Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Formal Security Model for Collaboration in Multi-agency Networks Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University,

Published byMarion Hart Modified over 9 years ago

Similar presentations

Presentation on theme: "A Formal Security Model for Collaboration in Multi-agency Networks Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University,"— Presentation transcript:

1 A Formal Security Model for Collaboration in Multi-agency Networks Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University, UK nick.rossiter@unn.ac.uk

2 13 April 2004 2nd WSIS, Porto Outline Motivation. Security Requirements. UK Security Regulations. Task-based Perspective The CTCP/CTRP model. Categorical Representation. Discussion. Current work. References.

3 13 April 2004 2nd WSIS, Porto Motivation Polices Model Mechanisms Vulnerabilities Threats

4 13 April 2004 2nd WSIS, Porto Security Requirements The origin of security requirements.  Rhetoric.  Concept. Regulations.  Security Policy.

5 13 April 2004 2nd WSIS, Porto UK Security Regulations Personal Data in General:  Data Protection Act. Patient Record:  Caldicott Principles and Recommendations

6 13 April 2004 2nd WSIS, Porto The CTCP/CTRP model Collaboration Task Creation Protocol CTCP Collaboration Task Runtime Protocol CTRP Collaboration task Requirements Policy Material

7 13 April 2004 2nd WSIS, Porto General Principles of our Model  Relationship.  Ownership.  Authorization.  Responsibilities

8 13 April 2004 2nd WSIS, Porto Task-based Perspective as: There is no collaboration without a task. Can address the need-to-know problem. The collaboration task forms the common object between the collaborators. Shared information ownership can be granted to the collaboration task. Tasks are scalable, flexible and dynamic. Explicit responsibility is recognized in the task-based approach.

9 13 April 2004 2nd WSIS, Porto Collaboration Task Creation Protocol Introduction Negotiation Decision Agreement Create Task Rethinking Discard Dismiss

10 13 April 2004 2nd WSIS, Porto Collaboration Task Runtime Protocol Preparation Task Process Assessment Abort Update Init Process End Log CTCP

11 13 April 2004 2nd WSIS, Porto Exceptions -- Three Main Types 1. The task can still continue to its normal end.  Exceptions of this type are handled within CTRP protocol by task update component. 2. The task must be terminated and another task is required to complete the function.  The task in such cases is aborted in CTRP  The task history is used by the CTCP protocol to create another task to redo the function. 3. The task must be terminated and there is no need for any further actions.  Handled within the CTRP protocol through ABORT

12 13 April 2004 2nd WSIS, Porto Coverage of Data Protection Act. Principle 1: Personal data shall be processed fairly and lawfully. Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes. Principle 3: Personal data shall be adequate. Principle 4: Personal data shall be accurate and, where necessary, kept up to date. Principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Principle 6:Personal data shall be processed in accordance with the rights of data subjects under this Act. Principle 7: Appropriate measures shall be taken against unauthorised processing of personal data. Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area.

13 13 April 2004 2nd WSIS, Porto Correspondence of DPA Principles and CTCP/CTRP Components Principle CTCPCTRP IntNegDecAgrCrePreProAssLogUpdDisEnd 1  2  3  4  5  6  

14 13 April 2004 2nd WSIS, Porto Coverage of Caldicott Principles Principle 1: Justify the purpose(s) Principle 2: Don't use person-identifiable information unless it is absolutely necessary Principle 3: Use the minimum necessary person-identifiable information Principle 4: Access to person-identifiable information should be on a strict need-to-know basis Principle 5: Everyone with access to person-identifiable information should be aware of their responsibilities. Principle 6: Understand and comply with the law.

15 13 April 2004 2nd WSIS, Porto Correspondence of Caldicott Principles and CTCP/CTRP Components Principle CTCPCTRP IntNegDecAgrCrePreProAssLogUpdDisEnd 1  2  3  4  5  6  7  8 

16 13 April 2004 2nd WSIS, Porto Categorical Model of Security System

17 13 April 2004 2nd WSIS, Porto Correspondence -- categorical: CTCP/CTRP model  corresponds to the protocol CTCP whereby a limit C X B A is selected for a particular purpose C/B through negotiation. Existential functor  is a type constraint: there must exist for all policy rules in C X B A an entry in the system C/B. Universal quantifier functor  corresponds to the protocol CTRP: all the rules held in the negotiated policy are applied.

18 13 April 2004 2nd WSIS, Porto Use of Petri Net Notation Increasingly used in security area Suitable for situations with:  concurrency,  asynchronicity,  distribution,  parallelism  non-determinism. Model states and transitions

19 13 April 2004 2nd WSIS, Porto Types of Petri Nets Simple ones may not be adequate More complex examples:  Timed Petri-Nets  Stochastic Petri-Nets  Coloured Petri Nets

20 13 April 2004 2nd WSIS, Porto Discussion Sources of the security requirements sources. Coverage of general security regulation and medical security regulation. Software engineering principles are met (Maximal cohesion, low coupling and efficient execution). Balance between Category Theory and Petri Nets

21 13 April 2004 2nd WSIS, Porto Case Studies Case study multi-agency security requirements in the Electronic Health Record. Testing our model against the EHR security requirements.

22 13 April 2004 2nd WSIS, Porto References Aljareh, S., J. Dobson and Rossiter N. Satisfaction of Health Record Security Principles through Collaborative Protocols, 8th International Congress in Nursing Informatics. Brazil 20-25 June 2003. Aljareh, S., & Rossiter N., 2001, Toward security in multi-agency clinical information services, Proceedings Workshop on Dependability in Healthcare Informatics, Edinburgh, 22nd-23rd March 2001, 33-41. Aljareh S., Rossiter N. A Task-based Security Model to facilitate Collaboration in Trusted Multi-agency Networks. In proceedings of ACM-SAC2002, Symposium on Applied Computing, 10–14 March 2002, Madrid pp 744-749.

Download ppt "A Formal Security Model for Collaboration in Multi-agency Networks Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University,"

Similar presentations

NATIONAL INFORMATION GOVERNANCE BOARD

NATIONAL INFORMATION GOVERNANCE BOARD
Administrative Systems and the Law What you need to know to produce an oral presentation for Unit 7 When the presentations will take place Resources you.

Administrative Systems and the Law What you need to know to produce an oral presentation for Unit 7 When the presentations will take place Resources you.
Information Governance An Introduction. Information Governance Outline What is Information Governance What initiatives does IG cover.

Information Governance An Introduction. Information Governance Outline What is Information Governance What initiatives does IG cover.
Introduction to Information Governance (IG)

Introduction to Information Governance (IG)
Information Governance Peter McKenzie Information Governance Manager NHS Tayside

Information Governance Peter McKenzie Information Governance Manager NHS Tayside
TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya

TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya
Confidentiality & Records Management. What is Information Governance? What is Records Management?

Confidentiality & Records Management. What is Information Governance? What is Records Management?
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.

University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.

Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
The Data Protection Act The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone.

The Data Protection Act The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone.
DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales  2074 6677  2074 5626 

DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales   
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
The Data Protection Act

The Data Protection Act
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
The Legal Framework Can you work out which slide each bullet point should go on?!

The Legal Framework Can you work out which slide each bullet point should go on?!
CENTRAL SCOTLAND POLICE Data Protection & Information Security Stuart Macfarlane Information Governance Unit Police Service of Scotland.

CENTRAL SCOTLAND POLICE Data Protection & Information Security Stuart Macfarlane Information Governance Unit Police Service of Scotland.
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
Implementation of Security and Confidentiality in GP Practices.

Implementation of Security and Confidentiality in GP Practices.

Similar presentations

Ads by Google