Difference between revisions of "September 28, 2010 Security Conference Call"
Finaversaggi (talk | contribs) m (→Attendees) |
Finaversaggi (talk | contribs) |
||
Line 35: | Line 35: | ||
===3. Updates/Discussion=== | ===3. Updates/Discussion=== | ||
+ | ====Boston WGM Joint Security/CBCC Agenda Discussion – Monday, Q3/Q4==== | ||
+ | *Tentative Agenda is as follows: | ||
+ | **Report Outs | ||
+ | #Security and Privacy Ontology Project – Tony Weida – where we are and where we plan to go. #*Includes a brief demonstration of the tool (Protégé) used to develop the ontology – (30 minutes) | ||
+ | #Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – Ioana Singureanu (15 minutes) | ||
+ | #NHIN Direct – John Moehrke (10 minutes) | ||
+ | #Federal Identity, Credential, and Access Management (FICAM) – Mike David (10 minutes) | ||
+ | #National Strategy for Trusted Identities in Cyberspace – Mike Davis (10 minutes) | ||
+ | #US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – Richard Thoreson and International HL7 members TBD (50 minutes) | ||
+ | #Privacy Policy Reference Catalog Project Status – Pat Pyette (10 minutes) | ||
+ | #External Standards Update | ||
+ | #* ISO Draft for Purpose of Use (POU) – Mike Davis (10 minutes) | ||
+ | #*OASIS TC: Language Extensions to XACML - David Staggs (10 minutes) | ||
+ | #*New OASIS Technical Committee – Privacy Management Reference Model (PMRM) – Suzanne Gonzales-Webb (10 minutes) | ||
+ | #*Logical Record Architecture – U.K. project – Allen Hobbs (10 minutes) | ||
+ | ====Security and Privacy Ontology Project Update==== | ||
+ | *A formal peer review for the Security and Privacy Ontology has been proposed. The Boston WGM meeting is not the proper forum to conduct the peer review so it will take place in subsequent regular Tuesday conference calls. | ||
+ | **The criteria for review is being developed along with a peer review form which will be distributed via the Security, CBBC and SOA lists announcing the review and inviting participation. Input to the peer review will be used by Tony to help shape the ontology represented in OWL. | ||
+ | *Tony presented the latest update to the ontology and discussed various specifics of OWL and the Protégé interface | ||
+ | **OntoClean methodology – OntoClean.org. The OntoClean methodology provides a framework for analyzing ontologies based on formal, domain-independent properties of classes (meta-properties). Ideally one would want to automate the analysis of the ontology but the current version of Protégé that we’re using has not been updated to include those features. | ||
+ | **The intent for the ontology is to become a standard to support interoperability. Two major goals: | ||
+ | #To make it easier for a patient to express consent | ||
+ | #To make it easier to express rules for privacy inside engines | ||
+ | *There was some discussion regarding a spreadsheet describing the VA Permission Catalog Tony presented for discussion. Permissions (rows) Functional Roles (columns) | ||
+ | **Mike indicated that he opposes any attempt to map permissions to a particular role. This table presented was created during the development of the permission catalog to drive out the permissions. But it was not intended to assign those to specific functional roles. It was only to discover the roles to include in the catalog. | ||
+ | **The assignment of functional roles is not consistent from one organization to the next | ||
+ | **Actions and Objects | ||
+ | **As an example, this is fine, but it should not be incorporated into the ontology itself | ||
+ | **For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means. | ||
+ | **Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology. Tony will migrate those to the demo namespace. | ||
+ | **Mike: Using other Standards (ANSI INCITD), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes. But we’re not trying to make on a national or international basis, trying to make those assignments. | ||
+ | **Structural Roles are different. They exist at a higher level in the hierarchy and provide only access to high level workflows. At level, it is more all encompassing. | ||
+ | ***A Structural Role is a precursor role. It is the role that you have to have to enter a generalized workflow. Functional roles describe the detailed things that you can do within a workflow. | ||
+ | ***This is an important point to capture – we need to make this clear in the ontology. So this table is not in any sense normative. | ||
+ | *Tony: The fact that were able to divide the ontology into sub ontologies, helps to distinguish what is part of the HL7 standard, versus what’s part of the VA standard or anything else. | ||
+ | *The final topic under discussion today related to using SWRL (Semantic Web Rule Language) | ||
+ | **A way to demonstrate access control decision making | ||
+ | **OWL doesn’t have the power to do pattern matching in a convenient way. But this rule language was designed to work hand-in-hand with OWL | ||
+ | **SWRL Rules can be used to illustrate how people might use elements of the ontology to make access control decisions | ||
+ | **People are requested to think about whether SWRL is appropriate to use in relation to developing the ontology using the Protégé tool. | ||
+ | ---- | ||
+ | The meeting was adjourned at 3 PM EDT | ||
+ | ---- | ||
+ | No significant decisions or motions were made | ||
+ | |||
[[Security|Back to Security Main Page]] | [[Security|Back to Security Main Page]] |
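Review bot: The first numbered item under Report Outs runs its sub-bullet onto the same line ("... where we plan to go. #*Includes a brief demonstration ..."), so the "#*" shows up as literal text instead of a nested bullet; move "#*Includes ..." to its own line. In the same list the FICAM item names "Mike David" while the other items name "Mike Davis". In the ontology update, the peer-review bullet says "CBBC" where the agenda heading says "CBCC", "ANSI INCITD" looks like a typo for INCITS, "At level, it is more all encompassing" is missing a word, and "The fact that were able" should read "we're able".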
Revision as of 02:33, 29 September 2010
Security Working Group Meeting
Attendees
- Allen Hobbs
- Ed Coyne
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- Michelle Johnston
- Vannak Kann
- Milan Petjovic
- Scott Robertson
- David Staggs
- Cliff Thompson
- Richard Thoreson CBCC Co-chair
- Serafina Versaggi scribe
- Tony Weida
- Craig Winter
Agenda
- (05 min) Roll Call, Call for additional agenda items & Accept Agenda
- (20 min) Monday Q3/Q4 Face to Face Agenda Items
- (35 min) Tony Weida: Ontology update
ADMINISTRATIVE NOTE: A new livemeeting link will be sent out after the HL7 Plenary and Working Group meeting. Please be on the lookout for it, thank you. ~Suzanne
Minutes
1. Action Items
2. Resolutions
3. Updates/Discussion
Boston WGM Joint Security/CBCC Agenda Discussion – Monday, Q3/Q4
- Tentative Agenda is as follows:
- Report Outs
- Security and Privacy Ontology Project – Tony Weida – where we are and where we plan to go. Includes a brief demonstration of the tool (Protégé) used to develop the ontology – (30 minutes)
- Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – Ioana Singureanu (15 minutes)
- NHIN Direct – John Moehrke (10 minutes)
- Federal Identity, Credential, and Access Management (FICAM) – Mike Davis (10 minutes)
- National Strategy for Trusted Identities in Cyberspace – Mike Davis (10 minutes)
- US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – Richard Thoreson and International HL7 members TBD (50 minutes)
- Privacy Policy Reference Catalog Project Status – Pat Pyette (10 minutes)
- External Standards Update
- ISO Draft for Purpose of Use (POU) – Mike Davis (10 minutes)
- OASIS TC: Language Extensions to XACML - David Staggs (10 minutes)
- New OASIS Technical Committee – Privacy Management Reference Model (PMRM) – Suzanne Gonzales-Webb (10 minutes)
- Logical Record Architecture – U.K. project – Allen Hobbs (10 minutes)
Security and Privacy Ontology Project Update
- A formal peer review for the Security and Privacy Ontology has been proposed. The Boston WGM meeting is not the proper forum to conduct the peer review so it will take place in subsequent regular Tuesday conference calls.
- The criteria for review are being developed along with a peer review form, which will be distributed via the Security, CBCC and SOA lists announcing the review and inviting participation. Input to the peer review will be used by Tony to help shape the ontology represented in OWL.
- Tony presented the latest update to the ontology and discussed various specifics of OWL and the Protégé interface
- OntoClean methodology – OntoClean.org. The OntoClean methodology provides a framework for analyzing ontologies based on formal, domain-independent properties of classes (meta-properties). Ideally one would want to automate the analysis of the ontology but the current version of Protégé that we’re using has not been updated to include those features.
- The intent for the ontology is to become a standard to support interoperability. Two major goals:
- To make it easier for a patient to express consent
- To make it easier to express rules for privacy inside engines
- There was some discussion regarding a spreadsheet describing the VA Permission Catalog that Tony presented, with permissions as rows and functional roles as columns.
- Mike indicated that he opposes any attempt to map permissions to a particular role. The table presented was created during the development of the permission catalog to drive out the permissions, but it was not intended to assign them to specific functional roles. It was only to discover the roles to include in the catalog.
- The assignment of functional roles is not consistent from one organization to the next
- Actions and Objects
- As an example, this is fine, but it should not be incorporated into the ontology itself
- For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means.
- Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology. Tony will migrate those to the demo namespace.
- Mike: Using other standards (ANSI INCITS), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes. But we’re not trying to make those assignments on a national or international basis.
- Structural Roles are different. They exist at a higher level in the hierarchy and provide only access to high-level workflows. At that level, it is more all-encompassing.
- A Structural Role is a precursor role. It is the role that you have to have to enter a generalized workflow. Functional roles describe the detailed things that you can do within a workflow.
- This is an important point to capture – we need to make this clear in the ontology. So this table is not in any sense normative.
- Tony: The fact that we’re able to divide the ontology into sub-ontologies helps to distinguish what is part of the HL7 standard versus what’s part of the VA standard or anything else.
- The final topic under discussion today related to using SWRL (Semantic Web Rule Language)
- A way to demonstrate access control decision making
- OWL doesn’t have the power to do pattern matching in a convenient way, but this rule language was designed to work hand-in-hand with OWL.
- SWRL Rules can be used to illustrate how people might use elements of the ontology to make access control decisions
- People are requested to think about whether SWRL is appropriate to use in relation to developing the ontology using the Protégé tool.
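
The role model discussed above, as an added sketch that is not part of the minutes, the HL7 ontology or the VA Permission Catalog: a structural role gates entry to a workflow, functional roles resolve to (action, object) permissions through a mapping that is local to each organization, and a role name alone is therefore not a portable token. Python stands in for the OWL/SWRL rules; every organization, role, workflow and permission name is a constructed sample.

```python
from dataclasses import dataclass

# A permission is an (action, object) pair; all values below are constructed samples.
Permission = tuple[str, str]

@dataclass(frozen=True)
class Org:
    name: str
    # Local binding: functional role name -> permissions (differs per organization).
    functional_roles: dict[str, frozenset[Permission]]
    # Structural role required to enter each generalized workflow.
    workflow_entry: dict[str, str]

@dataclass(frozen=True)
class User:
    structural_role: str
    functional_roles: tuple[str, ...]

def local_permissions(org: Org, user: User) -> frozenset[Permission]:
    """Resolve the user's functional roles using the organization's own mapping."""
    perms: set[Permission] = set()
    for role in user.functional_roles:
        perms |= org.functional_roles.get(role, frozenset())
    return frozenset(perms)

def decide(org: Org, user: User, workflow: str, action: str, obj: str) -> str:
    # Step 1: the structural role is the precursor; unknown workflows are denied.
    if org.workflow_entry.get(workflow) != user.structural_role:
        return "deny: structural role does not admit this workflow"
    # Step 2: inside the workflow, only locally resolved permissions count.
    if (action, obj) not in local_permissions(org, user):
        return "deny: no permission for this action on this object"
    return "permit"

def role_name_is_portable(org_a: Org, org_b: Org, role: str) -> bool:
    """True only if both organizations bind the role name to identical permissions."""
    return org_a.functional_roles.get(role) == org_b.functional_roles.get(role)

ENTRY = {"medication-management": "Pharmacy Staff"}
ORG_A = Org("A", {"Pharmacist": frozenset({("read", "Prescription"),
                                           ("update", "Prescription")})}, ENTRY)
ORG_B = Org("B", {"Pharmacist": frozenset({("read", "Prescription")})}, ENTRY)
USER = User("Pharmacy Staff", ("Pharmacist",))
```

The same user and role name yield different decisions in the two organizations, which is why the role-to-permission table belongs in a local namespace rather than in the shared standard.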
The meeting was adjourned at 3 PM EDT
No significant decisions or motions were made