PoSecCo's vision is to establish and maintain a consistent, transparent, sustainable and traceable link between high-level, business-driven security and compliance requirements on one side and low-level technical configuration settings of individual services on the other side. This approach relies on the use of a series of models at different levels of abstractions: the Business, the IT, and the Configuration levels. The IT policy represents the crucial step where the security policy is described using IT-centered concepts (rather than the business concepts adopted in the representation at the Business level) and where a formal and (semi-)automatically processable representation is created.

The IT level representation of the security policy is called the IT Policy. The IT policy is a conceptual representation of the restrictions that the system has to put in place in order to satisfy the security requirements. It is a declarative specification, i.e., it specifies the set of admissible configurations without reference to the concrete mechanisms that will be used to implement the policy.

The definition of the IT Policy relies on the use of a meta-model, a UML class diagram that specifies the different concepts that are used for its representation. The meta-model is organized in six sub-models, dedicated to the representation of security principals, security rules, resources, privileges, authentication properties, and security domains.

The IT policy is enriched with the application of Semantic Web technology and flexible ontology management tools. The first crucial advantage offered by ontologies is the possibility of checking the consistency of the model instances, going well beyond what can be offered by classical modeling tools. A second advantage is represented by the opportunity of managing with ontological tools design problems about the consistency of the policy, intra-layer and inter-layer, that would otherwise require the implementation of ad hoc tools.