Generally Accepted System Security Principles
BACKGROUND:
Formation of the I2SF-sponsored GASSP Committee 
(GASSPC) began in mid-1992 in response to Recommendation #1 of the 
report "Computers at Risk" (CAR), published by the United States of 
America's National Research Council in 1990. That recommendation, "To 
Promulgate Comprehensive Generally Accepted System Security 
Principles," and its subordinate elements sparked the genesis of a 
concerted effort to establish a well-balanced committee population 
representing key elements of the private and public sectors from both 
the USA and abroad.
Both administrative and product-related principles are being 
addressed, individual and organizational privacy rights are being 
addressed, and, to consolidate all the elements of a rapidly evolving 
industry, alliances are being established with the International 
Information Systems Security Certification Consortium 
(ISC)2, the international Common Criteria effort to develop 
information technology product-related information security principles, 
and other organizations having an interest in the security of 
information and associated principles.
In order to effectively consolidate and sustain the value of 
comprehensive GASSP, the CAR recommendation envisions the creation of 
an authoritative infrastructure to maintain the GASSP, support their 
evolution, enforce "compliance", and provide a vehicle for the 
authoritative approval of reasonably founded exceptions or departures 
from GASSP. This authoritative infrastructure would be modeled after 
those that support and sustain the Generally Accepted Accounting 
Principles (GAAP) and like models of the international accounting 
profession.
The GASSP Committee kickoff meeting was held at the 1992 National 
Computer Security Conference in Baltimore, Maryland, USA, and was 
attended by twenty-five leading information security experts from the 
USA, Canada, the UK, France, Germany, the Netherlands, Sweden, and the 
European Commission (EC). Many differing perspectives and agendas were 
discussed in an open exchange, but at the close of the meeting, it was 
the consensus that the objectives were important, necessary, and, 
perhaps most significant, achievable.
BENEFITS:
- The GASSP will promote good practice. 
- The GASSP will provide the authoritative point of reference and 
legal reference for information security principles, practices, and 
opinions. 
- Good information security practice will increase the effectiveness 
and efficiency of business, promote trade and commerce, and improve 
productivity. 
- Good information security practice will help preserve the necessary 
public trust in the ability to leverage modern information technology 
while avoiding unintended consequences. This trust is necessary for the 
effective use of the technology. 
- The GASSP will improve the effectiveness and the efficiency of the 
information technology security functions and practitioners by 
promoting the best practice and reducing duplication of creative 
effort. 
- Global harmonization of information security principles will serve 
to minimize artificial barriers to the appropriately free flow of 
information that can result from conflicting standards and controls. 
- Information security professionals are practitioners certified and 
self-policed against a Common Body of Knowledge (CBK) maintained 
through coordination between the GASSP infrastructure and 
(ISC)2. Thus, a globally known skill set will be assured. 
- Management will have increased confidence that information security 
practitioners' decisions are in concert with GASSP. 
- Industry and government will be motivated to support GASSP, 
recognizing the broad efficiency achievable through the recognition of 
globally accepted GASSP. 
- Management worldwide will hold functional information security to 
the same set of rules. 
- Vendors will be able to develop products with global conformance, 
rather than meeting variable local guidance, thus reducing both 
development and end-use costs. 
- Vendor products conforming to GASSP will enjoy increased customer 
confidence, trust, and acceptance.
APPROACH:
Rather than another ad hoc effort, the GASSPC decided to 
establish an Authoritative Foundation of existing works that, through 
their broad acceptance, have articulated, in one way or another, the 
GASSP of the information security profession. Recognizing the 
hierarchic nature of principles, it was determined to use the 
Organization for Economic Cooperation and Development (OECD) 
Information Security Principles, with their international acceptance, 
as the model for the foundation of the GASSP hierarchy, the Pervasive 
Principles, and, through a careful analysis and mapping of the 
Authoritative Foundation and derivative works, to develop Broad 
Functional Principles, as accepted and supported by consensus of the IT 
industry and profession. Finally, the GASSPC will develop Detailed 
Principles, including "how to" guidance.
The development of a consensus-building process is central to the 
success of this approach. Other key tasks include the establishment of 
linkages to the Common Criteria and the (ISC)2 sponsored 
CISSP designation.
Finally, two essential elements, which will be evolutionary in 
nature, are to be developed. The first is the definition and 
establishment of an authoritative infrastructure, or governing body. 
This effort has been initiated. Second is the development of models for 
legislative/regulatory initiatives that have the support of the 
profession, industry, and government. Their purpose will be to 
establish the "glue" that effectively binds the consolidation of these 
complex issues internationally.
OBJECTIVES:
- The international harmonization of culturally neutral 
information security. 
- The elimination of artificial barriers to the free flow of 
information worldwide. 
- The definition and implementation of a principled foundation for an 
industry, the success of which is critical to the future of the 
Information Age and its ramifications for privacy and security. 
- Provision for the rapidly evolving nature of information security 
methods, issues, and technology, and their articulation in principle. 
- Recognition and correlation to related management issues.
CURRENT STATUS:
[NOTE: This section articulates current project status. In 
the final document, this section will be replaced with a development 
history.]
The National Performance Review (NPR) Task Force, formed by the Vice 
President of the United States of America, has recommended that the 
National Institute of Standards and Technology (NIST), with advice from 
the National Security Agency (NSA) and the Office of Management & 
Budget (OMB), develop GASSP for the Federal government. The GASSPC has 
drafted strategic project plans to secure funds that will enable the 
GASSPC to accelerate its efforts and develop GASSP that NIST, in turn, 
can adapt in response to its NPR task. It is now essential to secure 
funding and "in kind" support, identify a fund administrator, and 
support the working GASSP project team as appropriate.
