Generally Accepted System Security Principles
BACKGROUND:
Formation of the I2SF-sponsored GASSP Committee
(GASSPC) began in mid-1992 in response to Recommendation #1 of the
report "Computers at Risk" (CAR), published by the United States of
America's National Research Council in 1990. That recommendation, "To
Promulgate Comprehensive Generally Accepted System Security
Principles," and its subordinate elements sparked the genesis of a
concerted effort to establish a well-balanced committee population
representing key elements of the private and public sectors from both
the USA and abroad.
Both administrative and product-related principles are being
addressed, as are individual and organizational privacy rights. To
consolidate all the elements of a rapidly evolving industry, alliances
are being established with the International Information Systems
Security Certification Consortium (ISC)2, with the international Common
Criteria effort to develop information technology product-related
information security principles, and with other organizations having an
interest in the security of information and associated principles.
In order to effectively consolidate and sustain the value of
comprehensive GASSP, the CAR recommendation envisions the creation of
an authoritative infrastructure to maintain the GASSP, support their
evolution, enforce "compliance", and provide a vehicle for the
authoritative approval of reasonably founded exceptions or departures
from GASSP. This authoritative infrastructure would be modeled after
those that support and sustain the Generally Accepted Accounting
Principles (GAAP) and like models of the international accounting
profession.
The GASSP Committee kickoff meeting was held at the 1992 National
Computer Security Conference in Baltimore, Maryland, USA, and was
attended by twenty-five leading information security experts from the
USA, Canada, the UK, France, Germany, the Netherlands, Sweden, and the
European Commission (EC). Many differing perspectives and agendas were
discussed in an open exchange, but at the close of the meeting, it was
the consensus that the objectives were important, necessary, and,
perhaps most significant, achievable.
BENEFITS:
- The GASSP will promote good practice.
- The GASSP will provide the authoritative point of reference and
legal reference for information security principles, practices, and
opinions.
- Good information security practice will increase the effectiveness
and efficiency of business, promote trade and commerce, and improve
productivity.
- Good information security practice will help preserve the necessary
public trust in the ability to leverage modern information technology
while avoiding unintended consequences. This trust is necessary for the
effective use of the technology.
- The GASSP will improve the effectiveness and the efficiency of the
information technology security functions and practitioners by
promoting the best practice and reducing duplication of creative
effort.
- Global harmonization of information security principles will serve
to minimize artificial barriers to the appropriately free flow of
information that can result from conflicting standards and controls.
- Information security professionals are practitioners certified and
self-policed against a Common Body of Knowledge (CBK) maintained
through coordination between the GASSP infrastructure and
(ISC)2. Thus, a globally known skill set will be assured.
- Management will have increased confidence that information security
practitioners' decisions are in concert with GASSP.
- Industry and government will be motivated to support GASSP,
recognizing the broad efficiency achievable through the recognition of
globally accepted GASSP.
- Management worldwide will hold functional information security to
the same set of rules.
- Vendors will be able to develop products with global conformance,
rather than meeting variable local guidance, thus reducing both
development and end-use costs.
- Vendor products conforming to GASSP will enjoy increased customer
confidence, trust, and acceptance.
APPROACH:
Rather than another ad hoc effort, the GASSPC decided to
establish an Authoritative Foundation of existing works that, through
their broad acceptance, have articulated, in one way or another, the
GASSP of the information security profession. Recognizing the
hierarchic nature of principles, it was determined to use the
Organization for Economic Cooperation and Development (OECD)
Information Security Principles, with their international acceptance,
as the model for the foundation of the GASSP hierarchy, the Pervasive
Principles, and, through a careful analysis and mapping of the
Authoritative Foundation and derivative works, to develop Broad
Functional Principles, as accepted and supported by consensus of the IT
industry and profession. Finally, the GASSPC will develop Detailed
Principles, including "how to" guidance.
The development of a consensus-building process is central to the
success of this approach. Other key tasks include the establishment of
linkages to the Common Criteria and the (ISC)2 sponsored
CISSP designation.
Finally, two essential elements, which will be evolutionary in
nature, are to be developed. The first is the definition and
establishment of an authoritative infrastructure, or governing body.
This effort has been initiated. Second is the development of models for
legislative/regulatory initiatives that have the support of the
profession, industry, and government. Their purpose will be to
establish the "glue" that effectively binds the consolidation of these
complex issues internationally.
OBJECTIVES:
- The international harmonization of culturally neutral
information security.
- The elimination of artificial barriers to the free flow of
information worldwide.
- The definition and implementation of a principled foundation for an
industry, the success of which is critical to the future of the
Information Age and its ramifications for privacy and security.
- Provision for the rapidly evolving nature of information security
methods, issues, and technology, and their articulation in principle.
- Recognition and correlation to related management issues.
CURRENT STATUS:
[NOTE: This section articulates current project status. In
the final document, this section will be replaced with a development
history.]
The National Performance Review (NPR) Task Force, formed by the Vice
President of the United States of America, has recommended that the
National Institute of Standards and Technology (NIST), with advice from
the National Security Agency (NSA) and the Office of Management &
Budget (OMB), develop GASSP for the Federal government. The GASSPC has
drafted strategic project plans to secure funds that will enable the
GASSPC to accelerate its efforts and develop GASSP that NIST, in turn,
can adapt in response to its NPR task. It is essential to now secure
funding and "in kind" support, identify a fund administrator, and
support the working GASSP project team as appropriate.
