SABSA Practitioner: Architecture & Design
Module PT1: SABSA Identity and Access Management Architecture - Course Description
Presented by David Lynas
Identity and Access Management
Identity and access management (I&AM) is arguably the most important and most pervasive concept in the entire field of information security architecture. It addresses a wide range of issues, including:
- Naming schemes for unique identification of entities to which information access privileges are to be granted
- Entity relationships and trust
- Security domains and their information access policies
- Authorisation of entities for future access to selected information resources
- Authentication of an entity as a pre-requisite to granting a real-time information access request
- Checking authorisations in real time to support access control decisions
- Contextual considerations (such as time of day and entity location) in making access control decisions
- Creating and managing event logs of information access activities for audit, forensic and diagnostic purposes
- Administering entity registrations and authorisation profiles
- The application of cryptography for securing remote authentication handshaking protocols
- Directory services for managing entity-related information such as names, aliases, authorisations and authentication information
I&AM strategy and architecture are major considerations for SABSA-based enterprise security programmes. The pervasiveness of this topic is evident in the SABSA framework inasmuch as various aspects of it appear in many different cells of the SABSA Matrix. This topic is the key overarching design discipline for anyone involved in security architecture and design.
Course Overview
This 3-day course provides participants with a practical guide on how to design and implement I&AM strategies and architectures in the wider context of a SABSA-based enterprise information security architecture and risk management programme. This course is not a technical detail course; it is a course on how to apply SABSA models and processes to developing a network security strategy, policy and architecture.
High-Level Learning Objectives
After attending this course a course attendee will be able to:
- Apply the SABSA framework to define the business requirements for I&AM within a given enterprise
- Analyse the business requirements to build a SABSA Business Attributes Profile that reflects the needs of the enterprise for I&AM
- Use the SABSA Business Attributes Profile to create a set of focused control objectives covering all aspects of I&AM
- Plan, design, implement and manage an I&AM strategy and architecture within the SABSA framework
- Plan, design, implement and manage I&AM systems and sub-systems at the conceptual, logical, physical and component layers of the SABSA framework
- Develop and implement SABSA-aligned operational processes for managing identity and access control
- Apply the SABSA framework as a template against which to audit designs and implementations of I&AM systems and processes
Pre-Requisite Knowledge
There are no pre-requisites for attending this course or for sitting the SABSA Institute PT2 examination on completion of the course. However, attendees will probably benefit most if they have some previous knowledge of the SABSA framework, and those wishing to be awarded the SABSA Chartered Practitioner Certificate will need to complete the SABSA Chartered Foundation Certificate before the Practitioner award can be made.
What a Course Attendee will take away
- A comprehensive knowledge of the principles and practice of I&AM within the SABSA framework
- The skill and knowledge to plan, design, implement and manage an I&AM strategy and architecture within the SABSA framework
- A practical SABSA-based approach to managing business processes for identifying and controlling access by authorised business entities, including individuals, groups and organisations
Who Should Attend
- CIO / CISO / CTO / CIRO
- IT Strategists and Planners
- IT Architects
- IT Development Managers and Project Leaders
- Specialist Designers and Developers of Identity and Access Management Systems
- Software Managers and Architects
- Computer / Information Security Managers, Advisors, Consultants & Practitioners
- IT Line Managers
- IT Service Delivery Managers
- Internal and External Auditors
Methodology
The course consists of lectures and workshop sessions, supplemented by case studies drawn from a combination of published real-life examples and/or practical experience. In the workshops attendees will work in small groups to synthesise ideas and strategies and to apply the material in the context of case studies and simulations. Open forum discussions will also feature where appropriate.
Lecture content is naturally less intense than in Foundation classes, with more emphasis on practical work. The course focuses heavily on developing the skills and knowledge for a practitioner through hands-on workshop sessions and discussions, so as to provide the appropriate balance and emphasis on practice rather than theory.
During the course many references will be made to Enterprise Security Architecture: A Business Driven Approach (Sherwood, Clark and Lynas, ISBN 1-57820-318-X) for technical details that cannot be covered in full during the lecture programme. Every course attendee will therefore need to have a copy of this book. If you already own one, please bring it with you. If you would like to purchase one from us then please order your copy along with the course.