cockloptarasital

SABSA Security Architecture Framework PDF 14: A Structured Approach to the Steps and Processes Invol



I was unaware of SABSA until recently. SABSA (Sherwood Applied Business Security Architecture) uses a matrix (shown below) for developing risk-driven enterprise information security architectures. Its columns prompt an organization to answer What (assets), Why (motivation), How (process), Who (people), Where (location) and When (time), and its rows descend from the Contextual (business) view through the Conceptual, Logical, Physical and Component views to an Operational (service management) layer, so that every security control can be traced back to the business requirement that justifies it.









The SABSA Institute envisions a global business world of the future, leveraging the power of digital technologies, enabled in the management of information risk, information assurance, and information security through the adoption of SABSA as the framework and methodology of first choice for commercial, industrial, educational, government, military, and charitable enterprises, regardless of industry sector, nationality, size, or socio-economic status, and leading to enhancements in social well-being and economic success.






Security design principles describe a securely architected system, whether it is hosted in the cloud, in on-premises datacenters, or in a combination of both. Applying these principles dramatically increases the likelihood that your security architecture assures confidentiality, integrity, and availability.


While some frameworks offer flexibility, others take a more prescriptive approach. One of the frameworks most often cited by practitioners, the CIS Controls (version 7.1), lists twenty controls across three categories (Basic, Foundational and Organizational):


The CIS Controls framework then goes further and defines three Implementation Groups. Implementation Group 1 (IG1) is for organizations with limited resources and cybersecurity expertise and is positioned as the baseline of essential cyber hygiene. Implementation Group 2 (IG2) is for organizations with moderate resources and cybersecurity expertise. Implementation Group 3 (IG3) is for mature organizations with significant resources and cybersecurity expertise. The groups are cumulative: IG2 includes every IG1 safeguard and IG3 includes every IG2 safeguard. Note that CIS Controls version 8 (2021) consolidated the list to eighteen controls and dropped the three categories, but kept the Implementation Groups.


Published on 7 December 2020, the ENISA National Capabilities Assessment Framework (NCAF) gives EU Member States a way to self-assess and identify their cybersecurity maturity level. The framework offers countries a way to assess their cybersecurity capabilities and, in doing so, provides guidelines for setting national strategies.


SAML (Security Assertion Markup Language) is an OASIS standard that defines a framework for exchanging security information between online business partners. Developed by the OASIS Security Services Technical Committee, SAML is an XML-based framework for conveying authentication, entitlement, and attribute information about a subject. Organizations can apply it to human and machine entities, partner companies, or other enterprise applications. Organizations most often use SAML for web single sign-on (SSO), attribute-based authorization, and securing web services. Because the relying party bases its access decision on the assertion it receives, it must verify the XML signature over the assertion and check the Issuer, the AudienceRestriction and the NotBefore/NotOnOrAfter validity window before honouring any attribute the assertion carries.
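As an added example (not code from the original post, nor from any SAML library), the following Python performs the relying-party checks described above on a SAML 2.0 assertion and only then extracts its attributes. The assertion text, the issuer URL and the audience URL are constructed for the example. XML signature verification is deliberately left out: in a real service provider it must run first (for example with python3-saml), because without it an attacker can forge every field checked here.

```python
"""Condition and audience checks on a SAML 2.0 assertion (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample values; these are not from a real identity provider.
IDP = "https://idp.example.com/metadata"
SP = "https://sp.example.com/saml/metadata"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion must not be trusted."""


def q(tag):
    """Clark-notation name for an element in the SAML assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def parse_instant(value):
    """Parse an xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return the subject and attributes of the assertion, or raise AssertionRejected.

    Assumes the XML signature has already been verified; this function only checks
    issuer, validity window and audience. Untrusted XML should be parsed with
    defusedxml rather than xml.etree in production.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion") or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    issuer = root.findtext(q("Issuer"))
    if issuer != expected_issuer:
        raise AssertionRejected("unexpected issuer %r" % issuer)

    cond = root.find(q("Conditions"))
    if cond is None:
        raise AssertionRejected("missing Conditions")
    # Validity window, with a small allowance for clock skew between IdP and SP.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        raise AssertionRejected("assertion expired")

    # Every AudienceRestriction must name this SP (AND across restrictions,
    # OR within one restriction, as the SAML core spec requires).
    restrictions = cond.findall(q("AudienceRestriction"))
    if not restrictions:
        raise AssertionRejected("no AudienceRestriction")
    for restriction in restrictions:
        if expected_audience not in [a.text for a in restriction.findall(q("Audience"))]:
            raise AssertionRejected("audience mismatch")

    name_id = root.findtext(q("Subject") + "/" + q("NameID"))
    attributes = {}
    for attr in root.iterfind(q("AttributeStatement") + "/" + q("Attribute")):
        attributes[attr.get("Name")] = [v.text for v in attr.findall(q("AttributeValue"))]
    # Real deployments should also record root.get("ID") to reject replays.
    return {"id": root.get("ID"), "issuer": issuer, "name_id": name_id,
            "attributes": attributes}


def run_checks():
    """Exercise the validator on the sample: one accepted case, three rejections."""
    inside = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    out = {"accepted": validate_assertion(SAMPLE_ASSERTION, IDP, SP, inside)}
    cases = {
        "expired": (IDP, SP, inside + timedelta(hours=1)),
        "wrong_audience": (IDP, "https://other-sp.example.net/metadata", inside),
        "wrong_issuer": ("https://evil.example.org/metadata", SP, inside),
    }
    for name, (issuer, audience, now) in cases.items():
        try:
            validate_assertion(SAMPLE_ASSERTION, issuer, audience, now)
            out[name] = "accepted"
        except AssertionRejected as exc:
            out[name] = "rejected: %s" % exc
    return out


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(case, "->", result)
```

The order of checks matters: the assertion is rejected on the first failing condition, and attributes are only read once issuer, window and audience have all passed, so an assertion minted for a different service provider never reaches authorization logic even if it was validly signed.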


Furthermore, the very genre of musing on frameworks is extremely popular among EA writers. For example, the academic literature offers dozens of papers devoted to analysing, comparing and formulating selection criteria for EA frameworks [2]. Gartner alone has issued nearly a dozen reports, each costing several hundred dollars, with its advice on how to analyse, choose and deal with EA frameworks properly [3]. Local consulting companies and software tool vendors offer their own comparisons and framework selection guidelines as well.


So, what do we know about popular EA frameworks besides these speculations? While all the previous analyses compared only the claims and promises of EA frameworks (e.g. which frameworks propose more guidance on which aspects of an EA practice), this article compares their practical consequences and outcomes (e.g. whether EA frameworks in fact delivered on their promises and what their real value is). In particular, the article focuses on the four most widely known EA frameworks: the Zachman Framework, FEAF, DoDAF and TOGAF.


The Department of Defense Architecture Framework (DoDAF) emerged in the mid-2000s as a common approach to architecture for the U.S. Department of Defense (DoD) and represents an evolution of the earlier C4ISR framework of the 1990s [17]. DoDAF defines the views that an architecture should cover, the specific products that should be created to describe them, and the steps that should be followed to develop these deliverables.


Currently, DoDAF can arguably be helpful, at best, as a loose catalogue of diverse models, some of which experienced architects might occasionally find useful or inspiring, predominantly in the realm of solution architecture. No sane human being should ever take the prescriptions of DoDAF seriously as actionable guidance for their EA practice, as DoD did.


The Open Group Architecture Framework (TOGAF) was created by The Open Group in the mid-1990s from the materials of the earlier TAFIM framework [22], which itself was based on models initiated in the mid-1980s. TOGAF provides end-to-end, holistic guidance for an EA practice, including the steps and sub-steps required to develop architecture (the Architecture Development Method, ADM), a comprehensive collection of artifacts and deliverables necessary to describe architecture (the Architecture Content Framework, ACF), governance and maturity models, and many other recommendations [22]. TOGAF is now the most popular EA framework and is regarded by many as the de facto industry standard in enterprise architecture.


Like FEAF and DoDAF, TOGAF follows fundamentally the same mechanistic step-by-step logic as all the earlier architecture planning methodologies (e.g. BSP, Method/1 and Information Engineering) that discredited themselves long ago and, therefore, offers essentially nothing new and simply cannot work successfully in practice [23]. For instance, exactly the same well-known problems associated with all formal architecture methodologies had been reported earlier regarding TAFIM and ultimately led to its retirement (and thus to the emergence of TOGAF):


The discussion above presented a realistic view and analysis of the four most prominent EA frameworks from a pragmatic, practical standpoint. A comparison of the top four EA frameworks is briefly summarised in Figure 1.


As it requires a rich imagination, unshakeable faith or strong commercial motivation to find any resemblance between how successful EA practices actually work and what popular EA frameworks prescribe, these frameworks do not deserve to be discussed seriously, but only to be derided and thrown out. Do not try to implement EA frameworks and, please, beware of the next fads!

