Implicit information exists in most cases either as an informal or as
a formal statement. Examples of implicit information are the scope,
description, structure, interrelationships, control, and rendering of
policies. Metapolicies make this information explicit. The following
kinds of metapolicies which specify implicit information are mentioned
by Hosmer:
- Policy Description Metapolicy
- defines the structure of the policy presentation, the elements which
make up the policy, the name, type, and length information of the
elements, etc. Table 3.1 shows an example of a Policy
Description Metapolicy. Besides other possible information,
information about the required signers and modifiers is contained in
the example. This indicates who may approve changes to a policy
element and who may modify the element. In the last line of the
example metapolicy these are, for instance, the System Manager and
the System Security Officer (SSO). The criticality code is an
indicator for the impact a change will have on the rest of the policy
and/or the security of the system.
Table 3.1: Policy Description Metapolicy [Hosm 92]

| Policy Description | Data Type | Length | Criticality | Req. Signer | Modifier |
|---|---|---|---|---|---|
| Policy Name | Alphanumeric | 20 | 30 | Scty DOD | SSO |
| Policy Type | Alphanumeric | 5 | 30 | None | SSO |
| Authority | Alphanumeric | 30 | 50 | Scty DOD | SSO |
| Start Date | Date | 6 | 20 | President | SSO |
| Expiration Date | Date | 6 | 25 | President | SSO |
| Informal Model | Alphanumeric | 900 | 20 | None | SSO |
| Formal Model | ZED | 1500 | 40 | Sys Manager | SSO |
| ... | | | | | |

- Policy Constraint Metapolicy
- The constraints put on a policy are specified with a Policy
Constraint Metapolicy. It may consist of the time of execution, the
restrictions on the application domain, time limitations like
expiration date, exemption of certain users or roles from the policy,
and may specify whether the policy must be executed in combination
with other policies.
- Organization Control Metapolicy
- With metapolicies of this kind, information needed for working with a
policy in an organisation is made explicit. Table 3.2 shows an example
of an organizational control metapolicy. Such a metapolicy describes,
for example, the owner and the creator of the policy, its expiration
date, and the processes used for its distribution, renewal, and
modification. Also included may be the policy assurance status, legal
status, and the source of the policy.
Table 3.2: Organizational Control Metapolicy [Hosm 92]
- Automated Information System (AIS) Metapolicy
- With this kind of metapolicy, information necessary for the
computer-oriented processing of the policy is specified. It contains
details needed to describe and control the implementation of the
policy and it may include constraints on the implementation
mechanisms, requirements for configuration management and audit, etc.
- Domain Interface Metapolicy
- This metapolicy specifies the rules that apply when data labelled for
one policy domain must be transferred to another policy domain. These
rules are used for the automated transfer.
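
The following added example (not code from Hosmer or from this document's authors) shows how the Policy Description Metapolicy of Table 3.1 could be enforced when a policy element is changed: the modifier, the required signer, the length and the data type are checked against the table row. Assumptions: Length is a maximum, a Date is six digits, ZED text is only length-checked, and the names Element, METAPOLICY, SYNTAX and check_change are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Element:
    data_type: str
    length: int                 # treated as a maximum length (assumption)
    criticality: int            # impact indicator from the table
    req_signer: Optional[str]   # None = no approval required
    modifier: str

# Rows of Table 3.1 [Hosm 92].
METAPOLICY = {
    "Policy Name":     Element("Alphanumeric", 20, 30, "Scty DOD", "SSO"),
    "Policy Type":     Element("Alphanumeric", 5, 30, None, "SSO"),
    "Authority":       Element("Alphanumeric", 30, 50, "Scty DOD", "SSO"),
    "Start Date":      Element("Date", 6, 20, "President", "SSO"),
    "Expiration Date": Element("Date", 6, 25, "President", "SSO"),
    "Informal Model":  Element("Alphanumeric", 900, 20, None, "SSO"),
    "Formal Model":    Element("ZED", 1500, 40, "Sys Manager", "SSO"),
}

# Assumed encodings; the table names the data types but not their syntax.
SYNTAX = {
    "Alphanumeric": re.compile(r"[A-Za-z0-9 .,;:()'-]*"),
    "Date": re.compile(r"\d{6}"),          # assumed six digits, e.g. YYMMDD
    "ZED": re.compile(r".*", re.DOTALL),   # Z text is only length-checked
}

def check_change(element, new_value, modified_by, signed_by=()):
    """Return the list of metapolicy violations; an empty list means accept."""
    spec = METAPOLICY.get(element)
    if spec is None:  # fail closed on elements the metapolicy does not describe
        return ["unknown: element is not described by the metapolicy"]
    problems = []
    if modified_by != spec.modifier:
        problems.append(f"modifier: only {spec.modifier} may modify {element}")
    if spec.req_signer and spec.req_signer not in signed_by:
        problems.append(f"signer: approval by {spec.req_signer} is missing")
    if len(new_value) > spec.length:
        problems.append(f"length: {len(new_value)} exceeds {spec.length}")
    if not SYNTAX[spec.data_type].fullmatch(new_value):
        problems.append(f"type: value is not valid {spec.data_type}")
    return problems

if __name__ == "__main__":
    # Constructed change requests, not taken from the source.
    print(check_change("Formal Model", "[NAME]", "SSO", {"Sys Manager"}))
    print(check_change("Start Date", "92-01-01", "Sys Manager"))
```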
Copyright Munich Network Management Team