Ensuring compliance of organizations to federal regulations is a growingconcern. This paper presents a framework and methods to verify whether animplemented low-level security policy is compliant to a high-level securitypolicy. Our compliance checking framework is based on organizational andsecurity metadata to support refinement of high-level concepts toimplementation specific instances. Our work uses the results of refinementcalculus to express valid refinement patterns and their properties.Intuitively, a low-level security policy is compliant to a high-level securitypolicy if there is a valid refinement path from the high-level security policyto the low-level security policy. Our model is capable of detecting violationsof security policies, failures to meet obligations, and capability and modalconflicts.
展开▼