Critical information formal exchange policies within organisations

Critical information formal exchange policies within organisations

Claire Saurel

ONERA Toulouse, France

Corresponding Author Email:
31 August 2016
| Citation



This paper starts from a logical framework intended to define and analyse information exchange policies for users of critical information systems within some organisations. These information exchange rules are defined according to the roles users play in organisations: so they depend on the structure of organisations. A layer is then introduced to express organisational information exchange policies at a more abstract level than users level: organisational level. Generic and specific properties can be defined within this organisational layer, in particular information permeability through organisations. More efficiency is expected for policies expression, analysis and update.


information exchange policy, information security, organisation, role, rights inheritance, formal modelling, formal analysis, critical information

1. Introduction
2. PEPS : un environnement logique pour exprimer des politiques d’échange d’informations orientées agents
3. PEPS-ORG : une couche au-dessus de PEPS pour exprimer et analyser des politiques organisationnelles d’échange
4. Transmission de droits entre rôles ou organisations
5. Propriétés de politiques organisationnelles d’échange d’informations
6. Conclusion et futurs travaux

Benferhat S., Kalam A. A. E., Miège A., Baida R. E., Cuppens F., Saurel C. et al. (2003). Organization Based Access Control. In IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003).

Carmo J., Pacheco O. (2001). Deontic and action logics for organized collective agency, modeled through institutionalized agents and roles. Fundamental Informaticae, vol. 48(2,3), p. 129â163.

Chellas B. F. (1980). Modal logic : an introduction. Cambridge, Cambridge Univ. Press.

Cholvy L., Cuppens F. (1997). Analyzing consistency of security policies. In IEEE Symposium on Security and Privacy, p. 103-112.

Cholvy L., Garion C., Saurel C. (2006). Information sharing policies for coalition systems. In NATO RTO-IST-062 Symposium on dynamic communications management.

Cholvy L., Garion C., Saurel C. (2007). Modà clisation de rà cglementations pour le partage d’information dans un système multi-agents. In Actes des quatrièmes journà ces francophones modèles formels de l’intercation (mfi’07).

Crampton J. (2003). On permissions, inheritance and role hierarchies. In 10th ACM conference on Computer and Communication Security, p. 85-92.

Cuppens F., Cholvy L., Saurel C., Carrère J. (2001). Merging regulations: analysis of a practical example. Data and Knowledge Fusion, Special issue of International Journal of Intelligent Systems, vol. 16.

Cuppens F., Cuppens-Boulahia N., Miège A. (2004). Héritage de privilèges dans le modèle Or-BAC : application dans un environnement réseau. In SSTIC 04 : Symposium sur la Sécurité des Technologies de l’Information et des Communications.

Delmas R., Polacsek T. (2013). Formal methods for exchange policy specification. In Proceedings of Conference on Advanced Information Systems Engineering (CAiSE), p. 288-303.

Feldmeier C. J. (2006). Limiting hierarchical inheritance of permissions in access control model. Rapport technique. Fairfax, USA, George Mason University, ISA 767 Secure electronic commerce.

Glassey O., Chappelet J.-L. (2002). Comparaison de trois techniques de modélisation de processus : ADONIS, OSSAD et UML. Rapport technique. UER Management public / systèmes d’informations, Lausanne, Working paper de l’IDHEAP/14.

Kalam A. A. E., Balbiani P., Benferhat S., Cuppens F., Deswarte Y., Baida R. E. et al. (2003). Modèles et politiques de sécurité des systèmes d’information et de communication en santé et social. Santé et Systémique, vol. 7, p. 107-125.

Mandl K., Overhage J., Wagner M., al. (2004). Implementing syndromic surveillance : a practical guide informed by early experience. American Medical Informatics Association, vol. 11(2), p. 141-150.

Pacheco O., Carmo J. (2003). A Role Based Model for the normative specification of organized collective agency and agent interaction. Journal of Autonomous Agents and Multi-Agent Systems, vol. 6, p. 145-184.

Parks L. I. (2004). Homeland security and HIM. appendix b : syndromic srveillance systems in bioterrorism and outbreak detection. Journal of AHIMA 75 (American Health Information Management Association), vol. 6.

Rozière P. (2004). Logique mathématique : introduction. Rapport technique. Paris 7, MT 3062.

Sandhu R., Coyne E., Feinstein H., Youman C. (1996). Role-Based Access Control models. IEEE Computer, vol. 29(2), p. 38-47.

von Wright G. H. (1951). Deontic logic.