Subject: RE: [soa-rm-ra] definition of policy
Please check the draft of the governance and management section I sent out.

From: Ken Laskey [mailto:klaskey@mitre.org]
Sent: Friday, February 20, 2009 4:21 PM
To: soa-rm-ra@lists.oasis-open.org RA
Subject: [soa-rm-ra] definition of policy
Importance: High

I was sending off our governance section to assist a sponsor in getting a
handle on policy as part of governance, and I noticed that the governance
section doesn't define policy. I believe this was intentional so as not to
step on the policy section. However, the policy section tweaks the RM
definition of policy and this doesn't adequately reflect policy as already
included in the governance section models.
RM:

    A policy represents some constraint or condition on the use, deployment
    or description of an owned entity as defined by any participant.

Section 4.4.2 (under Policies and Contracts Model):

    A policy represents some constraint or condition on the use, deployment
    or description of a resource as defined by a participant or, more
    generally, a stakeholder.
Side issue: the model added in section 4.4.2 includes Obligation and
Permission as types of Policy Constraints (both with positive connotations) but
not Prohibition (with a negative connotation) which is an obvious
constraint. The policy definition emphasizes constraint -- a seeming lean
towards the negative side.
These definitions seem much narrower than would be implied in the
governance section, but with some additional words, we may be able to finesse
the problem.
Recall section 5.1.2 defines governance as

    Governance is the concept of prescribing conditions and constraints
    consistent with satisfying common goals and the structures and processes
    needed to define and respond to actions taken towards realizing those
    goals.
The example in the governance section to differentiate Policy, Rule, and
Regulation says

    For example, Leadership could set a Policy that all authorized parties
    should have access to data, the Governance Body would promulgate a Rule
    that PKI certificates are required to establish identity of authorized
    parties, and Management can specify a Regulation of who it deems to be a
    recognized PKI issuing body. A number of rules may be required to satisfy
    a given policy; the carrying out of a rule may contribute to several
    policies being realized.
To support the governance section, I need a policy discussion to say
something like

    A policy is the formal characterization of the conditions that are deemed
    necessary to exist or the actions identified to lead to such conditions
    in order to realize the goals which governance is attempting to satisfy.
    Policies may identify required conditions or actions or may prescribe
    limitations or other constraints on permitted conditions or actions. For
    example, a policy may prescribe that safeguards must be in place to
    prevent unauthorized access to sensitive material. It may also prohibit
    use of computers for activities unrelated to the specified work
    assignment. Rules and Regulations (as defined *elsewhere*) specify the
    details of how policy is to be realized.

If I was adding this to the governance section, it would come before the
first mention of policy in section 5.1.2.1. The connection is governance
to policy may still be under-specified even with this definition somewhere.
For example, I need to enhance the definition of Leadership in section
5.1.2.2 to say

    Leadership

The underlined phrase is what needs to be added.
Now handling this obviously needs to be coordinated with other sections, so
let's begin coordinating. This will also be extremely important in the
governance discussions with TOG.
Ken

-----------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305
7515 Colshire Drive
McLean VA 22102-7508
phone: 703-983-7934
fax: 703-983-1379