Health informatics - Privilege management and access control - Part 3: Implementations (ISO/DIS 22600-3:2014)

This multi part International Standard defines privilege management and access control services required for communication and use of distributed health information over domain and security borders. The document introduces principles and specifies services needed for managing privileges and access control. It specifies the necessary component-based concepts and is intended to support their technical implementation. It does not specify the use of these concepts in particular clinical process pathways nor does it address the safety concerns, if any, associated with their use.
While Part 1 is a narrative introduction to the problem of policy bridging in the context of inter-organizational communication and co-operation, Part 2 defines a generic development process for analysing, designing, implementing and deploying semantically health information systems. The security services needed due to legal, social, organisational, user-related, functional and technological requirements have to be embedded in the advanced and sustainable system architecture meeting the paradigms for semantic interoperability.
This Part 3 of the ISO 26000 instantiates requirements for repositories for access control policies and requirements for privilege management infrastructures. It provides implementation examples of the formal models specified in Part 2.
This International Standard excludes platform-specific and implementation details. It does not specify technical communication security services, authentication techniques and protocols that have been established in other standards such as, e.g., ISO 7498-2 Information processing systems, Open Systems Interconnection, Basic Reference Model - Part 2: Security Architecture, ISO/IEC 10745 (ITU-T X.803), ISO/IEC 13594 - IT-Lower layers security (ITU-T X.802) and ISO/IEC 10181-1 (ITU-T X.810), ISO/IEC 9594-8 Information technology - Open Systems Interconnection - The Directory – Part 8 – Authentication framework (equiv. to ITU-T/X.509, ISO/IEC 9796 Security techniques, Digital signature scheme giving message recovery, multiple Parts (1-2), ISO/IEC 9797 Security techniques, Message authentication codes, ISO/IEC 9798 Information technology – Security techniques – Entity authentication.

Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 3: Implementierungen (ISO 22600-3:2014)

Diese mehrteilige Internationale Norm legt Grundsätze fest und spezifiziert die für das Privilegienmanagement und die Zugriffssteuerung auf Daten und Funktionen erforderlichen Dienste.
Sie konzentriert sich auf die Kommunikation und Nutzung von gesundheitsbezogene Informationen, die über die Grenzen von Policy-Domains hinweg verteilt werden. Das umfasst die gemeinsame Nutzung von gesundheitsbezogenen Informationen durch nicht miteinander verbundene Anbieter und Organisationen des Gesundheitswesens, Krankenversicherungen, deren Patienten, Mitarbeiter und Handelspartner sowohl durch Einzelpersonen als auch durch Anwendungssysteme im Bereich von einer lokalen zu einer regionalen oder auch nationalen Situation.
Sie legt die erforderlichen komponentenbasierten Begriffe fest und soll deren technische Implementierung unterstützen. Sie legt jedoch nicht fest, wie diese Begriffe in speziellen klinischen Prozessabläufen zu verwenden sind.
Dieser Teil von ISO 26000 instanziiert Anforderungen an Repositories für Zugriffssteuerungs-Policies und Anforderungen an Infrastrukturen für das Privilegienmanagement. Er gibt Beispiele für die Implementierung der in ISO 22600-2 spezifizierten formalen Modelle.
Dieser Teil von ISO 22600 enthält weder plattformspezifische noch implementierungstechnische Einzelheiten. Sie legt keine technischen Kommunikationssicherheitsdienste, Authentisierungsverfahren und -protokolle fest, die bereits in anderen Internationalen Normen festgelegt sind, wie z. B. in ISO 7498‑2, ISO/IEC 10745 (ITU-T X.803), ISO/IEC TR 13594:1995 (ITU-T X.802), ISO/IEC 10181‑1 (ITU-T X.810), ISO/IEC 9594‑8 (ITU-T X.509), ISO/IEC 9796 (alle Teile), ISO/IEC 9797 (alle Teile) und ISO/IEC 9798 (alle Teile).

Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 3: Mises en oeuvre (ISO 22600-3:2014)

L'ISO 22600 définit les principes de gestion des privilèges et de contrôle d'accès aux données et/ou aux fonctions et spécifie les services nécessaires à ces activités.
Elle se concentre sur la communication et l'utilisation des informations de santé réparties au-delà des limites d'un domaine de politique. Cela inclut le partage d'informations de santé entre prestataires de soins de santé non affiliés, organisations de soins de santé, sociétés d'assurance‑maladie, patients, membres du personnel et partenaires commerciaux, par des individus tout comme par des systèmes d'application utilisés dans un contexte local, voire régional ou même national.
Elle spécifie les concepts nécessaires pour chaque composante et est destinée à venir à l'appui de leur mise en oeuvre technique. Elle ne spécifiera pas l'utilisation de ces concepts pour des cheminements de processus cliniques particuliers.
L'ISO 22600-3:2014 instancie les exigences applicables aux répertoires de politiques de contrôle d'accès et les exigences applicables aux infrastructures de gestion des privilèges. Elle fournit des exemples de mise en oeuvre des modèles formels spécifiés dans l'ISO 22600-2.

Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 3. del: Izvedbe (ISO 22600-3:2014)

Ta mednarodni standard v več delih določa storitve za upravljanje privilegijev in dostopovno krmiljenje, ki so potrebne za sporočanje in uporabo porazdeljenih zdravstvenih informacij prek meja domene in zaščite. Dokument predstavlja načela in določa storitve, ki so potrebne za upravljanje privilegijev in dostopovno krmiljenje. Določa potrebne koncepte za komponente in je namenjen za podporo njihovi tehnični izvedbi. Ne določa uporabe teh konceptov na določenih poteh kliničnih postopkov in se ne ukvarja s pomisleki glede varnosti, če obstajajo, povezanimi z njihovo uporabo. V 1. delu je opisno predstavljena težava premostitve politike v kontekstu medorganizacijske komunikacije in sodelovanja, 2. del pa določa splošen razvojni postopek za semantično analizo, načrtovanje, izvedbo in uvedbo zdravstvenih informacijskih sistemov. Varnostne storitve, ki so potrebne zaradi pravnih, družbenih, organizacijskih, uporabniških, funkcijskih in tehnoloških zahtev, morajo biti vgrajene v napredni in trajni sistemski arhitekturi, ki izpolnjuje paradigme glede semantične interoperabilnosti. V tem 3. delu standarda ISO 26000 so navedene zahteve glede repozitorijev za politiko o dostopovnem krmiljenju in zahteve glede infrastruktur za upravljanje privilegijev. Navaja primere izvedbe formalnih modelov, določenih v 2. delu. Ta mednarodni standard ne vključuje podrobnosti o platformi in izvedbi. Ne določa varnostnih storitev za tehnično komunikacijo, tehnik za overjanje in protokolov, ki so bili vzpostavljeni v drugih standardih, kot je ISO 7498-2 Sistemi za obdelavo informacij – Medsebojno povezovanje odprtih sistemov – Osnovni referenčni model – 2. del: Varnostna arhitektura, ISO/IEC 10745 (ITU-T X.803), ISO/IEC 13594 IT – Varnost nižjih plasti (ITU-T X.802) in ISO/IEC 10181-1 (ITU-T X.810), ISO/IEC 9594-8 Informacijska tehnologija – Medsebojno povezovanje odprtih sistemov – Imenik – 8. del – Ogrodje za overjanje (enakovr. ITU-T/X.509, ISO/IEC 9796 Varnostne tehnike – Shema digitalnega podpisa za obnovitev sporočila, več delov (1-2), ISO/IEC 9797 Varnostne tehnike – Kode za overjanje sporočil, ISO/IEC 9798 Informacijska tehnologija – Varnostne tehnike – Overjanje entitet.

