You may come across a SABSA practitioner exam question asking you to apply or demonstrate how the SABSA method can be applied to solve a business problem “in a complex organization”. What definition of a complex organization should you use as an effective basis for answering such a question? The purpose of the practitioner exam is to assess a candidate’s understanding of the SABSA method and to have them demonstrate their proficiency in applying SABSA to practical scenarios. The target organization proposed in the answer needs to have a sufficient level of complexity for the candidate to demonstrate a level of understanding of SABSA that the exam reviewer can assess.
Having practitioner-level exam candidates answer questions with essay answers is to reveal the candidates’ understanding of how to apply the SABSA method to solve a business problem. Two foundational constructs of SABSA are the concepts of Domains and Attributes. A Domain is a set of elements subject to a common security policy defined and owned by a single policy authority. A complex organization would involve several Domains including a Superdomain, Peer Domains, Subdomains and perhaps External Domains. An Attribute is a normalized, measurable, in-context definition of what is important. A Domain Authority is accountable for (“owns”) the risk to, and the performance of, the Attributes in a Domain.
The collection of Domains that make up the complex organization provides the foundation for describing how the SABSA method can be applied to manage the complex organization’s risk. The A1 practitioner course, Advanced SABSA Risk, Assurance and Governance, focuses on how risk is effectively managed across a complex organization.
An exam question may ask for multiple interacting or systemically related Domains of a complex organization as the basis for demonstrating how risk is managed across the multiple Domains and Domain Authorities of that organization. The organization used in the exam answer should involve a number of Domains at different levels, so that the candidate can demonstrate how risk is managed at and between the various levels of Domains by applying the SABSA method. Higher marks will be awarded for a scenario that incorporates a level of complexity that can effectively demonstrate a more complete understanding of how to apply the breadth of the SABSA method.
A complex organization is used to demonstrate a candidate’s command of the use of multi-tiered Attributes to enable effective risk decisions. Attributes can be used to distribute risk appetite and responsibility down through a Domain hierarchy and used to aggregate performance against Attribute targets upwards through the Domains. Risk dependencies are illustrated and managed by multi-tiered Attributes using Common Attributes (same Attribute with different data at the Domain level) and Contributing Attributes (different but related Attributes at the Domain level) to demonstrate how the responsibility for risk is delegated and performance is aggregated across the Domains. The performance of an Attribute in a Subdomain may impact the performance of Attributes in other Domains, according to the dependencies of the Attributes between the Domains.
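The delegation and aggregation mechanics described above, as an added illustrative model that is not SABSA's own tooling: a Superdomain delegates a Common Attribute target down to its Subdomains, Subdomain performance rolls back up, Contributing Attributes feed a different parent Attribute, and each Domain Authority is shown where its aggregated Attribute falls below the delegated target. The Domain names, scores, the "weakest Subdomain wins" roll-up rule and the contribution mapping are constructed assumptions for the example.

```python
# Illustrative model of a SABSA-style Domain hierarchy with multi-tiered Attributes.
# Added example; the hierarchy, scores and roll-up rule are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    authority: str                                  # Domain Authority who "owns" the risk
    targets: dict = field(default_factory=dict)     # Attribute -> minimum acceptable score
    measured: dict = field(default_factory=dict)    # Attribute -> measured performance
    subdomains: list = field(default_factory=list)

# Contributing Attributes: a Subdomain Attribute that feeds a *different* parent Attribute.
CONTRIBUTES_TO = {"Patched": "Protected", "Monitored": "Protected"}

def delegate(domain, attr, target):
    """Push a Common Attribute target down the hierarchy (risk appetite delegation)."""
    domain.targets[attr] = target
    for sub in domain.subdomains:
        delegate(sub, attr, target)

def aggregate(domain, attr):
    """Roll performance upwards: the Common Attribute is taken as the weakest score
    reported at any level (assumed rule), and direct Subdomains' Contributing
    Attributes also feed the parent's related Attribute."""
    scores = [domain.measured[attr]] if attr in domain.measured else []
    for sub in domain.subdomains:
        common = aggregate(sub, attr)       # same Attribute, Subdomain-level data
        if common is not None:
            scores.append(common)
        for sub_attr, parent_attr in CONTRIBUTES_TO.items():
            if parent_attr == attr and sub_attr in sub.measured:
                scores.append(sub.measured[sub_attr])
    return min(scores) if scores else None

def breaches(domain):
    """List (domain, authority, attribute, score, target) wherever the aggregated
    score of a delegated Attribute falls below its target, at every level."""
    found = []
    for attr, target in domain.targets.items():
        score = aggregate(domain, attr)
        if score is not None and score < target:
            found.append((domain.name, domain.authority, attr, score, target))
    for sub in domain.subdomains:
        found.extend(breaches(sub))
    return found

def build_example():
    # Constructed sample: one Superdomain with two Peer Subdomains.
    payments = Domain("Payments", "Head of Payments", measured={"Available": 99.5, "Patched": 80})
    hr = Domain("HR", "HR Director", measured={"Available": 99.9, "Monitored": 95})
    enterprise = Domain("Enterprise", "CISO", measured={"Protected": 97}, subdomains=[payments, hr])
    delegate(enterprise, "Available", 99.8)     # appetite set once, delegated to all Subdomains
    enterprise.targets["Protected"] = 90        # enterprise-level Attribute fed by contributions
    return enterprise
```

Running `breaches(build_example())` shows the Payments Domain Authority missing the delegated availability target and, through the Contributing Attribute "Patched", also dragging the enterprise-level "Protected" Attribute below the CISO's target.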
Exam graders are looking for a domain architecture that is sufficiently complex to effectively demonstrate the application of the various approaches, tools, and techniques of the SABSA method. A well-defined and sufficiently complex organization will provide the opportunity to describe and apply a broader selection of SABSA method elements, resulting in higher marks.
A complex organization is used to identify and illustrate risk-dependent, multi-tiered decisions, together with the governance model and responsibilities that support them. To put it another way, a simplistic organization may not provide the opportunity to effectively answer the question and demonstrate a candidate’s mastery of the method, resulting in lower marks and the potential for failure.

