[2600] action item 481 - removing data access control rules from Common PP and replicating those rules in the SFR packages
At the Lexington meeting (see comment #4 in
http://grouper.ieee.org/groups/2600/comment-tracking/P2600X_2008_10_v02.pdf),
I identified two issues with the data access control rules that are in
an SFP table in the Common PP.
One issue was that I thought there were some configurations in which the
common rules would be difficult to satisfy, but on further review, I no
longer think that is an issue.
The other issue was identified by Mr. Hirota of Canon who suggested that
the data access control rules would be more clearly stated and
understandable if we took the two rules out of the Common PP and
replicated them in each of the applicable SFR packages (PRT, SCN, CPY,
FAX, and DSR). If you would like to see how that would look, I created a
snippet of the current tables and the proposed reorganization, here:
http://grouper.ieee.org/groups/2600/presentations/Plantation2008/ProposedDataACSFPs-40a.doc.
Since I no longer believe that there is a technical issue with the rules
in the Common PP, I don't think that the structural change is necessary
and it is preferable to avoid making changes to the PPs since they are
already in the evaluation process. On the other hand, this would not
represent a technical change, so if it really improves understanding of
the PP, then perhaps it is worth doing.
I promised to discuss this on the email list, so... what do you all think?
--
Regards,
Brian Smithson
Project Manager, Security Research
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435