nerdexam
(ISC)2

CISSP-ISSAP · Question #15

You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You want to perform the following tasks: Develop a risk-driven enterprise information security architecture. Deliver security infrastru

The correct answer is B. Sherwood Applied Business Security Architecture. Sherwood Applied Business Security Architecture (SABSA) is the correct answer because it is specifically designed to develop risk-driven enterprise information security architectures and align security infrastructure with business initiatives - matching both stated objectives of

Security Architecture Modeling

Question

You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You want to perform the following tasks: Develop a risk-driven enterprise information security architecture. Deliver security infrastructure solutions that support critical business initiatives. Which of the following methods will you use to accomplish these tasks?

Options

  • AService-oriented architecture
  • BSherwood Applied Business Security Architecture
  • CService-oriented modeling framework
  • DService-oriented modeling and architecture

How the community answered

(31 responses)
  • B
    94% (29)
  • C
    3% (1)
  • D
    3% (1)

Explanation

Sherwood Applied Business Security Architecture (SABSA) is the correct answer because it is specifically designed to develop risk-driven enterprise information security architectures and align security infrastructure with business initiatives - matching both stated objectives of the CSO exactly. SABSA uses a layered business-driven approach (similar to TOGAF but security-focused) that traces security controls directly back to business risk and strategy.

The three distractors - Service-Oriented Architecture (A), Service-Oriented Modeling Framework (C), and Service-Oriented Modeling and Architecture (D) - are all software/IT design methodologies concerned with structuring applications as interoperable services. They have nothing to do with enterprise security architecture or risk management, making them easy to eliminate once you recognize the "service-oriented" prefix as an IT design concept, not a security one.

Memory tip: Think SABSA = Security Architecture Backed by Business Strategy. If a question mentions "risk-driven" + "enterprise security architecture" + "business alignment" together, that combination is the SABSA signature - no other common framework checks all three boxes simultaneously.

Topics

#SABSA#Enterprise architecture#Risk-driven design#Business alignment

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice