Abstract. In this paper we propose a security architecture and mechanism for Virtual Organizations (VO) for businesses. The VOs we consider are based on web service technology to address interoperability issues and cater for future business software, and are dynamic, i.e. their membership may change frequently throughout their lifetime. We improve over previous approaches in the following aspect: We have designed, implemented and evaluated a comprehensive security mechanism for our architecture that can protect both the web services in the VO and the VO management services. The security policies of VO management are enforced by inspecting the request for the encodings of parameters that are relevant to the policy decision. The basic idea may be applicable to other web service based software with data-dependent security policies, e.g. databases.