IT:AD:6A
Principle
The goal is to provide access to systems and their data.
* Anytime (i.e. after hours, and with reduced downtime).
* Anywhere (i.e. from within and outside of corporate firewalls)
  - Meets Accessible Values, and Accessibility Qualities
* Anyhow (i.e. any device, without requiring special plugins, client certs, etc.)
* Anyone (i.e. available to any system or person – anonymous or identified – but filtered Appropriately based on Authorisation)
  - Meets Protective Qualities
* Appropriate (i.e. provide filtered projections which strip out sensitive data)
  - Implements Clemency Values
  - Meets Resilience Qualities
* Audited (i.e. all operations, including Views, are audited, as well as monitored, with automatic alerts as required).
  - Meets Accountable Values
  - Meets Accountability Qualities
Notes
Note that IT:AD:5A's Authorisation is dropped in favour of Appropriate. Although Authorisation is maybe more common – possibly due to its ease of implementation – it remains a crude binary state (you either have the required role or you do not). An Appropriate response, by contrast, can be more nuanced: it might always provide a query response regardless of role, but project more or fewer Attributes based on an authorisation assessment.
For example:
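As an added illustration (not part of the original page), the sketch below contrasts a binary role check with an Appropriate response that always answers but projects only the attributes the caller's authorisation assessment allows, and audits every view. The sensitivity tiers, role names, sample record and function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical sensitivity tiers, lowest to highest (assumed for this example).
PUBLIC, INTERNAL, RESTRICTED = 0, 1, 2

# Constructed schema: each attribute is tagged with the lowest clearance
# allowed to see it. Untagged attributes are never projected (fail closed).
SENSITIVITY = {"id": PUBLIC, "name": PUBLIC, "department": INTERNAL,
               "email": INTERNAL, "salary": RESTRICTED}

# Constructed role-to-clearance mapping; anonymous callers hold no roles.
ROLE_CLEARANCE = {"staff": INTERNAL, "hr": RESTRICTED}

AUDIT_LOG = []  # stand-in for a real append-only audit sink

@dataclass(frozen=True)
class Caller:
    subject: str = "anonymous"
    roles: frozenset = frozenset()

def clearance(caller):
    """Authorisation assessment: highest clearance granted by any role."""
    return max((ROLE_CLEARANCE.get(r, PUBLIC) for r in caller.roles), default=PUBLIC)

def binary_view(record, caller, required_role="hr"):
    """Binary role check: the caller gets everything or nothing."""
    if required_role not in caller.roles:
        raise PermissionError("role required: " + required_role)
    return dict(record)

def appropriate_view(record, caller):
    """Always answer, but project only attributes the caller is cleared for."""
    level = clearance(caller)
    view = {k: v for k, v in record.items()
            if k in SENSITIVITY and SENSITIVITY[k] <= level}
    # Audited: views are logged too, including which attributes were withheld.
    AUDIT_LOG.append({"subject": caller.subject, "op": "view",
                      "record": record.get("id"), "returned": sorted(view),
                      "withheld": sorted(set(record) - set(view))})
    return view

# Constructed sample record; "notes" is deliberately untagged.
RECORD = {"id": 42, "name": "A. Example", "department": "Finance",
          "email": "a.example@corp.example", "salary": 90000, "notes": "untagged"}
```

An anonymous caller receives only `id` and `name` instead of an error, while the audit entry records which attributes were withheld from that view.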