The GASSP Pervasive Principles, based on the OECD Information 
Security Principles, have been developed, based on comments received 
and addressed to the GASSPC-approved Exposure Drafts, 1.0 and 2.0, that 
were published for comment and widely circulated. Work on the GASSP 
Broad Functional Principles has been completed. A fully articulated 
outreach and awareness program is also underway.
Core tasks of the GASSP Project and their status are as follows:
- Define and execute the outreach and awareness program (Ongoing) 
- Research and complete the GASSPC Foundation Documents List 
(Ongoing) 
- Develop and approve the framework for the GASSP (Completed) 
- Map the GASSPC Foundation Documents List of related authoritative 
works (Ongoing) 
- Survey the industry to ascertain outside interest/support (Ongoing) 
- Define/establish liaison with the International Information Systems 
Security Certification Consortium (ISC)2 (Completed) 
- Define and approve the Consensus Process I (Internal-GASSPC) and II 
(External) (Completed) 
- Develop Exposure Draft 1.0 of the GASSP Pervasive Principles, 
approve, and release for public comment (Completed) 
- Address public comment to GASSP Pervasive Principles ED 1.0, 
approve, and release as GASSP Pervasive Principles Version 1.0 for 
public comment (Completed) 
- Address public comment to GASSP Version 2.0, including the Broad 
Functional Principles, submit to the GASSPC for final review and 
comment and release, without GASSPC voting member objection, as GASSP 
Version 2.0 (In process) 
- Extract and define GASSP Broad Functional Principles from the 
GASSPC foundation Document List and map to Pervasive Principles 
(Completed) 
- Execute the Consensus Process on GASSP Broad Functional Principles 
(Completed) 
- Plan development of GASSP Detailed Principles (In process) 
- Execute development of GASSP Detailed Principles (Pending) 
- Define/establish liaison with the Common Criteria Project (Pending) 
- Define, approve, and establish the GASSPC governing infrastructure, 
the International Information Security Foundation (I2SF) (Initiated) 
- Fund and populate the I2SF (Pending)
THE GASSP INTERNATIONAL COMMITTEE MEMBERS
BELGIUM
- David Herson - European Commission, information 
only
CANADA
- Peter Davis - Peter Davis & Associates, voting 
member 
- Peter Kingston - The Kingston Group, voting member and 
Liaison for Canadian Information Processing Society (CIPS) 
- Ian Ross - Communications Security Establishment, voting 
member
FRANCE
- Yvon Klein - Centre National d'Etudes Spatiales, voting 
member
GERMANY
- Ulrich van Essen - Bundesamt für Sicherheit in der 
Informationstechnik, voting member
JAPAN
- Haruki Tabuchi - Fujitsu Limited, voting member 
- Junji Tezuka - JEIDA, observer
MEXICO
- Miguel Alvarado - CONSI Group, voting member 
- Ana Dominguez - Andersen Consulting, voting member
NETHERLANDS
- Fritz Taal - National Communications Security Agency, 
voting member
SWEDEN
- Mats Ohlin - Defense Materiel Administration, voting 
member
UNITED KINGDOM
- Nigel Hickson - Department of Trade and Industry, voting 
member
UNITED STATES
- Jim Appleyard - IBM Corporation, voting member and 
liaison for SHARE 
- Tom Austin - IBG Corporation, voting member 
- Laura Brown - Ernst & Young, voting member 
- Stephen A. Carlton - Security Analysts Incorporated, voting 
member and liaison for Standing Committee for the Safeguarding of 
Proprietary Information of ASIS 
- Cris R. Castro - Ernst & Young, voting member 
- Ken Cutler - Information Security Institute, observer 
- Jim Flyzik - Department of the Treasury, information only 
- Brian Kahin - Office of Science & Technology Policy, 
information only 
- John Kinyon - Motorola Incorporated, observer 
- Charles Le Grand - The Institute of Internal Auditors, 
voting member and liaison for IIA 
- Ross A. Leo - Omitron, Inc., voting member 
- William Hugh Murray - Deloitte & Touche, voting member 
- Peter G. Neumann - SRI International, information only 
- Kristen Noakes-Fry - Noakes-Fry Associates, observer 
- Thomas J. Orlowski - National Association of Manufacturers, 
voting member and liaison for NAM 
- Will Ozier - OPA Inc.-The Integrated Risk Management Group, 
chair and voting member 
- Donn Parker - SRI International, voting member 
- Chuck Perkins - Coopers & Lybrand, voting member 
- Ralph S. Poore - Ernst & Young, voting member 
- Craig Schiller - Learjet, voting member 
- Hal Tipton - HFT & Associates, voting member 
- Fred Tompkins - Unisys, voting member 
- Dan White - Grant Thornton, voting member 
- Lauren Wood - Allied Signal, voting member and liaison for 
International Standards Organization (ISO)
Acknowledgments
Special thanks are due to the GASSP Committee, organizations having 
established liaisons to the GASSP Committee, and the various 
organizations that employ the GASSP Committee members for their 
contributions, comments, and support in this voluntary endeavor. The 
efforts of the GASSP Committee members and the support of their 
respective employers were essential in the preparation of this 
document.
Chairman's comment: A number of individuals have made singularly 
outstanding contributions and personal sacrifices in support of the 
GASSP development. Their contributions have been instrumental to the 
success of this effort and are deeply appreciated. They are listed 
below alphabetically.
Vaune Rimkus Carr
Nigel Hickson
Charles Le Grand
Ross Leo
William Hugh Murray
Donn Parker
Ralph Spencer Poore
Ian Ross
Craig Schiller
Hal Tipton