Compliance to Enablement - SABSA & GDPR


Compliance to Enablement

Enterprise Security Architecture & GDPR

Maurice Smit

SABSA Instructor &

Principal Consultant

SABSA Framework & Methodology

Methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures, and for delivering security infrastructure solutions that traceably support critical business initiatives

Comprised of a number of integrated frameworks, models, methods and processes

© 2017 David Lynas Consulting Ltd 2

The World’s Leading Security Architecture

Free use methodology and framework

6000+ certified Architects in 50+ countries

Formal regulated professional Institute

Official & de facto standard in Government, Finance & Industry


Change the Landscape of Security & Risk Management, Enable Business and Bring Demonstrable Value to Your Security Program

www.SABSA.org

Top 10 SABSA Applications

Security Architecture

Enterprise Architecture

Traceability & Alignment of Solutions to Business Requirements

Enterprise Risk & Opportunity Management

Assurance, Compliance & Audit

Governance & Policy Architecture

Technical Solution Design

Integration & Alignment of approaches, frameworks & standards

Security Service Management / Security Programme Management

Critical National Infrastructure Strategy


Concepts, Models & Frameworks

Business Attributes Profiling

Threat & Opportunity Model

Multi-Tiered Control Strategy

Two-way Traceability

Extended RACI Matrix

Policy Framework

Domain Modelling


Approaches to Traceability

A flawed approach

Stakeholder: “I need to sell more product”

Security: “Then you need a firewall”

A credible approach: collect business drivers, goals and objectives

Stakeholder: “I need to sell more product”

Security: “We can sell more product if security enhances the core product through higher levels of trust and ease of use”

SABSA Business Attributes Profiling

Provides an engineering technique for modelling business requirements in a normalised, measurable, demonstrable, re-usable, reportable form

The “Things that matter most”

Instinctive to stakeholders at all levels

Measurable to define performance targets and risk appetite

Populates the missing link between Business and Security


SABSA Attributes Profiles

Attributes need a:

Name

Definition

Classification/Category

Measurement Approach

Metrics type

Performance Target


Attributes for Two-way Traceability


Attributes for Threat & Opportunity Management


Attributes for Strategic Planning / Roadmap


Attributes for Executive Reporting


SABSA Applied


Business Targets – Enterprise Strategy

Empower people to stay a step ahead in life and in business

Banking should be possible anytime and anywhere

Customers need to understand their choices, and the implications, both today and for the future

Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network

We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth


Business Targets – Enterprise Strategy

Empower people to stay a step ahead in life and in business [Empowered]

Banking should be possible anytime and anywhere [Accessible, Continuous]

Customers need to understand their choices, and the implications, both today and for the future [Informed, Intelligible]

Our strengths include our well-known, strong brand with positive recognition from customers in many countries, strong financial position, omni-channel distribution strategy and international network [Branded, Reputable, Sustainable]

We are Honest – We give honest, clear and frank advice to our customers. We respect the law and the rules we set for ourselves. We tell the truth [Honest, Trustworthy, Compliant]


Business Attributes

Empowered

Branded

Sustainable

Informed

Intelligible

Trustworthy

Honest

Compliant

Reputable

Accessible

Cascading the Strategy


Integrated Compliance Framework

Figure labels:

Balanced Score Cards

Capability Maturity Models

Financial Models (ROI/NPV/IRR)

ISO 27005

ISO 31000

Business Legislation

Business Sector Regulation

COSO

Total Quality Framework

Labelling

Big Data


Processing Customer Information

The EU’s General Data Protection Regulation (GDPR) is the most stringent and burdensome privacy mandate in the world. The penalty for major violations can be up to 20 million euros or 4% of your company’s annual global revenue.

You have until May 2018 to centralise unstructured data governance across on-premises and cloud (3rd Party)


GDPR – Example Articles

Once past the appointment of a Data Protection Officer and the Legal Basis for Processing, there is more, such as:

Right of Access by the Data Subject (15)

Right to Rectification (16)

Right to Erasure/to be Forgotten (17)

Right to Restriction of Processing (18)

Right to Object (21)

Standard of consent

(numbers are articles from REGULATION (EU) 2016/679 / Directive 95/46/EC)

Standard of Consent

In GDPR Regulation document, page 8:

“(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (1) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”


GDPR Attributes

Demonstrable

Intelligible

Accessible

Identified


Threat & Opportunity Model


[Figure: Threat & Opportunity Model. Negative side: Threats, Loss Event, Negative Outcomes; Overall likelihood of loss (Likelihood of threat materialising, Likelihood of weakness exploited); Overall loss value (Asset value, Negative impact value). Positive side: Opportunities, Beneficial Event, Positive Outcomes; Overall likelihood of benefit (Likelihood of opportunity materialising, Likelihood of strength exploited); Overall benefit value (Asset value, Positive impact value). Also labelled: Attributes; Risk Context.]

Threats and Opportunities to GDPR Attributes

Threat to Demonstrable and Intelligible: Consent is incomplete regarding data actually stored/processed.

Threat to Accessible: Consent is not easily accessible, unclear process for viewing consent.

Opportunity of Demonstrable and Intelligible: Data Subject is informed about what we do in clear and readable words.

Opportunity of Accessible: Data Subject and Controller both have quick access to boundaries of data stored/processed.

Multi-Tiered Attributes for Compliant


Threats and Opportunities to Traceable and Labelled


Attribute: Traceable

Threats:

- Gathered data is not linked to Data Subject Profile

- Gathered data contains other Data Subject information, disclosing unwanted information

Opportunities:

- Provide real-time/efficient processing of Data Subject consent, rejection, deletion.

- Exchange data with 3rd Party/Data Subject easily.

Attribute: Labelled

Threats:

- Storing unstructured data (without real purpose)

Opportunities:

- Structured and labelled data provides relevant picture of customer using product(s), increasing productivity and product development

- Increase of Trustworthiness due to smooth data processing

- Efficient data exchange with 3rd Parties

Multi-Tiered Attributes and Systemic relations


More GDPR

Another GDPR example, Article 72: “[..] secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation [..]”

In other words, we need to at least prevent unauthorised access.

Attribute Secure in GDPR


Conclusion

Using SABSA techniques, models and concepts can help us demonstrably enable business while showing the effect of regulations on the elements, goals and targets of the organization.

We showed that, with an architected approach, it is possible for compliance to enable business and help achieve goals.

David Lynas Consulting Ltd, 17 Ensign House, Admirals Way, London E14 9XQ, UK

@SABSAcourses

davidlynas.com

enterprise@davidlynas.com

+44 (0) 207 863 7834

SABSAcourses
