A Methodology for Conversion of Enterprise-Level Information Security Policies to Implementation-Level Policies/Rules

An enterprise is considered as a collection of assets and their interrelationships. To ensure security, enterprise-level information security policies are specified. An information security procedure details the steps needed to implement a security policy. Implementing security procedures requires a set of low-level (implementation-level) policies that define the authorizations of subjects over objects. For a large enterprise, manual specification of low-level policies is error-prone and may produce conflicting rules. This study presents a methodology for converting security procedures into low-level policies; the methodology also validates the resulting policies against the enterprise's information security requirements.
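As an added illustration (not the paper's own method, tooling or data), the following Python sketch shows the kind of conversion and validation the abstract describes: role-level procedure steps are expanded into per-user (subject, action, object) permit rules, enterprise requirements are expressed as role-level deny rules and separation-of-duty constraints, and the derived rule set is checked for permit/deny conflicts on the same triple and for a single subject being permitted both halves of a separation-of-duty pair. The enterprise model, role memberships, procedure and requirements are constructed for the example and are assumptions, not content from the paper.

```python
"""Derive low-level (subject, action, object) rules from procedure steps and
validate them against enterprise-level requirements.

Illustrative example only: the roles, users, procedure and requirements
below are constructed and do not come from the paper."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str
    action: str
    obj: str
    effect: str   # "permit" or "deny"
    source: str   # procedure step or requirement that produced the rule


# Constructed enterprise model: users assigned to roles (assumption).
ROLE_MEMBERS = {
    "clerk":   {"alice", "bob"},
    "manager": {"carol", "bob"},   # bob holds clerk and manager on purpose
    "dba":     {"dave", "alice"},  # alice holds clerk and dba on purpose
}

# A security procedure as role-level steps: (role, action, asset). Constructed.
PROCEDURE_PAYROLL_CHANGE = [
    ("clerk",   "submit",  "payroll_change"),
    ("manager", "approve", "payroll_change"),
    ("dba",     "write",   "payroll_db"),
]

# Enterprise-level requirements expressed as constraints over derived rules.
DENY_REQUIREMENTS = [("clerk", "write", "payroll_db")]          # clerks never write the DB
SOD_REQUIREMENTS = [("submit", "approve", "payroll_change")]    # no one both submits and approves


def expand_procedure(procedure, role_members, step_prefix="step"):
    """Convert role-level procedure steps into per-user permit rules."""
    rules = set()
    for i, (role, action, asset) in enumerate(procedure, start=1):
        for user in sorted(role_members.get(role, ())):
            rules.add(Rule(user, action, asset, "permit", f"{step_prefix}{i}"))
    return rules


def expand_denies(deny_reqs, role_members):
    """Convert role-level prohibitions into per-user deny rules."""
    rules = set()
    for role, action, asset in deny_reqs:
        for user in sorted(role_members.get(role, ())):
            rules.add(Rule(user, action, asset, "deny", f"deny:{role}/{action}/{asset}"))
    return rules


def find_conflicts(rules):
    """Triples that carry both a permit and a deny rule."""
    permits = {(r.subject, r.action, r.obj) for r in rules if r.effect == "permit"}
    denies = {(r.subject, r.action, r.obj) for r in rules if r.effect == "deny"}
    return sorted(permits & denies)


def find_sod_violations(rules, sod_reqs):
    """Subjects permitted both actions of a separation-of-duty pair on one object."""
    permits = {(r.subject, r.action, r.obj) for r in rules if r.effect == "permit"}
    subjects = sorted({s for s, _, _ in permits})
    violations = []
    for a1, a2, asset in sod_reqs:
        for s in subjects:
            if (s, a1, asset) in permits and (s, a2, asset) in permits:
                violations.append((s, a1, a2, asset))
    return violations


def validate(procedure, role_members, deny_reqs, sod_reqs):
    """Derive the low-level rule set and report the findings a reviewer needs."""
    rules = expand_procedure(procedure, role_members) | expand_denies(deny_reqs, role_members)
    return {
        "rules": rules,
        "conflicts": find_conflicts(rules),
        "sod_violations": find_sod_violations(rules, sod_reqs),
    }


if __name__ == "__main__":
    result = validate(PROCEDURE_PAYROLL_CHANGE, ROLE_MEMBERS, DENY_REQUIREMENTS, SOD_REQUIREMENTS)
    for r in sorted(result["rules"], key=lambda r: (r.subject, r.action, r.obj, r.effect)):
        print(f"{r.effect:6} {r.subject:6} {r.action:8} {r.obj:15} ({r.source})")
    print("conflicts:", result["conflicts"])
    print("SoD violations:", result["sod_violations"])
```

In the constructed model, alice is both a clerk and a DBA, so step 3 grants her write on payroll_db while the clerk prohibition denies it; bob is both clerk and manager, so he is permitted to both submit and approve the same payroll change. Both findings surface only after the role-level procedure is expanded to per-user rules, which is why the abstract argues for automating the expansion and checking it against the enterprise's requirements rather than writing low-level rules by hand.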
