ABSTRACT
Before one designs a secure system, the first question that must be answered is what security policy is to be enforced by the system. Security policy is essentially a set of rules that enforce security. Security policies include mandatory security policies and discretionary security policies. Mandatory security policies are the policies that are “mandatory” in nature and are application independent. Discretionary security policies are policies that are specified by the administrator or anyone who is responsible for the environment in which the system will operate. We discuss mandatory security policies such as the Bell and LaPadula policy for database systems in Chapter 8. In this chapter we focus on discretionary security policies. In particular we discuss various types of policies. Enforcing such policies is the subject of Chapter 6.
