Defining Policies Using Meta Rules

This paper seeks to initiate a discussion on how to design and implement security policies within a company. It first describes a methodology for developing security policies based on the concept of meta-rules, rules which define how to write rules. It then describes how to use measures to determine the effectiveness of the policies in a business context. Finally it shows the relationship between a measurement system and a systematic review of policy to verify and validate the meta-rules chosen as the basis for security policy.