Computer security policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of confidentiality, integrity and availability. For example, the Bell-LaPadula model is a confidentiality policy model, whereas the Biba model is an integrity policy model.

Formal description

If a system is regarded as a finite-state automaton with a set of transitions (operations) that change the system's state, then a security policy can be seen as a statement that partitions these states into authorized and unauthorized ones.

Given this simple definition one can define a secure system as one that starts in an authorized state and will never enter an unauthorized state.
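
The definition above can be checked mechanically on a small system by searching its reachable states. The following Python sketch is an added example, not part of the original article; the two-flag state, the operation names and the policy are constructed for illustration.

```python
from collections import deque

def find_violation(initial, transitions, authorized):
    """Return None if no unauthorized state is reachable from `initial`,
    otherwise the shortest list of operation names that reaches one."""
    if not authorized(initial):
        return []  # insecure before any operation runs
    parent = {initial: None}  # state -> (previous state, operation name)
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for op_name, step in transitions.items():
            nxt = step(state)
            if nxt is None or nxt in parent:  # operation refused, or state already seen
                continue
            parent[nxt] = (state, op_name)
            if not authorized(nxt):
                trace = []
                while parent[nxt] is not None:  # walk back to the initial state
                    nxt, op = parent[nxt]
                    trace.append(op)
                return trace[::-1]
            queue.append(nxt)
    return None

# Constructed toy system: state = (process_holds_secret, public_file_holds_secret)
INITIAL = (False, False)

def authorized(state):
    return not state[1]  # policy: secret data never reaches the public file

def read_secret(state):
    return (True, state[1])

def write_public_unchecked(state):
    return (state[0], state[1] or state[0])  # copies whatever the process holds

def write_public_checked(state):
    return None if state[0] else state  # mechanism refuses the write after a secret read

UNCHECKED = {"read_secret": read_secret, "write_public": write_public_unchecked}
CHECKED = {"read_secret": read_secret, "write_public": write_public_checked}

if __name__ == "__main__":
    print(find_violation(INITIAL, UNCHECKED, authorized))  # counterexample trace
    print(find_violation(INITIAL, CHECKED, authorized))    # no violation reachable
```

The unchecked system is insecure because an unauthorized state is reachable in two operations; the checked system is secure under the same policy because its mechanism removes that transition.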

Hybrid policy model

  • Chinese Wall (also known as the Brewer and Nash model)

Policy languages

To represent a concrete policy, especially for automated enforcement, a language representation is needed. There are many application-specific languages that are closely coupled with the security mechanisms that enforce the policy in that application.

In contrast, abstract policy languages, e.g. the Domain Type Enforcement Language, are independent of the concrete mechanism.

See also

  • Information Assurance - CIA Triad
  • Protection mechanisms
  • Separation of protection and security
  • ITU Global Cybersecurity Agenda
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.