The Role of the Architect
The Conceptual Security Architecture layer, also known as the Architect's View, is the binding agent between the business requirements and the technology used to enable security. This is the "big picture": it contains a profile of the business attributes (see Figure 3 below) and the risk objectives. The architect is responsible for constructing the vision of how the overall design of the system will look and how its elements will interoperate with one another.
This role is also responsible for establishing the design rules. These include what needs to be protected, the rationale for why it needs to be protected, and the overall strategies that will be employed. Interestingly, this is not a strictly static view; it includes time-phasing. For example, expiration deadlines for keys, certificates, passwords and sessions are set at this level to provide guidance downwards, rather than leaving them to be determined at lower levels of the SABSA model (Sherwood, 2009). The content at this level should be understandable to stakeholders at any level of the organization and easy to explain.
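The time-phasing idea above (the conceptual layer fixes the maximum lifetimes that lower layers must honour, each tied to a business attribute and a stated rationale) can be expressed as a small policy checker. The following is an added example, not code from the article or from SABSA itself; the attribute names, rule names, durations and the `parse_duration` format are all constructed for illustration.

```python
"""Added example: a conceptual-layer policy checker (not from the article).

The conceptual layer states what must be protected, why, and the time-phasing
limits (key, certificate, password and session lifetimes) that lower SABSA
layers must honour.  This module encodes such a profile and checks a proposed
lower-level design against it.  All names and durations are constructed.
"""
import re
from dataclasses import dataclass
from datetime import timedelta

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse lifetimes as written in design documents, e.g. '90d', '12h', '30m'."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


@dataclass(frozen=True)
class LifecycleRule:
    element: str            # the thing that expires, e.g. "tls_certificate"
    max_lifetime: timedelta  # upper bound set by the conceptual layer
    attribute: str          # business attribute it supports, e.g. "Confidential"
    rationale: str          # why it needs protecting, in business terms


@dataclass
class ConceptualPolicy:
    business_attributes: frozenset
    rules: dict  # element -> LifecycleRule

    def add_rule(self, rule: LifecycleRule) -> None:
        # Every rule must trace back to a business attribute in the profile.
        if rule.attribute not in self.business_attributes:
            raise ValueError(f"rule {rule.element!r} cites unknown attribute {rule.attribute!r}")
        self.rules[rule.element] = rule

    def check_design(self, proposed: dict) -> list:
        """Return findings for a lower-level design given as {element: '90d', ...}."""
        findings = []
        for element, rule in sorted(self.rules.items()):
            if element not in proposed:
                findings.append(f"{element}: lifetime not specified; conceptual rule "
                                f"requires <= {rule.max_lifetime} ({rule.rationale})")
                continue
            if parse_duration(proposed[element]) > rule.max_lifetime:
                findings.append(f"{element}: proposed {proposed[element]} exceeds conceptual "
                                f"limit {rule.max_lifetime} ({rule.rationale})")
        # Elements the design introduces that the conceptual layer never governed.
        for element in sorted(set(proposed) - set(self.rules)):
            findings.append(f"{element}: not governed by any conceptual rule; add one or justify")
        return findings


def real_estate_policy() -> ConceptualPolicy:
    """Constructed profile for a real estate agency (illustrative values only)."""
    policy = ConceptualPolicy(
        business_attributes=frozenset({"Confidential", "Accountable", "Available"}), rules={})
    policy.add_rule(LifecycleRule("tls_certificate", timedelta(days=398), "Confidential",
                                  "client and listing data in transit"))
    policy.add_rule(LifecycleRule("signing_key", timedelta(days=365), "Accountable",
                                  "contracts must be attributable"))
    policy.add_rule(LifecycleRule("user_password", timedelta(days=180), "Accountable",
                                  "agent accounts reach client records"))
    policy.add_rule(LifecycleRule("web_session", timedelta(hours=8), "Confidential",
                                  "shared office workstations"))
    return policy


def example_findings() -> list:
    """Check a constructed lower-level design against the conceptual profile."""
    proposed = {"tls_certificate": "365d", "signing_key": "730d",
                "web_session": "24h", "api_token": "30d"}
    return real_estate_policy().check_design(proposed)


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

Running the module reports four findings: the signing key and session lifetimes exceed their conceptual limits, the password lifetime was never specified, and `api_token` appears in the design without any conceptual rule behind it. That last case is the useful one in practice, since it flags a lower layer introducing a credential the architect never reasoned about.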
Example - Conceptual Security Architecture
Figure 3 - This diagram illustrates an example of using the Conceptual Layer to identify the business requirements, drivers and attributes of a real estate agency.