Generally Accepted System Security Principles incorporate the consensus at a particular time as to the practices, conventions, rules, mechanisms, and procedures that 1) information security professionals should employ, or that 2) information processing products should provide, to achieve, preserve, and restore the properties of integrity, availability, and confidentiality of information and information systems.
GSSP is a technical security term encompassing the practices, conventions, rules, mechanisms, and procedures that are needed to define accepted security practice at a particular time. It includes broad guidelines and detailed practices and procedures.*
* GSSP are conventional--that is, they become generally accepted by
agreement (often tacit agreement) rather than formal derivation from a
set of postulates or basic concepts. The principles have been developed
on the basis of experience, reason, custom, usage, and, to a significant
extent, practical necessity. The sources of established security
principles are generally the following:
The concept of generally accepted is to be distinguished from the
concept of universally accepted. This distinction has been made to
address the case that even obvious fundamental principles, such as
accountability, may have exceptions (e.g., a library system that
insists that use of the card catalog system have no accountability
to preserve the privacy of the user). Since situations outside of
the GSSP may be considered appropriate exceptions, it will be
necessary to include a procedure to follow when an information
security professional deems it necessary to depart from the
published GSSP.
For this report, the term System is used as an umbrella term for the
hardware, software, physical, procedural, and organizational (sometimes
referred to as physical, administrative, personnel, and technological
security) issues that need to be considered when addressing the security
of an application, group of applications, organization, or group of
organizations. It is used to imply that these principles address the
broadest definition of security rather than just the security operations
discipline. The term is intended to be the equivalent of the terms
Information Technology (IT) and Automated Information System (AIS),
Automated Data Processing Element (ADPE), etc.
For this report, the term Security Principles is used in its
broadest application. At least initially, it is beneficial to include
generally accepted principles, practices, policies, standards, and
categories of procedures without distinction. Three useful, albeit
somewhat arbitrary categories will be used to collect, discuss, and
organize security principles: pervasive principles, broad
operating/functional principles, and detailed security principles. The
broad operating/functional principles and detailed security principles
will be divided into principles for information security professionals
and principles for information processing products. In addition, the
broad operating/functional principles and the detailed security
principles will be organized and presented twice, once organized along
operations lines and once organized along functional lines.
GSSP will be used to support security professional certification,
external audit, and security product development, and to maintain
credibility with management. To meet these needs, GSSP must have substantial
authoritative support. Opinions of the Security Principles Board have
substantial authoritative support (by design). Substantial
authoritative support can exist for principles that differ from opinions
of the Security Principles Board.