Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy

US 7,260,830 B2
Filed: 05/14/2001
Issued: 08/21/2007
Est. Priority Date: 06/01/2000
Status: Active Grant

First Claim

Patent Images

1. A method of generating a security policy for an organization, comprising:

receiving a field of business identifier;

receiving an indicator of rigorousness;

generating security rules from a stored knowledge base based on the indicator of rigorousness;

generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness;

transmitting the generated inquiries to at least one user;

receiving input from the at least one user in response to the transmitted inquiries;

adjusting the security rules based on the received input and the indicator of rigorousness; and

outputting the security policy that includes the security rules,wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of efficiently establishing a security policy and an apparatus for supporting preparation of a security policy. According to a method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is adjusted so as to match realities of an organization, as required, thus completing a security policy stepwise. Therefore, a security policy can be established in consideration of a schedule or budget of the organization.

326 Citations

39 Claims

1. A method of generating a security policy for an organization, comprising:
- receiving a field of business identifier;
  
  receiving an indicator of rigorousness;
  
  generating security rules from a stored knowledge base based on the indicator of rigorousness;
  
  generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness;
  
  transmitting the generated inquiries to at least one user;
  
  receiving input from the at least one user in response to the transmitted inquiries;
  
  adjusting the security rules based on the received input and the indicator of rigorousness; and
  
  outputting the security policy that includes the security rules,wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of generating a security policy according to claim 1, wherein transmitting the generated inquiries further comprises transmitting the generated inquiries to members of an organization for review and receiving input further comprises receiving input from the members of the organization.
  - 3. The method of generating a security policy according to claim 2, further comprising generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
  - 4. The method of generating a security policy according to claim 2, further comprising receiving job specifications of the members to receive the inquiries,wherein generating inquiries includes generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
  - 5. The method of generating a security policy according to claim 3, wherein receiving input from the members of the organization includes:
    - storing input received from a member;
      
      comparing input from other members to the stored input;
      
      retransmitting inquiries to members if contradictory inputs are received; and
      
      storing input received from members in response to retransmitted inquiries.
  - 6. The method of generating a security policy according to claim 5, further comprising:
    - assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and
      
      displaying an estimated response based upon the weighted contradictory inputs.
  - 7. The method of generating a security policy according to claim 5, further comprising:
    - comparing the information system virtual design and a real information system design and updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and
      
      comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
  - 8. The method of generating a security policy according to claim 7, further comprising:
    - assigning priorities to identified differences within the first set of differences; and
      
      generating a schedule for resolving the first set of differences based upon the priorities assigned.
  - 9. The method of generating a security policy according to claim 7, further comprising generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness.
  - 10. The method of generating a security policy according to claim 1, wherein the generated security policy draft includes recommendations for regulations aimed at a specific line of business.
  - 11. The method of generating a security policy according to claim 1, wherein the stored knowledge base includes a set of global guidelines, recommendations or regulations aimed at a specific line of business.
  - 12. The method of generating a security policy according to claim 11, wherein the inquiries are generated based upon the global guidelines.
  - 13. The method of generating a security policy according to claim 1, wherein the stored knowledge base includes security rules related to at least three levels of security policy, including:
    - executive-level security rules that describe an organization'"'"'s policy concerning information security, in conformity with global guidelines;
      
      corporate-level security rules that describe an information security system embodying the executive-level information security policy; and
      
      product-level security rules that describe measures for implementing the executive-level security policy with reference to the corporate-level security policy.
  - 14. The method of generating a security policy according to claim 13, wherein the corporate-level security policy includes security rules for the information security system of the overall organization;
    - and includes security rules for individual equipment components constituting the information security system of the organization.
  - 15. The method of generating a security policy according to claim 13, wherein the product-level security policy includes at least two types of product-level security rules, including:
    - first-level product security rules that describe settings of individual equipment components constituting the information security system in natural language; and
      
      second-level product security rules that describe settings of individual equipment component constituting the information security system in a specific language used in each specific equipment component.

16. An apparatus for generating a security policy for an organization, comprising:
- means for receiving a field of business identifier;
  
  means for receiving an indicator of rigorousness;
  
  means for generating security rules from a stored knowledge base based on the indicator of rigorousness;
  
  means for generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness;
  
  means for transmitting the generated inquiries to at least one user;
  
  means for receiving input from the at least one user in response to the transmitted inquiries;
  
  means for adjusting the security rules based on the received input and the indicator of rigorousness; and
  
  means for outputting the security policy that includes the security rules,wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The apparatus for generating a security policy according to claim 16, wherein the means for transmitting the generated inquiries further comprises means for transmitting the generated inquiries to members of an organization for review and the means for receiving input further comprises means for receiving input from the members of the organization.
  - 18. The apparatus for generating a security policy according to claim 17, further comprising means for generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
  - 19. The apparatus for generating a security policy according to claim 17, further comprising means for receiving job specifications of the members to receive the inquiries,wherein the means for generating inquiries includes means for generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
  - 20. The apparatus for generating a security policy according to claim 18, wherein the means for receiving input from the members of the organization includes:
    - means for storing input received from a member;
      