The GASSP Pervasive Principles, based on the OECD Information
Security Principles, have been developed, based on comments received
and addressed to the GASSPC-approved Exposure Drafts, 1.0 and 2.0, that
were published for comment and widely circulated. Work on the GASSP
Broad Functional Principles has been completed. A fully articulated
outreach and awareness program is also underway.
Core tasks of the GASSP Project and their status are as follows:
- Define and execute the outreach and awareness program (Ongoing)
- Research and complete the GASSPC Foundation Documents List
(Ongoing)
- Develop and approve the framework for the GASSP (Completed)
- Map the GASSPC Foundation Documents List of related authoritative
works (Ongoing)
- Survey the industry to ascertain outside interest/support (Ongoing)
- Define/establish liaison with the International Information Systems
Security Certification Consortium (ISC)2 (Completed)
- Define and approve the Consensus Process I (Internal-GASSPC) and II
(External) (Completed)
- Develop Exposure Draft 1.0 of the GASSP Pervasive Principles,
approve, and release for public comment (Completed)
- Address public comment to GASSP Pervasive Principles ED 1.0,
approve, and release as GASSP Pervasive Principles Version 1.0 for
public comment (Completed)
- Address public comment to GASSP Version 2.0, including the Broad
Functional Principles, submit to the GASSPC for final review and
comment and release, without GASSPC voting member objection, as GASSP
Version 2.0 (In process)
- Extract and define GASSP Broad Functional Principles from the
GASSPC foundation Document List and map to Pervasive Principles
(Completed)
- Execute the Consensus Process on GASSP Broad Functional Principles
(Completed)
- Plan development of GASSP Detailed Principles (In process)
- Execute development of GASSP Detailed Principles (Pending)
- Define/establish liaison with the Common Criteria Project (Pending)
- Define, approve, and establish the GASSPC governing infrastructure,
the International Information Security Foundation (I2SF) (Initiated)
- Fund and populate the I2SF (Pending)
THE GASSP INTERNATIONAL COMMITTEE MEMBERS
BELGIUM
- David Herson - European Commission, information
only
CANADA
- Peter Davis - Peter Davis & Associates, voting
member
- Peter Kingston - The Kingston Group, voting member and
Liaison for Canadian Information Processing Society (CIPS)
- Ian Ross - Communications Security Establishment, voting
member
FRANCE
- Yvon Klein - Centre National d'Etudes Spatiales, voting
member
GERMANY
- Ulrich van Essen - Bundesamt für Sicherheit in der
Informationstechnik, voting member
JAPAN
- Haruki Tabuchi - Fujitsu Limited, voting member
- Junji Tezuka - JEIDA, observer
MEXICO
- Miguel Alvarado - CONSI Group, voting member
- Ana Dominguez - Andersen Consulting, voting member
NETHERLANDS
- Fritz Taal - National Communications Security Agency,
voting member
SWEDEN
- Mats Ohlin - Defence Materiel Administration, voting
member
UNITED KINGDOM
- Nigel Hickson - Department of Trade and Industry, voting
member
UNITED STATES
- Jim Appleyard - IBM Corporation, voting member and
liaison for SHARE
- Tom Austin - IBG Corporation, voting member
- Laura Brown - Ernst & Young, voting member
- Stephen A. Carlton - Security Analysts Incorporated, voting
member and liaison for Standing Committee for the Safeguarding of
Proprietary Information of ASIS
- Cris R. Castro - Ernst & Young, voting member
- Ken Cutler - Information Security Institute, observer
- Jim Flyzik - Department of the Treasury, information only
- Brian Kahin - Office of Science & Technology Policy,
information only
- John Kinyon - Motorola Incorporated, observer
- Charles Le Grand - The Institute of Internal Auditors,
voting member and liaison for IIA
- Ross A. Leo - Omitron, Inc., voting member
- William Hugh Murray - Deloitte & Touche, voting member
- Peter G. Neumann - SRI International, information only
- Kristen Noakes-Fry - Noakes-Fry Associates, observer
- Thomas J. Orlowski - National Association of Manufacturers,
voting member and liaison for NAM
- Will Ozier - OPA Inc.-The Integrated Risk Management Group,
chair and voting member
- Donn Parker - SRI International, voting member
- Chuck Perkins - Coopers & Lybrand, voting member
- Ralph S. Poore - Ernst & Young, voting member
- Craig Schiller - Learjet, voting member
- Hal Tipton - HFT & Associates, voting member
- Fred Tompkins - Unisys, voting member
- Dan White - Grant Thornton, voting member
- Lauren Wood - Allied Signal, voting member and liaison for
International Standards Organization (ISO)
Acknowledgments
Special thanks are due to the GASSP Committee, to the organizations
that have established liaisons with the GASSP Committee, and to the
various organizations that employ the GASSP Committee members, for
their contributions, comments, and support in this voluntary endeavor.
The efforts of the GASSP Committee members and the support of their
respective employers were essential in the preparation of this
document.
Chairman's comment: A number of individuals have made singularly
outstanding contributions and personal sacrifices in support of the
GASSP development. Their contributions have been instrumental to the
success of this effort and are deeply appreciated. They are listed
below alphabetically.
Vaune Rimkus Carr
Nigel Hickson
Charles Le Grand
Ross Leo
William Hugh Murray
Donn Parker
Ralph Spencer Poore
Ian Ross
Craig Schiller
Hal Tipton