OM-BP-0021: Provide Clear Guidelines on The Scope of Security versus Business Policy Rules (Best Practice)
ID
OM-BP-0021
Status
Active
Best Practice
Provide Clear Guidelines on The Scope of Security versus Business Policy Rules.
Rationale
Bad Practices
Implementation Details
Quotes
5 Business or Security Decision
An extension to the policy-modeling exercise is the process of determining what decisions to extract from the business application. Under the surface, entitlement management products have rule engines that make decisions based on a policy and specific inputs. This equation works for security or business decisions - how do you tell them apart in your organization? For example, a security rule may state that updates to the general ledger system can only occur during normal business hours by authorized users from a secure network location. A business rule may state that currency traders can trade their normal limit until the firm's exposure reaches a certain threshold for a particular currency. Entitlement management systems can handle both instances, but an enterprise has to decide where to draw the line between security and business decisions. Once you begin to extract policy decisions from an application, you have to decide how far to go so that implementers in your organization have the guidelines to follow. In the absence of clear guidelines, there is the prospect of endless debates - and limited deployment progress.
(Gebel and Wang, 2010, p. 118-119)
Bibliography
Related Best Practices
N/A
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.