Generally Accepted System Security Principles



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Security Principles Boards

GSSP governing practices of Certified Information Systems Security Professionals and external audit will be governed by an opinion board consisting of respected members of the information security profession, nominated by an executive committee and elected by a council. The relationship between Certification, GSSP, the Security Principles Board, and the Common Body of Knowledge is illustrated in Figure 1. The board will have practitioners, industrialists, educators, and government employees. The board will:

A similar board will be established to publish proposed and approved opinions of the profession regarding principles, practices, standards, and processes to be included or adhered to in security products. These principles could also be supported by a product certification process (manifested by a registered trademark or a Common Criteria* registered protection profile) and periodic audits of product compliance with GSSP. See Figure "Relationship of GSSP to Information Systems Security."

*The Common Criteria is a document and process that is being built by NIST, NSA, and international organizations to build protection profiles that may be used by vendors to create security products that meet those organizations' needs. The process of building a profile includes a step for specifying evaluation criteria. If the GSSP could be expressed as a protection profile, then it would inherit a global distribution and evaluation channel. Couple this with an admonition to Certified Information Systems Security Professionals to exercise preference for applications that meet the GSSP profile. This approach could accelerate the acceptance and proliferation of GSSP for vendor security product offerings.

Editor's note: The GSSP committee has received comments suggesting that a single board should publish and maintain opinions on security practices, processes, standards, and codes of behavior for professionals; and also publish and maintain opinions regarding principles, practices, and processes to be included or adhered to in security products. This issue will be debated at an upcoming committee meeting.

Principle Hierarchy

Candidate principles may be placed into one of the three categories of principles. The categories are defined as follows:

The pervasive principles are few in number and fundamental in nature and, as such, will change rarely. The broad operating principles are derived from the pervasive principles and are more numerous, more specific, and guide the application of a series of more detailed principles. The detailed security principles are numerous and specific. They are generally based on one or more broad operating principles, and the broad operating principles are generally based on the pervasive principles.