|
The
Security Domain’s policy service is concerned with the management of policies.
The aggregation of the policies contained within and managed by the policy
service comprises a Security Domain’s policy set. This service is also
responsible for the enforcement of the domain’s policy for intra-domain and
inter-domain exchanges. The policy service may be thought of as another
primitive service, which is used by the authorization, audit, identity mapping,
and other services as needed.
The
policy service is a process through which a Security Domain determines its
risks vs. costs in order to protect critical assets. The policy development
must encompass:
· A Requirements
analysis process which is used to determine the critical assets that need
protection, security needs of the Security Domain, technological choices for
implementation, security management and monitoring requirements, audit
capability, and non-repudiation capability.
· The
Implementation process that monitors and tests the policies as they are
implemented. If there are problems detected during implementation, the policy
should be revised and requirements should be revisited.
· The Monitoring
process is responsible for the detection of security attacks, detection of security
breeches, and the performance of the installed security infrastructure. This
process is critical to the overall effectiveness of security.
· The Analysis
process is responsible for determining when the deployed security measures need
to be re-evaluated. This re-evaluation may be required due to environment,
legal, or internally developed metrics.
There
is a relevant body of work that can be found in EPRI Report 1008988, Scoping
Study on Security Processes and Impacts. The following is a summarization of
that work.
|
