Capability (C073):— representing_information_controls Date: 2012/05/23 17:46:55
Revision: 1.7

Business overview

This section provides a business level overview of this capability.

An information control specifies what may or may not be done with information by a particular party in a particular context. For example, an organization may impose the rule that information classified as "confidential" may not be held on any computer connected to the internet. The meaning of any particular control depends on the particular processes of the businesses and organizations using it, rather than any perceived meaning of the name of the control, and is outside the scope of this capability.

In a highly interconnected environment, it is essential that information carries any associated information control embedded in it, rather than relying on a separate source for the control information, which may become detached in any transfer process. The aim of this capability is to describe how information controls are identified and linked to the information they apply to.

The model provides for two sorts of information control: security classification and information rights. Security classification supports the traditional approach used in national and commercial security of marking a document with a security classification. Information rights provide a more general approach, which defines the right, the person and organization the right applies to, and the items that it applies to. This can support both simple requirements, such as the definition of copyright, and the more complex controls over who sees what that are found in shared data environments.

The definition of any particular set of information rights or security classifications is outside the scope of this capability.

In a network data model, such as AP 239, it is necessary not only to identify the particular entity the control applies to, but also the implied scope of that control. For example, when a security classification is applied to a document, it is not merely the name and number that are so classified, but rather the whole content of the document. However, this does not imply that any other document which may happen to be cross-referenced is also so classified. That is, the security classification spreads down only some of the links between information particles. The specification of the scope of the information control depends very much on the thing it is applied to. Hence, it is not the responsibility of this capability to identify the scope of the control, but that of the business using this capability.
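The scoping point above, as an added example that is not part of the capability: a classification assigned to a document version is propagated along containment links but not along cross-references. The link names, item identifiers and the scope rule are assumptions made for illustration; the capability leaves the real rule to the business using it.

```python
from collections import deque

# Constructed sample graph: (source, link_type, target). Names are hypothetical
# and are not AP 239 entity names.
LINKS = [
    ("doc:RIC", "has_version", "doc:RIC/v1"),
    ("doc:RIC/v1", "has_content", "doc:RIC/v1/section-1"),
    ("doc:RIC/v1", "has_content", "doc:RIC/v1/figure-1"),
    ("doc:RIC/v1/section-1", "cross_references", "doc:OTHER/v3"),
    ("doc:OTHER/v3", "has_content", "doc:OTHER/v3/section-1"),
]

# Assumed business rule: the control follows containment links only.
SCOPE_LINKS = {"has_version", "has_content"}


def control_scope(root, links, scope_links):
    """Return every item covered by a control assigned to `root`."""
    children = {}
    for src, kind, dst in links:
        if kind in scope_links:
            children.setdefault(src, []).append(dst)
    covered, queue = {root}, deque([root])
    while queue:
        for nxt in children.get(queue.popleft(), []):
            if nxt not in covered:  # guards against cycles in the graph
                covered.add(nxt)
                queue.append(nxt)
    return covered


def effective_controls(assignments, links, scope_links):
    """Map each item to the set of controls whose scope reaches it."""
    result = {}
    for root, control in assignments:
        for item in control_scope(root, links, scope_links):
            result.setdefault(item, set()).add(control)
    return result


if __name__ == "__main__":
    marks = effective_controls([("doc:RIC/v1", "confidential")], LINKS, SCOPE_LINKS)
    for item in sorted(marks):
        print(item, sorted(marks[item]))
```

Items absent from the returned mapping carry no control under this rule, so the cross-referenced document and its content stay unmarked.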

This version of the capability describes only the basics, that is, the definition of security classification and copyright.

Information model overview

This section provides an overview of the information model that supports this capability.

Security Classification

The security classification model is shown below in figure 1, and consists of a Security_classification and a Security_classification_assignment. The security level is identified by classification using assiging_classification for security classifications defined through a reference library, or Assigning_codes for security classifications defined outside of the reference library. The attributes of Security_classification are set to /IGNORE.

If required, a description of the classification can be applied using the capability assigning_descriptors, and a reference to any document containing the procedures which define the meaning of the security classification can be applied using a Document_assignment as described in referencing_documents.

The assignment of the security classification to some particular item can be approved, using the capability C019: assigning_approvals.

Instantiating a Security Classification

Figure 2 below provides an instance diagram of the application of the security classification "unrestricted" - defined as a code - to a version of a document. The classification is given the description "the distribution of this information is not restricted", and the document "PLCS security codes" is cited as the source. This is applied to the document "Representing Information Controls", and this application has been approved.

Information Rights

The information rights model is shown below in figure 3. It consists of three main entities:

In addition, Information_usage_right_relationship relates two usages of the rights.

The attributes of the model are set to /IGNORE. Both Information_right and Information_usage_right may be given identifiers, as described in C001: assigning_identifiers, and other textual information applied through assigning_descriptors.

An Information_usage_right is either generally applicable, as with copyright, or may be restricted to particular Organizations or Person_in_organization. The right may also be time restricted by a Date_or_date_time_assignment as described in C036: assigning_date_time. The right may also be subject to a contract.

© OASIS 2010 — All rights reserved