On the buzzword 'security policy'

Abstract

It is pointed out that, although the term 'security policy' is fundamental to computer security, its conflicting meanings have obscured important conceptual distinctions, especially where concerns other than confidentiality are involved. A clearer definition is needed to clarify routine technical discourse, facilitate resolution of key research issues, and establish the scope of security research and standardization efforts. The terms security policy objective, organization security policy, and automated security policy are proposed. These terms are based on simple generalizations of ideas that underlie the trusted computer system evaluation criteria (TCSEC). Yet, they describe a view of security that is more precise, more general, and different than 'confidentiality, integrity, and assured service'. Their usefulness in clarifying conceptual and terminological issues is illustrated through examples.