The Simple Difference Between a Security Policy vs Security Model

What is a security policy?

A security policy is a high-level, conceptual written document that describes how a system is to operate.

It is words on paper.

What is a security model?

A security model provides the means to secure a system in accordance with the security policy.

Simply, a security model involves math.

How does a security model relate to a security policy?

  • The words on paper (the security policy) dictate the way a system is to be designed.

  • The math required to express the requirements of the security policy is the security model.

  • The programmers use the security model to write the code that implements the system.
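
The three steps above, from policy to model to code, shown as an added example that is not part of the original page. It assumes a Bell-LaPadula style confidentiality model, which the page does not name; the policy sentence, level names and compartments are constructed for illustration.

```python
from dataclasses import dataclass

# Step 1, the policy: words on paper (constructed sentence).
POLICY = ("Staff may read only documents at or below their clearance, and "
          "may not copy information into a lower-classified document.")

# Step 2, the model: the math. A label is (level, compartments). Label a
# dominates label b when a.level >= b.level and a's compartments are a
# superset of b's. This is a partial order: some labels are incomparable.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}  # assumed level names


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    return (LEVELS[a.level] >= LEVELS[b.level]
            and a.compartments >= b.compartments)


# Step 3, the code: programmers enforce the model's two rules.
def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's label must dominate the object's."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down: the object's label must dominate the subject's."""
    return dominates(obj, subject)


def decide(subject: Label, obj: Label, action: str) -> bool:
    """Single decision point; an unknown action is refused, not allowed."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    analyst = Label("INTERNAL", frozenset({"HR"}))
    for obj in (Label("PUBLIC"), Label("SECRET", frozenset({"HR"})),
                Label("INTERNAL", frozenset({"FIN"}))):
        print(obj, decide(analyst, obj, "read"), decide(analyst, obj, "write"))
```

The last object carries a compartment the analyst lacks, so neither label dominates the other and both read and write are refused.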