A case-study of security policy for manual and automated systems

It is argued that predisposed assumptions in security policy models can leave holes in the security aspects of the information systems that are based on them. In particular, information systems based only on the Bell-LaPadula model (D.E. Bell and L.J. LaPadula, 1976) pose potential problems by allowing new threats to be built in them because the policies are incomplete. A comparison of manual and automated systems is used to demonstrate the derivation of the Bell-LaPadula star-property for automated systems and its analog for manual systems. This exercise aids in producing a policy model based on needs and a perspective on the limitations of classical security policy models.<<ETX>>