CAN/CSA-ISO/IEC 10181-3-00 (R2013)

This National Standard of Canada is equivalent to International Standard ISO/IEC 10181-3:1996 (first edition, 1996-09-15). 1 Scope The Security Frameworks are intended to address the application of security services in an Open Systems environment, where the term Open Systems is taken to include areas such as Database, Distributed Applications, ODP and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) that are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. In the case of Access Control, accesses may either be to a system (i.e. to an entity that is the communicating part of a system) or within a system. The information items that need to be presented to obtain the access, as well as the sequence of operations to request the access and for notification of the results of the access, are considered to be within the scope of the Security Frameworks. However, any information items and operations that are depended solely on a particular application and that are strictly concerned with local access within a system are considered to be outside the scope of the Security Frameworks. Many applications have requirements for security to protect against threats of resources, including information, resulting from the interconnection of Open Systems. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, in an OSI environment, are described in CCITT Rec. X.800 | ISO 7498-2. The process of determining which uses of resources within an Open System environment are permitted and, where appropriate, preventing unauthorized access is called control. This Recommendation | International Standard defines a general framework for the provision of access control services. This Security Framework: a) defines the basic concepts for access control; b) demonstrated the manner in which the basic concepts of access control can be specialized to support some commonly recognized access control services and mechanisms; c) defines these services and corresponding access control mechanisms; d) identifies functional requirements for protocols to support these access control services and mechanisms; e) identifies management requirements to support these access control services and mechanisms; f) addresses the interaction of access control services and mechanisms with other security services and mechanisms. As with other security services, access control can be provided only within the context of a defined security policy for a particular application. The definition of access control policies is outside the scope of this Recommendation | International Standard, however, some characteristics of access control policies are discussed. It is not a matter for this Recommendation | International Standard to specify details of the protocol exchanges which may need to be performed in order to provide access control services. This Recommendation | International Standard does not specify particular mechanisms to support these access control services nor the details of security nor the details of security management services and protocols.