A novel model of security policies and requirements

The responsibility of controlling, monitoring, analyzing or enforcing security of a system becomes complex due to the interplay among different security policies and requirements. Many of the security requirements have overlap among themselves and they are not exhaustive in nature. For that reason, maintaining security requirements and designing optimal security controls are difficult, and involve wastage of valuable resources. Finding out a set of mutually exclusive and exhaustive security requirements and canonical policies will indeed ease the security management job. From this motivation, in this paper we try to find out a set of mutually exclusive and exhaustive security requirements. To do this, a small set of low-level security policy descriptions are proposed using Process Algebraic notions, by which all kinds of high level security policies can be represented. Non-compliance to this new set of security policies gives rise to a set of security violations. These security violations are mutually exclusive and exhaustive, so all the other security violations can be described by this basic set of security violations. From these security violations, a set of security requirements is determined. To preserve the security for any system it is necessary and sufficient to maintain these requirements.