ABSTRACT
Metapolicies, or "policies about policies", may become a powerful concept for developing the large, complex, and interrelated trusted systems that military, commercial and non-profit organizations need today. Metapolicies provide a framework for clarifying policies and for successfully coordinating security policies and subpolicies. When there is only one security policy, metapolicies tend to be implicit, embedded, and fixed. When more than one security policy is involved, as in a multipolicy system, metapolicies must become explicit and flexible. This paper illustrates metapolicies implicit in simple security policies, demonstrates how metapolicies can coordinate multiple security policies, and provides a foundation for future study of metapolicies.