Generally Accepted System Security Principles
Framework
Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
Security Principles Boards
GSSP governing practices of Certified Information System Security
Professionals and external audit will be governed by an opinion board
consisting of respected members of the information security profession,
nominated by executive committee and elected by a council. The
relationship between Certification, GSSP, the Security Principles Board,
and the Common Body of Knowledge is illustrated in Figure 1. The board
will have practitioners, industrialists, educators, and government
employees. The board will:
- Publish proposed and approved opinions of the profession about
accepted practices, processes, standards, and professional codes
of conduct.
- Establish a process for gathering comments about proposed
opinions and determining whether proposed opinions merit inclusion
in the GSSP as an opinion of the profession and finally
incorporating those with demonstrable consensus as Generally
Accepted System Security Principles.
- Establish processes for reporting and dispositioning acts by
professionals not in accordance with GSSP (to include loss of
certification, censure, etc.).
- Establish processes for professionals to depart from GSSP through
authorized exceptions, without censure or loss of certification.
A similar board will be established to publish proposed and approved
opinions of the profession regarding principles, practices, standards,
and processes to be included or adhered to in security products. These
principles could also be supported by a product certification process
(manifested by a registered trademark or a Common Criteria* registered
protection profile) and periodic audits of product compliance to GSSP.
See Figure "Relationship of GSSP to Information Systems Security."
*The Common Criteria is a document and process that is being built by
NIST, NSA, and international organizations to build protection profiles
that may be used by vendors to create security products that meet those
organizations' needs. The process of building a profile includes a step
for specifying evaluation criteria. If the GSSP could be expressed as a
protection profile, then it would inherit a global distribution and
evaluation channel. Couple this with an admonition to Certified
Information Systems Security Professionals to exercise preference for
applications that meet the GSSP profile. This approach could accelerate
the acceptance and proliferation of GSSP for vendor security product
offerings.
Editor's note: The GSSP committee has received comments suggesting that a
single board should publish and maintain opinions on security practices,
processes, standards, and codes of behavior for professionals; and also
publish and maintain opinions regarding principles, practices, and
processes to be included or adhered to in security products. This issue
will be debated at an upcoming committee meeting.
Principle Hierarchy
Candidate principles may be placed into one of the three categories
of principles. The categories are defined as follows:
- Pervasive Principles relate to information security as a whole and
provide a basis for other principles.
- Broad Operating/Functional Principles guide the recording,
measuring, and communicating processes of information security.
- Detailed Security Principles indicate the practical application of
the pervasive and broad operating/functional principles.
The pervasive principles are few in number and are fundamental in
nature and as such will change rarely. The broad operating principles
are derived from the pervasive principles and are more numerous, more
specific, and guide the application of a series of more detailed
principles. The detailed security principles are numerous and specific.
They are generally based on one or more broad operating principles and
the broad operating principles are generally based on the pervasive
principles.