A few months ago, I decided to attend SABSA training. For a while, it had been something on the radar. I wanted to find a good, recognized certification that spanned both architecture and security. SABSA fits the bill quite perfectly.
The course I attended was taught in Winnipeg of all places, and led by the great Michael Legary. Due to some administrative problems on a client end, there ended up being only 2 of us in the course. This worked out great as we were able to explore in more detail the various sections and really work to apply the concepts to our current positions. From a professional services perspective, I was interested in how to apply these concepts to our project delivery. SABSA's focus on creating controls/solutions that are both traceable and justifiable in a business context is, in my opinion, critical to the success of any project.
In case, at this point, you are wondering what SABSA actually is, please allow me to fill in some details.
SABSA stands for Sherwood Applied Business Security Architecture. It is a methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures. It is comprised of a number of frameworks, models, methods and processes.
The SABSA methodology focuses on delivering the following features:
- It is business-driven in nature
- It is risk focused (both from a threat and opportunity standpoint)
- It is comprehensive (and thus can be scaled from point areas to enterprise wide)
- It is modular (you don't have to big-bang this approach)
- It is open source (well, kinda ;) )
- It is auditable (this is the entire point, justify what you are doing)
- It is transparent (two-way traceability)
There is a ton to SABSA. If you are interested in finding out more, please take a gander at the SABSA Whitepaper (registration required).
One thing I will say, it was a TOUGH exam. I think the level of abstraction dealt with in enterprise architecture is hard to grasp over the course of 5 days. I look forward to spending a significant amount of time digesting the course material and integrating it into my day job.