Security Policy
The technology of information system protection began to develop relatively recently, but today there are a significant number of theoretical models that allow describing various aspects of security and providing means of protection from the formal side.
The security policy is understood as a set of rules and regulations governing the information processing process, the implementation of which provides protection against a certain set of threats and constitutes a necessary condition for the security of the system. The formal expression of a security policy is called a security model.
The main purpose of creating a security policy is to determine the conditions to which the behavior of the system should be subject, develop a security criterion and conduct formal proof of the system's compliance with this criterion, subject to established rules and restrictions.
In addition, security models allow solving a number of other tasks that arise during the design, development and certification of secure systems, so they are used not only by information security theorists, but also by other categories of specialists involved in the process of creating and operating secure information systems.
Security models provide a system-technical approach that includes solving the following tasks:
selection and justification of the basic principles of the architecture of protected systems that determine the mechanisms for the implementation of information security tools and methods;
confirmation of the security properties of the developed systems by formal proof of compliance with the security policy;
drawing up a formal specification of the security policy as an essential part of the organizational and documentation support of the developed secure systems.
Manufacturers of secure information systems use security models in the following cases:
when drawing up a formal specification of the security policy of the system being developed;
when choosing and justifying the basic principles of the architecture of a secure system that determine the mechanisms for implementing security measures;
in the process of analyzing the security of the system, the model is used as a reference model;
when confirming the properties of the system being developed by formally proving compliance with the security policy.
By drawing up formal security models, consumers have the opportunity to inform manufacturers of their requirements, as well as to assess the compliance of protected systems with their needs.
During the analysis of the adequacy of the implementation of security policy in secure systems, experts use security models as benchmarks.
In fact, security models are a connecting element between manufacturers, consumers and experts.
