Generally Accepted System Security Principles

1.0 Introduction

Information security is a combination of preventive, detective, and recovery measures. A preventive measure is a risk control that avoids or deters the occurrence of an undesirable event. Passwords, keycards, badges, contingency plans, policies, firewalls, and encryption are examples of preventive measures. A detective measure is a risk control that identifies the occurrence of an undesirable event. Visitor logs, audit trails, motion sensors, closed-circuit TV, and security reviews are examples of detective controls. Detective measures also provide a means for reporting the occurrence of events. A recovery measure is a risk control that restores the integrity, availability, and confidentiality of information assets to their expected state. Examples of recovery measures are fault tolerance, backup, and disaster recovery plans.

Information Security also includes education, awareness, and training measures that inform computer users of the "acceptable use" principles and practices that support the protection of information assets. The introduction of GASSP supports and strengthens these controls. These principles should be constructed to ensure that the information system reduces the possibility of a risk event and its impact.

1.2 Purpose

The GASSP Committee seeks to develop and maintain GASSP with guidance from information owners, information security practitioners, information technology product developers, and organizations having extensive experience in defining and stating the principles of information security.

1.3 Scope

The GASSP Committee seeks the creation, maintenance, monitoring of, and adherence to the GASSP for information security in the broadest context, on an international level, unifying and expanding upon existing authoritative sources.

1.4 Objectives

1.5 Background

In 1990, the USA National Research Council published Computers at Risk (CAR) [1], a landmark book that emphasized the urgent need for the nation to focus attention on information security. The GASSP document is a direct result of recommendation number one from the CAR report (see Appendix A for CAR recommendation details).

Recommendation 1 -- Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to originally as GSSP, that would provide a clear articulation of essential features, assurances, and practices.

The CAR report proposes the Generally Accepted Accounting Practices (GAAP) as a model for GASSP. It cites the Building Code and the Underwriter's Laboratory as examples of GASSP in other fields. It also recommends building on the experience captured by using the Trusted Computer System Evaluation Criteria (TCSEC), the Trusted Network Interpretation (TNI), and the Information Technology Security Evaluation Criteria (ITSEC) documents to create a broader set of criteria that will drive a more flexible process for evaluating single-vendor and conglomerate systems.

1.6 Definition of Key Terms

Generally Accepted

GASSP are conventional--that is, they become "generally accepted" by agreement (often tacit agreement) rather than formal derivation from a set of postulates or basic concepts. The principles have been developed on the basis of experience, reason, custom, usage, and, to a significant extent, practical necessity. The sources of established information security principles are generally the following:

The concept of generally accepted is to be distinguished from the concept of universally accepted. This distinction is made to address the case that all principles may have exceptions. For example, a library system may insist that the card catalog system have no accountability to preserve the privacy of the user. A process will be provided for use when it is deemed necessary to deviate from the published GASSP.

Generally Accepted System Security Principles (GASSP)

"Generally Accepted System Security Principles" incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.

GASSP relates to physical, technical and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus as to accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.


The term "information" applies to any storage, communication, or receipt of knowledge, such as fact, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any medium.

Information System

The term "information system" describes the organized collection, processing, transmission, and dissemination or information in accordance with defined procedures, whether automated or manual.

Information Security Principles

The term "information security principles" is used in its broadest context. It includes principles, standards, conventions and mechanisms. Three categories (pervasive, broad functional, and detailed) are used to collect, discuss, and organize security principles. The broad functional and detailed security principles are divided into principles for information security practitioners and information processing products.

GASSP will support information security professional certification, information security audit, and information technology product development from an information security perspective. GASSP will also provide authoritative guidance to the information security practitioners, enabling them to establish and maintain their credibility with management.


The term "system" is used as an umbrella term for the hardware, software, physical, administrative, and organizational issues that need to be considered when addressing the security of an organization's information resources. It implies that the GASSP address the broadest definition of information security. The term System is intended to be equivalent in scope of the terms Information Technology (IT), Automated Information System (AIS), Automated Data Processing Element (ADPE), etc.

Figure 1-1: Role of GASSP and Product Profiles in Relation to Information Systems Security Certification and the Body of Knowledge