      means for comparing input from other members to the stored input;
      
      means for retransmitting inquiries to members if contradictory inputs are received; and
      
      means for storing input received from members in response to retransmitted inquiries.
  - 21. The apparatus for generating a security policy according to claim 20, further comprising:
    - means for assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and
      
      means for displaying an estimated response based upon the weighted contradictory inputs.
  - 22. The apparatus for generating a security policy according to claim 20, further comprising:
    - means for comparing the information system virtual design and a real information system design and means for updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and
      
      means for comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
  - 23. The apparatus for generating a security policy according to claim 22, further comprising:
    - means for assigning priorities to identified differences within the first set of differences; and
      
      means for generating a schedule for resolving the first set of differences based upon the priorities assigned.
  - 24. The apparatus for generating a security policy according to claim 22, further comprising means for generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness.
  - 25. The apparatus for generating a security policy according to claim 16, wherein the generated security policy draft includes recommendations for regulations aimed at a specific line of business.
  - 26. The apparatus for generating a security policy according to claim 16, wherein the stored knowledge base includes a set of global guidelines, recommendations or regulations aimed at a specific line of business.
  - 27. The apparatus for generating a security policy according to claim 26, wherein the inquiries are generated based upon the global guidelines.
  - 28. The apparatus for generating a security policy according to claim 16, wherein the stored knowledge base includes security rules related to at least three levels of security policy, including:
    - executive-level security rules that describe an organization'"'"'s policy concerning information security, in conformity with global guidelines;
      
      corporate-level security rules that describe an information security system embodying the executive-level information security policy; and
      
      product-level security rules that describe measures for implementing the executive-level security policy with reference to the corporate-level security policy.
  - 29. The apparatus for generating a security policy according to claim 28, wherein the corporate-level security policy includes security rules for the information security system of the overall organization;
    - and includes security rules for individual equipment components constituting the information security system of the organization.
  - 30. The apparatus for generating a security policy according to claim 28, wherein the product-level security policy includes at least two types of product-level security rules, including:
    - first-level product security rules that describe settings of individual equipment components constituting the information security system in natural language; and
      
      second-level product security rules that describe settings of individual equipment components constituting the information security system in a specific language used in each specific equipment component.

31. A storage medium storing a set of program instructions executable on a data processing device and usable for generating a security policy for an organization, comprising:
- instructions for receiving a field of business identifier;
  
  instructions for receiving an indicator of rigorousness;
  
  instructions for generating security rules from a stored knowledge base based on the indicator of rigorousness;
  
  instructions for generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness;
  
  instructions for transmitting the generated inquiries to at least one user;
  
  instructions for receiving input from the at least one user in response to the transmitted inquiries;
  
  instructions for adjusting the security rules based on the received input and the indicator of rigorousness; and
  
  instructions for outputting the security policy that includes the security rules,wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The storage medium according to claim 31, wherein the instructions for transmitting the generated inquiries further comprise instructions for transmitting the generated inquiries to members of an organization for review and instructions for receiving input further comprises receiving input from the members of the organization.
  - 33. The storage medium according to claim 32, further comprising instructions for generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
  - 34. The storage medium according to claim 32, further comprising instructions for receiving job specifications of the members to receive the inquiries,wherein the instructions for generating inquiries includes instructions for generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
  - 35. The storage medium according to claim 33, wherein the instructions for receiving input from the members of the organization includes:
    - instructions for storing input received from a member;
      
      instructions for comparing input from other members to the stored input;
      
      instructions for retransmitting inquiries to members if contradictory inputs are received; and
      
      instructions for storing input received from members in response to retransmitted inquiries.
  - 36. The storage medium according to claim 35, further comprising:
    - instructions for assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and
      
      instructions for displaying an estimated response based upon the weighted contradictory inputs.
  - 37. The storage medium according to claim 35, further comprising:
    - instructions for comparing the information system virtual design and a real information system design and updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and
      
      instructions for comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
  - 38. The storage medium according to claim 37, further comprising:
    - instructions for assigning priorities to identified differences within the first set of differences; and
      
      instructions for generating a schedule for resolving the first set of differences based upon the priorities assigned.
  - 39. The storage medium according to claim 37, further comprising instructions for generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Asgent, Inc.
Original Assignee
Asgent, Inc.
Inventors
Sugimoto, Takahiro
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
HO, THOMAS

Application Number

US09/853,708
Publication Number

US 20010049793A1
Time in Patent Office

2,290 Days
Field of Search

705/50, 713/200, 726/1
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/20 for managing network securi...

Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

326 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

326 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others