Does an IT auditor need SABSA? (slide transcript, posted 13-Mar-2022)

People that make IT secure

Does an IT auditor need SABSA?

David Fagan E-mail: [email protected] telephone: +31-6-51135488

SABSA = Sherwood Applied Business Security Architecture


Why SABSA?

»  Setting the scene…

»  SABSA:
   •  Case study: Paul Kocher
   •  Case study: Project 1426
   •  Case study: AEC

»  Key messages…


Corporate computing in the 20th century…

»  1960s: Batch
»  1970s: Multi-function
»  1980s: OLTP
»  1990s: Personal Computer

Corporate computing in the 21st century…

Diagram (three successive slides): the ‘End user’, the ‘Front Office’ applications, and the ‘Back Office’ applications and Content Management Systems, connected first by a messaging ‘bus’, then by a Business Services ‘bus’, and finally by IaaS / PaaS / SaaS.

20th / 21st century IT-induced reconfiguration…

Figure: degree of business transformation (low to high) plotted against range of potential benefits (low to high), in five levels:
»  Evolutionary levels: Localised Exploitation; Internal Integration
»  Revolutionary levels: Business Process Redesign; Business Network Redesign; Business Scope Redefinition

Source: “The corporation of the 1990s: Information technology and organizational transformation”, edited by Michael S. Scott Morton

A new World…

»  21st century technology:
   •  Mobile computing
   •  The Internet
   •  Cloud Computing
   •  Etc.

»  19th century protection:
   •  Old laws
   •  The ‘hardened’ perimeter

»  Today’s generation has been raised on computers…
   •  Hackers / Crackers / Phreakers

»  Cyber crime:
   •  No physical contact between villain and victim


In the early days even forensics was easy!

Behold: My new forensics toolkit with real-time, on-line, access to information!


Some organisations… …need to seriously review their policies


Some organisations… …are wasting up to 75% of their security budget


What if your assets were… …misused, disclosed, unavailable, modified, destroyed, stolen/copied?

»  Money

»  Data

»  Intellectual property

»  IT systems

»  Documents / Information

»  Corporate brand, image, and reputation

SABSA history…

SABSA architecture framework…

2-D SABSA architecture framework…

SABSA master matrix…

SABSA service management matrix…

2-D SABSA master matrices…

SABSA takes you back to basics: What is security actually for?

»  Is your security designed to keep threats out?

»  Or is your security designed to give legitimate users appropriate access quickly and with minimum fuss?

SABSA addresses ‘security’ vs. ‘inconvenience’… …and the need to make security transparent to users

»  High security = inconvenience

»  Convenience = low security

»  The challenge is to ensure appropriate security with maximum convenience:
   •  Well balanced security policy
   •  Meeting business demand
   •  Conforming to the business risk appetite

SABSA clarifies the building blocks for security…

»  Physical access control
   •  Based on identity and context

»  Logical access control
   •  Based on “need-to-know” authorisation

»  Guaranteeing:
   •  Confidentiality
   •  Integrity
   •  Availability
   •  Traceability (secure audit trails)
   •  Non-repudiation
   •  Etc.

SABSA helps assess the threatscape: …internal, external, physical, logical

»  What threat(s) are we trying to protect ourselves against?
   •  Why?

»  What countermeasures can we deploy?
   •  What is their chance of success?
   •  What is the cost of implementation?
   •  What is the cost of not doing anything?
      –  Likelihood of the threat becoming real?
      –  Damage caused if it does?

SABSA helps define the right countermeasures: …internal, external, physical, logical

»  Make intrusion more difficult:
   •  The aim is to gain time
      –  No holes / “backdoors”
      –  Onion ring security “shells”

»  Make it easier to detect intrusion:
   •  The aim is to catch the intruders on their way in
   •  To know what intruders did (if they got in)

SABSA shows that standards are not enough!!!

»  Most suggest what may be managed

»  Few advise how to manage

»  Almost all start with a custom analysis of risk-driven business requirements

»  Some contain controls libraries

»  Almost none are written from an holistic and structured point of view

»  Almost every organisation needs to adapt them to its specific business sector, culture, terminology, and national legislative and regulatory requirements

»  To succeed we need an overarching framework and methodology that ties it all together to design, deliver, and support end-to-end secure processes


Case study: Paul Kocher Cryptography Research, Inc. (http://www.cryptography.com/)

Paul Kocher has gained an international reputation for his research and innovative designs in cryptography.

An active contributor to major conferences and leading security initiatives, Paul has designed numerous cryptographic applications and protocols which are successfully deployed in real world systems.

His accomplishments include discovering timing attacks and Differential Power Analysis (including techniques for protecting against these attacks), helping author the widely used SSL 3.0 standard, and leading the design of the record-breaking DES Key Search machine.

He has recently focused on developing anti-piracy technologies for securing digital content. Paul was elected to the National Academy of Engineering in 2009.

Paul founded Cryptography Research and leads the company as its President & Chief Scientist.

He previously held positions at RSA Security and was a founding member of Valicert, Inc. (now Tumbleweed).

He holds a B.S. degree from Stanford University.

Case study: Paul Kocher, Cryptography Research, Inc. …cost of attack vs. probability of success

Figure: candidate attacks plotted by cost of attack (low to high) against probability of success (low to high): Factor 1024-bit RSA key; Reverse engineer; Coerce an employee; Try glitching the CPU; Test for known bugs; Check in all caches. Annotation: >95% chance, < 48 hours.

Case study: Differential Power Analysis …simple power consumption @ microcode / CPU level (Source: Paul Kocher)

Case study: Differential Power Analysis …get the soldering iron out and build a prototype (Source: Paul Kocher)

Case study: Differential Power Analysis …simple power consumption @ algorithm level: power trace of an RSA operation (Source: Paul Kocher)

Case study: Differential Power Analysis …simple power consumption @ protocol / algorithm level: power trace of an RSA operation, zooming in on the multiply and reading off key bits (Source: Paul Kocher)
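The slide above reads RSA key bits straight off a power trace because textbook square-and-multiply performs a modular multiply only for the 1 bits. The following is an added example for this page, not Paul Kocher's code or a real measurement: it simulates the leak with a constructed power model (a multiply draws more than a squaring), recovers the exponent from the simulated trace, and then shows a Montgomery ladder whose operation sequence no longer depends on the key. The function names, the two power levels and the threshold are this example's assumptions.

```python
"""Simulated simple power analysis (SPA) of RSA square-and-multiply.

Added example for this page; it is not Paul Kocher's code and uses no real
measurement. The "power trace" is a constructed model in which a modular
multiply draws more than a squaring, which is the leakage the slide above
exploits when it zooms in on the multiply and reads off key bits.
"""
from typing import List, Tuple

# Constructed power model (assumption): one sample per modular operation.
POWER_SQUARE = 1.0
POWER_MULTIPLY = 1.6
THRESHOLD = (POWER_SQUARE + POWER_MULTIPLY) / 2


def leaky_modexp(base: int, exponent: int, modulus: int) -> Tuple[int, List[float]]:
    """Textbook left-to-right square-and-multiply.

    A multiply happens only when the current key bit is 1, so the sequence of
    operations, and hence the trace, is a direct transcript of the exponent.
    """
    result = 1
    trace: List[float] = []
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        trace.append(POWER_SQUARE)
        if bit == "1":
            result = (result * base) % modulus
            trace.append(POWER_MULTIPLY)
    return result, trace


def recover_exponent(trace: List[float]) -> int:
    """Read the key off a square-and-multiply trace.

    Every loop iteration begins with a squaring; if the next sample is a
    multiply the bit was 1, otherwise (another squaring, or the end) it was 0.
    """
    bits = []
    i = 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] > THRESHOLD:
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def ladder_modexp(base: int, exponent: int, modulus: int, key_bits: int) -> Tuple[int, List[float]]:
    """Montgomery ladder: exactly one multiply and one squaring per key bit.

    The operation sequence no longer depends on the bit values, so under this
    power model two different exponents of the same length give identical
    traces. Real hardware also needs constant-time arithmetic and no
    data-dependent memory access; this only removes the operation-level leak.
    Invariant: r1 == r0 * base at the end of every iteration.
    """
    r0, r1 = 1, base % modulus
    trace: List[float] = []
    for i in range(key_bits - 1, -1, -1):
        if (exponent >> i) & 1:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        trace.extend((POWER_MULTIPLY, POWER_SQUARE))
    return r0, trace


if __name__ == "__main__":
    # Constructed toy parameters; a real private exponent would be 1024+ bits.
    base, key, modulus = 7, 0b1101, 1009
    plain, trace = leaky_modexp(base, key, modulus)
    print("leaky trace   :", trace)
    print("recovered key :", bin(recover_exponent(trace)))
    hardened, ladder_trace = ladder_modexp(base, key, modulus, key.bit_length())
    print("ladder trace  :", ladder_trace, "(same for every 4-bit key)")
```

Real traces are noisy and a single one rarely reads this cleanly; Differential Power Analysis gets the same result statistically over many traces, which is why the countermeasure has to remove the key dependence of the operation sequence rather than just lower the signal.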

Complexity creates low hanging fruit… …stealing an expensive car

Figure: the same plot for the goal “steal expensive car”, cost of attack against probability of success: Reverse engineer; Coerce an employee; Car jacking; Stealing keys. Annotation: >95% chance, < 12 hours.


Some wise words to remember…

“Insecurity appears as complexity increases…

…because our ability to understand elements of a system creates a false impression that we understand the system.”

Paul Kocher President & Chief Scientist

Cryptography Research, Inc.


The Jericho forum: the 11 guiding principles…

1.  The scope and level of protection should be specific and appropriate to the asset at risk

2.  Security mechanisms must be pervasive, simple, scalable, and easy to manage

3.  Assume context at your peril!

4.  Devices and applications must communicate using open, secure protocols

5.  All devices must be capable of maintaining their security policy on a mistrusted network

6.  All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place


7.  Mutual trust assurance levels must be determinable

8.  Authentication, authorisation, and accountability must interoperate/exchange outside your locus/area of control

9.  Access to data should be controlled by the security attributes of the data itself

10.  Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges

11.  By default data must be appropriately secured when stored, in transit, and in use


For a successful security solution we need:

»  An holistic approach…

SABSA case study: Project 1426… …taking the risk out of same day money transfers

»  The ‘bank’ already had a business process for ‘same day money transfer’ (SDMT):
   •  Providing services to corporate customers for them to make high value payments:
      –  Typical payment size is several million Euros
      –  Same day settlement
   •  Partly automated, partly manual processing
   •  Core server application on the Bank mainframe computer
   •  PC based payment workstations in customer offices
      –  Branded as Business Online (BOL)
   •  Branch based terminals
   •  Group office based terminals for receipt and entry of faxed instructions

Project 1426 requirements… …from the boardroom

»  Traceability:
   •  Visible justification of controls based on business case
   •  Visible demonstration of completeness of control set

»  Transparent business driven process:
   •  Repeatable
   •  Consistent
   •  Objective
   •  Auditable

»  Risk reporting (current status and forecasting):
   •  Based on business defined security performance goals by risk owners
   •  Reports risks of missing performance targets
   •  Dashboard / scorecard compatibility
   •  Granular drill-down from aggregated scores
   •  Real-time objective measurement feeds
   •  Forecasting by tracking trends

Risk mitigation strategy…

»  Design and implement full end-to-end automation of the SDMT process, thus eliminating manual process steps and providing straight-through-processing

»  Proceed in two phases
   •  Project 1426 phase 1: Design and build SDMT terminal application
   •  Project 1426 phase 2: Convert and integrate BOL

»  Specify detailed business requirements for SDMT security using SABSA

»  Design and build against the SABSA specification of requirements

»  Retain Sherwood Associates Limited (SAL) to carry out an independent review of the SDMT high level design:
   •  To ensure full two-way traceability between business requirements and the solution architecture and design
   •  To deliver a final security review report and a letter of assurance

The assignment:

•  Part 1: To assist the Bank to create a set of business requirements for SDMT security and a traceable, auditable means to translate these into technical and process design criteria:
   –  Business drivers
   –  Business attributes
   –  Measurement approaches, metrics and performance targets
   –  Perform a risk assessment against the Business Attributes Profile
   –  Specify control objectives and security services

•  The bank then worked with its own internal architecture and design team to develop a high level design for automating the system

•  Part 2: Perform the detailed security review of the high level design:
   –  Review all functional specification and high level design documents for the project
   –  Review the risk assessment against the Business Attribute Profile for the project
   –  Review the security services required to mitigate all identified risks and meet the control objectives
   –  Identify all security services and their respective mechanisms in the project documentation
   –  Perform a gap analysis of security services and mechanisms
   –  Assist the bank architecture and design team to close the gaps
   –  Deliver a final review report and letter of assurance

Assess the business risk: …internal, external, physical, logical

Diagram: Threat and Vulnerability (against the Business Assets) combine into Likelihood; Likelihood and Impact combine into Business Risk.

Prioritising the business risk: …define ‘likelihood’

Likelihood is read off a Threat × Vulnerability matrix (rows: vulnerability; columns: threat):

                        Threat Low    Threat Medium   Threat High
  Vulnerability Low     Rare          Unlikely        Possible
  Vulnerability Medium  Unlikely      Possible        Likely
  Vulnerability High    Possible      Likely          Almost certain

Prioritising the business risk: …combine ‘likelihood’ with ‘impact’

Risk rating, from a Likelihood × Impact matrix (rows: likelihood, labelled Low / Possible / High on the slide; columns: impact):

                       Impact Low    Impact Medium   Impact High
  Likelihood Low       Negligible    Acceptable      Acceptable
  Likelihood Possible  Acceptable    Significant     Significant
  Likelihood High      Acceptable    Significant     Critical

…and the action attached to each rating:

                       Impact Low                    Impact Medium                  Impact High
  Likelihood Low       No action required            Monitor to ensure stability    Monitor to ensure stability
  Likelihood Possible  Monitor to ensure stability   Appropriate actions required   Appropriate actions required
  Likelihood High      Monitor to ensure stability   Appropriate actions required   Immediate actions required
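The two matrices above are a two-stage lookup, and the interesting part is what happens when they are wired together and run over a whole register. The following is an added example, not from the presentation or from SABSA's own material: the matrices and the action table are transcribed from the slides, while the register entries are constructed sample data. The second matrix's likelihood axis carries the slide's three labels (Low / Possible / High), so collapsing the five stage-one values onto it (`LIKELIHOOD_BAND`) is this example's assumption, and is exactly the kind of rule a risk owner has to sign off.

```python
"""Two-stage risk prioritisation from the matrices on the slides above.

Added example, not from the presentation. The matrices and the action table are
transcribed from the slides; the register entries are constructed sample data,
and LIKELIHOOD_BAND is this example's assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Medium", "High")

# Stage 1: Threat x Vulnerability -> Likelihood. Rows: vulnerability, columns: threat.
LIKELIHOOD: Dict[str, Tuple[str, str, str]] = {
    "Low":    ("Rare",     "Unlikely", "Possible"),
    "Medium": ("Unlikely", "Possible", "Likely"),
    "High":   ("Possible", "Likely",   "Almost certain"),
}

# Assumption: collapse the five likelihood values onto the three bands of stage 2.
LIKELIHOOD_BAND = {"Rare": "Low", "Unlikely": "Low", "Possible": "Possible",
                   "Likely": "High", "Almost certain": "High"}

# Stage 2: Likelihood band x Impact -> Risk rating. Rows: likelihood band, columns: impact.
RISK: Dict[str, Tuple[str, str, str]] = {
    "Low":      ("Negligible", "Acceptable",  "Acceptable"),
    "Possible": ("Acceptable", "Significant", "Significant"),
    "High":     ("Acceptable", "Significant", "Critical"),
}

ACTION = {
    "Negligible":  "No action required",
    "Acceptable":  "Monitor to ensure stability",
    "Significant": "Appropriate actions required",
    "Critical":    "Immediate actions required",
}
PRIORITY = {"Critical": 0, "Significant": 1, "Acceptable": 2, "Negligible": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str         # Low / Medium / High
    vulnerability: str  # Low / Medium / High
    impact: str         # Low / Medium / High


def rate(risk: Risk) -> Tuple[str, str, str]:
    """Return (likelihood, rating, action) for one register entry.

    Rejects anything outside the three-level scale instead of silently
    defaulting, since a typo here would quietly drop a risk off the dashboard.
    """
    for name, value in (("threat", risk.threat),
                        ("vulnerability", risk.vulnerability),
                        ("impact", risk.impact)):
        if value not in LEVELS:
            raise ValueError(f"{risk.asset}: {name} must be one of {LEVELS}, got {value!r}")
    likelihood = LIKELIHOOD[risk.vulnerability][LEVELS.index(risk.threat)]
    rating = RISK[LIKELIHOOD_BAND[likelihood]][LEVELS.index(risk.impact)]
    return likelihood, rating, ACTION[rating]


def prioritise(register: List[Risk]) -> List[Tuple[Risk, str, str, str]]:
    """Rate every entry and order the register most urgent first (ties by asset name)."""
    rated = [(r, *rate(r)) for r in register]
    return sorted(rated, key=lambda row: (PRIORITY[row[2]], row[0].asset))


# Constructed sample register, loosely modelled on the SDMT process described above.
SAMPLE_REGISTER = [
    Risk("SDMT payment instruction tampered in transit", "High", "Medium", "High"),
    Risk("Faxed instruction mis-keyed at group office", "Medium", "Medium", "Medium"),
    Risk("Branch terminal unavailable for an hour", "Low", "Low", "Low"),
    Risk("BOL workstation compromised by malware", "High", "High", "High"),
]

if __name__ == "__main__":
    for risk, likelihood, rating, action in prioritise(SAMPLE_REGISTER):
        print(f"{rating:<12} {likelihood:<15} {action:<30} {risk.asset}")
```

Note what the banding costs: "Rare" and "Unlikely" become indistinguishable once they enter the second matrix, so a register that only keeps the final rating cannot be re-prioritised later without going back to the threat and vulnerability inputs. Keep all three columns, not just the colour.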

Defining business risk appetite: …finally, setting key risk indicator (KRI) thresholds

Figure: on the likelihood / impact plane, a primary KRI threshold and a secondary KRI threshold; the risk appetite for catastrophic events is expressed as a return period (1 in N years).

Risk mitigation… …total costs

Figure: cost (low to high) against level of control (low to high). The cost of losses falls as the level of control rises while the cost of controls climbs; the ends of the plot are labelled ‘LEAN’ and ‘DEMAND’.

Risk mitigation… …complexity and strategy

Figure: the same cost-of-losses and cost-of-controls curves, with three strategies marked along the level-of-control axis: ‘baseline’, ‘defence in depth’ and ‘special treatments’.

Defence in depth: multi-tiered security policy…

»  Prediction
»  Deterrence
»  Prevention
»  Containment
»  Detection & Notification
»  Recovery / Restoration
»  Audit & Assurance
»  Collection of forensic evidence
»  Tracking & Tracing

Types of risk mitigation…

Figure (built up over several slides): frequency of loss against severity of loss, with the loss distribution marked at µ, µ + σ, µ + 2σ (CI = 95%), µ + 3σ (CI = 99%) and µ + 4σ (CI = 99.9%). One overlay splits the distribution into expected losses and unexpected losses; another marks the tail as severe losses and catastrophic losses. Three ways of funding the losses are placed along the severity axis: operating expenses, capital financing (balance sheet), and transfer / accept.


The SABSA approach…

Where do we start? SABSA appendix 2: Sample business drivers for security

Business Driver
   Example: Maintaining the privacy of personal and business information that is stored, processed and communicated by the bank’s systems

Select Business Attribute(s)
   Example: Private

Define Business Attribute
   Example: The privacy of customer information should be protected in accordance with relevant privacy or ‘Data Protection’ legislation in each country where the bank operates, and so as to meet the reasonable expectations of the customers for privacy of their information. Unauthorised disclosure should be prevented and attempted unauthorised disclosures should be reported.

Define Metric Type
   Example: Hard metric based on the number of reported incidents involving unauthorised disclosure of customer information, including unsuccessful attempts

Define Measurement Approach
   Example: Measure the number of incidents per period and classify each incident by type and severity

Define Performance Target
   Example: Target 1: Set maximum number of allowable disclosures (= 0). Target 2: Set maximum elapsed time (in minutes) for an attempted incident to be reported. Target 3: Set regular reporting cycle for summaries of incidents by type and severity

Collect, Report & Evaluate Metrics
   Example: Number of actual disclosures; maximum, minimum and average reporting time for incidents; periodic summaries and analyses of incidents

Assess Risks and Define Control Objectives

Define Security Strategies

Design Security Services, Mechanisms and Components

Two-way traceability… …Business drivers to attributes

  Business driver   Supporting attributes
  BD1               Credible, Reputable
  BD8               Controlled, Governable
  BD17              Access Controlled, Authenticated, Confidential, Identified, Private

Two-way traceability… …Attributes to business drivers

  Attribute         Business driver
  Private           BD17
  Informed          BD5, BD30, BD31
  Non-repudiable    BD3, BD4, BD13, BD14, BD19

Business Attributes (the SABSA Business Attributes Profile), grouped on the slide into Business Strategy, Management, User, Operational, Risk Management, Legal / Regulatory and Technical Strategy attributes:

Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent

Case study: example metrics mapping…

Attribute: Private (Business Driver: BD 19)

»  Hard metric
   •  Measurement approach: Reporting of all disclosure incidents, including number of incidents per period, severity and type of disclosure
   •  Performance targets:
      –  Alerts of unauthorized access attempts, to be produced and delivered to IS Operations Manager and Business Owner within 15 minutes.
      –  IS Department to detail the number, severity, and type of unauthorized access attempts to private data, and a monthly report to be produced and delivered to the IS Operations Manager and Business Owner.

»  Soft metric
   •  Measurement approach: Review by independent legal and forensic authority
   •  Performance target: System to pass review by <insert name of Independent Legal and Forensic Authority> to a degree deemed acceptable by the Head of Group Legal, to prevent prosecution under Data Protection legislation

Case study: example metrics mapping…

Attribute: Non-repudiable (Business Driver: BD 19)

»  Hard metric
   •  Measurement approach: Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity and type of repudiation
   •  Performance targets:
      –  Exception report detailing all incidents of repudiation, produced and delivered to Business Owner for validation within 15 minutes.
      –  Audit trails recording the detail of all transaction based information required to provide proof and accountability, available to Business Owner on demand

»  Soft metric
   •  Measurement approach: Independent audit and review with respect to the ability to prevent repudiations that cannot easily be resolved
   •  Performance target: System to pass audit and review by <insert name of Independent Authority> to a degree deemed acceptable by Head of Group Legal to prosecute or defend litigation actions.

Case study: example metrics mapping…

Attribute: Informed (Business Driver: BD 19)

»  Hard metric
   •  Measurement approach: Awareness program delivery
   •  Performance targets:
      –  Adherence to quarterly awareness program plan produced by Business Operations Manager and agreed with Business Owner.
      –  Monthly report on all customer feedback relating to level of awareness produced and delivered to Business Owner and Business Operations Manager.

»  Soft metric
   •  Measurement approach: Focus groups or satisfaction surveys
   •  Performance target: Report from quarterly customer and non-customer focus groups delivered to Business Owner.

Metric mapping delivers traceability…

Business Requirements → Security Strategies → Security Services → Security Mechanisms → Security Tools & Products

Traced top-down, the chain answers: “Are all my business requirements fulfilled?”

Traced bottom-up, it answers: “This is costing us a lot of money. Why do we need it?”
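The two questions on that slide are the two directions of one graph walk, and the Part 2 review above (identify every security service and mechanism in the project documentation, then perform a gap analysis) is what that walk automates. The following is an added example, not from the presentation or from Sherwood Associates' review method: it indexes the requirement → strategy → service → mechanism → product chain, walks it top-down to find requirements nothing implements and bottom-up to find mechanisms and products no requirement justifies. The layer names follow the slide; every identifier in the sample design (BD17 Private, ‘Signed log records’, ‘Proxy appliance’ and so on) is constructed and says nothing about the bank's actual design.

```python
"""Two-way traceability check across the SABSA chain shown above.

Added example, not from the presentation. Layer names follow the slide; the
sample elements and links below are constructed, not the bank's design.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LAYERS = ("requirement", "strategy", "service", "mechanism", "product")
Node = Tuple[str, str]             # (layer, name)
Link = Tuple[str, str, str, str]   # (parent_layer, parent, child_layer, child)


def build_index(links: Iterable[Link]) -> Tuple[Dict[Node, Set[Node]], Dict[Node, Set[Node]]]:
    """Index links downwards and upwards.

    Links that skip a layer are refused: a strategy wired straight to a product
    hides the missing service the review is supposed to find.
    """
    down: Dict[Node, Set[Node]] = defaultdict(set)
    up: Dict[Node, Set[Node]] = defaultdict(set)
    for parent_layer, parent, child_layer, child in links:
        expected = LAYERS.index(parent_layer) + 1
        if expected >= len(LAYERS) or LAYERS.index(child_layer) != expected:
            raise ValueError(f"{parent_layer} '{parent}' may not link directly to {child_layer} '{child}'")
        down[(parent_layer, parent)].add((child_layer, child))
        up[(child_layer, child)].add((parent_layer, parent))
    return down, up


def reaches(start: Node, target_layer: str, index: Dict[Node, Set[Node]]) -> bool:
    """Depth-first walk along `index`; True if some path from `start` ends in `target_layer`."""
    stack, seen = [start], {start}
    while stack:
        node = stack.pop()
        if node[0] == target_layer:
            return True
        for nxt in index.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def gap_analysis(elements: Dict[str, Set[str]], links: Iterable[Link]) -> Dict[str, object]:
    """`elements` lists every item named in the design documents, per layer.

    Returns the requirements that do not trace down to a product ("are all my
    business requirements fulfilled?") and, per layer, the items that do not
    trace up to any requirement ("why do we need it?").
    """
    down, up = build_index(links)
    unfulfilled = sorted(r for r in elements["requirement"]
                         if not reaches(("requirement", r), "product", down))
    unjustified = {layer: sorted(n for n in elements.get(layer, ())
                                 if not reaches((layer, n), "requirement", up))
                   for layer in LAYERS[1:]}
    return {"unfulfilled_requirements": unfulfilled,
            "unjustified": {layer: names for layer, names in unjustified.items() if names}}


# Constructed sample design: two chains are complete, one stops at a mechanism
# with no tool behind it, and one tool sits in the design with nothing above it.
SAMPLE_ELEMENTS: Dict[str, Set[str]] = {
    "requirement": {"BD17 Private", "BD19 Non-repudiable", "BD5 Informed"},
    "strategy":    {"Confidentiality", "Accountability", "Awareness"},
    "service":     {"Access control", "Audit trail", "Security training"},
    "mechanism":   {"Role-based authorisation", "Signed log records", "Quarterly briefing", "Web content filter"},
    "product":     {"Mainframe access manager", "Log platform", "Training portal", "Proxy appliance"},
}
SAMPLE_LINKS: List[Link] = [
    ("requirement", "BD17 Private", "strategy", "Confidentiality"),
    ("strategy", "Confidentiality", "service", "Access control"),
    ("service", "Access control", "mechanism", "Role-based authorisation"),
    ("mechanism", "Role-based authorisation", "product", "Mainframe access manager"),
    ("requirement", "BD19 Non-repudiable", "strategy", "Accountability"),
    ("strategy", "Accountability", "service", "Audit trail"),
    ("service", "Audit trail", "mechanism", "Signed log records"),
    ("mechanism", "Signed log records", "product", "Log platform"),
    ("requirement", "BD5 Informed", "strategy", "Awareness"),
    ("strategy", "Awareness", "service", "Security training"),
    ("service", "Security training", "mechanism", "Quarterly briefing"),
    # No link from "Quarterly briefing" to "Training portal": BD5 surfaces as
    # unfulfilled and the portal as unjustified, one missing link seen from both ends.
    ("mechanism", "Web content filter", "product", "Proxy appliance"),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(gap_analysis(SAMPLE_ELEMENTS, SAMPLE_LINKS))
```

In a real review the elements and links come from the functional specification and high level design documents, and the value of running both directions is that the same missing link shows up as an unfulfilled requirement and as an unjustified cost, which is what a letter of assurance has to be able to rule out.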

Case study: performance reporting…

Attribute: Private. Performance targets:
   •  Alerts of unauthorized access attempts, to be produced and delivered to IS Operations Manager and Business Owner within 15 minutes.
   •  IS Department to detail the number, severity, and type of unauthorized access attempts to private data, and a monthly report to be produced and delivered to the IS Operations Manager and Business Owner.
   •  System to pass review by <insert name of Independent Legal and Forensic Authority> to a degree deemed acceptable by the Head of Group Legal, to prevent prosecution under Data Protection legislation

Attribute: Informed. Performance targets:
   •  Adherence to quarterly awareness program plan produced by Business Operations Manager and agreed with Business Owner.
   •  Monthly report on all customer feedback relating to level of awareness produced and delivered to Business Owner and Business Operations Manager.
   •  Report from quarterly customer and non-customer focus groups delivered to Business Owner.

Performance Report: the Business Attributes taxonomy (as listed above) rendered as a scorecard, each attribute shaded against its performance targets on a 100% / 75% / 50% / 25% / 0% scale.

Linking business requirements to controls…

Figure: a chain Business requirements → Business Drivers → Business Attributes → Control Areas. Labels on the slide: the requirement “Being a top 2 player in the ???? market in ????”; the drivers “Establish 50% market share growth over the next 5 years” and “Achieve Net Promoter Score (NPS) of >40%”; and, among the attributes and control areas, Operational Excellence, Risk Managed, Customer Satisfaction, Cost Efficiency, Operational Efficiency, Funding Costs, Clarity of Customer Risk, Internal Governance, Process Quality, Portfolio Quality, Operations and IT.

What Project 1426 delivered…

»  Traceability:
   •  Visible justification of controls based on business case
   •  Visible demonstration of completeness of control set

»  Transparent business driven process:
   •  Repeatable
   •  Consistent
   •  Objective
   •  Auditable

»  Risk reporting (current status and forecasting):
   •  Based on business defined security performance goals by risk owners
   •  Reports risks of missing performance targets
   •  Dashboard / scorecard compatibility
   •  Granular drill-down from aggregated scores
   •  Real-time objective measurement feeds
   •  Forecasting by tracking trends

For a successful security solution we need:

»  Traceability (visible justification of controls based on business case; visible demonstration of completeness of control set)

»  Transparent business driven process (repeatable, consistent, objective, auditable)

»  Risk reporting, current status and forecasting (based on business defined security performance goals by risk owners; reports risks of missing performance targets; dashboard / scorecard compatibility; granular drill-down from aggregated scores; real-time objective measurement feeds; forecasting by tracking trends)


Case study: Australian Electoral Commission… …taking the risk out of electronic voting

Case study: Australian Electoral Commission… …AEC attributes taxonomy

Core Values: Impartiality, Integrity, Respect, Service, Transparency

Stakeholders: Electors, Candidates, Scrutineers, Media, Senior Management, Operations Staff

Attributes: Secrecy of the Vote, Confidence & Perception, Privacy, Accessibility & Deliberation, Timeliness of the Result, Transparency, Reputation, Compliance, Governability, Equity, Financial Viability, Auditability, Accuracy, Anonymity, Authentication, Integrity, Verifiability, Availability, Reliability, Future & Legacy Sensitivity, Modularity


Case study: Australian Electoral Commission… …in support of business mission

»  SABSA attributes-driven risk management database

»  Periodic and real-time information

»  Acceptable impact metrics / performance targets set for each asset

»  Used for vendor evaluation

»  Mandated for all IT Projects

»  Multi-use by wide variety of stakeholders
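The risk-reporting requirements listed earlier (performance targets defined by the business risk owners, a dashboard score with granular drill-down, measurement feeds, and forecasting by tracking trends) and the AEC's attributes-driven risk management database above describe one mechanism. The Python below is an added example of that mechanism; it is not code from this presentation, from i-to-i or from the AEC. The attribute names are taken from the AEC taxonomy above, while the metrics, targets, stakeholder groupings and measurements are constructed sample data.

```python
"""Added example (not from the original deck or from the AEC): a minimal
SABSA-style attribute scorecard. Every metric, target, stakeholder grouping
and measurement below is constructed sample data for illustration."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Attribute:
    """One business attribute with a risk-owner-defined performance target."""
    name: str
    metric: str                  # how the attribute is measured (constructed)
    target: float                # acceptable level set by the risk owner
    higher_is_better: bool       # direction of "good" for the metric
    stakeholders: tuple          # who has a stake in this attribute
    history: list = field(default_factory=list)  # measurements, oldest first

    def current(self):
        return self.history[-1]

    def meets_target(self, value=None):
        """True when a value (default: the latest measurement) is on target."""
        v = self.current() if value is None else value
        return v >= self.target if self.higher_is_better else v <= self.target

    def score(self):
        """Normalised 0..1 score; 1.0 means the target is met or exceeded."""
        v = self.current()
        if self.higher_is_better:
            return 1.0 if self.target == 0 else min(1.0, v / self.target)
        return 1.0 if v == 0 else min(1.0, self.target / v)

    def forecast(self, periods_ahead=1):
        """Least-squares linear trend over the history, projected ahead."""
        n = len(self.history)
        if n < 2:
            return self.current()
        xs = list(range(n))
        x_bar, y_bar = mean(xs), mean(self.history)
        slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, self.history))
                 / sum((x - x_bar) ** 2 for x in xs))
        return y_bar + slope * ((n - 1 + periods_ahead) - x_bar)


def aggregate(attrs):
    """Single dashboard number: mean of the per-attribute scores."""
    return mean(a.score() for a in attrs)


def drill_down(attrs, stakeholder):
    """Granular view: the attributes one stakeholder group depends on."""
    return [a for a in attrs if stakeholder in a.stakeholders]


def at_risk(attrs, periods_ahead=2):
    """Attributes that miss their target now, or are forecast to miss it.
    Returns {name: (meets_now, meets_forecast)} for the problem cases only."""
    out = {}
    for a in attrs:
        now, later = a.meets_target(), a.meets_target(a.forecast(periods_ahead))
        if not (now and later):
            out[a.name] = (now, later)
    return out


# Constructed sample data: attribute names follow the AEC taxonomy, but the
# metrics, targets and measurements are invented for this example.
SAMPLE = [
    Attribute("Timeliness of the Result", "hours to publish preliminary count",
              4.0, False, ("Electors", "Candidates", "Media"), [3.0, 3.5, 4.2]),
    Attribute("Availability", "% of polling-place systems online",
              99.6, True, ("Electors", "Operations Staff"), [99.9, 99.8, 99.7]),
    Attribute("Verifiability", "% of sampled ballots reconciled to audit trail",
              100.0, True, ("Scrutineers", "Candidates"), [100.0, 100.0, 100.0]),
    Attribute("Secrecy of the Vote", "voter-ballot linkability findings in review",
              0.0, False, ("Electors", "Senior Management"), [0.0, 0.0, 0.0]),
]

if __name__ == "__main__":
    print(f"Aggregate score: {aggregate(SAMPLE):.3f}")
    for name, (now, later) in at_risk(SAMPLE).items():
        print(f"  at risk: {name} (on target now={now}, forecast={later})")
    for a in drill_down(SAMPLE, "Scrutineers"):
        print(f"  Scrutineers depend on: {a.name} = {a.current()} {a.metric}")
```

Running the file prints the aggregate score, the attributes that currently miss or are forecast to miss their target (in the sample data, Timeliness of the Result already misses and Availability is trending towards a miss while still on target today), and the drill-down for one stakeholder group. The linear trend is the simplest forecast and would be replaced by whatever the organisation's measurement feed supports; the point the slides make is that the target and the tolerance belong to the business risk owner, and the report shows the risk of missing them rather than a bare technical reading.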


For a successful security solution we need:

»  A framework that can be uniquely tailored to the organisation’s needs
•  Not requiring the organisation to adapt to the framework


Why SABSA?

»  Setting the scene…

»  SABSA:
•  Case study: Paul Kocher
•  Case study: Project 1426
•  Case study: AEC

»  Key messages…


For a successful security solution we need:

»  An holistic approach…

»  Traceability:
•  Visible justification of controls based on business case
•  Visible demonstration of completeness of control set

»  Transparent business driven process:
•  Repeatable
•  Consistent
•  Objective
•  Auditable

»  Risk reporting (current status and forecasting):
•  Based on business defined security performance goals by risk owners
•  Reports risks of missing performance targets
•  Dashboard / scorecard compatibility
•  Granular drill-down from aggregated scores
•  Real-time objective measurement feeds
•  Forecasting by tracking trends

»  A framework that can be uniquely tailored to the organisation’s needs
•  Not requiring the organisation to adapt to the framework


IT security: an holistic approach…

»  IT security is always a (supporting) part of an overall security policy

»  There is no such thing as an “absolutely secure” IT system

»  The most secure IT system is one that is switched off •  But even that is NOT secure

»  The challenge is to ensure appropriate security with maximum convenience


To manage complexity (with an holistic approach)… …a security framework is required

»  SABSA doesn’t replace:
•  ASL
•  BiSL
•  CobiT
•  IAF
•  ITIL
•  Prince2
•  TOGAF
•  etc.

»  SABSA is a complete security framework that complements existing frameworks:
•  Allowing all aspects of security to be implemented and managed

SABSA will help you…

»  …not knowingly take significant (and unnecessary) risks
»  …understand the risks you are taking
»  …adapt to the ever changing security threatscape
»  …achieve completeness of protection
»  …focus on high risks
»  …exploit available ‘intelligence’ (cartoon caption: Ensign Johnson suddenly comes to the alarming realisation that he is the only red-shirt in the landing party.)
»  …move at the speed of business
»  …quickly re-use and re-deploy
»  …know when to persevere and when to give up
»  …deal with things that go wrong that should never go wrong
»  …adapt your procedures dynamically as the situation demands (cartoon caption: Come on! Jump! It can‘t go wrong every time...)
»  …manage when the expected happens
»  …manage when the unexpected happens
»  …act systematically not instinctively
»  …seriously review your policies
»  …reduce your security budget and increase its effectiveness

Thank You Ideas to Interconnect BV (i-to-i), Radex Building, Kluyverweg 2a, 2629 HT Delft, The Netherlands.

Ideas to Interconnect BV (i-to-i), De Boerderij, Nijendal 18, 3972 KC Driebergen-Rijsenburg, The Netherlands.

Tel: +31-15-2682513 Fax: +31-15-2682521

Website: http://www.i-to-i.nl

KvK registration: 27187207

We have got what IT takes