Overview#

A policy is simply, An official or prescribed plan or course of action.

A policy itself, provides no compliance and no enforcement.

Guidelines for making an effective Policy are as follows:

• Policy as far as possible should be in writing.
• They should be clearly understood by those who are supposed to implement them.
• They should reflect the objectives of the Organizational Entity.
• To ensure successful implementation of a Policy, the top managers and the subordinates who are supposed to implement them must participate in their formulation.
• Conditions change and policies must also change accordingly. Hence, a Policy must strike reasonable balance between stability and flexibility.
• Different policies in the Organizational Entity should not pull in different directions and should support one another.
• Policies should not be detrimental to the interests of society.
• Policies should be periodically reviewed in order to see whether they are to be modified, changed or completely abandoned.

Policy Structure#

A provider of the Policy is a Policy Information Point.

The digital representation of the Policy is provided by the Policy Information Point to the policy Decision Point which then passes the decision to the Policy Enforcement Point where the access is permitted or denied.

Obviously in some systems, all of the entities:

• Policy Information Point
• Policy Decision Point
• Policy Enforcement Point
• Policy Administration Point

May reside within the same application of the same host.

A Policy Based Management System is one where the system’s operation is determined by a set of Policies evaluated when triggered by an event.

More Information#

There might be more information for this subject on one of the following:

• 2.16.840.1.113730
• AWS IAM
• Access Control
• Access Control Models
• Access Control Policy
• Account Inactivity
• Adaptive Policy-based Access Management
• Authentication Context Class
• Authentication Context Class vs Authentication Method Reference
• Authorization
• Authorization Policy
• Best Practices for LDAP Security
• BeyondCorp
• COPS Usage for Policy Provisioning
• Cache replacement algorithms
• Cloud Access Security Broker
• Common Open Policy Service
• Compliance
• Content-Security-Policy
• Corporate Censorship
• Data Disposal
• Data Policy
• Delegation vs Impersonation
• Device Inventory Service
• Digital Context
• Digital Identity Acceptance Policy
• DirXML Calling Java Example
• Directory Enabled Networks
• Disable-accounts-after-inactivity
• Domain-based Message Authentication, Reporting & Conformance
• Draft-behera-ldap-password-policy
• EDirectory Background Processes
• Enterprise Directory
• Entitlement Example
• Fair Information Practices
• Federal Open Market Committee
• Federal Reserve
• Federal Reserve Board of Governors
• Federated Identity Management
• Glossary Of LDAP And Directory Terminology
• Government
• Group Policy Object
• Group of 20
• HTTP Status Code
• HTTP Strict Transport Security
• IDM and the Organization Dilemma
• IMA Interoperability Framework
• IMA Policies
• IMA Process Architecture
• Identify and Authenticate access to system components
• Identity Federation
• Identity Management Architecture
• Identity State
• Identity Trust Framework
• Identity and Access Management
• IdentityIQ
• Implementation
• Information Lifecycle Management
• Intelligence Agencies
• Internet Society
• Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
• Intruder Detection
• Jspwiki.policy
• Key Management
• Law of Justifiable Parties
• Local Security Authority
• Mandatory Access Control
• NICI
• NIST Cybersecurity Framework
• NIST Privacy Framework
• NIST.SP.800 Computer Security
• Nationwide Health Information Network
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
• OAuth 2.0 Token Exchange
• Ontology
• OpenAM
• Organization Layer
• Organization for Economic Cooperation and Development
• Organizational Censorship
• Password Modification Policy
• Password Policy
• Password Usage Policy
• Payment Card Industry Data Security Standard
• Policy
• Policy Administration Point
• Policy Based Management System
• Policy Core Information Model
• Policy Decision Point
• Policy Enforcement Point
• Policy Information Point
• Policy Retrieval Point
• Privileged User Management
• Provisioning Policies
• PwdProperties
• RFC 2753
• RFC 4104
• SOC 2
• Same Origin Policy
• Sarbanes-Oxley Act
• SasUpdateLoginInfo
• Secure by design
• System
• Trust Framework Provider
• Trust Model
• United States Department of Energy
• United States Office of Personnel Management
• User-Managed Access
• WEB Access Management
• Web Blog_blogentry_010117_1
• Web Blog_blogentry_020117_1
• Web Blog_blogentry_150519_1
• Web Blog_blogentry_231215_1
• Web Blog_blogentry_260715_1
• Web Hypertext Application Technology Working Group
• XACML