Generally Accepted System Security Principles

Release for Public Comment

Ralph Spencer Poore

The Generally Accepted System Security Principles (GASSP) Committee has approved this release of the GASSP for public comment. The introductory materials and the sections through and including Section Pervasive Principles are included for the reader's information only. Pervasive Principles have previously had a public comment period. The GASSPC asks the profession to review and comment on Section Broad Functional Principles (the majority of the document).

The International Information Security Foundation (I²SF)-Sponsored Committee to Develop and Promulgate Generally Accepted System Security Principles

Section Detailed Security Principles remains a work in progress that will be built on the Broad Functional Principles. We welcome your comments on all aspects of the document; however, we ask that you concentrate on substantive matters rather than

The Chairman asks that we provide special recognition to all those persons and organizations that have contributed to the GASSP effort to date. In addition, he cites the following individuals and organizations for their exceptional contributions: Craig Schiller, who drafted the first straw-man in a Herculean original effort; the Computer Security Institute (CSI), which has consistently provided the GASSPC with solid support; the Massachusetts Institute of Technology (MIT), which has provided the GASSPC with a Web site; Charlie LeGrande and the Institute for Internal Auditors (IIA) for the same reason; as well as William H. Murray, Ian Ross, Hal Tipton, Ross Leo, and Ralph Poore. These organizations and individuals made major contributions, often at significant personal

Address your comments to Ralph Spencer Poore at with a copy to Will Ozier, Chairman, GASSPC at

The public comment period will end 90 days after publication.

Copyright 1996, 1997, 1998, 1999 by International Information Security Foundation; published with permission, all rights reserved.

BACKGROUND

Formation of the I²SF-sponsored GASSP Committee (GASSPC) began in mid-1992 in response to Recommendation #1 of the report Computers at Risk (CAR), published by the United States of America's National Research Council in 1990.

That recommendation, To Promulgate Comprehensive Generally Accepted System Security Principles, and its subordinate elements sparked the genesis of a concerted effort to establish a well-balanced committee population representing key elements of the private and public sectors from both the United States and

administrative and product-related Principles are being addressed, individual and organizational privacy rights are being addressed, and, to consolidate all the elements of a rapidly evolving industry, alliances are being established to the International Information Systems Security Certification Consortium (ISC)², the international Common Criteria effort to develop information technology product-related information security principles, and other organizations having an interest in the security of information and associated

To consolidate and sustain the value of comprehensive GASSP effectively, the CAR recommendation envisions the creation of an authoritative infrastructure to maintain the GASSP, support their evolution, enforce compliance, and provide a vehicle for the authoritative approval of reasonably founded exceptions or departures from GASSP.

This authoritative infrastructure would be modeled after those that support and sustain the Generally Accepted Accounting Principles (GAAP) and like models of the international accounting

The GASSP Committee kickoff meeting was held in the United States at the 1992 National Computer Security Conference in Baltimore, Maryland, and was attended by 25 leading information security experts from the United States, Canada, the United Kingdom, France, Germany, the Netherlands, Sweden, and the European Commission (EC).

Many differing perspectives and agendas were discussed in an open exchange, but at the close of the meeting, it was the consensus that the objectives were important, necessary, and, perhaps most significant, achievable.

Generally Accepted System Security Principles, FALL 1990

BENEFITS

- The GASSP will promote good practice.
- The GASSP will provide the authoritative point of reference and legal reference for information security principles, practices, and opinions.
- Good information security practice will increase the effectiveness and efficiency of business, promote trade and commerce, and improve productivity.
- Good information security practice will help preserve the necessary public trust in the ability to leverage modern information technology while avoiding unintended consequences. This trust is necessary for the effective use of the technology.
- The GASSP will improve the effectiveness and the efficiency of the information technology security functions and practitioners by promoting the best practice and reducing duplication of creative effort.
- Global harmonization of information security principles will serve to minimize artificial barriers to the appropriately free flow of information that can result from conflicting standards and controls.
- Information security professionals are practitioners certified and self-policed against a Common Body of Knowledge (CBK) maintained through coordination between the GASSP infrastructure and (ISC)². Thus, a globally known skill set will be assured.
- Management will have increased confidence that information security practitioners' decisions are in concert with GASSP.
- Industry and government will be motivated to support GASSP, recognizing the broad efficiency achievable through the recognition of globally accepted GASSP.
- Management worldwide will hold functional information security to the same set of rules.
- Vendors will be able to develop products with global conformance, rather than meeting variable local guidance, thus reducing both development and end-use costs.
- Vendor products conforming to GASSP will enjoy increased customer confidence, trust, and acceptance.

APPROACH

Rather than another ad hoc effort, the GASSPC decided to establish an Authoritative Foundation of existing works that, through their broad acceptance, have articulated, in one way or another, the GASSP of the information security profession.
