Abstract
This paper presents a method for the specification of the security of information systems. The proposed approach provides a flexible and expressive specification method, corresponding to the specific needs of organizations. First, we outline the overall guidelines of the security policy definition process, and the different consistency issues associated to the description of the security requirements of an organization information system. The specification language used is based on a convenient extension of deontic logic. The formalism and its extensions are defined briefly. To illustrate the use of this formalism, the paper presents how the method applies to the description of the security requirements of a real organization: a medium-size bank agency.
Chapter PDF
References
D. E. Bell, L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, The MITRE Corporation, Report ESD-TR-73-306, 1975.
L. Catach, “TABLEAUX: A General Theorem Prover for Modal Logics”, Journal of Automated Reasoning, vol. 7, pp. 489–510, 1991.
B. F. Chellas, Modal Logic: An Introduction, 295 p., ISBN 0-521-29515-7, Cambridge University Press, 1980.
L. Cholvy, F. Cuppens, “Analyzing Consistency of Security Policies”, in IEEE Symposium on Security and Privacy, Oakland, California, May 4–7, pp. 103–112, ISBN 0-8186-7828-3, IEEE Computer Society Press, 1997.
F. Cuppens, C. Saurel, “Specifying a Security Policy: A Case Study”, in 9th IEEE Computer Security Foundations Workshop, Kenmare, Ireland, June 10–12, pp. 123–134, ISBN 0-8186-7522-5, IEEE Computer Society Press, 1996.
L. Fariñas del Cerro, A. Herzig, “Modal Deduction with Applications in Epistemic and Temporal Logic”, in Handbook of Logic in Artificial Intelligence and Logic Programming, Epistemic and Temporal Reasoning (D. M. Gabbay, C. J. Hogger, J.A. Robinson, Eds.), vol. 4/5, pp. 499–594, ISBN 0-19-853791-3, Oxford Science Publications, 1995.
M. Fitting, “First-Order Modal Tableaux”, Journal of Automated Reasoning, vol. 4, no. 2, pp. 191–213, 1988.
M. Fitting, “Basic Modal Logic”, in Handbook of Logic in Artificial Intelligence and Logic Programming, Logical Foundations (D.M. Gabbay, C. J. Hogger, J.A. Robinson, Eds.), vol. 1/5, pp. 365–448, ISBN 0-19-853745-X, Oxford Science Publications, 1993.
J. Glasgow, G. McEwen, P. Panangaden, “A Logic for Reasoning About Security”, in Computer Security Foundations Workshop, Franconia, pp. 2–13, IEEE Computer Society Press, 1990.
ITSEC, Information Technology Security Evaluation Criteria, v1.2, 163 p., ISBN 92-826-3004-8, Office for Official Publications of the European Communities, Luxembourg, 1991.
ITSEM, Information Technology Security Evaluation Manual, v1.0, 262 p., ISBN 92-826-7087-2, Office for Official Publications of the European Communities, Luxembourg, 1993.
A. J. I. Jones, M. Sergot, “Formal Specification of Security Requirements using the Theory of Normative Positions”, in Second European Symposium On Research In Computer Security (ESORICS 92), (Y. Deswarte, G. Eizenberg, J.-J. Quisquater, Eds.), Toulouse, France, November 23–25, LNCS, 648, pp. 103–121, ISBN 3-540-56246-X & 0-387-56246-X, Springer-Verlag, 1992.
S. A. Kripke, “Semantical Considerations in Modal Logic”, Acta Philosophica Fennica, vol. 16, pp. 83–94, 1963.
G. Kuper, “Logic Programming with Sets”, in 6th ACM Conference on Principles of Database Systems (PODS), San Diego, California, USA, March 23–25, pp. 11–20, ISBN 0-89791-223-3, ACM Press, 1987.
J.-J. C. Meyer, R. J. Wieringa (Eds.), Deontic Logic in Computer Science, 317p., ISBN 0-471-93743-6, Jon Wiley & Sons, 1993.
B. A. Myers, R. G. McDaniel, R. C. Miller, A. S. Ferrency, A. Faulring, B. D. Kyle, A. Mickish, A. Klimovitski, P. Doane, “The Amulet Environment: New Models for Effective User Interface Software Development”, IEEE Transations on Software Engineering, vol. 23, no. 6, pp. 347–365, June, 1997.
R. Ortalo, Using Role-Based Abstractions for Security Policy Specification with Deontic Logic, 20 p., LAAS-CNRS, Report 97216, June, 1997.
R. Ortalo, Y. Deswarte, “Quantitative Evaluation of Information System Security”, in 14th IFIP International Information Security Conference (IFIP/SEC’98), August31–September 4, Vienna-Budapest, Austria-Hungary, Chapman & Hall, 1998. (to appear)
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, C. E. Youman, “Role-Based Access Control Models”, IEEE Computer, vol. 29, no.2, pp. 38–47, February, 1996.
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ortalo, R. (1998). A flexible method for information system security policy specification. In: Quisquater, JJ., Deswarte, Y., Meadows, C., Gollmann, D. (eds) Computer Security — ESORICS 98. ESORICS 1998. Lecture Notes in Computer Science, vol 1485. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0055856
Download citation
DOI: https://doi.org/10.1007/BFb0055856
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65004-1
Online ISBN: 978-3-540-49784-4
eBook Packages: Springer Book Archive