Capability (C073): representing_information_controls | Date: 2012/05/23 17:46:55 | Revision: 1.7
An information control specifies what may or may not be done with information by a particular party in a particular context. For example, an organization may impose the rule that information classified as "confidential" may not be held on any computer connected to the internet. The meaning of any particular control depends on the particular processes of the businesses and organizations using it, rather than any perceived meaning of the name of the control, and is outside the scope of this capability.
In a highly interconnected environment, it is essential that information carries any associated information control embedded in it, rather than relying on a separate source for the control information, which may become detached in any transfer process. The aim of this capability is to describe how information controls are identified and linked to the information they apply to.
The model provides for two sorts of information control: security classification and information rights. Security classification supports the traditional approach used in national and commercial security of marking a document with a security classification. Information rights provide a more general approach, which defines the right, the person and organization the right applies to, and the items that it applies to. This can support both simple requirements, such as the definition of copyright, and the more complex controls of who sees what that are found in shared data environments.
This version of the capability describes only the basics, that is, the definition of security classification and copyright.
© OASIS 2010 — All rights reserved