Customer Reviews


6 Reviews
5 star: (3)
4 star: (3)
3 star: (0)
2 star: (0)
1 star: (0)

18 of 21 people found the following review helpful:
5.0 out of 5 stars Really helpful for enterprise security. Not a techie cookbook., February 21, 2006
This review is from: Enterprise Security Architecture: A Business-Driven Approach (Hardcover)
This is a particularly interesting book in that it proposes an approach to developing security architectures that are aligned with Business Needs. Most of the other literature that I have seen in this field seems to throw itself into technical detail and try to be a "cookbook" for techies.

The book is in two distinct parts - the first outlines the philosophy and approach of SABSA (Sherwood Applied Security Architecture) and the second draws on the authors' considerable experience in using SABSA in real-life scenarios, giving a set of "standard" services and mechanisms that should be considered when building an Enterprise Security Architecture.

If you are looking just to do techie "black box" security engineering with routers and servers then this book is not really for you. This is a book for those with a responsibility for enterprises where security can be seen as enabling the business rather than fighting it.

Like others with whom I have spoken, I liked the "quick notes" in the left hand column of every page that let you speed read each chapter. They made it really easy to get a good insight into the subject quickly and focus on the areas that I really wanted to know more about.

One hidden gem in this book is the approach to Measuring Return on investment in security - it opened my eyes to using security as a business enabler.


7 of 7 people found the following review helpful:
5.0 out of 5 stars Step by step professional, January 15, 2007
It is amazing how different books can be. I read dozens of information security management related books, but this one is the only one I can use in my everyday job. If you are a consultant or professional CISO, this book offers tips of how to do things right and how to be efficient. It is the information security management bible. Buy the hardcover version because you will use it every day.


3 of 3 people found the following review helpful:
5.0 out of 5 stars A Book That Should Be On Every Security Architect's Desk, May 26, 2011
This book (and the Sherwood/Clark/Lynas philosophy) was developed in parallel to the Zachman Framework (unbeknownst to either group). If you are familiar with Zachman, you will note several consistencies here. Though some may claim this is only a conceptual read, there are many opportunities to take pieces of the book and apply them in daily architecture. For example, on page 88, it gives several examples of "Business Attributes" in identifying types of business drivers ranging from user, management, operational, risk management, legal/regulatory, technical strategies and business strategies attributes. Thinking these through (and identifying which key ones are important) early in the stages of security architecture helps direct the design in the right way. Also, the book provides several real world examples to help illustrate the "whys".

I had the opportunity to attend training given by David Lynas on Enterprise Security Architecture. I would also recommend attending, as David walks through several exercises in how to apply this methodology.

In the end, if you are responsible for any security architecture, using the principles/concepts/methodologies in this book will assist in making more conscious, sound security decisions.


2 of 2 people found the following review helpful:
4.0 out of 5 stars Great Book for Security Theory - Easier read than CISSP., April 12, 2011
I gave the book 4 stars as it covers the theories of security very well and was somewhat easier to read than the CISSP books. They cover roughly the same topics, but teach differently. If you can read and understand the CISSP books, then this will be a breeze.


2 of 2 people found the following review helpful:
4.0 out of 5 stars Sorry, February 18, 2011
Amazon Verified Purchase
First off, I have read this book cover to cover. I have been practicing information security architecture and implementation for 10 years. I really liked the in-depth coverage of information security in general. The mapping of the Zachman Framework cells to the so-called SABSA framework is also impressive, but is simple enough to not warrant a whole chapter to be honest. But what is evident to me might not be so to the novice so I take nothing away from the author here.

However, I am very disappointed with this book from an application of methods standpoint. I was expecting so much more.
At the very least I expected some 'real-world' scenarios to be covered in some detail so the practitioner can use material, techniques presented in the book on the job. In several places, this book comes close to revealing the application of methodology being propounded under the trade name of SABSA but then fails to do so. Time and again, I turned over to the next page in anticipation but was left disappointed and exasperated! The author simply refers the reader to contact him for further details - well that's the point of reading the book isn't it? I bought this book for the details but left with an imitation of the Zachman Framework, which by the way is still more directly applicable to information security than SABSA in my most humble opinion. If I am wrong in having said that, it is because I did not learn how or why based on my reading of this book.

I still give it 4 because I like to round up from 3.5 - there is too much good information here for the novice for me to rate it 3.


3 of 4 people found the following review helpful:
4.0 out of 5 stars Good Conceptual Security Modeling Book, November 14, 2007
Amazon Verified Purchase
The Enterprise Security Architecture book plays heavily on the SABSA business model created by one of the authors. It appears to be a good high-level large business model, and my company has adopted it.

The problem with the approach is that it is very conceptual, and not well defined for actual business practices. I doubt any company has ever actually implemented the SABSA model in their practices yet.

If you're willing to charge ahead and define your own processes, this could be a great framework for you. The first third of the book was slow and hard for me to read, but the last two thirds were very logical for my understanding.

Whether or not you decide to use the SABSA model, this book is a great reference for a high level enterprise architect or security specialist to suggest better strategies for securing your enterprise.


Enterprise Security Architecture: A Business-Driven Approach by John Sherwood (Hardcover - November 12, 2005)