1. Field of the Invention
The invention relates to creation of setting information of components that constitute an information system. In particular, the invention relates to the technology of creating a security policy written in specific languages of the respective components, based on a security policy that is written in natural language.
2. Description of the Related Art
With the progression of information and communications technology, information security of information systems belonging to specific organizations is assuming importance. In recent years, attention is being given to the significance of security policies in particular.
In the government of Japan, for example, the Cabinet Office for National Security Affairs and Crisis Management issued “Guidelines for Information Technology Security Policy” in July 2000, and the central government ministries prepared information security policies.
The present inventor has proposed in Japanese Patent Application Nos. 2000-164819 and 2001-132177 apparatuses and methods for creating a security policy by making inquiries to organization members, and grasping the current conditions from the responses.
In these patent applications, the present inventor has proposed to make a security policy in the following three levels:
(1) Executive level policy for describing the concept and plan on information security of an organization;
(2) Corporate level policy for describing standards for the information security system that enforces the executive level policy; and
(3) Product level policy for describing the means to implement the plan of the executive level policy based on the standards of the corporate level policy.
The security policy is, so to speak, a group of rules describing this concept, plan, standards, and means.
Incidentally, as employed in this document, “organizations” refers not only to business enterprises but also to other organizations, including government and municipal institutions and various incorporated bodies such as foundations.
Security policies are descriptions of the rules concerning information security and are typically written in natural language. Accordingly, the foregoing three levels of security policies are basically written in natural language.
For example, product level policies describe actual means, and thus include descriptions of the setting information of concrete electronic equipment, software, etc., which are written in human-readable natural language. The setting information of the electronic equipment and software is of no use unless it is actually applied to the electronic equipment and software.
In the foregoing applications, two levels of product level policies are hence proposed, i.e., those of a first level written in natural language and a second level written in specific languages of specific devices.
The two types of product level policies, in natural language and in specific languages, define the same contents. One is written in natural language for the sake of human readability. The other is itself the data for setting specific devices, and is thus written in the specific languages of those devices. Although the contents are the same, the two types of product level policies have had to be created separately because their description languages differ.
It would be convenient, however, if the product level policies written in specific languages could be automatically created from those written in natural language, since the contents of the two types are fundamentally the same.