URL: http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=18199&ICS1=35&ICS2=100&ICS3=1
From http://www.csa-intl.org:
The Security Frameworks are intended to address the application of security services in an Open Systems environment, where the term Open Systems is taken to include areas such as Database, Distributed Applications, ODP and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms.
The Security Frameworks address both data elements and sequences of operations (but not protocol elements) that are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems.
In the case of Access Control, accesses may either be to a system (i.e. to an entity that is the communicating part of a system) or within a system. The information items that need to be presented to obtain the access, as well as the sequence of operations to request the access and for notification of the results of the access, are considered to be within the scope of the Security Frameworks. However, any information items and operations that are dependent solely on a particular application and that are strictly concerned with local access within a system are considered to be outside the scope of the Security Frameworks.
Many applications have requirements for security to protect against threats to resources, including information, resulting from the interconnection of Open Systems. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, in an OSI environment, are described in CCITT Rec. X.800 / ISO 7498-2.
The process of determining which uses of resources within an Open System environment are permitted and, where appropriate, preventing unauthorized access is called access control. This Recommendation / International Standard defines a general framework for the provision of access control services.
This Security Framework:
(a) defines the basic concepts for access control;
(b) demonstrates the manner in which the basic concepts of access control can be specialized to support some commonly recognized access control services and mechanisms;
(c) defines these services and corresponding access control mechanisms;
(d) identifies functional requirements for protocols to support these access control services and mechanisms;
(e) identifies management requirements to support these access control services and mechanisms;
(f) addresses the interaction of access control services and mechanisms with other security services and mechanisms.
As with other security services, access control can be provided only within the context of a defined security policy for a particular application. The definition of access control policies is outside the scope of this Recommendation / International Standard; however, some characteristics of access control policies are discussed.
It is not a matter for this Recommendation / International Standard to specify details of the protocol exchanges which may need to be performed in order to provide access control services.
This Recommendation / International Standard does not specify particular mechanisms to support these access control services or the details of security management services and protocols.
A number of different types of standard can use this framework, including:
(a) standards that incorporate the concept of access control;
(b) standards that specify abstract services that include access control;
(c) standards that specify uses of an access control service;
(d) standards that specify the means of providing access control within an Open System environment; and
(e) standards that specify access control mechanisms.