Definition of Key Terms

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Generally Accepted System Security Principles (GSSP)

Generally Accepted System Security Principles incorporate the consensus at a particular time as to the practices, conventions, rules, mechanisms, and procedures that 1) information security professionals should employ, or that 2) information processing products should provide, to achieve, preserve, and restore the properties of integrity, availability, and confidentiality of information and information systems.

GSSP is a technical security term encompassing the practices, conventions, rules, mechanisms, and procedures that are needed to define accepted security practice at a particular time. It includes broad guidelines and detailed practices and procedures.*

*The Generally Accepted Accounting Principles (GAAP) were recommended by the Computers at Risk authors as an appropriate model for GSSP. GAAP are defined as "A technical accounting term encompassing the conventions, rules, and procedures that are needed to define accepted accounting practice at a particular time. It includes broad guidelines and detailed practices and procedures." from Page 6-3, Chapter 6, Part II A of "CPA Review", Nathan Bisk, JD, C.P.A., 1985. One significant difference that been noted between proposed GSSP and GAAP: GAAP define conventions, rules, standards, and procedures that are needed to define accepted security practice for Accounting professionals only. In addition to defining the conventions, rules, standards, and procedures for information security professionals, GSSP define required countermeasures and practices to be included in vendor security products..

Generally Accepted

GSSP are conventional--that is, they become generally accepted by agreement (often tacit agreement) rather than formal derivation from a set of postulates or basic concepts. The principles have been developed on the basis of experience, reason, custom, usage, and, to a significant extent, practical necessity. The sources of established security principles are generally the following:

• Pronouncements of an authoritative body (to be established) designated by the ISSA Board of Directors and others as appropriate, to establish security principles.
• Pronouncements of bodies composed of expert security professionals that follow a due process procedure, including broad distribution of proposed security principles for public comment, for the intended purpose of establishing security principles or describing existing practices that are generally accepted. Includes Security Audit guides and Statements of Position.
• Practices or pronouncements that are widely accepted as being generally accepted because they represent prevalent practice in a particular industry or the knowledgeable application to specific circumstances of pronouncements that are generally accepted. Includes interpretations and practices that are widely recognized and prevalent in the industry.
• Other security literature. Includes pronouncements of other professional associations or regulatory agencies, and information security textbooks and articles.

The concept of generally accepted is to be distinguished from the concept of universally accepted. This distinction has been made to address the case that even obvious fundamental principles, such as accountability, may have exceptions (e.g., a library system that insists that use of the card catalog system have no accountability to preserve the privacy of the user). Since situations outside of the GSSP may be considered appropriate exceptions, it will be necessary to include a procedure to follow when an information security professional deems it necessary to depart from the published GSSP.

System

For this report, the term System is used as an umbrella term for the hardware, software, physical, procedural, and organizational (sometimes referred to as physical, administrative, personnel, and technological security) issues that need to be considered when addressing the security of an application, group of applications, organization, or group of organizations. It is used to imply that these principles address the broadest definition of security rather than just the security operations discipline. The term is intended to be the equivalent of the terms Information Technology (IT) and Automated Information System (AIS), Automated Data Processing Element (ADPE), etc.

Security Principles

For this report, the term Security Principles is used in its broadest application. At least initially, it is beneficial to include generally accepted principles, practices, policies, standards, and categories of procedures without distinction. Three useful, albeit somewhat arbitrary categories will be used to collect, discuss, and organize security principles: pervasive principles, broad operating/functional principles, and detailed security principles. The broad operating/functional principles and detailed security principles will be divided into principles for information security professionals and principles for information processing products. In addition, the broad operating/functional principles and the detailed security principles will be organized and presented twice, once organized along operations lines and once organized along functional lines.

GSSP will be used to support security professional certification, external audit, security product development, and maintain credibility with management. To meet these needs, GSSP must have substantial authoritative support. Opinions of the Security Principles Board have substantial authoritative support (by design). Substantial authoritative support can exist for principles that differ from opinions of the Security Principles Board.