A comprehensive set of solutions and exercises for sabsa module f2, covering key concepts like trust brokering, security domains, and risk management. It includes detailed explanations of sabsa's architecture matrix, policy framework, and assurance framework, making it a valuable resource for students and professionals seeking to understand and apply sabsa principles.
Typology: Exams
Which 2 actions does the Relying Party perform in the trust broker model? - ANSWER 1. Authenticates identity
Which two (2) actions does the Claimant perform in the trust brokering model? - ANSWER
Where in the SABSA Architecture Matrix is Personnel Management Tools & Standards located? - ANSWER Component Layer, People (Who) Column
Where in the SABSA Architecture Matrix are Risk Management Objectives and enablement and control objectives located? - ANSWER Conceptual layer, Motivation (Why) column
What type of attribute is Trust? - ANSWER Trust is a Relational business attribute not a technical one.
What objectives/outcomes exist at the Logical Architecture layer in the Motivation (Why) column of the SABSA Matrix? - ANSWER Risk Management Policies; Domain Policies
What objectives/outcomes exist at the Logical Architecture layer in the Location (Where) column of the SABSA Matrix? - ANSWER Domain Maps; Domain Definitions; Inter-domain associations & interactions
What objectives/outcomes exist at the Contextual Architecture layer in the Motivation (Why) column of the SABSA Matrix? - ANSWER Business Risk - Opportunities & Threats Inventory
What objectives/outcomes exist at the Conceptual Architecture layer in the Motivation (Why) column of the SABSA Matrix? - ANSWER Risk Management Objectives; Enablement & Control Objectives; Policy Architecture
What objectives/outcomes exist at the Conceptual Architecture layer in the Assets (What) column of the SABSA Matrix? - ANSWER Business Attributes Profile
What is the main difference between the Owner role and Trustee role in the SABSA Governance model? - ANSWER The Owner role is primarily ACCOUNTABLE for the performance of assets (attributes) within a specific domain. The Trustee role is RESPONSIBLE for the performance of assets (attributes) within a specific domain. Trustee is a delegated authority role. Consults domain owner on risk appetite.
Describe the concept of the SABSA Business Attributes Profile - ANSWER It is the heart of the SABSA methodology. The Business Attributes Profile is the 'requirements engineering' technique that makes SABSA truly unique and provides linkage between business requirements and technology / process design.
What are the four (4) SABSA start-up approaches? - ANSWER 1. Executive Interview Approach
List the two high-level categories of the SABSA Policy Framework - ANSWER 1. Enterprise Policy
Describe the Design Phase Management Layer - ANSWER Manager's view of ICT Systems; concerned with management processes & activities
SABSA fills the gaps by being _______ and _________ - ANSWER compatible and aligned
** It doesn't replace other frameworks ** It builds on their strengths by adding security in a fully aligned way
Define the ITIL Service Lifecycle of Service Strategy - ANSWER Strategy & Planning
Define the ITIL Service Lifecycle of Service Design - ANSWER Design
Define the ITIL Service Lifecycle of Service Transition - ANSWER Implementation
Define the ITIL Service Lifecycle of Service Operation - ANSWER Manage & Measure
Define the ITIL Service Lifecycle of Continual Service Improvement - ANSWER A continuous, never-ending loop: Strategy & Planning -> Design -> Implement -> Manage & Measure -> ...
What is the objective of Release & Deployment Management? - ANSWER To build, test and deliver the capabilities and resources to provide the required services
What is a Release? - ANSWER A set of new or changed CIs (Configuration Items) that will be released into production together
A project exists to : _______ & ___________ - ANSWER - Improve current capabilities or performance
Define the Knowledge Management - ANSWER Improves the quality of decision making by ensuring that reliable information is available during the service lifecycle
__________________ is aggregated and contextualised through the SABSA Architecture layers - ANSWER Knowledge
True or False : It is rare that a major strategic enterprise-wide security architecture is implemented as a single project - ANSWER True
Define the SABSA Fast-Track - ANSWER Full-scope experience & proof of concept; Limited financial liability & commitment; Requires access to the full team & stakeholders; Covers the full scope of SABSA in a short time frame
Describe the Domain Policy Authority - ANSWER Operates within the risk appetite parameters of the super domain; Is compliant with the super domain policy; Has a vested interest in risk performance within their own domain; Deploys specific controls & enablers to manage risk according to the architecture layer at which their domain exists
Name a few control considerations - ANSWER Legislation; Sectoral regulation
Management Activity Controls : Management of Infrastructure & Environment
PDF 50 - Risk & Policy Management Architecture Risk Level : Risks & Opportunities to System Components & Configurations Policy Level : ___________ Control Level : __________ Management Activity Controls : __________ - ANSWER Risk Level : Risks & Opportunities to System Components & Configurations Policy Level : Managed by Standards for Tools & Products Control Level : Security Components Management Activity Controls : Management of Components, Products & Standards
TRUE or FALSE: Business risks & opportunities exist traceably through every layer of the architecture? - ANSWER True
PDF 55 Name the SABSA Multi-tiered Control Strategy - ANSWER Deter; Prevent; Contain; Detect & Notify; Evidence & Track; Recover & Restore; Assure
Name every architected control layers - ANSWER 1. Control Services
In SABSA Risk Management, what is the Primary Risk Threshold? - ANSWER The Primary Risk Threshold is the most important because it has the greatest consequence. It is the moving of attribute performance from a warning level to an unacceptable level. From Amber to Red.
In SABSA Risk Management, what is the Secondary Risk Threshold? - ANSWER The secondary risk threshold is the early warning sign when Attribute performance crosses over from an acceptable performance level to a warning level. From Green to Amber.
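The two thresholds above describe a traffic-light scheme: the secondary threshold is crossed when an attribute's performance drops from Green to Amber (early warning), the primary threshold when it drops from Amber to Red (unacceptable). The block below is an added example, not part of the course material or these notes, showing how a monitoring job could classify a series of attribute measurements and report each threshold crossing, including a jump straight from Green to Red and the recovery back. The attribute name, the percentage units, the threshold values and the sample series are all constructed for illustration; the convention that a higher measurement is better performance is an assumption, not a SABSA rule.

```python
"""SABSA-style risk threshold monitoring (added example, constructed data)."""
from typing import List, Optional, Tuple

GREEN, AMBER, RED = "Green", "Amber", "Red"
_RANK = {GREEN: 0, AMBER: 1, RED: 2}


def band(performance: float, secondary: float, primary: float) -> str:
    """Map one attribute performance measurement to a traffic-light band.

    Assumes higher performance is better (constructed convention):
      >= secondary threshold  -> Green (acceptable)
      >= primary threshold    -> Amber (warning; secondary threshold crossed)
      <  primary threshold    -> Red   (unacceptable; primary threshold crossed)
    """
    if primary >= secondary:
        raise ValueError("primary threshold must be below the secondary one")
    if performance >= secondary:
        return GREEN
    if performance >= primary:
        return AMBER
    return RED


def threshold_events(samples: List[Tuple[int, float]],
                     secondary: float, primary: float) -> List[Tuple[int, str]]:
    """Walk a time series of (t, performance) and report every crossing.

    A drop can cross both thresholds in one step (Green -> Red), in which
    case both crossings are reported for that sample.
    """
    events: List[Tuple[int, str]] = []
    prev: Optional[str] = None
    for t, perf in samples:
        cur = band(perf, secondary, primary)
        if prev is not None and _RANK[cur] > _RANK[prev]:
            if prev == GREEN:
                events.append((t, "secondary threshold crossed: early warning (Amber)"))
            if cur == RED:
                events.append((t, "primary threshold crossed: unacceptable (Red)"))
        elif prev is not None and _RANK[cur] < _RANK[prev]:
            events.append((t, f"recovered to {cur}"))
        prev = cur
    return events


# Constructed sample: a 'patch-currency' attribute measured as the percentage
# of hosts patched within SLA, sampled weekly (t = week number).
SAMPLE_SERIES = [(1, 97.0), (2, 96.0), (3, 93.0), (4, 88.0), (5, 92.0), (6, 96.0)]
SECONDARY_THRESHOLD = 95.0   # Green/Amber boundary (constructed)
PRIMARY_THRESHOLD = 90.0     # Amber/Red boundary (constructed)


def demo() -> List[Tuple[int, str]]:
    return threshold_events(SAMPLE_SERIES, SECONDARY_THRESHOLD, PRIMARY_THRESHOLD)


if __name__ == "__main__":
    for t, msg in demo():
        print(f"week {t}: {msg}")
```

Ordering the checks by rank rather than by string comparison is what lets a single sample report both crossings when performance falls from Green straight to Red; a naive "previous band == Green and current band == Amber" check would miss the primary threshold in that case.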
Define Pure Risk, Current and Target - ANSWER Pure Risk: 100% vulnerability, 100% weakness; Current: residual risk exceeds appetite; Target: all residual risk within appetite
Define Assurance Management in SABSA - ANSWER It is the process of managing assurance, including governing, planning and executing an enterprise assurance programme
Define Assurance - ANSWER Providing confirmation and confidence that the enterprise risks are being adequately managed and that residual information risk is within the risk appetite or risk tolerance of the organisation
Describe the SABSA Assurance Framework - ANSWER It has a cubic form. SABSA Matrix :
TRUE or FALSE : The Physical Layer contains procedures as the mechanisms to implement policy within each domain - ANSWER True
Describe the SABSA concept of a Security Service - ANSWER Business-driven requirements organised into a consistent, logical/functional specification. Specified independently of the technical (physical) mechanisms used to deliver them.
SABSA Top-Down Process Analysis consists of which two (2) types of security consistency? - ANSWER Vertical Consistency; Horizontal Consistency
What is the concept of Security? - ANSWER To support the business objectives; To protect business assets
Define the Primary Security Services - ANSWER Primary Security Services are wholly embedded within a domain element; self-contained within the element to provide security functionality that secures the element
List the four (4) types of SABSA security services - ANSWER 1. Primary
Define the Secondary Security Services - ANSWER Secondary Security Services operate between elements in a domain They secure the communications between the elements
Define the Implicit Security Services - ANSWER Implicit Security Services are implicit in a domain - they secure the domain from within
Define the Explicit Security Services - ANSWER Explicit Security Services are explicitly requested from one domain to another
Where is the Application security services? - ANSWER Within the application code or located so that services can be called through an API from another location such as middleware
Where is the Middleware security services? - ANSWER Within the middleware itself
Where is the Data management security services? - ANSWER Provided within the databases and possibly considered as part of the middleware security services
Where is the Network security services? - ANSWER Within the Network
Where is the Platform security services? - ANSWER Within the individual platforms
Name the Application Security Services types - ANSWER Primary (authorisation, authentication, access control, audit, administration) & Secondary - Applications layer of communications (confidentiality, integrity, authenticity, non-repudiation)
PDF 96 SABSA Concept of Security Service Value - ANSWER
Define the SABSA Concept of Security Service Management - ANSWER Set of specialised organisational capabilities for providing value to customers in the form of security services
Which one of the following is the most correct statement of Security Service value from the customer's perspective?
A. Value is created by services that meet the customer's enablement objectives to reduce the customer's risk exposures B. Value is created by services that meet the customer's control objectives to increase the customer's opportunities C. Value is created by services that meet the customer's enablement and control objectives D. Value is created by standardised service package that can be provided to all customers simultaneously - ANSWER C
TRUE or FALSE: Trust within a domain is constant due to common registration? - ANSWER True
Describe the One-Way Trust - ANSWER The Relying Party (trusting) trusts the claimant (trusted)
Describe the Two-Way Trust - ANSWER Both parties trust each other
Describe the Transitive Trust - ANSWER The Relying Party trusts a Third Party/Trust Broker who trusts the Claimant, which means the Relying Party now trusts the Claimant
TRUE or FALSE : All registered entities within a given domain trust one another within the domain policy - ANSWER True
Name the technical mechanism needed to support trusted interaction - ANSWER Mutual Authentication
Define the Trust Modelling in SABSA - ANSWER A clear specification of the business requirements for Trust, Security & Control
What are the four (4) logical relationships in authentication? - ANSWER 1. Direct Authentication
Who is the customer of trust? - ANSWER The Relying Party
Name the Business Entity Relationships - ANSWER Unilateral : One party broadcasts information, others may receive it at their choice
Bilateral : Two parties make a specific contract
Multilateral : Group membership controlled by agreed rules
Which one of the following statements about Authority Roles is True?
A. The Certification Authority establishes trust and authorises participation in a domain B. The Registration Authority issues credentials to trusted parties C. The Certification Authority makes trust decisions on behalf of the domain owner D. The Registration Authority establishes trust and authorises participation in a domain - ANSWER D
Name the SABSA Method to model and check that the solutions made by the security
___________________ Associations are used to define the services required between domains according to a specific relationship - ANSWER Inter-domain
Which Inter-domain Policy association has no inter-domain? - ANSWER Isolated Policy
Which Inter-domain Policy association is derived from, and compliant with, super domain but has specialised local interpretation authorised by super domain authority? - ANSWER Subdomain policy
Which Inter-domain Policy association has domains in which each authority manages their own risk by enforcing their own policy at the gateway/boundary? - ANSWER Independent Domain Policy
Which Inter-domain Policy association has one or more subdomain policies? - ANSWER Superdomain policy
The two independent domain authorities act collectively to agree/negotiate a common policy for a shared domain - ANSWER Mutually Agreed Policy
Name the domain in which the Trusted Third Party mandates policy for all associations - no local interpretation is permitted - ANSWER A special type of subdomain
Concept used when one independent domain policy authority must exert control over another in order to successfully manage their own risk. - ANSWER Extended Domain Concept
**The dominant policy authority extends its domain into another - the stronger domain implants its policy into the territory of the other as a special subdomain
TRUE or FALSE : The extended application domain excludes the external logical components. - ANSWER False, it includes them
The Extended Domain concept applies to which type of security domain?
A. Isolated Domain B. Independent Domain C. Subdomain D. Superdomain - ANSWER B. Independent Domain
OSI Layers? PDF 160 - ANSWER
TRUE or FALSE : OSI Layers are independent by design - ANSWER True
Web Service Architecture - PDF 168 - ANSWER
Inter-domain associations are modelled in which column of which SABSA Matrix? - ANSWER Where column
Which one of the following statements about the use of Security Associations to model requirements at the SABSA logical layer is FALSE?
A. A security associations describes the logical security relationship between two entities B. A fully engineered set of security associations combines to deliver the required Attribute end-to-end of the business process, irrespective of which domain boundaries are crossed, or how many C. The scope of a single security association is intra-domain, inter-domain or end-to-end of a business process D. Security associations provide a logical specification of attributes and trust requirements. - ANSWER C. The scope of a single security association is intra-domain, inter-domain or end-to-end of a business process
In the trust broker form of the authentication relationship, a Trusted Third Party (holding the Authority's Claim AI & Verification AI) exchanges AI with both the Claimant and the Relying Party
TRUE or FALSE: The Security Processing Cycle involves security management activities, but not automated processes. - ANSWER False, it also involves automated processes (closing down sessions, messages with time-to-live, etc.)
In the Authentication Relationship, which one of the following represents the use of Authentication Information (AI) in the correct sequence?
A. Claim AI, Exchange AI, Verification AI B. Exchange AI, Claim AI, Verification AI C. Verification AI, Claim AI, Exchange AI D. Claim AI, Verification AI, Exchange AI - ANSWER A. Claim AI, Exchange AI, Verification AI
Which one of the following is not a temporal consideration when architecting the Security Processing Cycle :
A. Time-to-live messages B. Close of session C. Credentials renewal cycle D. Public Key certificate attribute extensions - ANSWER D. Public Key certificate attribute extensions
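The cards above on one-way, two-way and transitive trust, the trust-broker form of the authentication relationship, the Claim AI / Exchange AI / Verification AI sequence, and time-to-live as a temporal consideration all describe one mechanism. The block below is an added example (not from the course material or these notes) that implements that mechanism end to end: a Trust Broker registers a Claimant into the domain and, on successful authentication, issues a claim (Claim AI); the Claimant presents it to the Relying Party (Exchange AI); the Relying Party, which trusts only the broker, verifies the broker's tag and the claim's freshness (Verification AI). Transitive trust is realised technically by a secret shared between broker and relying party, so the relying party never has to know the claimant's password. The shared key, the entity names, the password, the JSON claim layout and the 300-second TTL are all constructed for the example; a real deployment would use an asymmetric signature so the relying party cannot mint claims itself.

```python
"""Transitive trust via a trust broker (added example, constructed data)."""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed shared secret held by the broker and the relying party.
# It is the technical basis of the relying party's trust in the broker.
BROKER_RP_KEY = b"constructed-broker-rp-key-not-for-real-use"
TTL_SECONDS = 300.0  # constructed time-to-live for an issued claim
SEP = b"|"           # claim body and tag are hex/JSON, neither contains '|'


class TrustBroker:
    """Registration authority for the domain; vouches for registered entities."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._registered: Dict[str, str] = {}   # entity name -> password hash

    def register(self, name: str, password: str) -> None:
        """Admit an entity into the domain (common registration)."""
        self._registered[name] = hashlib.sha256(password.encode()).hexdigest()

    def issue_claim(self, name: str, password: str, now: float) -> Optional[bytes]:
        """Claim AI: authenticate the claimant and return a tagged, time-limited claim."""
        expected = self._registered.get(name)
        presented = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        body = json.dumps({"sub": name, "iat": now, "exp": now + TTL_SECONDS},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + SEP + tag


class RelyingParty:
    """Trusts the broker (one-way trust) and, transitively, whoever it vouches for."""

    def __init__(self, broker_key: bytes) -> None:
        self._broker_key = broker_key

    def verify(self, claim: bytes, now: float) -> Optional[str]:
        """Verification AI: check the broker's tag, then the claim's time window."""
        if SEP not in claim:
            return None
        body, tag = claim.rsplit(SEP, 1)
        expected = hmac.new(self._broker_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None                       # tampered, or issued by an untrusted broker
        payload = json.loads(body)
        if not (payload["iat"] <= now < payload["exp"]):
            return None                       # outside the time-to-live window
        return payload["sub"]


def run_exchange(password: str, issue_at: float, verify_at: float,
                 tamper: bool = False) -> Optional[str]:
    """One full Claim AI -> Exchange AI -> Verification AI round trip."""
    broker = TrustBroker(BROKER_RP_KEY)
    broker.register("alice", "correct horse battery staple")   # constructed credential
    relying_party = RelyingParty(BROKER_RP_KEY)

    claim = broker.issue_claim("alice", password, issue_at)     # Claim AI
    if claim is None:
        return None                                              # broker refused to vouch
    if tamper:
        claim = claim.replace(b'"alice"', b'"admin"')            # claimant alters the claim in transit
    return relying_party.verify(claim, verify_at)                # Exchange AI + Verification AI


if __name__ == "__main__":
    print(run_exchange("correct horse battery staple", 1000.0, 1100.0))   # alice
    print(run_exchange("correct horse battery staple", 1000.0, 1400.0))   # None: expired
    print(run_exchange("wrong password", 1000.0, 1100.0))                 # None: not vouched for
    print(run_exchange("correct horse battery staple", 1000.0, 1100.0, tamper=True))  # None
```

Note that the relying party's decision depends only on the broker's tag and the time window: this is exactly the transitive trust of the cards above (RP trusts broker, broker trusts claimant, so RP accepts claimant), and the `exp` check is the "time-to-live" temporal consideration in action.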
In SABSA, what are Security Associations? - ANSWER Security Associations are a logical representation of the business requirements for trust and security.
Relating to Business Entity Relationships, group membership controlled by agreed rules is referred to as what kind of relationship? - ANSWER Multilateral relationships
Security does not exist in _____________ it is a property of something else (assets) - ANSWER isolation
The Strategy & Planning phase of the SABSA Lifecycle contains which two layers of the SABSA Architecture Model? - ANSWER Contextual Layer; Conceptual Layer
TRUE or FALSE: A single Logical Domain operates (or can operate) on multiple Physical Domains? - ANSWER True - Because logical domains are not tied to physical locations and can span multiple domains (departments, business lines, information classification...etc)
TRUE or FALSE : In the SABSA Lifecycle, Business Attributes are inherited from higher levels to lower levels? - ANSWER True
TRUE or False : In the SABSA Lifecycle, Business Attributes cannot feed upwards to contribute to the higher level profiles - ANSWER False, it can contribute to the higher level profiles
See PDF pages 11, 12, 13, 14 - ANSWER
Which SABSA architectures align with and enhance the Business Security Architecture? - ANSWER Contextual; Conceptual
Which SABSA architectures align with and enhance the Systems Security Architecture? - ANSWER Logical; Physical; Component