  • Mike Walker

Intersections Between TOGAF and SABSA Standards

This is a known issue within the Open Group. Given this, the TOGAF-SABSA Integration project started in May 2010 as a joint initiative of both the Architecture Forum and the Security Forum of The Open Group, and the SABSA Institute.

For the detailed outputs of this project see: “How SABSA and TOGAF complement each other to create better architectures” available on the opengroup.org site.

SABSA and TOGAF are culturally and philosophically very similar, both being business-focused and both having a vision of architecture as an enterprise-wide blueprint. They have different roots and different histories, however, and therefore the actual frameworks are not identical.

However, the biggest difference is that TOGAF is more of a general-purpose framework, meant to be extended or used as an EA platform to be customized, while SABSA is primarily focused on risk management and security architecture, as shown below:

[Figure: SABSA1]

Each time a particular link is made, it is possible to dispute it when viewing it from a different angle. Mappings that seem obvious to one person make no sense to another. No trivial, single mapping exists between TOGAF and SABSA that seems logical to all. Making the integration work requires a degree of “can do” attitude and some rules of thumb that avoid lengthy, detailed discussions without a logical resolution. High-level mappings between the SABSA approach and the TOGAF ADM are shown below:

[Figures: SABSA-TOGAF-ADM, SABSA-TOGAF-ADM2]

SABSA Defined

The SABSA Institute is the professional member and certification body for Enterprise Security Architects of all specialisms and at all career levels. It governs the ongoing development and management of SABSA intellectual property and the associated certification and education programs worldwide. The SABSA Institute envisions a global business world of the future, leveraging the power of digital technologies, enabled in the management of information risk, information assurance, and information security through the adoption of SABSA as the framework and methodology of first choice for commercial, industrial, educational, government, military, and charitable enterprises, regardless of industry sector, nationality, size, or socio-economic status, and leading to enhancements in social well-being and economic success. Further information on the SABSA Institute can be found at www.sabsa.org.

SABSA is a framework for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions.

Resources

  1. TOGAF 9, an Open Group Standard - www.opengroup.org/togaf

  2. SABSA Blue Book: Enterprise Security Architecture: A Business-Driven Approach - www.sabsa-library.org/index.php?language=en

  3. SABSA White Paper - www.sabsa.org/whitepaperrequest.aspx?pub=Enterprise+Security+Architecture

  4. ISO/IEC 27005:2011: Information Technology – Security Techniques – Information Security Risk Management; ISO/IEC 31010:2009: Risk Management – Risk Assessment Techniques

  5. Risk Taxonomy, Technical Standard (C081) - www.opengroup.org/bookstore/catalog/c081.htm

  6. Open Information Security Management Maturity Model (O-ISM3) - www.opengroup.org/bookstore/catalog/c102.htm
