'Destined to be a classic work on the topic, Enterprise Security Architecture fills a real void in the knowledge base of our industry. In a comprehensive, detailed treatment, Sherwood, Clark and Lynas rightly emphasize the business approach and show how a carefully thought-out and constructed security architecture can help guide the direction and application of scarce resources to real-world concerns. It is lucid, well-organized and obviously keyed to the vast experience base of the authors.' --John O'Leary, educational director, Computer Security Institute
'The timing of this excellent book could not be better. This work should be on the desk of every CIO, ICT Infrastructure Director and Application Development Director.'
--Prof. Brian Collins, vice president, British Computer Society
'This is an excellent and really authoritative work. It has brought my understanding of infosec to an entirely new level.'
--Niels Bjergstrom, editor-in-chief, Information Security Bulletin
Security is too important to be left in the hands of one systems architect or department -- it is the concern of every enterprise. Having a comprehensive plan for making and keeping an enterprise secure is the responsibility of every senior manager, and requires more than the purchase of security software. Enterprise security requires a framework for developing and maintaining a proactive system to provide business assurance and enable new business opportunities.
The authors have designed a much-needed framework for developing enterprise security architecture using key theoretical models and decades of practical experience. The SABSA® (Sherwood Applied Business Security Architecture) model is generic and defines a process for architecture development, with each solution unique to the individual business. At the heart of this framework is Business Attribute Profiling, the key step in capturing business requirements, defining measurement approaches and setting performance targets for information system risk management. This approach, lacking for decades in the development of information systems, provides a quantum leap for the many systems architects who have been struggling to achieve this business linkage.
Both technical security personnel and business managers will find this book useful as a tutorial or reference tool. It relates security architecture issues to business requirements using charts and graphs, and includes descriptions of real business situations.
John Sherwood, active in operational risk management for more than a decade and an information systems professional for more than 30 years, is the Chief Architect of the SABSA® model. He is also a visiting lecturer and external examiner at Royal Holloway College, University of London, and has published and lectured extensively around the world on information security and risk management.
Andy Clark is a specialist in information security, evaluation, cryptography, systems engineering and information forensics. He has over 20 years' experience in the IT security industry and has provided security architecture consultancy using SABSA® in both the commercial and government sectors. He continues to lecture around the world on information security and forensics.
David Lynas has more than 20 years' experience in information security, during which he has provided strategic advice to major financial, government and industry clients on every continent. He has been actively involved in the development of the SABSA® methodology from its inception. He is a pioneer in using SABSA® to measure return on investment in information systems.