Checking Policy Compliance

Ensuring that organizations comply with federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented, low-level policy is compliant with a high-level policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation-specific instances. Our work uses results from refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level policy is compliant with a high-level policy if there is a valid refinement path from the high-level policy to the low-level policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.
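To make the "valid refinement path" intuition concrete, the following added example (not code from the paper, and not the authors' framework) models refinement metadata as a directed graph from high-level concepts (roles, resource classes) to implementation-specific instances (user ids, file paths), and declares a low-level policy compliant with a high-level one only when every component of the low-level policy is reachable by refinement from the corresponding high-level component and the effects agree. The role names, users and paths are constructed sample values; the path search and the component-wise check are assumptions made for illustration.

```python
"""Refinement-path compliance check (constructed illustration of the abstract's intuition)."""
from collections import deque

# Constructed refinement metadata: key refines to each value in its list.
# Roles refine to concrete users, resource classes refine to concrete paths.
REFINEMENTS = {
    "Clinician": ["Physician", "Nurse"],
    "Physician": ["alice"],
    "Nurse": ["carol"],
    "PatientRecord": ["/records/123", "/records/456"],
}


def refines_to(high, low, refinements=REFINEMENTS):
    """Breadth-first search for a refinement path from high to low.

    Returns the path as a list of concepts, or None when no path exists.
    A concept trivially refines to itself (needed for actions such as "read").
    """
    if high == low:
        return [high]
    queue = deque([[high]])
    seen = {high}
    while queue:
        path = queue.popleft()
        for nxt in refinements.get(path[-1], []):
            if nxt in seen:
                continue
            if nxt == low:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def check_compliance(high_policy, low_policy, refinements=REFINEMENTS):
    """Compare two (subject, action, object, effect) policy tuples.

    Returns (compliant, details). On success, details maps each component
    to the refinement path that justifies it; on failure it names the first
    component with no valid refinement path (or a mismatched effect).
    """
    hs, ha, ho, he = high_policy
    ls, la, lo, le = low_policy
    if he != le:
        return False, {"effect": f"high-level effect {he!r} vs low-level {le!r}"}
    details = {}
    for name, h, l in (("subject", hs, ls), ("action", ha, la), ("object", ho, lo)):
        path = refines_to(h, l, refinements)
        if path is None:
            return False, {name: f"no refinement path from {h!r} to {l!r}"}
        details[name] = path
    return True, details


if __name__ == "__main__":
    high = ("Clinician", "read", "PatientRecord", "permit")
    for low in (
        ("alice", "read", "/records/123", "permit"),   # alice is a Physician, a Clinician
        ("bob", "read", "/records/123", "permit"),     # bob is not reachable from Clinician
        ("alice", "read", "/records/123", "deny"),     # effect disagrees with high-level policy
    ):
        ok, why = check_compliance(high, low)
        print(("COMPLIANT " if ok else "VIOLATION "), low, why)
```

The second low-level policy is flagged because no refinement path leads from the role in the high-level policy to the subject in the implemented rule; the third is flagged because the effects disagree even though every component refines correctly. In a real deployment the refinement metadata would come from the organization's directory and resource catalogue rather than a literal dictionary.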

V. Gowadia, C. Farkas and M. Kudo, Checking Policy Compliance, under Journal Review