1. Field of the Invention
The invention generally relates to methods and systems for analyzing policies, and more specifically, to analyzing policies for compliance with a specified policy using a policy template. The preferred embodiment of the present invention also relates to services that provide policy compliance verification.
2. Background Art
Due to existing and new legislation, regulations, social factors, changes in technology, and ever-changing demands in the global community, organizations need or may be required on an ongoing basis to add new policies to control access to their information (e.g., security and privacy) as well as control other resources (e.g., network access control using firewalls). Also, once organizations have defined policies, they need to implement these policies in their organizations and to monitor the application of policies in practice.
The SPARCLE Policy Workbench (see Karat, Karat, Brodie, and Feng 2006 (Karat, C., Karat, J., Brodie, C., and Feng, J. (2006). Evaluating Interfaces for Privacy Policy Rule Authoring. Proceedings of the Conference on Human Factors in Computing Systems. NY: ACM Press, 83-92) provides a method for users to author and to analyze policies, which can then be enforced, and then, after the system has run, to audit how the newly implemented restrictions were followed. In this disclosure, no method is given to allow a service organization to provide SPARCLE features for a customer. Nor is there any description of how a policy template for a given piece of legislation can be provided or implemented for a customer.
Access control enforcement engines, like IBM's RACF, provide for the specification and enforcement of access control of system resources, but do not allow for the specification of a policy representing legislation. Nor do such systems enable a service organization to check whether a given organization's current access control engine's decisions comply with such new legislation.