Security managers define policies and procedures to express how employees should behave to ‘do their bit’ for information security. They assume these policies are compatible with the business processes and individual employees’ tasks as they know them. Security managers usually rely on the ‘official’ description of how those processes are run; the dayto-day reality is different, and this is whe...

Relying on its partisan principles and values, the Ba’athist regime– the period when Saddam Hussein was in charge in Iraq– sought a powerful government. Not respecting and believing in ethnical and sectarian differences and seeking the realization of national unity, Saddam tried to regulate security policies in a way in which he could assimilate the differing Iraqi society, using the policies o...

A security policy specifies a security property as the maximal information flow. A distributed system composed of interacting processes implicitly defines an intransitive security policy by repudiating direct information flow between processes that do not exchange messages directly. We show that implicitly defined security policies in distributed systems are enforced, provided that processes ru...

IT systems with advanced security requirements increasingly apply problem-specific security policies for describing, analyzing, and implementing security properties. Security policies are a vital part of a system’s trusted computing base (TCB). Hence, both correctness and tamper-proofness of a TCB’s implementation are essential for establishing, preserving, and guaranteeing a system’s security ...

This paper discusses the development of a methodology for reasoning about properties of security policies. We view a security policy as a special case of regulation which specifies what actions some agents are permitted, obliged or forbidden to perform and we formalize a policy by a set of deontic formulae. We first address the problem of checking policy consistency and describe a method for so...

The design of an integrated approach for security management represents a difficult challenge, but the requirements of modern information systems make extremely urgent to dedicate research efforts in this direction. Three perspectives for integration can be identified. 1 Challenges to Security Policy Management The management of security policies is well known to be a hard problem. Significant ...

To address information security threats, an organization defines security policies that state how to deal with sensitive information. These policies are high-level policies that apply for the whole organization and span the three security domains: physical, digital and social. One example of a high-level policy is: ”The sales data should never leave the organization.” The high-level policies ar...

Network security should be based around security policies. From high-level natural language, non-technical, policies created by management, down to device and vendor specific policies, or configurations, written by network system administrators. There exists a multitude of research into policy-based network systems which has been undertaken. This paper provides an overview of the different type...

We introduce a new language and system that allows security architects to develop well-structured and easy-to-maintain security policies for Java applications. In our system, policies are first-class objects. Consequently, programmers can define parameterized meta-policies that act as policy combinators and policy modifiers, so that complex security policies can be implemented by composing simp...