TOGAF® and SABSA® Integration
How SABSA and TOGAF complement each other to create better architectures
A White Paper by:
The Open Group TOGAF-SABSA Integration Working Group,
comprising leading representatives from the SABSA Institute and
members of The Open Group Architecture and Security Forums
October 2011
TOGAF® and SABSA® Integration
Copyright © 2011 The Open Group and The SABSA Institute
The Open Group hereby authorizes you to use this document for any purpose, PROVIDED THAT any copy
of this document which you make shall retain all copyright and other proprietary notices contained herein.
This document may contain other proprietary notices and copyright information.
Nothing contained herein shall be construed as conferring by implication, estoppel, or otherwise any license
or right under any patent or trademark of The Open Group or any third party. Except as expressly provided
above, nothing contained herein shall be construed as conferring any license or right under any copyright of
The Open Group.
Note that any product, process, or technology in this document may be the subject of other intellectual
property rights reserved by The Open Group, and may not be licensed hereunder.
This document is provided "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. Some
jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you.
Any publication of The Open Group may include technical inaccuracies or typographical errors. Changes
may be periodically made to these publications; these changes will be incorporated in new editions of these
publications. The Open Group may make improvements and/or changes in the products and/or the programs
described in these publications at any time without notice.
Should any viewer of this document respond with information including feedback data, such as questions,
comments, suggestions, or the like regarding the content of this document, such information shall be deemed
to be non-confidential and The Open Group shall have no obligation of any kind with respect to such
information and shall be free to reproduce, use, disclose and distribute the information to others without
limitation. Further, The Open Group shall be free to use any ideas, concepts, know-how, or techniques
contained in such information for any purpose whatsoever including but not limited to developing,
manufacturing, and marketing products incorporating such information.
Boundaryless Information Flow™ is a trademark and ArchiMate®, Jericho Forum®, Making Standards Work®,
Motif®, OSF/1®, The Open Group®, TOGAF®, UNIX®, and the "X" device are registered trademarks of The
Open Group in the United States and other countries.
COBIT® is a registered trademark of the Information Systems Audit and Control Association and the IT
Governance Institute.
ITIL® and M_o_R® are registered trademarks of the Office of Government Commerce in the United
Kingdom and other countries.
SABSA® is a registered trademark of the SABSA Institute.
All other brand, company, and product names are used for identification purposes only and may be
trademarks that are the sole property of their respective owners.
Document No.: W117
Published by The Open Group and the SABSA Institute, October 2011.
Any comments relating to the material contained in this document may be submitted to:
The Open Group, 44 Montgomery St. #960, San Francisco, CA 94104
(ogspecs@opengroup.org)
or to:
The SABSA Institute, 17 Ensign House, Admirals Way, Canary Wharf, London E14 9XQ, UK
(info@sabsa.org)
www.opengroup.org
A White Paper Published by The Open Group
Table of Contents
Executive Summary ... 4
Introduction ... 6
Overview of TOGAF-SABSA Integration ... 7
Operational Risk and its Relevance to Enterprise Architecture ... 17
A Central Role for Requirements Management ... 21
Creating an Enterprise Architecture with Integrated Security ... 29
Appendix A: Glossary ... 48
Appendix B: TOGAF Benefits for SABSA Practitioners ... 51
References ... 56
About The Open Group ... 57
About the SABSA Institute ... 57
About the SABSA-TOGAF Integration Working Group ... 58
Boundaryless Information Flow achieved through global interoperability in a secure, reliable, and timely manner
Executive Summary
This White Paper documents an approach to enhance the TOGAF enterprise architecture methodology with
the SABSA security architecture approach and thus create one holistic architecture methodology. The
following aspects are highlighted:
• Overview of TOGAF and SABSA integration – why bolster TOGAF with security architecture and why
use SABSA?
• Operational risk and its relevance to enterprise architecture – why incorporating the concept of
operational risk is essential to modern enterprise architecture design.
• A central role for requirements management – how to perform requirements management using SABSA
Business Attribute Profiling.
• Creating an enterprise architecture with integrated security – how to align SABSA concepts to the
TOGAF ADM.
• TOGAF benefits for SABSA practitioners – how to enhance SABSA-based projects by introducing
TOGAF concepts.
This White Paper is intended to guide enterprise and security architects in fully integrating security and risk
management into enterprise-level architectures, to stimulate review comments and inform the global
architecture community of proposed new content from the SABSA perspective for a future edition of the
TOGAF standard.
In December 2005, The Open Group Security Forum submitted a White Paper (W055: Guide to Security
Architecture in TOGAF) to the Architecture Forum expressing similar intent regarding integrating security
and risk management into TOGAF. This was included in TOGAF 9 but not in the integrated manner that the
Security Forum had intended. The Security Forum is revising W055 to submit as complementary to this
TOGAF and SABSA Integration White Paper.
Integrating security and risk management in enterprise architecture strongly supports The Open Group vision
of Boundaryless Information Flow, by informing well justified design decisions which maximize business
opportunity whilst minimizing business risk.
Where appropriate, this White Paper includes excerpts from the SABSA Blue Book and SABSA White Paper
update, with the full approval and permission of the SABSA Institute.
