Introduction
I passed my SABSA Chartered Foundation (SCF) certification recently. I loved the SABSA methodology and learnt a lot from it. In this post, I am sharing some of the top highlights.
Table of Contents
- What is SABSA
- About SABSA SCF Certification
- Top Learnings from the course and certification
- Conclusion
What is SABSA
SABSA is a methodology for developing risk-driven enterprise information security and information assurance architectures for delivering security solutions. It comprises a number of frameworks, models, methods and processes.
You can refer to the SABSA Executive Summary page for more details about SABSA.
About SABSA SCF Certification
SABSA has three levels of certification.
- SABSA Chartered Foundation (SCF) Certificate
- SABSA Chartered Practitioner (SCP) Certificate
- SABSA Chartered Master (SCM) Certificate
More details about them can be found on the SABSA certification page.
SCF certification includes 5 days of training (you can opt for either virtual or in-person delivery) and 2 multiple-choice exams with 48 questions in each exam. Surprisingly, the training was quite interactive and there were practical workshops as well. The pass mark is 75%. In my opinion, the exam itself is not difficult to pass.
Top Learnings from the course and certification
Focused on business-driven security solutions
SABSA stresses that every security measure or solution should be business-driven: it should be possible to state the impact or benefit of that measure directly in terms of the business, not only in terms of the threat it addresses.
Two-way, end-to-end traceability and accountability
SABSA provides traceability from business vision to business requirements, to strategy, to planning, and finally to the implementation of each security measure, and it assigns accountability at each of those levels. The traceability runs in both directions: from business vision down to implementation, and from any implemented control back up to the business need that justifies it. A control that cannot be traced back to a business requirement is a candidate for removal; a requirement with no control tracing to it is a gap.
Positive risk alongside negative risk
In security we usually consider only negative risk, i.e. the loss events that can occur. SABSA encourages us to consider the positive side as well, so that security enables the business rather than only protecting it. Alongside threat modelling, opportunity modelling should also be carried out. For example, when designing or comparing security solutions, we should consider not only the losses each one prevents but also the positive risks or opportunities it creates for the business, such as making a service or market reachable that the business could not otherwise safely enter.
Easy to integrate with other frameworks
SABSA is designed to be flexible. It does not replace enterprise architecture or service management frameworks but fits alongside them, and it can be combined with frameworks such as TOGAF and ITIL with little friction.
Highly measurable through attributes
A distinctive feature of SABSA is that it is attribute-based. Business attributes (for example, available, confidential, auditable) are the link between business drivers and the entities that support them: SABSA associates every entity (assets, risks, processes, controls, etc.) with a set of attributes, creating a highly connected map of how these entities relate to each other and to the business. Every attribute is expected to carry a metric and a target so that it can be measured, and those measurements are the basis of a security scorecard or dashboard published to stakeholders. An attribute that nobody measures cannot be reported on, and an entity with no attributes cannot be traced to the business.
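As an added illustration of the two points above (two-way traceability and attribute-based measurement), here is a small Python model that links business drivers to attributes, attributes to metrics, and controls to attributes, then checks both traceability directions and produces a scorecard. This is an example written for this post, not SABSA's own artefact or tooling; the attribute names, drivers, targets, control names and measured values are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    """The measurement an attribute is judged by; target is the threshold for 'green'."""
    name: str
    target: float
    higher_is_better: bool = True

    def meets(self, value: float) -> bool:
        return value >= self.target if self.higher_is_better else value <= self.target


@dataclass(frozen=True)
class Attribute:
    """A business attribute traced back to the business driver that justifies it."""
    name: str
    driver: str
    metric: Metric


@dataclass(frozen=True)
class Control:
    """A security measure and the attribute names it claims to support."""
    name: str
    supports: tuple


# Constructed sample profile (hypothetical drivers, attributes, controls and values).
ATTRIBUTES = (
    Attribute("Available", "Online sales must stay up during peak trading",
              Metric("uptime_pct", 99.9)),
    Attribute("Confidential", "Customer records must not leak",
              Metric("records_encrypted_pct", 100.0)),
    Attribute("Auditable", "The regulator can reconstruct who did what",
              Metric("log_coverage_pct", 95.0)),
)
CONTROLS = (
    Control("Anycast CDN with WAF", ("Available",)),
    Control("Database encryption at rest", ("Confidential",)),
    Control("Legacy IDS", ("Detectable",)),  # claims an attribute nobody defined
)
# Constructed measurements; note that log_coverage_pct was never measured.
MEASUREMENTS = {"uptime_pct": 99.95, "records_encrypted_pct": 92.0}


def find_traceability_gaps(attributes, controls):
    """Forward: every attribute needs at least one supporting control.
    Backward: every control must justify itself through a defined attribute.
    Returns (attributes with no control, controls tracing to no attribute)."""
    defined = {a.name for a in attributes}
    supported = {name for c in controls for name in c.supports}
    uncovered = [a.name for a in attributes if a.name not in supported]
    orphans = [c.name for c in controls if not defined.intersection(c.supports)]
    return uncovered, orphans


def scorecard(attributes, measurements):
    """Status per attribute for a stakeholder dashboard. An attribute with no
    measurement is reported as such rather than silently assumed to be fine."""
    status = {}
    for a in attributes:
        value = measurements.get(a.metric.name)
        if value is None:
            status[a.name] = "unmeasured"
        else:
            status[a.name] = "green" if a.metric.meets(value) else "red"
    return status


def trace_lines(attributes, controls):
    """Human-readable trace: driver -> attribute (metric target) -> controls."""
    lines = []
    for a in attributes:
        op = ">=" if a.metric.higher_is_better else "<="
        backing = [c.name for c in controls if a.name in c.supports] or ["<no control>"]
        lines.append(f"{a.driver} -> {a.name} ({a.metric.name} {op} {a.metric.target})"
                     f" -> {', '.join(backing)}")
    return lines


if __name__ == "__main__":
    uncovered, orphans = find_traceability_gaps(ATTRIBUTES, CONTROLS)
    print("Attributes with no supporting control:", uncovered)
    print("Controls that trace to no business attribute:", orphans)
    for line in trace_lines(ATTRIBUTES, CONTROLS):
        print(line)
    print("Scorecard:", scorecard(ATTRIBUTES, MEASUREMENTS))
```

Running it shows the three failure modes the methodology is meant to surface: "Auditable" has a driver and a metric but no control (forward gap), "Legacy IDS" supports an attribute that was never defined (backward gap, a control with no business justification), and the "Auditable" metric was never measured, so it cannot appear honestly on the scorecard.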
Balances security with the other attributes of the business
SABSA advocates that a good security architecture is one that balances security with the other attributes the business cares about, such as performance, usability and cost, rather than maximising security in isolation.
Conclusion
Overall, SABSA is a really helpful methodology that every technical leader in security should consider studying at least once. If one cannot go for the certification, there are other resources for studying it, but the 5-day class (included with the certification) really helps, as the material can get very theoretical if one studies alone. Those resources are:
- For a quicker study, refer to the SABSA white paper: https://sabsacourses.com/wp-content/uploads/2021/02/TSI-W100-SABSA-White-Paper.pdf
- For a more in-depth study, refer to the book Enterprise Security Architecture: A Business-Driven Approach by John Sherwood, Andy Clark and David Lynas
Feel free to contact me on LinkedIn in case you have any feedback or questions on SABSA certification or this post.