Checking Security Policy Compliance

Ensuring that organizations comply with federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented low-level security policy is compliant with a high-level security policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation-specific instances. Our work uses the results of refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level security policy is compliant with a high-level security policy if there is a valid refinement path from the high-level security policy to the low-level security policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.
