Security Policy Enforcement

Abstract

Many chapters of this Handbook describe mechanisms that contribute to various facets of security. The arbitrary use of security mechanisms provides no prescription for the achievement of security goals. It is only in their application in the context of organizational objectives for the protection of information and computational assets that security can be assessed. This chapter is intended to discuss the policies that provide a rationale for those mechanisms and to broadly examine their enforcement mechanisms in computer systems. It is intended to focus primarily on fundamental concepts, which remain valid despite their longevity.

In a utopian world where nothing bad ever happened, information security would be unnecessary. There would be no accidents; all actions performed by users would be correct; no attackers would attempt to violate systems. Unfortunately, reality is dramatically different. Information owners are confronted with risks to their assets and, to address these risks, make statements regarding what needs to be protected and how well. These statements constitute the basis for information security policies. Security policies for information and assets have been with us for centuries, but their application within computer systems requires examination.

Sterne (1991) provides a useful guide to understanding how policy is expressed at several levels within an organization and how it is described in a technical context. First, security policy applies to the protection of assets. Sterne points out that only tangible assets can be protected. Intangible assets may also be protected through the protection of tangible assets, but it is impossible to state and implement a policy to address intangible assets. For example, how can a bank protect its reputation? Not by putting guards around that reputation.

Document Details

Document Type
Technical Report
Publication Date
Sep 21, 2005
Accession Number
ADA605488

Entities

People

  • Cynthia E. Irvine

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Cyber
  • Human Systems
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Air Force
  • Commerce
  • Computer Access Control
  • Computer Programming
  • Computer Programs
  • Computers
  • Construction
  • Control Systems
  • Cybersecurity
  • Database Management Systems
  • Engineering
  • Information Security
  • Information Systems
  • Information Warfare
  • Operating Systems
  • Security
  • Trojan Horse

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Strategic Security Studies