CYBER SECURITY POLICY SPECIFICATION AND MANAGEMENT

SUSAN K. HINRICHS

University of Illinois at Urbana-Champaign and Network Geographics, Inc., Champaign, Illinois

1 INTRODUCTION

According to the Oxford English Dictionary, policy is “a course or principle of action adopted or proposed by an organization or individual”. The policy defines how things should be, but it does not go into the details of how that principle of action should be enforced. Consider an organizational policy stating that employees may not use e-mail for personal correspondence. The policy states a general goal that will not change frequently, but how that goal is enforced may change over time. Initially it may be enforced by procedure: employees are told not to use e-mail for personal purposes, and the system administrator periodically spot-checks the e-mail queues for personal mail. Later the administrator may deploy a tool that automates the detection of personal mail. Separating the policy from the enforcing mechanism keeps the longer-term goals and constraints driving the organization clear, while the enforcing mechanisms remain free to evolve over time to best meet those goals. Most organizations today use such high-level natural-language policies to drive all aspects of their operation, from human resources to financial practices to security. If the natural-language security policy could be formalized, a computer program could use the policy to directly provision ...
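The e-mail example above can be made concrete. The following Python is an added illustration, not code from the chapter: the policy (“no personal e-mail”) is formalized once as a data object, and two enforcement mechanisms, a sampling spot check and an automated filter, consume that same object without changing it. The classification rule (a message from an organization address is business use only if every recipient is at an organization or approved partner domain), the domain names and the sample queue are all constructed assumptions for the sake of the example.

```python
# Added example (not from the chapter): one formalized policy, two
# interchangeable enforcement mechanisms. The domains, messages and the
# "business use" rule below are constructed assumptions for illustration.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple  # e-mail addresses
    subject: str


@dataclass(frozen=True)
class EmailUsePolicy:
    """The policy: employees may not use e-mail for personal correspondence.

    Formalized here (an assumption) as: mail sent from an organization address
    is business use only if every recipient is inside the organization or at
    an approved partner domain. The policy says nothing about how it is
    enforced; that is the job of the mechanisms below.
    """
    org_domains: frozenset
    partner_domains: frozenset

    @staticmethod
    def _domain(address: str) -> str:
        return address.rsplit("@", 1)[-1].lower()

    def is_internal_sender(self, msg: Message) -> bool:
        return self._domain(msg.sender) in self.org_domains

    def violates(self, msg: Message) -> bool:
        """True when the message counts as personal use under this policy."""
        if not self.is_internal_sender(msg):
            return False  # inbound mail is outside the policy's scope
        allowed = self.org_domains | self.partner_domains
        return any(self._domain(r) not in allowed for r in msg.recipients)


class SpotCheckEnforcer:
    """Mechanism 1: the administrator's periodic spot check. Samples a
    fraction of the queue, so violations outside the sample are missed."""

    def __init__(self, policy: EmailUsePolicy, sample_fraction: float, seed: int = 0):
        self.policy = policy
        self.sample_fraction = sample_fraction
        self.rng = random.Random(seed)

    def review(self, queue):
        k = max(1, int(len(queue) * self.sample_fraction))
        sample = self.rng.sample(list(queue), k)
        return [m for m in sample if self.policy.violates(m)]


class AutomatedEnforcer:
    """Mechanism 2: an automated filter that checks every message. It uses
    the very same policy object; only the enforcing mechanism changed."""

    def __init__(self, policy: EmailUsePolicy):
        self.policy = policy

    def filter(self, queue):
        delivered, blocked = [], []
        for m in queue:
            (blocked if self.policy.violates(m) else delivered).append(m)
        return delivered, blocked


# Constructed sample policy and mail queue (assumptions) so the example runs offline.
POLICY = EmailUsePolicy(
    org_domains=frozenset({"example.org"}),
    partner_domains=frozenset({"partner.example.com"}),
)
QUEUE = [
    Message("alice@example.org", ("bob@example.org",), "Q3 budget"),
    Message("alice@example.org", ("vendor@partner.example.com",), "PO 4412"),
    Message("bob@example.org", ("cousin@mail.example.net",), "weekend plans"),
    Message("carol@example.org", ("bob@example.org", "friend@mail.example.net"), "photos"),
    Message("news@mail.example.net", ("alice@example.org",), "newsletter"),
]


def violations_found_by_automation():
    """Subjects of every message the automated mechanism blocks."""
    _, blocked = AutomatedEnforcer(POLICY).filter(QUEUE)
    return [m.subject for m in blocked]


def violations_found_by_spot_check(seed: int = 0):
    """Subjects of violations a 40% spot check happens to catch."""
    return [m.subject for m in SpotCheckEnforcer(POLICY, 0.4, seed).review(QUEUE)]


if __name__ == "__main__":
    print("automated :", violations_found_by_automation())
    print("spot check:", violations_found_by_spot_check())
```

The point of the split is that when the organization tightens or relaxes the goal (say, by adding a partner domain), only the policy object changes; both mechanisms pick up the new rule unmodified. Conversely, replacing the spot check with the automated filter changes detection coverage without touching the policy, which is exactly the evolution the chapter describes.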