General Information

Status
Published
Public Enquiry End Date
28-Feb-2013
Publication Date
19-Jan-2015
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
23-Oct-2014
Due Date
28-Dec-2014
Completion Date
20-Jan-2015

Buy Standard

Standard
EN ISO 22600-3:2015
English language
77 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN ISO 22600-3:2015
01-februar-2015
Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 3. del:
Izvedbe (ISO 22600-3:2014)
Health informatics - Privilege management and access control - Part 3: Implementations
(ISO/DIS 22600-3:2014)
Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 3:
Implementierungen (ISO 22600-3:2014)
Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 3: Mises en
oeuvre (ISO 22600-3:2014)
Ta slovenski standard je istoveten z: EN ISO 22600-3:2014
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 22600-3:2015 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN ISO 22600-3:2015

---------------------- Page: 2 ----------------------

SIST EN ISO 22600-3:2015

EUROPEAN STANDARD
EN ISO 22600-3

NORME EUROPÉENNE

EUROPÄISCHE NORM
October 2014
ICS 35.240.80
English Version
Health informatics - Privilege management and access control -
Part 3: Implementations (ISO 22600-3:2014)
Informatique de santé - Gestion de privilèges et contrôle Medizinische Informatik - Privilegienmanagement und
d'accès - Partie 3: Mises en oeuvre (ISO 22600-3:2014) Zugriffssteuerung - Teil 3: Implementierungen (ISO 22600-
3:2014)
This European Standard was approved by CEN on 21 June 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 22600-3:2014 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST EN ISO 22600-3:2015
EN ISO 22600-3:2014 (E)
Contents Page
Foreword .3
2

---------------------- Page: 4 ----------------------

SIST EN ISO 22600-3:2015
EN ISO 22600-3:2014 (E)
Foreword
This document (EN ISO 22600-3:2014) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by April 2015, and conflicting national standards shall be withdrawn at the
latest by April 2015.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 22600-3:2014 has been approved by CEN as EN ISO 22600-3:2014 without any modification.
3

---------------------- Page: 5 ----------------------

SIST EN ISO 22600-3:2015

---------------------- Page: 6 ----------------------

SIST EN ISO 22600-3:2015
INTERNATIONAL ISO
STANDARD 22600-3
First edition
2014-10-01
Health informatics — Privilege
management and access control —
Part 3:
Implementations
Informatique de santé — Gestion de privilèges et contrôle d’accès —
Partie 3: Mises en oeuvre
Reference number
ISO 22600-3:2014(E)
©
ISO 2014

---------------------- Page: 7 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved

---------------------- Page: 8 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms .13
5 Structures and services for privilege management and access control .15
6 Interpretation of ISO 22600-2 formal models in healthcare settings .18
7 Concept representation for health information systems .18
7.1 Overview .18
7.2 Domain languages .19
7.3 OCL constraint modelling .20
7.4 Other constraint representations .20
8 Consent .22
8.1 Overview .22
8.2 Patient consent .22
8.3 Patient consent management .22
9 Emergency access .22
10 Refinement of the control model .23
11 Refinement of the delegation model .23
Annex A (informative) Privilege management infrastructure .24
Annex B (informative) Attribute certificate extensions.60
Annex C (informative) Terminology comparison .62
Annex D (informative) Examples for policy management and policy representation .63
Bibliography .66
© ISO 2014 – All rights reserved iii

---------------------- Page: 9 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 215, Health informatics.
This first edition of ISO 22600-3 cancels and replaces ISO/TS 22600-3:2009, which has been technically
revised.
ISO 22600 consists of the following parts, under the general title Health informatics — Privilege
management and access control:
— Part 1: Overview and policy management
— Part 2: Formal models
— Part 3: Implementations
iv © ISO 2014 – All rights reserved

---------------------- Page: 10 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

