Information Security Policy Architecture
2007, International Conference on Computational Intelligence and Multimedia Applications (ICCIMA 2007)
https://doi.org/10.1109/ICCIMA.2007.275…
3 pages
Abstract
The security policy addresses constraints on functions and on the flow among them, constraints on access by external systems and adversaries (including programs), and access to data by people. A sound security policy architecture protects an organization from attacks as well as from accidental internal leakage of information and from data mishandling. This paper presents an architecture that deals with the policies implemented at different levels of an organization for the secure and smooth functioning of its business.
Related papers
2011 Information Security for South Africa, 2011
Information Security Governance has become one of the key focus areas of strategic management due to its importance in the overall protection of the organization's information assets. A properly implemented Information Security Governance framework should ideally facilitate the implementation of (directing), and compliance to (control), Strategic level management directives. These Strategic level management directives are normally interpreted, disseminated and implemented by means of a series of information security related policies. These policies should ideally be disseminated and implemented from the Strategic management level, through the Tactical level to the Operational level where eventual execution takes place. Control is normally exercised by capturing data at the lowest levels of execution and measuring compliance against the Operational level policies. Through statistical and summarized analyses of the Operational level data into higher levels of extraction, compliance at the Tactical and Strategic levels can be facilitated. This scenario of directing and controlling defines the basis of sound Information Security Governance. Unfortunately, information security policies are normally not disseminated onto the Operational level. As a result, proper controlling is difficult and therefore compliance measurement against all information security policies might be problematic. The objective of this paper is to argue towards a more complete information security policy architecture that will facilitate complete control, and therefore compliance, to ensure sound Information Security Governance.
While information security policy development seems to have some foundation in the literature, it is uncertain whether the methods described are operationalized in an organizational setting. Little is known about how organizations develop security policies, how these policies are documented, what factors contribute to policy effectiveness and how policy effectiveness is determined. In addition, for most organizations, securing their information is not considered a core business objective. This paper identifies potential problems in current security policy development practice, and offers suggestions about how these problems may be addressed.
IEEE Network, 2002
Policies are rules governing the choices in behaviour of a system. They are increasingly being used as a means of implementing flexible and adaptive systems for management of internet services, networks, and security systems. There is also a need for a common specification of security policy for large-scale, multi-organisational systems where access control is implemented in a variety of heterogeneous components. In this paper we survey both security and management policy specification approaches, concentrating on practical systems in which the policy specification can be directly translated into an implementation.
Journal of Emerging Technologies and Innovative Research , 2018
This paper discusses the need for information security policy and the steps in developing security policy in an organization. The human factor is important in the implementation of information security. By imparting proper security awareness and training to the employees, the organisation's information system can be secured.
With the increasing growth in global enterprises and collaborations among the enterprises, security and trust have become essential for information systems. For example, within an enterprise, there may be a need to maintain security within each project group so the information sharing among the groups is controlled. Similarly, there may be a need to facilitate controlled and timed sharing of data among cooperating enterprises (e.g., coalitions). In this paper, we propose a policy-based security mechanism for such sharing in an enterprise. In particular, in our system, each user (or administrator) specifies restrictions on the use of resources at a particular node (or machine) in terms of a set of policy statements (NRPS and NTPS). Similarly, the owner of each object specifies the conditions on which certain operations can be performed on the object (ORPS and OTPS). Trusted policy enforcement agents (PEA), running at each node in the enterprise (or coalition), ensure that both node a...
2011
Network security should be based around security policies, from high-level, non-technical, natural-language policies created by management down to device- and vendor-specific policies, or configurations, written by network system administrators. A multitude of research into policy-based network systems has been undertaken. This paper provides an overview of the different types of policies relating to security in networks, and a taxonomy of the research into systems which have been proposed to support network administrators in the difficult tasks of creating, managing and deploying these policies.
Lecture Notes in Computer Science, 2001
Many different access control policies and models have been developed to suit a variety of goals; these include Role-Based Access Control, One-directional Information Flow, Chinese Wall, Clark-Wilson, N-person Control, and DAC, in addition to more informal ad hoc policies. While each of these policies has a particular area of strength, the notational differences between these policies are substantial. As a result it is difficult to combine them, both in making formal statements about systems which are based on differing models and in using more than one access control policy model within a given system. Thus, there is a need for a unifying formalism which is general enough to encompass a range of these policies and models. In this paper, we propose an open security architecture called the Policy Machine (PM) that would meet this need. We also provide examples showing how the PM specifies and enforces access control policies.
International Journal of Research and Reviews in Computer Science (IJRRCS) , 2011
ABSTRACT Attention to security in information systems has grown in recent years in line with their diffusion, the growing role they have in the contexts in which they operate, and their increasing complexity and exposure to possible attacks. As a result, information security is no longer a technology-focused problem, as it has become the basis for business survival. Information Security Policies are the basis for a reliable information security scheme and are critical to protecting the organisation's information system resources and data. This paper analyses the need for, and the benefit to an organisation of, setting strong Information Security Policies to prevent system attacks rather than focusing on attack detection.
A typical Information Security Policy Framework document defines an organisation's aspirations and processes regarding the security goals and objectives required to manage its overall activities effectively. It is a write-up that informs all users what they can and must do. The Security Policy Framework regulates how the bank should administer, guard, and share sensitive information within and outside the organisation.
Asian Conference on Intelligent Information and Database Systems, 2009
Policy-based security is an effective and convenient approach to managing information systems. With this approach, all behaviours of a system can be handled easily through a set of rules. However, conflicts between rules are one of the most common problems that have to be dealt with in the administrative process. In this paper, we propose a new axiomatic approach to solve this problem. Several postulates are presented and analysed, and some algorithms are then proposed. The algorithms have also been implemented and tested, and experimental results are presented.