We discuss how to design mechanically an information processing system presented with two independent requirements, one of which shows information flow to perform some process and one which prohibits illegal information flow. To do this, we introduce one well-known security model the "Bell and LaPadula model" and formulate this design problem. This problem then becomes a security level assignment problem. We show that the design possibilities and level assignment can be mechanically solved by expressing the inequalities in graph theoretical form and by using an analytical method of graph theory.

This paper studies the evaluation of information flow and access guard mechanism in information system, based on process requirements occured at business and security requirements which prohibit information leakage to subjects of "conflict of interest". For the evaluation, process requirements are described by read, append matrix of subject row and object column (S-O matrix), and then the S-O matrix is evaluated by security requirements. The method of the evaluation is the following, (1) it is prohibited that two conflicting subjects can directly read or append to each other's objects, (2) a subject that have a possibility of information leakage must be observed.