Subject: definition of policy
I was sending off our governance section to assist a sponsor in getting a handle on policy as part of governance, and I noticed that the governance section doesn't define policy. I believe this was intentional so as not to step on the policy section. However, the policy section tweaks the RM definition of policy and this doesn't adequately reflect policy as already included in the governance section models.

RM:

    A policy represents some constraint or condition on the use, deployment or description of an owned entity as defined by any participant.

Section 4.4.2 (under Policies and Contracts Model):

    A policy represents some constraint or condition on the use, deployment or description of a resource as defined by a participant or, more generally, a stakeholder.

Side issue: the model added in section 4.4.2 includes Obligation and Permission as types of Policy Constraints (both with positive connotations) but not Prohibition (with a negative connotation), which is an obvious constraint. The policy definition emphasizes constraint -- a seeming lean towards the negative side.

These definitions seem much narrower than would be implied in the governance section, but with some additional words, we may be able to finesse the problem.

Recall section 5.1.2 defines governance as

    Governance is the concept of prescribing conditions and constraints consistent with satisfying common goals and the structures and processes needed to define and respond to actions taken towards realizing those goals.

The example in the governance section to differentiate Policy, Rule, and Regulation says

    For example, Leadership could set a Policy that all authorized parties should have access to data, the Governance Body would promulgate a Rule that PKI certificates are required to establish identity of authorized parties, and Management can specify a Regulation of who it deems to be a recognized PKI issuing body. A number of rules may be required to satisfy a given policy; the carrying out of a rule may contribute to several policies being realized.

To support the governance section, I need a policy discussion to say something like

    A policy is the formal characterization of the conditions that are deemed necessary to exist or the actions identified to lead to such conditions in order to realize the goals which governance is attempting to satisfy. Policies may identify required conditions or actions or may prescribe limitations or other constraints on permitted conditions or actions. For example, a policy may prescribe that safeguards must be in place to prevent unauthorized access to sensitive material. It may also prohibit use of computers for activities unrelated to the specified work assignment. Rules and Regulations (as defined *elsewhere*) specify the details of how policy is to be realized.

If I was adding this to the governance section, it would come before the first mention of policy in section 5.1.2.1.

The connection of governance to policy may still be under-specified even with this definition somewhere. For example, I need to enhance the definition of Leadership in section 5.1.2.2 to say

    Leadership

The underlined phrase is what needs to be added.

Now handling this obviously needs to be coordinated with other sections, so let's begin coordinating. This will also be extremely important in the governance discussions with TOG.

Ken

-----------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305      phone: 703-983-7934
7515 Colshire Drive              fax:   703-983-1379
McLean VA 22102-7508