Generally Accepted System Security Principles

1.0 Introduction

Information security is a combination of preventive, detective, and recovery measures. A preventive measure is a risk control that avoids or deters the occurrence of an undesirable event. Passwords, keycards, badges, contingency plans, policies, firewalls, and encryption are examples of preventive measures. A detective measure is a risk control that identifies the occurrence of an undesirable event. Visitor logs, audit trails, motion sensors, closed-circuit TV, and security reviews are examples of detective controls. Detective measures also provide a means for reporting the occurrence of events. A recovery measure is a risk control that restores the integrity, availability, and confidentiality of information assets to their expected state. Examples of recovery measures are fault tolerance, backup, and disaster recovery plans.

Information Security also includes education, awareness, and training measures that inform computer users of the "acceptable use" principles and practices that support the protection of information assets. The introduction of GASSP supports and strengthens these controls. These principles should be constructed to ensure that the information system reduces the possibility of a risk event and its impact.

1.2 Purpose

The GASSP Committee seeks to develop and maintain GASSP with guidance from information owners, information security practitioners, information technology product developers, and organizations having extensive experience in defining and stating the principles of information security.

1.3 Scope

The GASSP Committee seeks the creation, maintenance, and monitoring of, and adherence to, the GASSP for information security in the broadest context, on an international level, unifying and expanding upon existing authoritative sources.

1.4 Objectives

1.5 Background

In 1990, the USA National Research Council published Computers at Risk (CAR) [1], a landmark book that emphasized the urgent need for the nation to focus attention on information security. The GASSP document is a direct result of recommendation number one from the CAR report (see Appendix A for CAR recommendation details).

Recommendation 1 -- Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to originally as GSSP, that would provide a clear articulation of essential features, assurances, and practices.

The CAR report proposes the Generally Accepted Accounting Practices (GAAP) as a model for GASSP. It cites the Building Code and the Underwriter's Laboratory as examples of GASSP in other fields. It also recommends building on the experience captured by using the Trusted Computer System Evaluation Criteria (TCSEC), the Trusted Network Interpretation (TNI), and the Information Technology Security Evaluation Criteria (ITSEC) documents to create a broader set of criteria that will drive a more flexible process for evaluating single-vendor and conglomerate systems.

1.6 Definition of Key Terms

Generally Accepted

GASSP are conventional--that is, they become "generally accepted" by agreement (often tacit agreement) rather than formal derivation from a set of postulates or basic concepts. The principles have been developed on the basis of experience, reason, custom, usage, and, to a significant extent, practical necessity. The sources of established information security principles are generally the following:

The concept of generally accepted is to be distinguished from the concept of universally accepted. This distinction is made to acknowledge that any principle may have exceptions. For example, a library system may insist that the card catalog system have no accountability, in order to preserve the privacy of the user. A process will be provided for use when it is deemed necessary to deviate from the published GASSP.

Generally Accepted System Security Principles (GASSP)

"Generally Accepted System Security Principles" incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.

GASSP relates to physical, technical and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus as to accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.

Information

The term "information" applies to any storage, communication, or receipt of knowledge, such as fact, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any medium.

Information System

The term "information system" describes the organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual.

Information Security Principles

The term "information security principles" is used in its broadest context. It includes principles, standards, conventions and mechanisms. Three categories (pervasive, broad functional, and detailed) are used to collect, discuss, and organize security principles. The broad functional and detailed security principles are divided into principles for information security practitioners and information processing products.

GASSP will support information security professional certification, information security audit, and information technology product development from an information security perspective. GASSP will also provide authoritative guidance to the information security practitioners, enabling them to establish and maintain their credibility with management.

System

The term "system" is used as an umbrella term for the hardware, software, physical, administrative, and organizational issues that need to be considered when addressing the security of an organization's information resources. It implies that the GASSP address the broadest definition of information security. The term System is intended to be equivalent in scope to the terms Information Technology (IT), Automated Information System (AIS), Automated Data Processing Element (ADPE), etc.

Figure 1-1: Role of GASSP and Product Profiles in Relation to Information Systems Security Certification and the Body of Knowledge