Introduction
Purpose
Enterprise architecture (including security architecture) is all about aligning business systems and supporting
information systems to realize business goals in an effective and efficient manner (systems being the
combination of processes, people, and technology). One of the important quality aspects of an enterprise
architecture is risk regarding information security and the way this can be managed. For too long, information
security has been considered a separate discipline, isolated from the enterprise architecture. This White Paper
documents an approach to enhance the TOGAF enterprise architecture methodology with the SABSA
security architecture approach and thus create one holistic architecture methodology.
The vision is to support enterprise architects who need to take operational risk management into account, by
providing guidance describing how TOGAF and SABSA can be combined such that the SABSA business
risk and opportunity-driven security architecture approach can be seamlessly integrated into the TOGAF
business strategy-driven approach to develop a richer, more complete enterprise architecture.
There are two main focal points in this White Paper. The first is to describe how SABSA can best be used in
TOGAF-based architecture engagements. Rather than treating security as a separate product, this White Paper
gives a practical approach that makes the SABSA security requirements and services available as common
TOGAF artifacts.
The second focal point is to show how the requirements management processes in TOGAF can be fulfilled in
their widest generic sense (i.e., not only with regard to security architecture) by application of the SABSA
concept of Business Attribute Profiling to the entire ADM process.
Furthermore, TOGAF also offers significant benefits for a pure SABSA-based architecture project and these
are described in Appendix B: TOGAF Benefits for SABSA Practitioners as guidance for SABSA
practitioners.
Project background
The TOGAF-SABSA integration project started in May 2010 as a joint initiative of both the Architecture
Forum and the Security Forum of The Open Group, and the SABSA Institute. With the publication of this
White Paper the project ends.
Next steps
This White Paper intends to communicate current thinking and to elicit comments from the architecture and
security communities. The project results and received comments are submitted via this White Paper to The
Open Group Architecture Forum for their use to create the new security and risk management content for a
scheduled revision of the TOGAF standard and, in particular, the content currently in Chapter 21 regarding
security architecture.
Overview of TOGAF-SABSA Integration
It is the common experience of many corporate organizations that information security solutions are often
designed, acquired, and installed on a tactical basis. A requirement is identified, a specification is developed,
and a solution is sought to meet that situation. In this process there is no opportunity to consider the strategic
dimension, and the result is that the organization builds up a mixture of technical solutions on an ad hoc
basis, each independently designed and specified and with no guarantee that they will be compatible and
interoperable. There is often no analysis of the long-term costs, especially the operational costs which make
up a large proportion of the total cost of ownership, and there is no strategy that can be identifiably said to
support the goals of the business.
An approach that avoids these piecemeal problems is the development of an enterprise security architecture
which is business-driven and which describes a structured inter-relationship between the technical and
procedural solutions to support the long-term needs of the business.
An enterprise security architecture does not exist in isolation. It is part of the enterprise. It builds on
enterprise information that is already available in the enterprise architecture, and it also produces information
that should be used by the enterprise architecture. This is why a close integration of security architecture in
the enterprise architecture is beneficial. In the end, doing it right the first time saves costs and increases
effectiveness compared to bolting on security afterwards. This is why security architects are seeking ways to
align with enterprise architects, and this alignment will be easier if both speak the same language. That
language is provided in this White Paper.
What is TOGAF?
TOGAF [1] is an architecture framework which provides the methods and tools for assisting in the
acceptance, production, use, and maintenance of enterprise architecture. It is based on an iterative process
model supported by best practices and a re-usable set of existing architecture assets.
Why does TOGAF need an update on security architecture aspects?
TOGAF has treated security and risk either implicitly through stakeholder requirements or through a limited
set of techniques in Chapter 21 (Security Architecture and the ADM). The Open Group Architecture Forum
and Security Forum agree that the coverage of security and risk can be updated and improved. Specific
objectives envisaged in this White Paper include:
• Guidance on producing business and risk management-based security architectures, which is increasingly
seen as an essential element of enterprise architecture
• Guidance on developing secure architectures to support business outcomes by enabling exploitation of
business opportunities
• Guidance on producing architectures that enable the efficient management of security
Why include SABSA in TOGAF security architecture?
SABSA is a methodology for developing risk-driven enterprise information security and information
assurance architectures and for delivering security infrastructure solutions that support critical business
initiatives. It is an open standard, comprising a number of frameworks, models, methods, and processes, free
for use by all, with no licensing required for end-user organizations that make use of the standard in
developing and implementing architectures and solutions.
SABSA is business outcome-based. The fundamental idea behind SABSA is that the security architecture is
there to facilitate the business. This is in line with TOGAF concepts.
At the heart of the SABSA methodology is the SABSA Model, a top-down approach that drives the SABSA
Development Process. This process analyzes the business requirements at the outset, and creates a chain of
traceability through the SABSA Lifecycle phases of Strategy & Planning, Design, Implement, and ongoing
Manage & Measure to ensure that the business mandate is preserved.
SABSA contains framework tools created from practical experience, including the SABSA Matrix and the
SABSA Business Attribute Profile that further support the whole methodology.
SABSA is well described in the “Blue Book” [2]. In addition, new SABSA thinking is published at
www.sabsa.org.
The SABSA artifacts described in this paper mainly refer to the Blue Book. However, SABSA thinking has moved
on considerably since the Blue Book was published, so users of this White Paper should also refer to the most
recently published SABSA materials available at www.sabsa.org [3] to reflect current practice.
Brief description of the concepts used
This section gives a short background description of the TOGAF and SABSA concepts relevant for this
White Paper.