Introduction
The distributed architecture of shared care information systems supporting service-oriented
architecture (SOA) is increasingly based on corporate networks and virtual private networks. For
meeting the interoperability challenge, the use of standardized user interfaces, tools, and protocols,
which ensures platform independence, but also the number of really open information systems, is
rapidly growing during the last couple of years.
As a common situation today, hospitals are supported by several vendors providing different applications,
which are not able to communicate authentication and authorization since each has its own way of
handling these functions. For achieving an integrated scenario, it takes a remarkable amount of money,
time, and efforts to get users and changing organizational environments dynamically mapped before
starting communication and cooperation. Resources required for the development and maintenance
of security functions grow exponentially with the number of applications, with the complexity of
organizations towards a regional, national, or even international level, and with the flexibility of users
playing multiple roles, sometimes even simultaneously.
The situation becomes even more challenging when inter-organizational communications happens,
thereby crossing security policy domain boundaries. Moving from one healthcare centre to another or
from country to country, different rules for privileges and their management can apply to similar types
of users, both for execution of particular functions and for access to information. The policy differences
between these domains have to be bridged automatically or through policy agreements, defining sets of
rules followed by the parties involved, for achieving interoperability.
Another challenge to be met is how to improve the quality of care by using IT without infringing the
privacy of the patient. To provide physicians with adequate information about the patient, a virtual
electronic health care record is required which makes it possible to keep track of all the activities
belonging to one patient regardless of where and by whom they have been performed and documented.
In such an environment, a generic model or specific agreement between the parties for managing
privileges and access control including the patient or its representative is needed.
Besides a diversity of roles and responsibilities, typical for any type of large organization, also ethical
and legal aspects in the healthcare scenario due to the sensitivity of person-related health information
managed and its personal and social impact have to be considered.
Advanced solutions for privilege management and access control are required today already, but
this challenge will even grow over the next couple of years. The reason is the increase of information
exchanged between systems in order to fulfil the demands of health service providers at different care
levels for having access to more and more patient-related information to ensure the quality and efficiency
of patient’s diagnosis and treatment, however combined with increased security and privacy risks.
The implementation of this International Standard might be currently too advanced and therefore not
feasible in certain organizational and technical settings. For meeting the basic principle of best possible
action, it is therefore very important that at least a policy agreement is written between the parties
stating to progress towards this International Standard when any update/upgrade of the systems is
intended. The level of formalization and granularity of policies and the objects these policies are bound
to defines the solution maturity on a pathway towards the presented specification.
The policy agreement also has to contain defined differences in the security systems and agreed
solutions on how to overcome the differences. For example, the authentication service and privileges
of a requesting party at the responding site have to be managed according to the policy declared in
the agreement. For that reason, information and service requester, as well as information and service
provider on the one hand, and information and services requested and provided on the other hand, have
to be grouped and classified in a limited number of concepts for enabling the specification of a limited
number of solution categories. Based on that classification, claimant mechanisms, target sensitivity
mechanisms, and policy specification and management mechanisms can be implemented. Once all
parties have signed the policy agreement, the communication and information exchange can start with
the existing systems if the parties can accept the risks. If there are unacceptable risks which have to be
eliminated before the information exchange starts, they also have to be recorded in the policy agreement
© ISO 2014 – All rights reserved v

---------------------- Page: 11 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

