Policy-based management of information systems enables the specification of high-level policies which need to be refined into lower level configurations suitable to be directly applied to services and final devices in order to achieve the high-level behavior previous specified. This chapter presents a proposal for describing high-level security policies and for carrying out the policy refinement process for which low level policies and configurations are achieved. Firstly, an analysis of different research works related to the specification of security policy is provided. Then, a detailed description of the information model used for describing the information systems and the policies is described. After that, the language designed for specifying high level security policies is explained as well as the low level language based on the Common Information Model. Finally, some aspect about the policy refinement process done in the policy-based system in order to achieve low-level policies from the high-level security policies is outlined together with a description of the tools which can assist in the definition of the security policies and in the process refinement process.