Comparing Access Control Security Policies : A Case Study Using SBVR

• Main Author: Graisithikul, Gunyarat
• Format: Others
• Language: English
• Published: KTH, Skolan för informations- och kommunikationsteknik (ICT) 2012
• Subjects: SBVR; business vocabulary; business rules; access control; security policy; comparing; TECHNOLOGY; TEKNIKVETENSKAP
• Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-108306

Companies today are required more and more to interconnect their information systems with partners and suppliers in order to be competitive in a global marketplace. A problem of how to compare a security policy between two different companies when they need to agree upon a single security policy has been raised. Can a comparison of two access control policies made through Semantic of Business Vocabulary and Business Rules (SBVR) be more appropriate than the traditional way of intuitively comparing two information security policies? In this research, a case study has been conducted along with the questionnaires as a data collection approach. In the case study, a calculation for a degree of policy statement similarity of Company A’s and Company B has been done. Both calculations were based on the questionnaire results of the Company A and Company B in form of SBVR and traditional policy statements separately. This research has revealed that SBVR applied policy is more appropriate for comparing two company policies than a traditional written policy. By applying SBVR to the policy statements, Company A and Company B had their policy in the same structure, which is in the SBVR format. They could get a very clear similar part of the policy statements (70% calculated by the results of the second questionnaire in this case study) agreed by both companies.