Security analysts organize the needs of a site in order to define a security policy. From this policy, analysts develop and implement mechanisms for enforcing the policy. The mechanisms may be procedural, technical, or physical. Part 3 describes the notion of policy and how it can be expressed and formalized, and how different types of policies affect accesses.

Chapter 4, “Security Policies,” presents the abstract notion of a security policy and some ways to represent policies. Policy languages abstract some of the common elements of policies and allow expression of policies both at abstract levels and in terms of the properties of the particular systems under consideration.

Chapter 5, “Confidentiality Policies,” discusses policies ...