A network comprises the hardware, software and media that connect information technology (IT) resources. Organizations design, deploy and administer networks according to various rules or policies provided by a variety of administrative sources. For example, regulatory and industry requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) standards require companies to manage their IT in specific ways. Governance initiatives such as COBIT and the IT Infrastructure Library (ITIL) provide best-practice frameworks that recommend the extensive use of policies to define how companies operate as well as how those policies can be enforced. In addition, each organization applies further policies to its resources according to its own particular business needs. Managing compliance involves implementing a common set of IT controls that meet both external and internal requirements.
Policing compliance involves identifying the policies that are associated with resources and monitoring those resources for compliance with the policies. Monitoring for compliance is complicated because policies are often sourced from different administrative entities, each of which defines its policies using its own semantics and syntax. As a result, it is often difficult to quickly discern inter-policy relationships, dependencies and conflicts. In addition, policies are not static, but rather evolve over time as new resources, applications and content are introduced into the network. A modification to an existing policy may disrupt the ability of the network to deliver resources according to other existing policies. The complexity of applying many interacting policies quickly overwhelms any attempt to apply them in practice.
It would be desirable to have a system and process that enable the coherent, consistent application of multiple policies across a network through the identification, monitoring and resolution of inter-policy relationships and dependencies.