context the design of the KAoS [40, 41] policy ontology suggests the use of a description
logic inference engine to analyze policy rules. The Rei [38] policy ontology requires
the use of an F-Logic based interpreter to compute the defined policy restrictions
and constraints. The policy analysis mechanism in the e-Wallet system [42]
exploits the XSLT technology to translate policy rules from RDF to JESS rules and
uses a JESS rule engine to compute policy restrictions. Furthermore, the SOUPA [43]
policy language is similar to Rei in modeling a policy as a set of rules that defines
restrictions on actions, but the specific policy ontology has limited support for
meta-policy reasoning and speech-acts (for a detailed description and comparison of policy
representation and reasoning languages at the semantic level, see [41]).
The legacy DMTF approach (i.e. the root of our SO) lacks a) the security management
aspect (which we define as an Extension Schema), b) the centralized management
of security management information, and c) the domain knowledge perspective, which
we incorporate into our model by enriching the Extension Schema with ontological support.
In addition, most of these approaches relate to specific aspects of security
and, in particular, to specific application domains; our approach is generic enough to be
applied in every information system, incorporating security knowledge from various
sources. Furthermore, all aforementioned approaches lack support for security standards,
which we use for modeling the security requirements.
6 Conclusions and Further Research
In this paper we set the foundations for establishing a knowledge-based,
ontology-centric framework with respect to the security management of an arbitrary IS. We
demonstrated that the linking between high-level policy statements and deployable
security controls is possible and the implementation is achievable. This framework
may support critical security expert activities with respect to security requirements
identification and selection of certain controls that apply to a certain IS. In addition,
we presented a structured approach for establishing a security management framework
and identified its critical parts. Our security ontology is represented in a neutral
manner, is based on well-known security standards, and can be used for security
knowledge reusability and exchange.
Moreover, a reference representation for SO in OWL is underway, and we are examining in
parallel the possibility of integration with other security standards, such as [44]. The
combination of formal methods and an ontology-based semantic reference model is a
very interesting direction and is under consideration. The standardization of security
requirements in order to implement a standards-based security requirements database
(Security & Assurance Standards Database) is also being investigated. Further steps of our
work will include the practical implementation of the framework; a comprehensive set
of attributes, relationships and constraints for the security ontology is under
investigation. Additionally, we are investigating ways of extracting security information from
high-level documents (e.g. security policy and risk analysis documents) as well as from the
infrastructure level of the organizational domain.
Finally, open issues include conflict resolution on security requirements;
compliance checking against desirable IS policy; automated development of IS audit
programs; integration of the approach into a security/risk management framework;
evaluation metrics of produced security controls; definition of a comprehensive
matching algorithm between countermeasures in security ontology instances and technical