A Tool for Managing Security Policies in Organisations

  • Anna V. Álvarez
  • Karen A. García
  • Raúl Monroy
  • Luis A. Trejo
  • Jesús Vázquez
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4266)


Security policies are rules aimed at protecting the resources of an organisation from the risks associated with computer usage. Designing, implementing and maintaining security policies are all error prone and time consuming. We report on a tool that helps managing the security policies of an organisation. Security policies are formalised using first-order logic with equality and the unique names assumption, closely following the security policy language suggested in [1]. The tool includes a link to an automated theorem prover, Otter [2], and to a model finder, Mace [2], used to formally verify a set of formal security policies. It also includes a GUI and a number of links to read information and security policies from organisation databases and access control lists.


Policy Language Security Policy Verification Task Basic Environment Automate Theorem Prover 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop CSFW 2003, pp. 187–201. IEEE Computer Society, Los Alamitos (2003)CrossRefGoogle Scholar
  2. 2.
    McCune, W.: Otter 2.0. In: Stickel, M.E. (ed.) CADE 1990. LNCS, vol. 449, pp. 663–664. Springer, Heidelberg (1990)Google Scholar
  3. 3.
    McCune, W.: Mace4 Reference Manual and Guide. The Computing Research Repository (CoRR) CS.SC/0310055 (2004)Google Scholar
  4. 4.
    Hoagland, J.A.: Specifying and enforcing policies using LaSCO, the language for security constraints on objects. The Computing Research Repository, CS.CR/0003066 (2000)Google Scholar
  5. 5.
    Iannella, R.: ODRL: The open digital rights language initiative. Technical reportGoogle Scholar
  6. 6.
    Kangasluoma, M.: Policy Specification Languages. Department of Computer Science, Helsinki University of Technology (1999)Google Scholar
  7. 7.
    Krsul, I., Spafford, E., Tuglular, T.: A New Approach to the Specification of General Computer Security Policies. COAST Techical Report 97–13, West Lafayette, IN 47907–1398 (1998)Google Scholar
  8. 8.
    Davies, E.: Representation of Commonsense Knowledge. Courant Institute for Mathematical Sciences (1990)Google Scholar
  9. 9.
    Ryutov, T., Neuman, C.: Representation and evaluation of security policies for distributed system services. In: Proceedings of DARPA Information Survivability Conference and Exposition 2000 (DISCEX 2000), vol. 2, pp. 172–183 (2000)Google Scholar
  10. 10.
    Bhatti, R., Ghafoor, A., Bertino, E., Joshi, J.: X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control. ACM Transactions on Information and System Security (TISSEC) 8(2), 187–227 (2005)CrossRefGoogle Scholar
  11. 11.
    Ngamsuriyaroj, S., Keefe, T.F., Hurson, A.R.: Maintaining consistency of the security policy using timestamp ordering. In: Proceedings of the 2002 International Conference on Information Technology: Coding and Computing, pp. 164–170. IEEE Computer Society, Los Alamitos (2002)CrossRefGoogle Scholar
  12. 12.
    Ngamsuriyaroj, S., Keefe, T.F., Hurson, A.R.: Maintaining consistency of the security policy in distributed environment. In: Proceedings of the 21st IEEE International Performance, Computing, and Communications Conference, pp. 179–186. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  13. 13.
    Zanin, G., Mancini, L.V.: Security analysis: Towards a formal model for security policies specification and validation in the selinux system. In: Proceedings of the ninth ACM symposium on Access control models and technologies, pp. 126–135. ACM Press, New York (2004)Google Scholar
  14. 14.
    García, K., Monroy, R., Vázquez, J.: An Artificial Manager for Security Policies in Organizations. Journal of Research in Computing Science 17, 97–106 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Anna V. Álvarez
    • 1
  • Karen A. García
    • 1
  • Raúl Monroy
    • 1
  • Luis A. Trejo
    • 1
  • Jesús Vázquez
    • 2
  1. 1.Tecnológico de MonterreyAtizapán de Zaragoza, Estado de MéxicoMexico
  2. 2.Banco de MéxicoMéxico D.F.Mexico

Personalised recommendations