together with an action plan stating how these risks have to be removed. The policy agreement also has
to contain a time plan for this work and an agreement on how it has to be financed.
The documentation of the negotiation process is very important and provides the platform for the policy
agreement.
Privilege management and access control address security and privacy services required for
communication and cooperation, i.e. distributed use of health information. It also implies safety aspects,
professional standards, and legal and ethical issues. This International Standard introduces principles
and specifies services needed for managing privileges and access control. Cryptographic protocols are
out of the scope of this International Standard.
This three-part International Standard references existing architectural and security standards as well
as specifications in the healthcare area such as ISO, CEN, ASTM, OMG, W3C, etc., and endorses existing
appropriate standards or identifies enhancements or modifications or the need for new standards. It
comprises of:
— ISO 22600-1: describes the scenarios and the critical parameters in information exchange across
policy domains. It also gives examples of necessary documentation methods as the basis for the
policy agreement.
— ISO 22600-2: describes and explains, in a more detailed manner, the architectures and underlying
models for privilege management and access control which are necessary for secure information
sharing including the formal representation of policies.
— ISO 22600-3: describes examples of implementable specifications of application security services
and infrastructural services using different specification languages.
It accommodates policy bridging. It is based on a conceptual model where local authorization servers and
cross-border directory and policy repository services can assist access control in various applications
(software components). The policy repository provides information on rules for access to various
application functions based on roles and other attributes. The directory service enables identification
of the individual user. The granted access will be based on four aspects:
— the authenticated identification of principals (i.e. human users and objects that need to operate
under their own rights) involved;
— the rules for access to a specific information object including purpose of use;
— the rules regarding authorization attributes linked to the principal provided by the authorization
manager;
— the functions of the specific application.
This International Standard supports collaboration between several authorization managers that can
operate over organizational and policy borders.
This International Standard is strongly related to other ISO/TC 215 works such as ISO 17090 (all parts),
ISO 22857, ISO 21091, and ISO 21298.
This International Standard is meant to be read in conjunction with its complete set of associated
standards.
Based on the Unified Process, a three-dimensional architectural reference model has been derived for
defining the constraint models needed. The dimensions of the Generic Component Model used are the
domain axis, the decomposition/composition axis, and the axis describing the views on a system and its
components. For being future-proof, sustainable, flexible, portable, and scalable, only the constraining
process and the resulting security-related meta-models are presented. The instantiation and
implementation, e.g. the specification of mechanisms and encoding definitions, is a long-term process,
dedicated to other standards and projects or the vendor/provider community, respectively.
vi © ISO 2014 – All rights reserved

---------------------- Page: 12 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

After shortly summarizing the basics of ISO 22600-2, the different ways of representing different levels
of maturity with different levels of interoperability below the ideal situation of a semantically valid one
are discussed.
For those different environments and levels, this part of ISO 22600 introduces examples for specializing
and implementing the formal high-level models for architectural components based on ISO/IEC 10746
and defined in ISO 22600-2. These examples and related services are grouped in different Annexes.
The specifications are provided using derivates of the Extensible Markup Language (XML), especially
Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML)
specified by OASIS. Additional specifications are also presented in the traditional ASN.1 syntax.
This International Standard has been harmonized in essential parts with ASTM E2595-07.
© ISO 2014 – All rights reserved vii

---------------------- Page: 13 ----------------------

SIST EN ISO 22600-3:2015

---------------------- Page: 14 ----------------------

SIST EN ISO 22600-3:2015
INTERNATIONAL STANDARD ISO 22600-3:2014(E)
Health informatics — Privilege management and access
control —
Part 3:
Implementations
1 Scope
This multi-part International Standard defines principles and specifies services needed for managing
privileges and access control to data and/or functions.
It focuses on communication and use of health information distributed across policy domain boundaries.
This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare
organizations, health insurance companies, their patients, staff members, and trading partners by
both individuals and application systems ranging from a local situation to a regional or even national
situation.
It specifies the necessary component-based concepts and is intended to support their technical
implementation. It will not specify the use of these concepts in particular clinical process pathways.
This part of ISO 22600 instantiates requirements for repositories for access control policies and
requirements for privilege management infrastructures. It provides implementation examples of the
formal models specified in ISO 22600-2.
This part of ISO 22600 excludes platform-specific and implementation details. It does not specify technical
communication security services, authentication techniques, and protocols that have been established in
other International Standards such as e.g. ISO 7498-2, ISO/IEC 10745 (ITU-T X.803), ISO/IEC/TR 13594
(ITU-T X.802), ISO/IEC 10181-1 (ITU-T X.810), ISO/IEC 9594-8 (ITU-T X.509), ISO/IEC 9796 (all parts),
ISO/IEC 9797 (all parts), and ISO/IEC 9798 (all parts).
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9594-8, Information technology — Open Systems Interconnection — The Directory — Part 8:
Public-key and attribute certificate frameworks
ISO/IEC 10181-3, Information technology — Open Systems Interconnection — Security frameworks for
open systems: Access control framework — Part 3
ASTM E2084-00, Standard Specification for Authentication of Healthcare Information Using Digital
Signatures
3 Terms and definitions
3.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[SOURCE: ISO/IEC 2382-8:1998]
© ISO 2014 – All rights reserved 1

