Impacto de la normatividad en los resultados del procedimiento de comparación de precios

As described in earlier sections of this report, implementation of privacy policy within an information system requires three basic functional services. Those technical services are an authentication service to validate identity, an authorization service to execute the privacy policy rules and actions, and an audit service to log incoming/outgoing messages for ongoing monitoring of the privacy policy implementation.

The industry trend is to provision authentication, authorization, and auditing as a set of intermediary shared services deployed externally to the core information resource delivery service. As noted in the vendor product review section of this report, multiple alternatives exist for provisioning these services, including dedicated XML Security appliances, registry vendor products, and components of platform vendor suites, as well as point-specific products focused on administration of role-based entitlements for service consumers.

To meet the major goal of enabling greater electronic information sharing among justice agencies while ensuring privacy, civil rights, and civil liberties dictates a number of technical subgoals to be met. These goals include standardization of vocabulary (for example, NIEM and GJXDM) and a common technical framework (such as Global JRA specifications, terminology, and concepts), along with standards that support interoperability, reliability, confidentiality, integrity, authentication, authorization, and auditability.

The Global Justice Reference Architecture identifies a set of conceptual components that are required to build a set of loosely coupled Service(s). Figure 9 below depicts the current JRA conceptual model.

Policies and Contracts—This JRA component is the primary domain for defining human- readable and machine-readable policy, privacy policy (authorization policy), audit policy, service-level agreements, and identity and authentication policy.

Visibility—The privacy policy requirements and obligations for a service must be known before a service consumer can interact with a service provider service. The policy service interaction requirements must be stored in some reachable persistent storage repository. This repository is sometimes referred to as a policy server or metadata server. The standards available for providing visibility include:

▪ WS-Policy

 WS-PolicyAttachment

 WS-SecurityPolicy

 WS-PolicyAssertions ▪ UDDI, Registry Access

▪ Web Site Publication of Services ▪ WS-MetadataExchange

Domain Vocabulary—The set of privacy metadata and policy content elements required to support the privacy policy rules should be available in the domain vocabulary.

Behavior Model—For a privacy policy service, the behavior model would specify the privacy policy rules, including the authentication, auditing, and obligations specifications. The behavior model would be specified using a policy-authoring tool that generates a PAL such as XACML. WS-SecurityPolicy provides a PAL for defining authentication requirements. The specific policy metadata values for user categories, actions, data categories, purposes, and obligations would be described at the same time the behavior model for the core information service was being defined. The service policy rules would be authored using a PAL such as XACML.

Information Model—The metadata required to build a set of policy rules represents the information model for policy definition. The privacy metadata could become additional elements and attributes within the NIEM/GJXDM information model or a separate information model linked to NIEM/GJXDM.

Messages—All service interaction is performed via exchange of messages. Therefore, the messages must convey all service consumer authentication and authorization attributes necessary for the service provider policy service(s) to be executed. These intermediary policy services are depicted in the diagram below:

Figure 10: Global JRA Integration of Policy Attributes for Centralized Policy Enforcement Model

Figure 10 depicts the transport of policy attributes in the small colored box contained within the message. In this design, the policy interface is the intermediate service interface for the request message. The security service performs authentication or validates the federated authentication assertion and may perform other message validation functions. The audit service will log the required message information per the service provider policy requirements. The Policy Decision Point (PDP) and Policy Enforcement Point (PEP) are the services that evaluate the request message policy attributes and message elements to determine what content will be returned in the response message.

Figure 11 depicts an alternative design in which each service provider determines whether an intermediary policy service will be invoked to meet policy requirements. The selection of the more centralized policy enforcement model in Figure 10 or decentralized model in Figure 11 will be determined by the information technology governance model for the implementing organization.

Figure 11: Global JRA Integration of Policy Attributes for Decentralized Policy Enforcement Model

Service Interaction Profiles—Provide interoperable message structures for including policy assertions (identity tokens, user-credentials authorization attributes, privacy preferences) in the service interaction message(s). The supported tokens, assertions, etc., would be defined in the PAL. (See behavior model description above.)

Execution Context—As noted in the vendor product review, a typical execution context provisions contracts and policies functionality as a set of services external to the information delivery service. (See Appendix E). The authentication service, authorization service, and auditing service become a set of “shared services” or “agents” utilized by the service provider to implement policy constraints on the information resources being made available as a service. Each core information resource service, in effect, specifies a set of external electronic policy statements that governs the content the service will accept and distribute.