A Knowledge-Based Repository Model for Security Policies Management
Spyros Kokolakis¹, Costas Lambrinoudakis¹, and Dimitris Gritzalis²
¹ Dept. of Information and Communication Systems Engineering
University of the Aegean, Samos GR-11472, Greece
{sak,clam}@aegean.gr
² Dept. of Informatics, Athens University of Economics & Business
76 Patission St., Athens GR-10434, Greece
dgrit@aueb.gr
Abstract. Most organizations currently build customized security policies by extending the principles and guidelines suggested by generic security policies. This method cannot guarantee that the resulting policies are compatible, nor can it ensure that the resulting protection levels are equivalent. We introduce a Security Policies Repository (SPR), which consists of a knowledge base, storing multiple security policies in a structured way. The SPR facilitates the juxtaposition of security policies, in order to detect, analyze, and resolve conflicts, and to compare and negotiate the protection level of each of the co-operating information systems. Reconciliation of security policies is achieved by means of developing mutually accepted meta-policies.
1 Introduction
1.1 The Case of Co-operating Healthcare Information Systems
Co-operation among organizations often appears as a prerequisite for increasing competitiveness and effectiveness in both the public and private sectors of the economy. Interorganizational co-operation entails Information Systems (IS) co-operation, which usually goes far beyond the mere exchange of data through data networks.
Our research was triggered by the fact that nowadays the exchange of information between Health Care Establishments (HCE) has become a requirement. This is a special case of IS co-operation, with particular privacy-focused and security-related characteristics:
• Healthcare Information Systems (HIS) process medical data. This type of data must be complete and accurate, otherwise people's health and life are at risk. Therefore, the protection of medical data integrity is judged to be an essential requirement for any HIS.
• Medical data should be accessible and ready for immediate use, especially in cases of emergency. Thus, availability of data is an essential requirement.
• Many countries have put in force privacy legislation with strict rules regarding the collection and processing of sensitive data, including medical data. Furthermore, the physician-to-patient relationship is jeopardized when people do not trust that their personal health information will be kept confidential, and that these data will not be utilized for purposes other than medical.