← Blog

Foundations Redesign: Capability Model, Archive, and Structural Cleanup

Tobias Christen

The Foundations section of OSA has undergone a significant structural redesign. This post documents the decisions made, the rationale behind them, and the resulting changes.

Context

The Foundations section serves as the conceptual backbone of OSA — the principles, models, and frameworks that underpin the pattern catalogue. Over time, the section accumulated pages of varying relevance and lacked a clear hierarchy. Two issues prompted the redesign:

  • The Security Capability Model, a major new addition defining 13 capability areas across 52 strategic and 207 architectural sub-capabilities, needed to be integrated and given prominence.
  • The OSA Landscape page, while historically important, had been superseded by the pattern catalogue and TRIDENT Explorer as the primary navigation tools. It needed to be deprioritised without being deleted.

Decision 1: Security Capability Model (CA-13 and Structural Changes)

The original capability model (v0.4) had 12 capability areas with 48 L1 and 192 L2 capabilities. Analysis revealed a critical weakness: backup and recovery appeared exactly once — a single L2 sub-capability (Immutable Backup & Offline Storage) under CA-12. Given that ransomware is consistently the number one cyber risk for most organisations, this was insufficient.

Options Considered

  • Option A — Merge within CA-12: Expand the existing Incident Response & Business Continuity area with additional backup L2s. Rejected because it conflates incident response (reactive) with IT service continuity (proactive architectural design).
  • Option C — New CA-13: Create a dedicated IT Service Continuity & Recovery capability area. Selected because it gives backup, high-availability architecture, and adversarial recovery the structural weight they deserve.

Resulting Structure

CA-13 IT Service Continuity & Recovery was added with 4 L1 strategic capabilities and 15 L2 architectural sub-capabilities:

  • L1 1: Defined HA Architecture Tiers Matched to Service Level Classes (3 L2s)
  • L1 2: IT Services Mapped, Prioritised and Designed to Fail Over (3 L2s)
  • L1 3: Backup Architecture That Attackers Cannot Reach or Destroy (3 L2s)
  • L1 4: Recovery Tested, Proven and Executable Under Adversarial Conditions (6 L2s)

Additionally, cross-references were added to existing capability areas:

  • CA-08 L2: Retention, Archival & Disposal Policy became Retention, Backup Classification & Disposal Policy
  • CA-09 L2: Cloud Storage Security Controls became Cloud Storage Security & Cross-Region Backup Replication
  • CA-12 L1 4: Refocused from backup to continuous improvement (Every Incident Leaves the Organisation Stronger)

The model version was bumped to 0.5. Final counts: 13 CAs, 52 L1s, 207 L2s.

Decision 2: Overview Diagram Replaces Quick Reference Table

An SVG overview diagram was created to provide a visual map of all 13 capability areas across the three phases (Foundation, Protect, Operate). With the diagram in place, the Quick Reference table became redundant — it provided the same information (CA IDs, titles, ZTA pillar, CSF functions, pattern references) that is already visible in both the diagram and each CA detail card header. The table was removed.

Decision 3: Archive Section for Superseded Pages

Rather than deleting the OSA Landscape page, an archive mechanism was introduced:

  • A boolean archived flag was added to the foundations.json data model
  • The Foundations index page now filters entries into an active grid and a muted Archive section
  • The Archive section sits below the Definitions section at the bottom of the page, with grey styling (slate border, reduced opacity) to visually distinguish it from active content
  • The OSA Landscape was marked as the first archived page

This approach is data-driven — any future foundation page can be archived by setting archived: true in its JSON entry. The page itself remains fully functional and accessible via its URL; it is simply deprioritised in the navigation.

Decision 4: Capability Model Promoted to Top Position

The Security Capability Model was moved to the first position in the foundations.json array, making it the first tile visitors see on the Foundations page. This reflects its role as the primary structural framework for understanding OSA — it answers the question "what must an organisation be able to do?" before the other pages explain how.

Summary of Changes

  • Added CA-13 IT Service Continuity & Recovery (4 L1s, 15 L2s) to the capability model
  • Cross-referenced backup and recovery into CA-08, CA-09, and CA-12
  • Added SVG overview diagram to the capability model page
  • Removed the redundant Quick Reference table
  • Created an Archive section on the Foundations index page
  • Moved the OSA Landscape to the Archive section
  • Promoted the Security Capability Model to the top of the Foundations grid
  • Capability model version bumped from 0.4 to 0.5

Impact

These changes do not affect any URLs — all existing links continue to work. The OSA Landscape remains accessible at /foundations/osa-landscape. The capability model is now the primary entry point for understanding the structural organisation of security capabilities across OSA.

Explore the Security Capability Model | Browse all Foundations

Tobias Christen — Open Security Architecture