November 9, 2010 Security Conference Call
Contents
Security Working Group Meeting
Attendees
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- John Moehrke Security Co-chair
- Diana Proud-Madruga
- [mailto: Ken Salyards]
- Tony Weida
- Craig Winter
Agenda and Meeting Minutes
1. Roll Call, Approve previous week's Meeting Minutes & Accept Agenda, Action Item Review (not covered in today's meeting)
- Meeting minutes reviewed and approved as written (no objections were noted)
2. Security-Privacy Ontology (Tony Weida)
Tony is working with a new build and will be using the new build from this point forward. When selecting language as part of the build (with pop-up) and specifying English, will add ^^ at the end of the some of the words. (It may have been there all along, recommended using default language)
New: You can export L’doc – will build HTML pages and pop them up for you in the browser, so that you can look at classes and other things. There are some glitches, but this a possibility for use with people who do not have protégé—to look at a particular ontology (classes referenced in that ontology, etc) there are super class links so that you can move up in the hierarchy, but (per Tony) it’s not the best navigation.
The second thing under’ misc views’ is there L’doc view that is available; (A hyper-text readable document is available using the second thing)
- Ontology browser has release notes and getting started information. You can
- paste in URL and it will make it browsable for you.
If I copy the shortcut (so I have the url that I want) return to the previous page, paste it in and click ‘load’ into the ontology browser when it works, it’s a useful tool for review-- http://owl.cs.manchester.ac.uk/brower/ontologies/ (site hosted by Manchester University, UK) load URL into: load Ontologies: (specify the physical location of your ontology box., it smart enough to recognize that if there is another ontology imported it can find them in the same directory--will build inclusion properties
- A user will only need to supply the ontology they are using and the tool is smart enough to look in the same directory and see if another ontology is linked; it will import and will build inclusion relationship properties for the supplied ontology
SOURCE Properties, description property, if you open the class property you will see values for source and description (doesn’t appear in Manchester browser)see comment^^Plain Literal Change/Discontinue Radiology Order tab: applies only to only those things that apply the C/D Radiology.
Role Set, User Assignment Set, in going through the descriptions--not all are great descriptions, I’m hoping for review and feedback on. When I’ve written [denovo]—this class has been created for this ontology and its meant to say that so far I’ve written this information in rather than taken the description from a source. (Notes and have used “[ ]” for provisional things that I’ve commented on—not from a source) Jon – if you have this here, then it should also be in the source, it’s the source of the notion, rather than the source of the verbiage. Sources of the description vs. the source of the class.
3. Sub-Agenda Item: Security and Privacy Ontology – overlap, duplicate glitch found. We had been hoping to put out the next version but found a glitch in the way the structural roles were imported into the VHA Ontology. It turns out the same name appeared in the same row in the role catalog… we have discussed would redo the import of the VHA ontology (structural role definitions) and append the suffix at the end of the names (where needed) to be able to distinguish them Jon – Suzanne and I briefly spoke on this briefly and I will show her some of these instances and get her take on how to proceed. (ACTION ITEM), discussion to occur offline Tony – note: it doesn’t seem to affect the base securityandprivacy.owl ontology.
(From above Ontology Browser v1.2.0) Another option if the Manchester site is deemed too unstable, we could also use a Tomcat instance—if necessary. Meaning we could implement an ontology browser on the server of our choice to allow others to review the work that Tony has done. New ontology version to be posted by Tony (ACTION ITEM)
4.Security-Privacy DAM, Vocabulary Harmonization spreadsheet Update
Security-Privacy DAM, Vocabulary Harmonization spreadsheet Update ADD (need link or spreadsheet from Mike Davis)
The DAM has a bunch of classes and attributes of the classes. The project here is to look at the classes and find ISO references or US-realm references that can be linked to these classes in some say. I wanted to find some references that define what classes were; attributes were, to establish a baseline of definitions so we have a leg when we talk about this. The focus is on 'green' row—security role, user identity, location, provider organization and then the class information references.
ISO 15816, security information objects for access control; which has direct references for our stuff. If you were to go to ITU (telecommunication standardization sector of ITU—international telecommunication union), there is standard X.841, which is identical to 15816. This can be gotten at ITU site for no cost. (On ITU site you can search for ISO standards and download an ITU version)
Also, X.681. these are some of the sources I’ve looked at. What was interesting was some of the definitions. In 841 we have the idea of information which is an information object class. Which says 'what it is' information object fields, info object sets and things like this. ITU-T X.841, values fix noted by the specification. I don’t know that we explicitly defined it in the information itself so I want to get a handle on this.
15186, also talked about security information objects, security info object class comprises values class identify one or more data set identifies. The statement of the semantics associated with the use of the class. Bear this in mind, applying this to these particular classes here, have to do with information references. I’m taking this information reference in ISO terms as the same thing as a security info object class. (what we’re calling information reference) there were some additional definitions (in CCITT)i.e. there is a definition for a security label—labels do not mean printed labels but information that is bound to a resource that names or designates a security attribute about this resource (X.800 CCITT Rec. X.800 and ISO/IEC 7498-2 what are the different security attributes security label – the marking bound to a resource (which may be a data unit) that name or designated the security attributes of that resource.
