How to use OSA
What does OSA provide?
OSA offers readily reusable material on several abstraction layers. On the top level, OSA provides an overall landscape, actors (coming soon), and a terminology and taxonomy. On the next level, OSA provides security patterns, and finally OSA provides threat modeling and a (NIST-based) controls catalog.
Relevance of the OSA landscape
The OSA landscape is just one possible way of slicing and dicing through the different topics of security. The OSA landscape intentionally combines different abstraction levels because we believe that architecture is a synonym for a certain type of design and that this type of design can be applied on different levels.
Selecting a pattern
You probably found the OSA page while looking for a solution to an acute architectural problem that your company faces. Possibly you decided to rely on the pattern just as a checklist, and then found that the visualization supports your documentation needs as well. The next step of adoption could be that, in another situation, you find another pattern that fits. At that point you already benefit from the consistent set of actors (a.k.a. roles) that underlies the patterns.
Selecting the controls
Naturally, the number of controls that you want to implement in your environment depends on your risk appetite, your budget (which again relates to your risk appetite) and your security policies (which lay out a baseline, and hence again relate to your risk appetite).
Mapping the controls catalog
At a later stage you will find it convenient that the OSA controls catalog is already mapped to ISO and COBIT. The mapping to those standards comes in handy when you have to respond to an internal audit or a controls review project.