A Knowledge-Based Repository Model for Security Policies Management - Computer Network Security

Information Technology Reference

In-Depth Information

In the above declaration the token Bob belongs to a class named EmployeeClass

that should also be defined by a TELL declaration. Classes can be specialized along

generalizations or ISA hierarchies. For example,

TELL Subject isA Entity

WITH

attribute

subjectName : NameClass

END

means that a Subject is an entity with all entity attributes (as defined in the Entity

Class declaration), plus a name, which is an instance of the Name Class. Note that isA

hierarchies are orthogonal to the classification dimension. In addition, O-Telos pro-

vides operations such as TELL, UNTELL and RETELL, used to extend or modify a

knowledge base, and also RETRIEVE and ASK, which can be used to query it.

4.2

Conceptual Model

A security policy in the SPR consists of the following basic elements: Objective ,

Guideline , Rule, and Domain .

Objectives

The “Objectives” are derived from the organization's strategy towards security. They

express this strategy and the associated security goals in a concrete and precise way.

Guidelines

“Guidelines” are expressed in natural language in the form of 'policy statements'.

They are instructions on activities to be or not to be performed, procedures to be fol-

lowed and decisions to be made. Guidelines in the SPR follow a three level structure:

the first level comprises of abstract guidelines, which come from generic security

policies; the second level guidelines are concrete statements while the third level

guidelines represent implementation options. Each guideline belongs to a category

and is assigned a unique code. This structure facilitates the comparison of security

policies and the assessment of their effectiveness. We may, for example, examine the

completeness of the policy by examining if it provides guidelines covering all catego-

ries.

Rules

Rules in the SPR are represented as formal rules, expressed in first-order logic. The

SPR can check for possible violations of rules automatically, something that cannot

be realized with guidelines. An indicative rule declaration in O-Telos is the following.

TELL StarProperty isA Rule

WITH

attribute, rule

ruledef: $ (exists ag/Agent act1,act2/Activity

o,p/Object

(act1 in BLPpolicy.domain.activity) and

(o in act1.object) and

Search WWH ::

Custom Search

Home