Checking Policy Compliance

Ensuring compliance of organizations to federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented, low-level policy is compliant to a high- level policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation specific instances. Our work uses the results of refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level policy is compliant to a high-level policy if there is a valid refinement path from the high-level policy to the low-level policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.


Publications:
V. Gowadia, C. Farkas and M. Kudo, Checking Policy Compliance, under Journal Review