TY - GEN
T1 - Security policy foundations in Context UNITY
AU - Gamble, M. Todd
AU - Gamble, Rose F.
AU - Hale, Matthew L.
PY - 2011
Y1 - 2011
N2 - Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.
KW - Security certification
KW - Security controls
KW - UNITY
UR - http://www.scopus.com/inward/record.url?scp=79959551871&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79959551871&partnerID=8YFLogxK
U2 - 10.1145/1988630.1988633
DO - 10.1145/1988630.1988633
M3 - Conference contribution
AN - SCOPUS:79959551871
SN - 9781450305815
T3 - Proceedings - International Conference on Software Engineering
SP - 8
EP - 14
BT - SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011
T2 - 7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011
Y2 - 22 May 2011 through 22 May 2011
ER -