Transcription of Generally Accepted System Security Principles
1 27 Generally Accepted System Security Principles Release for Public Comment Ralph Spencer Poore The Generally Accepted System SecurityPrinciples (GASSP) Committee hasapproved this release of the GASSP for pub-lic comment. The introductory materialsand the sections through and includingSection Pervasive Principles are includedfor the reader s information only. PervasivePrinciples have previously had a publiccomment period. The GASSPC asks theprofession to review and comment on Sec-tion Broad Functional Principles (themajority of the document). Section Detailed Security Principles remains a workin progress that will be built on the BroadFunctional Principles . We welcome yourcomments on all aspects of the document;however, we ask that you concentrate onsubstantive matters rather than Chairman asks that we provide spe-cial recognition to all those persons andorganizations that have contributed to theGASSP effort to date.
2 In addition, he citesthe following individuals and organiza-tions for their exceptional contributions:Craig Schiller, who drafted the first straw-man in a Herculean original effort; theComputer Security Institute (CSI), whichhas consistently provided the GASSPC with solid support; the MassachusettsInstitute of Technology (MIT), which hasprovided the GASSPC with a Web site;Charlie LeGrande and the Institute forInternal Auditors (IIA) for the same rea-son; as well as William H. Murray, IanRoss, Hal Tipton, Ross Leo, and RalphPoore. These organizations and individu-als made major contributions, often at sig-nificant personal address your comments to RalphSpencer Poore at with a copy to Will Ozier,Chairman, GASSPC at The public comment period willend 90 days after publication.
3 Copyright 1996, 1997, 1998, 1999 by International Information Security Foundation; published with permission, all rights reserved. 28 Generally Accepted System Security Principles The International Information Security Foundation (I 2 SF)-Sponsored Committee to Develop and Promulgate Generally Accepted System Security Principles BACKGROUND Formation of the I 2 SF-sponsored GASSPC ommittee (GASSPC) began in mid-1992in response to Recommendation #1 of thereport Computers at Risk (CAR), publishedby the United States of America s NationalResearch Council in 1990. That recom-mendation, To Promulgate Comprehen-sive Generally Accepted System SecurityPrinciples, and its subordinate elementssparked the genesis of a concerted effort toestablish a well-balanced committee popu-lation representing key elements of the pri-vate and public sectors from both theUnited States and administrative and product-related Principles are being addressed,individual and organizational privacyrights are being addressed, and, to consol-idate all the elements of a rapidly evolvingindustry, alliances are being established tothe International Information SystemsSecurity Certification Consortium (ISC)
4 2 ,the international Common Criteria effortto develop information technology prod-uct-related information Security princi-ples, and other organizations having aninterest in the Security of information andassociated consolidate and sustain the value ofcomprehensive GASSP effectively, theCAR recommendation envisions the cre-ation of an authoritative infrastructure tomaintain the GASSP, support their evolu-tion, enforce compliance, and provide avehicle for the authoritative approval ofreasonably founded exceptions or depar-tures from GASSP. This authoritativeinfrastructure would be modeled afterthose that support and sustain the Gener-ally Accepted Accounting Principles (GAAP) and like models of the interna-tional accounting GASSP Committee kickoff meet-ing was held in the United States at the1992 National Computer Security Con-ference in Baltimore, Maryland, and wasattended by 25 leading information secu-rity experts from the United States, Can-ada, the United Kingdom, France,Germany, the Netherlands, Sweden, andthe European Commission (EC).
5 Manydiffering perspectives and agendas werediscussed in an open exchange, but at theclose of the meeting, it was the consensusthat the objectives were important, neces-sary, and, perhaps most significant,achievable. Generally Accepted System Security Principles FALL 1990 29 BENEFITS n The GASSP will promote good practice. n The GASSP will provide the authorita-tive point of reference and legal reference for information Security Principles , prac-tices, and opinions. n Good information Security practice will increase the effectiveness and efficiency of business, promote trade and commerce, and improve productivity. n Good information Security practice will help preserve the necessary public trust in the ability to leverage modern information technology while avoiding unintended consequences.
6 This trust is necessary for the effective use of the technology. n The GASSP will improve the effective-ness and the efficiency of the information technology Security functions and practi-tioners by promoting the best practice and reducing duplication of creative effort. n Global harmonization of information Security Principles will serve to minimize artificial barriers to the appropriately free flow of information that can result from conflicting standards and controls. n Information Security professionals are practitioners certified and self-policed against a Common Body of Knowledge (CBK) main-tained through coordination between the GASSP infrastructure and (ISC) 2 . Thus, a globally known skill set will be assured.
7 N Management will have increased confi-dence that information Security practitio-ners decisions are in concert with GASSP. n Industry and government will be moti-vated to support GASSP, recognizing the broad efficiency achievable through the recognition of globally Accepted GASSP. n Management worldwide will hold func-tional information Security to the same set of rules. n Vendors will be able to develop prod-ucts with global conformance, rather than meeting variable local guidance, thus reducing both development andend-use costs. n Vendor products conforming to GASSP will enjoy increased customer confidence, trust, and acceptance. APPROACH Rather than another ad hoc effort, the GAS-SPC decided to establish an AuthoritativeFoundation of existing works that, throughtheir broad acceptance, have articulated, inone way or another, the GASSP of the infor-mation Security profession.
8 Recognizing thehierarchic nature of Principles , it was deter-mined to use the Organization for Eco-nomic Cooperation and Development(OECD) Information Security Principles ,with their international acceptance, as themodel for the foundation of the GASSP hierarchy, the Pervasive Principles , and,through a careful analysis and mapping ofthe Authoritative Foundation and deriva-tive works, to develop Broad FunctionalPrinciples, as Accepted and supported byconsensus of the IT industry and the GASSPC will develop DetailedPrinciples, including how to development of a consensus-build-ing process is central to the success of thisapproach. Other key tasks include theestablishment of linkages to the CommonCriteria and the (ISC) 2 -sponsored , two essential elements, whichwill be evolutionary in nature, are to bedeveloped.
9 The first is the definition andestablishment of an authoritative infra-structure, or governing body. This efforthas been initiated. Second is the develop-ment of models for legislative/regulatoryinitiatives that have the support of the pro-fession, industry, and government. Theirpurpose will be to establish the glue thateffectively binds the consolidation of thesecomplex issues internationally. OBJECTIVES n The international harmonization of cul-turally neutral information Security . n The elimination of artificial barriers to the free flow of information worldwide. n The definition and implementation of a principled foundation for an industry, the success of which is critical to the future of the Information Age and its ramifications for privacy and Security .
10 30 INFORMATION SYSTEMS Security FALL 1999 n Provision for the rapidly evolving nature of information Security methods, issues, and technology, and their articulation in principle. n Recognition and correlation to related management issues. CURRENT STATUS [ Note: This section articulates currentproject status. In the final document, thissection will be replaced with a develop-ment history.]The National Performance Review(NPR) Task Force, formed by the VicePresident of the United States of America,has recommended that the National Insti-tute of Standards and Technology (NIST),with advice from the National SecurityAgency (NSA) and the Office of Manage-ment and Budget (OMB), develop GASSPfor the federal government.