The policy in the information object is about all-defining policy 17186, these would be attributes (11 attributes) … that have to do with the object which should conflate that to the user. What the user is asserting is the attribute is what is required to access the object (as defined by the policy)
The question is WHO is authorized. They must have some role (identify information on that person—required as part of accessing the objects i.e. provider) looking at this (DAM) there is questions where it is in the model and 15816; it says that the user identity is part of the attribute of the sec info object. As show here, that relationship is a little obscure. The allocation of the roles, etc is related back to the policy. I almost which we had put in information reference … (add) there is something we may need to add in the future.
Role user identity, provider org, location of the user, these are linked into other policy, base policy, jurisdiction policy, etc
3rd – the security markings required to show on any printed or displayed material. The security partings I take to mean sensitivity.
John M – I read this as an ‘obligation to display’
Jon F - This seems to me as the assertion by the user as required by the policy. (On the right is the security policy)
Mike - This is a work in progress. The Information Model is about access control policy, other policy about audit, etc., are really not in scope of the authorization policy, but it has to do with the sensitivity itself (i.e. sickle cell, HIV, etc) where we might treat the data differently, and the patient policy may refer to it in that way. An attribute to the security object is sensitivity. There are other ISO references that refer to this as well
John – I understand how you read it, I read it more like obligations than context.
Mike – I don’t disagree with you, but its part of the policy nonetheless attributes of policy, whether presented in the policy or some other form
John – I agree with you. These are attributes of policy; I just don’t understand why you come up with the word 'sensitivity.'
Jon – I may have a suggestion for that: In the military, there are clearance of users and classifications of data. Outside of the military in the general sense, we have credentials of the user and the sensitivities of the data.
John - Those are the first two rows.
Jon - When Mike adds the 'yes/no' in CLAIM column is that answering the question, is that attribute relevant to data consent? What do you mean by the heading called ‘claim’?
Mike – the model that I had in my mind, is as a requester making a request of a provider for information that the provider holds--that’s the use case. The requester is providing a claim about their attributes. That could be a SAML attribute assertion, he’s presenting in order to against a known policy—you have to have this role or this location…the attributes are the information objects--these are a listing of the attributes per the ISO 15816—to see if the request is going to present that attribute.
I agree with your comments in respect to #3 (Is it in the scope of the claim.) I’m just reporting what 15186 says, attributes of the security information object, that’s how it’s presented so the encipherment of the object is said to protected health information and has to be protected. That class of data is labeled as such—claiming encipherment…or not---not protected i.e. anonymized data. Nevertheless there is an attribute that is associated with the attribute that says something about the routing encipherment. Do not send protected information to the New York Times, etc
- - protection against unauthorized copying – we could see this and talk about this with respect to DRM. There are protections that information object shouldn’t’ be copied, redistributed, etc so that’s how I read that
That class of data is labeled as such, protected health information. There is an attribute in the policy associated with the objected, routing encipherment… it’s just a label for an attribute for the information object. There are 11 of these.
Eleven Attributes found in ISO 15186
link or spreadsheet needed from Mike Davis
# | Attribute | (Relavent to Data Consent?) | Header | |
1. | protection against unauthorized copying | Yes or No | . | |
2. | text (need to add) | Yes or No | . | |
3. | the security markings required to show on any printed or displayed material | Yes or No | . | |
4. | Routing and enciphering requirements for data transmitted bet systems | No | . | |
5. | Requirements for protection against unauthorized copying | No | . | |
6. | Methods for storage of data (don’t store on thumb drives, etc) | No | . | |
7. | Enciphering algorithms to be used (specification for the information object, if its encrypted with a certain algorithm) | No | . | |
8. | Methods of authenticating entities (we know that the info object, biometrics required? PKI credential good enough? Regarding the level assurance of that entity—called out in the SAML assertion | Yes | . | |
9. | Whether operations on the object are to be audited. Audited | No | . | |
10. | whether preventing repudiation of receipt of an object b y recipties is required | Yes | . | |
11. | Whether; and whose, digital signatures are required to authenticate the data | Yes or No | . | |
When I present the data to the requested my CA signature, the recipient knows that it’s not in transit and the data is sealed. The end user wouldn’t’ know if intermediate points like the PHR, didn’t get that information and modify it before sending it to the receiver. What does this mean? It means that it provides a reasonable set of security information objects that goes back to 15816 that provides a basis for us to back to the information model at how it represent and organized. If we go forward here (Work in progress), 11 attribute of 15816 that conclude things in the IM, we have an identifier type for the IM we have the confidentiality code, we have the integrity code which is the digital signature a lot of these things we do have, clinical condition and other attributes etc that we’ve put in, including information about the patient that would be necessary for a healthcare policy. I’m just starting with the notion of liking 15816 to this class and incorporating the definitions of explicitly what a class is, and the attributes as well, so to specifically link to an ISO definition. That’s what I’ve done so far and proposing that we use definitions from ISO of the class and then the 11 attributes of the security information objects. So far this are the only standard that describes this. if we can use these for our purposes that would be useful If we find something else that’s fine too, but were I am is whereat looking at this
Meeting adjorned.
Action Items
- (MDavis) Contact folks (Canadians) to gather information on SKMT and its authority is as well as ISO WG-4 members.
- (group) Security-Privacy DAM, vocabulary harmonization spreadsheet (in progress)
- (Tony) Prepare, post latest version of Security-Privacy Ontology to GForge. Notify members of new posting so that they may provide comment.