Security Policy Enforcement
Abstract:
Many chapters of this Handbook describe mechanisms that contribute to various facets of security. The arbitrary use of security mechanisms provides no prescription for the achievement of security goals. It is only in their application in the context of organizational objectives for the protection of information and computational assets that security can be assessed. This chapter is intended to discuss the policies that provide a rationale for those mechanisms and to broadly examine their enforcement mechanisms in computer systems. It is intended to focus primarily on fundamental concepts, which remain valid despite their longevity. In a utopian world where nothing bad ever happened, information security would be unnecessary. There would be no accidents; all actions performed by users would be correct; no attackers would attempt to violate systems. Unfortunately, reality is dramatically different. Information owners are confronted with risks to their assets and, to address these risks, make statements regarding what needs to be protected and how well. These statements constitute the basis for information security policies. Security policies for information and assets have been with us for centuries, but their application within computer systems requires examination. Sterne (1991) provides a useful guide to understanding how policy is expressed at several levels within an organization and how it is described in a technical context. First, security policy applies to the protection of assets. Sterne points out that only tangible assets can be protected. Intangible assets may also be protected through the protection of tangible assets, but it is impossible to state and implement a policy to address intangible assets. For example, how can a bank protect its reputation? Not by putting guards around that reputation.