---------------------- Page: 15 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

3.2
access control decision function
ADF
specialized function that makes access control decisions by applying access control policy rules to a
requested action
3.3
access control enforcement function
AEF
specialized function that is part of the access path between a requester and a protected resource that
enforces the decisions made by the ADF
3.4
access control information
information used for access control purposes, including contextual information
3.5
accountability
property that ensures that the actions of an entity can be traced uniquely to the entity
[SOURCE: ISO 7498-2:1989]
3.6
asymmetric cryptographic algorithm
algorithm for performing encipherment or the corresponding decipherment in which the keys used for
encipherment and decipherment differ
[SOURCE: ISO/IEC 10181-1:1996]
3.7
attribute authority
AA
authority which assigns privileges by issuing attribute certificates
[SOURCE: ISO/IEC 9594-8:2008]
3.8
attribute authority revocation list
AARL
revocation list containing a list of references to attribute certificates issued to AAs that are no longer
considered valid by the certificate issuing authority
3.9
attribute certificate
data structure, digitally signed by an attribute authority, that binds some attribute values with
identification about its holder
[SOURCE: ISO/IEC 9594-8:2008]
3.10
attribute certificate revocation list
ACRL
revocation list containing a list of references to attribute certificates that are no longer considered valid
by the certificate issuing authority
2 © ISO 2014 – All rights reserved

---------------------- Page: 16 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

3.11
authentication
provision of assurance of the claimed identity of an entity by securely associating an identifier and its
authenticator
[SOURCE: ISO/IEC 15944-5:2008, 3.5]
Note 1 to entry: See also data origin authentication (3.49) and peer entity authentication.
3.12
authentication token
information conveyed during a strong authentication exchange, which can be used to authenticate its
sender
3.13
authority
entity, which is responsible for the issuance of certificates
Note 1 to entry: Two types are defined in this part of ISO 22600: certification authority which issues public key
certificates and attribute authority which issues attribute certificates.
3.14
authority certificate
certificate issued to a certification authority or an attribute authority
[SOURCE: ISO/IEC 9594-8:2008, modified]
3.15
authority revocation list
ARL
revocation list containing a list of public key certificates issued to authorities, which are no longer
considered valid by the certificate issuer
3.16
authorization
granting of privileges, which includes the granting of privileges to access data and functions
[SOURCE: ISO 7498-2:1989, modified]
3.17
authority certificate
certificate issued to an authority (e.g. either to a certification authority or to an attribute authority)
3.18
authorization credential
signed assertion of a user’s permission attributes
3.19
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO 7498-2:1989]
3.20
base CRL
CRL that is used as the foundation in the generation of a dCRL
3.21
business partner agreement
document used to demarcate the legal, ethical, and practical responsibilities between subscribers to a
PMI and between cooperating PMI implementations
© ISO 2014 – All rights reserved 3

---------------------- Page: 17 ----------------------

SIST EN ISO 22600-3:2015
ISO 22600-3:2014(E)

3.22
CA certificate
certificate for one CA issued by another CA
3.23
certificate
public key certificate
3.24
certificate distribution
act of publishing certificates and transferring certificates to security subjects
3.25
certificate management
procedures relating to certificates: certificate generation, certificate distribution, certificate archiving,
and revocation
3.26
certificate policy
named set of rules that ind
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.