...
There are always questions of scope and completeness when filling out this evaluation form. No implementation or documentation is ever exhaustive or covers every corner case, but where there are significant holes it is useful to state in the form which scope is actually covered. For example, there may be centrally managed services for an infrastructure while the shared infrastructure at the service providers follows different policies, or there may be different policies for different tiers of infrastructure that are worth noting.
Operational Security
[OS1]
A security model addressing issues such as authentication, authorisation, access control, confidentiality, integrity and availability, together with compliance mechanisms ensuring its implementation.
Examples of an authentication model might be a Kerberos system or the use of a PKI to identify users. Other things that may be included in an authentication model are how one federates with other identity providers.
Authorization models might include something like VOMS, or a central database to manage allocations together with a corresponding process to decide which projects or communities get allocations and how they may authorize their users.
Access control example Dave?
Confidentiality example Dave?
Integrity example Dave?
Examples of compliance mechanisms are top-level security policies, service provider agreements, and terms of service that allow the organization to enforce its policies against entities that bypass the model. For example, a service provider that sets up a gateway which bypasses authentication and authorization by sharing a single account might be cut off from resources for breaking the model.
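To make the authorization model sketched above (VOMS attributes checked against a central allocation table) and the shared-account gateway in the compliance example concrete, here is a small added illustration. It is not part of this guidance nor VOMS's own code: it parses VOMS-style FQANs, decides access against a hypothetical allocation table, and runs an audit over a constructed access log that flags local accounts used by several distinct authenticated subjects, which is exactly the pattern a gateway sharing one account produces. The resource names, VO names, roles, subject DNs and log entries are all made up for the example.

```python
"""Added example: VOMS-style attribute authorization plus a shared-account
audit. All VOs, roles, resources, DNs and log entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the authentication model asserts (a PKI subject DN here) and
    what the authorization model attaches to it (VOMS-style FQANs)."""
    subject: str
    fqans: tuple


def parse_fqan(fqan):
    """Split a VOMS FQAN such as '/atlas/prod/Role=production/Capability=NULL'
    into (vo, group path, role). A missing Role means 'NULL'; the Capability
    field is carried by VOMS but ignored here."""
    parts = [p for p in fqan.split("/") if p]
    groups, role = [], "NULL"
    for part in parts:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            continue
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN has no VO: %r" % fqan)
    return groups[0], "/" + "/".join(groups), role


# Hypothetical central allocation database: per resource, which (group path,
# role) pairs were granted which actions. A role of "NULL" in an entry means
# "any member of the group, whatever role the credential carries".
ALLOCATIONS = {
    "cluster-a": [
        ("/atlas", "NULL", {"submit"}),
        ("/atlas/prod", "production", {"submit", "admin"}),
    ],
    "storage-b": [
        ("/cms", "NULL", {"read"}),
        ("/cms", "datamanager", {"read", "write"}),
    ],
}


def authorize(identity, resource, action, allocations=ALLOCATIONS):
    """Grant iff some FQAN on the credential matches an allocation entry for
    the resource that includes the requested action. Group matching is by
    prefix: membership of /atlas/prod implies membership of /atlas."""
    for fqan in identity.fqans:
        _vo, group, role = parse_fqan(fqan)
        for alloc_group, alloc_role, actions in allocations.get(resource, []):
            group_ok = group == alloc_group or group.startswith(alloc_group + "/")
            role_ok = alloc_role == "NULL" or alloc_role == role
            if group_ok and role_ok and action in actions:
                return True
    return False


def find_shared_accounts(access_log, threshold=2):
    """Compliance check for the gateway pattern: one local account used by
    several distinct authenticated subjects means per-user authorization and
    traceability have been bypassed. Returns {account: sorted subjects} for
    every account reaching the threshold."""
    subjects_by_account = defaultdict(set)
    for subject, account in access_log:
        subjects_by_account[account].add(subject)
    return {acct: sorted(subs) for acct, subs in subjects_by_account.items()
            if len(subs) >= threshold}


# Constructed sample identities and access log (subject DN, local account).
ALICE = Identity("/DC=org/DC=example/CN=Alice",
                 ("/atlas/prod/Role=production/Capability=NULL",
                  "/atlas/prod/Role=NULL/Capability=NULL",
                  "/atlas/Role=NULL/Capability=NULL"))
BOB = Identity("/DC=org/DC=example/CN=Bob", ("/atlas/Role=NULL/Capability=NULL",))
CAROL = Identity("/DC=org/DC=example/CN=Carol", ("/cms/Role=NULL/Capability=NULL",))

ACCESS_LOG = [
    ("/DC=org/DC=example/CN=Alice", "atlasprod"),
    ("/DC=org/DC=example/CN=Bob", "atlas001"),
    ("/DC=org/DC=example/CN=Carol", "gateway"),
    ("/DC=org/DC=example/CN=Dave", "gateway"),
    ("/DC=org/DC=example/CN=Erin", "gateway"),
]

if __name__ == "__main__":
    for who, res, act in ((ALICE, "cluster-a", "admin"), (BOB, "cluster-a", "admin"),
                          (BOB, "cluster-a", "submit"), (CAROL, "storage-b", "write")):
        print(who.subject, res, act, "->", authorize(who, res, act))
    print("shared accounts:", find_shared_accounts(ACCESS_LOG))
```

The audit is deliberately crude (a count of distinct subjects per local account); in practice one would run it over the gateway's own accounting records and pair a hit with the provider agreement that permits cutting the service off.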
...
Some explanations from Dave Kelsey (my personal views - recalling the history)
...