSA model.

There is no doubt that the SABSA model is theoretical and academic in nature, which means that it can be difficult for many in the security field to understand and use. But most people in our industry are not accustomed to working from an architectural level down to the component level. Our industry came from technology, so most security professionals only work the Physical, Component and Operational levels.

If a security program is only made up of Physical, Component, and Operational mechanisms, there is no way that security governance is in place. Security governance requires all levels to be working in concert.

Please also remember that the ISO 17799 and SABSA are frameworks that provide guidance. You can use them as starting places to develop your own approach for developing and implementing a security program. If you choose to implement the SABSA model, maybe you don't need six full layers or maybe your organization needs seven layers. Although many people in our industry are not ready to understand and implement the SABSA model, it (or something like it) is where we are going as our need to integrate security into business processes increase, and as governance and oversight is demanded from laws and regulations. If you still need to get your head around ISO 17799, don't look at SABSA. If you understand and have implemented ISO 17799 (or something close) read the book Enterprise Security Architecture, which describes the SABSA model. Don't try and implement it the next day, think about it for a while and ponder how it can help your organization and know that it is just a framework and it is up to you to decide which pieces and parts work for your organization.

About the author:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Risk Management Strategies,   Security Audit, Compliance and Standards,   ISO 17799,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues How to align an information security framework to your business model When to use open source security tools over commercial products Vulnerability test methods for application security assessments Security book chapter: Applied Security Visualization The 100-day plan: Achieving success as a new security manager Recovering stolen laptops one step at a time How to get information security buy-in from the executive team ISO 17799 How to write a risk methodology that blends business, security needs IT auditing applications and tools for ISO 27002 certification Security survey finds increase in security standards adoption Mix of Frameworks and GRC Satisfy Compliance Overlaps GRC: Over-Hyped or Legit? Is the Orange Book still relevant for assessing security controls? How do ISO 17799 and SAS 70 differ? How to apply ISO 27002 to PCI DSS compliance How to migrate from SAS 70 to ISO 27001 Should ISO 17799 play a role in risk assessment? Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.