Information Technology Reference
In-Depth Information
3
The Use of a Security Policies Repository
We propose a Security Policies Repository (SPR), which consists of a knowledge
base storing the security policies of co-operating HIS (Fig. 1). Each HCE is responsi-
ble for developing and maintaining its own security policy. Third parties are not al-
lowed to modify the policies, although they can query the knowledge base and re-
trieve information regarding the policies adopted by the specific HCE. The use of the
SPR aims to:
1. Publicize the security policies of the involved parties (stakeholders).
2. Facilitate conflict detection and resolution.
3. Facilitate the assessment of the security policies' adequacy and effectiveness.
4. Facilitate negotiations aiming to achieve a satisfactory and uniform level of secu-
rity and privacy protection.
5. Monitor the solutions that were provided for reconciling security policies.
The SPR provides a common pre-defined structured framework, as presented in the
following section, for the representation of security policies, based on a common
conceptual model. Furthermore, it provides for a system for storing and managing
security policies. Thus, HCE wishing to join a group of co-operating HCE should
register with the SPR and submit its own security policy. The protection level can
then be assessed either by the co-operating HCE or by an independent third party.
Moreover, policy conflicts can be detected and resolved in a collaborative way. The
SPR is supported by a co-ordination team, which is responsible for maintaining the
SPR and may also provide facilitation services for negotiations between HCE.
Policy
Management
application
Healthcare
Establishment
A'
Local
security team
Co-ordination
support center
Co-ordination
team
Negotiations
Knowledge
Base
SPR
Interface
Local
security team
Healthcare
Establishment
B'
Policy
Management
application
Fig. 1.
The SPR model
