Generally Accepted System Security Principles


Formation of the I2SF-sponsored GASSP Committee (GASSPC) began in mid-1992 in response to Recommendation #1 of the report "Computers at Risk" (CAR), published by the United States of America's National Research Council in 1990. That recommendation, "To Promulgate Comprehensive Generally Accepted System Security Principles," and its subordinate elements sparked the genesis of a concerted effort to establish a well-balanced committee population representing key elements of the private and public sectors from both the USA and abroad.

Both administrative and product-related principles are being addressed, individual and organizational privacy rights are being addressed, and, to consolidate all the elements of a rapidly evolving industry, alliances are being established to the International Information Systems Security Certification Consortium (ISC)2, the international Common Criteria effort to develop information technology product-related information security principles, and other organizations having an interest in the security of information and associated principles.

In order to effectively consolidate and sustain the value of comprehensive GASSP, the CAR recommendation envisions the creation of an authoritative infrastructure to maintain the GASSP, support their evolution, enforce "compliance", and provide a vehicle for the authoritative approval of reasonably founded exceptions or departures from GASSP. This authoritative infrastructure would be modeled after those that support and sustain the Generally Accepted Accounting Principles (GAAP) and like models of the international accounting profession.

The GASSP Committee kickoff meeting was held at the 1992 National Computer Security Conference in Baltimore, Maryland, USA, and was attended by twenty-five leading information security experts from the USA, Canada, the UK, France, Germany, the Netherlands, Sweden, and the European Commission (EC). Many differing perspectives and agendas were discussed in an open exchange, but at the close of the meeting, it was the consensus that the objectives were important, necessary, and, perhaps most significant, achievable.



Rather than another ad hoc effort, the GASSPC decided to establish an Authoritative Foundation of existing works that, through their broad acceptance, have articulated, in one way or another, the GASSP of the information security profession. Recognizing the hierarchic nature of principles, it was determined to use the Organization for Economic Cooperation and Development (OECD) Information Security Principles, with their international acceptance, as the model for the foundation of the GASSP hierarchy, the Pervasive Principles, and, through a careful analysis and mapping of the Authoritative Foundation and derivative works, to develop Broad Functional Principles, as accepted and supported by consensus of the IT industry and profession. Finally the GASSPC will develop Detailed Principles, including "how to" guidance.

The development of a consensus-building process is central to the success of this approach. Other key tasks include the establishment of linkages to the Common Criteria and the (ISC)2 sponsored CISSP designation.

Finally, two essential elements, which will be evolutionary in nature, are to be developed. The first is the definition and establishment of an authoritative infrastructure, or governing body. This effort has been initiated. Second is the development of models for legislative/regulatory initiatives that have the support of the profession, industry, and government. Their purpose will be to establish the "glue" that effectively binds the consolidation of these complex issues internationally.



[NOTE: This section articulates current project status. In the final document, this section will be replaced with a development history.]

The National Performance Review (NPR) Task Force, formed by the Vice President of the United States of America, has recommended that the National Institute of Standards and Technology (NIST), with advice from the National Security Agency (NSA) and the Office of Management & Budget (OMB), develop GASSP for the Federal government. The GASSPC has drafted strategic project plans to secure funds that will enable the GASSPC to accelerate its efforts and develop GASSP that NIST, in turn, can adapt in response to its NPR task. It is essential to now secure funding and "in kind" support, identify a fund administrator, and support the working GASSP project team as appropriate.

The GASSP Pervasive Principles, based on the OECD Information Security Principles, have been developed, based on comments received and addressed to the GASSPC-approved Exposure Drafts, 1.0 and 2.0, that were published for comment and widely circulated. Work on the GASSP Broad Functional Principles has been completed. A fully articulated outreach and awareness program is also underway.

Core tasks of the GASSP Project and their status are as follows:













Special thanks is due to the GASSP Committee, organizations having established liaisons to the GASSP Committee, and the various organizations that employ the GASSP Committee members for their contributions, comments, and support in this voluntary endeavor. The efforts of the GASSP Committee members and the support of their respective employers were essential in the preparation of this document.

Chairman's comment: A number of individuals have made singularly outstanding contributions and personal sacrifices in support of the GASSP development. Their contributions have been instrumental to the success of this effort and are deeply appreciated. They are listed below alphabetically.

Vaune Rimkus Carr

Nigel Hickson

Charles Le Grand

Ross Leo

William Hugh Murray

Donn Parker

Ralph Spencer Poore

Ian Ross

Craig Schiller

Hal Tipton