Policy Management in a COA



Similar documents
IM and Presence. Skype for Business 2015 users. Legend. Skype for Business 2015 users. Active Directory Domain Services.

How To Improve Your Salary At The Finance Sector Union Of Ustralia

Core Fittings C-Core and CD-Core Fittings

Microsoft Dynamics NAV 2013 R2 Feature Comparison Tool

CA SiteMinder. SDK Overview. r6.0 SP6/6.x QMR 6. Second Edition

South East of Process Main Building / 1F. North East of Process Main Building / 1F. At 14:05 April 16, Sample not collected

AAdobe Systems Incorporated. Controlling Access to Adobe Creative Cloud Services INTRODUCTION SYNOPSIS

STATEMENT OF WORK FOR HIPAA SECURITY RISK ANALYSIS

Work Breakdown Structure

FM Administration Assistant Customer Services EHA

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

Chartered Institute of Management Accountants. Chartered Institute of Management Accountants. Syllabus overview

Executive County Administrators

Qualification details

INFORMATION SYSTEMS EXAMINATIONS BOARD

COMAH Competent Authority

Mitra Innovation Leverages WSO2's Open Source Middleware to Build BIM Exchange Platform

FEDERAL ACQUISITION REGULATION (FAR) AND DEPARTMENT OF DEFENSE FAR (DFAR) SUPPLEMENT ARE INCORPORATED BY REFERENCE HEREIN:

Government of India Ministry of Communications & Information Technology Department of Electronics & Information Technology (DeitY)

Standards in health informatics

Job Description. Director of Operations, UK Payments Administration Ltd

THE BRITISH LIBRARY. Unlocking The Value. The British Library s Collection Metadata Strategy Page 1 of 8

CS2Bh: Current Technologies. Introduction to XML and Relational Databases. The Relational Model. The relational model

Using Your Personal Information

Data Management Software

PRINCE2 Passport Sample Papers

Series B Information on the Transposition of Directive 2006/24/EC

HIPAA and HITECH Act. Compliance Guide

Enterprise Application Integration (EAI) Techniques

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

VERITAS File Server Edition Managing Consolidated File Servers for Performance and Availability

Data ownership within governance: getting it right

Managing Complex Outsourced Projects

Data analytics the changing use of data within Internal Audit

NIR-Online Getting Started Guide

Office for Nuclear Regulation

What happens when you sign up to the ZoneFox Service?

Specialisation International Law

Data Integration and Exchange. L. Libkin 1 Data Integration and Exchange

An Introduction to the ECSS Software Standards

VMware AlwaysOn Desktop Design Guide

NC DIGITAL MEDIA COMPUTING

This policy applies to all policies and procedures and supporting documentation such as work instructions and templates at the Whyalla City Council.

HIPAA compliance. Guide. and HIPAA compliance. gotomeeting.com

Digital Rights Management - The Difference Between DPM and CM

Management of Physical Assets

Understanding unit-linked funds

STAR Deutschland GmbH

Business Continuity Management Policy and Framework

IMS 11: Moving Your Business Forward

Principal Lecturer in Mental Health Nursing. School of Health and Social Care, College of Social Science

Describing Electronic Health Records Using XML Schema

Institutional Repositories: Staff and Skills requirements

Programming Languages

BARNET AND SOUTHGATE COLLEGE JOB DESCRIPTION

INFORMATION GOVERNANCE STRATEGY NO.CG02

IP HEALTHCHECK SERIES. NoN-DISCLoSuRE AgREEmENTS. Intellectual Property Office is an operating name of the Patent Office

Energy Efficient Systems

An Introduction to the PRINCE2 project methodology by Ruth Court from FTC Kaplan

User Equipment and Enterprise Mobility Infrastructure

Social Care, Health and Housing Substance Misuse Team. How can we help?

I. Personal data and its use in the business to business environment.

Certa Qualification Unit Report

Kanban vs Scrum. Henrik Kniberg - Crisp AB Agile coach & Java guy. A practical guide. Deep Lean, Stockholm May 19, 2009

ANSYS EKM Overview. What is EKM?

Mapping and Geographic Information Systems Professional Services

Certification of Electronic Health Record systems (EHR s)

Transcription:

Policy Management in a O John rnold hief Security rchitect, UK apgemini The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 1

De-Perimeterised Organisations People Devices Movements between organisations are built-in Policies Organisation Information Risks ontracts & Processes The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 2

Security Policy - Terminology Human Readable Security Policy is a security policy that is intended to be interpreted by humans in making security decisions. E.g. a security procedure Machine Readable Security Policy is a security policy that is intended to be interpreted by computer programs in making security decisions. E.g. an L Governance Policy is a policy that describes how a human or machine readable policy is determined or agreed. E.g. Most ISO27001 security policies. In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 3

urrent security policy approaches and the problems with them Machine readable policies tend to be lists rather than rules Machine readable policies are designed to be enforced by infrastructure rather than applications Machine readable policies not linked to business requirements pplication security policies are embedded into application code Organisations assume their policies are their own Use of Ls per resource Difficult to change as business needs change. One size fits all approach; cannot relate policies to business benefit Policies do not implement requirements properly and it is not clear how to change them May not meet business requirements. Difficult to change as business needs change Untrue where organisations handle information on behalf of someone else, the original information owner is a stakeholder in the policy Enormous number of Ls to manage In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 4

Handling policies better a new policy enforcement architecture User gent redentials/ Identity ccess Request/ ccess Response Policy Enforcement Point Decision Request/ Decision Response uthentication Service ttributes ttribute & uthentication uthority ttributes Policy Decision Point Policies Policy dministration Point Policies Policy uthority In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 5 22 nd 5

Handling policies better rich policy language Replace Ls by a machine readable policy expressed in a rich policy language rich policy language expresses access decisions in terms of the relevant contract states, e.g. this asset can be accessed by a direct employee of grade 4 and above, or any employee of a joint venture of a particular type There is a standard for expressing security policies: XML benefit of using standard security policies a policy for an asset can be specified once, then actioned by many different organisations as they pass the asset around The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 6

Handling policies better more realistic governance patterns Security policy governance is the process whereby security policies are specified, tested and agreed. Some common patterns: reator control Subject ontrol N-man rule ontent based control ccountability orporate record Many information assets have more than one stakeholder and hence more than one policy stakeholder. The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 7

Handling security policies better - security policy as a service Most organisations arent capable, or motivated, to develop their own security policies It would be better for suitably qualified organisations to specialise in creating standard security policy services to cover areas such as ompliance Hardening Product-specific policies This requires standardisation of the policy decision and query language (e.g. XML) but also of the enforcement hooks to be put into applications. The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information