OM-BP-0021: Provide Clear Guidelines on The Scope of Security versus Business Policy Rules (Best Practice)

Owned by David Doret
25-49-2021
1 min read

ID

OM-BP-0021

Status

Active

Best Practice

Provide Clear Guidelines on The Scope of Security versus Business Policy Rules.

Rationale

 

Bad Practices

 

Implementation Details

 

Quotes

5 Business or Security Decision

An extension to the policy-modeling exercise is the process of detennining what decisions to extract from the business application . Under the surface, entitlement management products have rule engines that make decisions based on a policy and specific inputs . This equation works for security or business decisions - how do you tell them apart in your organization? For example, a security rule may state that updates to the generalIedger system can only occur during normal business hours by authorized users from a secure network location. A business rule may state that currency traders can trade their normal limit until the firm's exposure reaches a certain threshold for a particular currency. Entitlement management systems can handle both instances, but an enterprise has to decide where to draw the line between security and business decisions. Once you begin to extract policy decisions from an application, you have to decide how far to go so that implementers in your organization have the guidelines to follow. In the absence of clear guidclines, there is the prospect of endless debates - and limited deployment progress.

(https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1122566480, p. 118-119)

Bibliography

N/A

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.