Both organizations and individuals use some form of policies to regulate their behavior and use of various resources. Using IT access control systems, for example, a school or company can restrict the access and use of data on their computers. The drawback with this approach is that it does not provide any sort of high-level description; rather, everything is handled by the computer's low-level access control system (e.g., IBM zSeries RACF).
Michael, J., Ong, V., and Rowe, N., “Natural-Language Processing Support for Developing Policy-Governed Software Systems,” 39th International Conference on Technology for Object-Oriented Languages and Systems, IEEE Computer Society Press (Santa Barbara, Calif., July 2001), 263-274, describes a method enabling users to enter their desired policy using natural language, which is then converted into first-order predicate logic for use by a computer's access control system. The main problem with this approach is that the translation from natural language to first-order predicate logic can be inaccurate. Thus, a given specified policy may never actually be enforced. Further, no method is provided to verify that the given computer's activity complies with the given policy.
Karat, J., Karat, C., Brodie, C., and Feng, J., “Privacy in Information Technology: Designing to Enable Privacy Policy Management in Organization” (International Journal of Human-Computer Studies, Volume 63, Issue 1-2 (July 2005) pp 153-174) provides a case study of the development of a privacy policy workbench utility. The work describes a workbench providing support for privacy, but not any other domain. More importantly, it does not provide a repeatable method for a person of ordinary skill in the art to develop his or her own policy workbench for a given domain—possibly one other than privacy.
Thus, there remains a need for a method enabling creation of a domain-specific policy workbench that provides, for example, an authoring tool to create relevant policies, a mapping tool to enable the implementation of a given policy, and a compliance auditing tool that allows a user to verify that a given system's activity complies with a given policy.