The idea of AI-based "thought-ware" for policy generation, to paraphrase Bill Royds' thoughts, is certainly an interesting idea. SHL/Systemhouse are not alone, but do have a package called Transform that addresses this fairly completely (amongst every other aspect of IS development). Problem is, it's also damn expensive; selling IP usually is.

Policy generation deals with all those intangible Intellectual Property rightsy things that are, virtually, the sole commodity a consultant has to sell. Getting vendors to make it easier to define "what's right", in some rule-based kinda way, would certainly make a lot of the Policy generation details a lot easier (and doesn't cut in on what we consultants sell either...;-]).

I think the aspects of policy generation that take the largest effort are things like "what do you do when..." or "can we fire him/her after..." or "should this even be connected to the network..." AI isn't going to make those decisions any easier, and I don't really think I would trust it to tell me whether or not a "risk" is one I should or shouldn't take. If all it did was outline what a policy should include, well, that's probably already around in abundance anyway.

Now a "learning" policy generator, now there's an idea. It learns policy based on what I don't slap it for (i.e. if someone gets away with something enough times then it must be acceptable policy...;-]). I use it to enforce my policy violations and it learns that what it saw was a no-no, it happens again, it pops up an alert (i.e. "someone else just did that no-no thing over there Boss..."). That would seem to have some legs??

Thoughts??

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Moderator of the NTBugtraq mailing list
http://www.ntbugtraq.com

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:21 PDT