2.0 Principles
Candidate principles are organized in a three-level hierarchy. The hierarchy comprises:
2.1 Pervasive Principles
The Pervasive Principles address the following properties of information:
The Pervasive Principles provide general guidance to establish and maintain the security of information. These principles form the basis of Broad Functional Principles and Detailed Principles. Security of information is achieved through the preservation of appropriate confidentiality, integrity, and availability. Confidentiality is the characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner. Integrity is the characteristic of information being accurate and complete and the information systems' preservation of accuracy and completeness. Availability is the characteristic of information and supporting information systems being accessible and usable on a timely basis in the required manner.
The Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Cooperation and Development (OECD). See Appendix B.
The OECD principles have been interpreted and extended using the Authoritative Foundation, a list of fundamental works on information security compiled by the GASSP Committee to support the development of GASSP. See Appendix C.
Each Pervasive Principle is presented in the following format:
2.1.1 Accountability Principle
Information security accountability and responsibility must be clearly defined and acknowledged.
Rationale:
Accountability characterizes the ability to audit the actions of all parties and processes which interact with information. Roles and responsibilities are clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be clearly defined, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.
Example:
Information assets should be controlled and monitored with an accompanying audit log to report any modification, addition, or deletion to the information assets. These logs should report the user or process which performed the actions.
2.1.2 Awareness Principle
All parties, including but not limited to information owners and information security practitioners, with a need to know should have access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information.
Rationale:
This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without user awareness of the necessity for particular controls, the users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.
Example:
The security mechanism of wearing identification badges is weakened if not exhaustively enforced. If unidentified individuals go unchallenged, vulnerability is introduced to the system.
If every user, authorized or unauthorized, is made aware of the organization's position on unauthorized use and its potential consequences, e.g., via a logon banner, some misuse can be avoided.
2.1.3 Ethics Principle
Information should be used, and the administration of information security should be executed, in an ethical manner.
Rationale:
Information systems pervade our societies and cultures. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.
Example:
Some organizations have developed a Code of Ethical Conduct that outlines for all employees a set of actions, behaviors, and conduct guidelines with respect to information security and information use. The code sets forth expectations for conduct that may not be illegal but may be contrary to an organization's policy or belief. Behavior outside the bounds of the code would be considered unethical.
2.1.4 Multidisciplinary Principle
Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.
Rationale:
Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.
Example:
When developing contingency plans, organizations can establish a contingency planning team of representatives from facilities management, technology management, and other functional areas in order to better identify the various expectations and viewpoints from across the organization and other recognized parties.
2.1.5 Proportionality Principle
Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of the information.
Rationale:
Security controls should be commensurate with the value of the information assets and the vulnerability. Consider the value, sensitivity and criticality of the information, and the probability, frequency and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.
Example:
Some organizations determine information security measures based on an examination of the risks, associated threats, vulnerabilities, loss exposure, and risk mitigation through cost/benefit analysis using a Risk Management Framework (see Figure 2: IT Security Risk Management Framework).
Other organizations implement information security measures based on a prudent assessment of "due care" (such as the use of reasonable safeguards based on the practices of similar organizations), resource limitations, and priorities.
Figure 2.1-1: IT Security Risk Management Framework
2.1.6 Integration Principle
Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale:
Many breaches of information security involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed and coordinated throughout the organization's system of controls and the life of the information.
Example:
Accounts and accesses may be properly controlled when the information owner selects the right type and level of access for users, informs system managers of which users need accounts, and promptly informs them of changes. If one control in the system of controls is compromised, other controls can provide a safety net to limit or prevent the loss.
2.1.7 Timeliness Principle
All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale:
Organizations should be capable of swift coordination and action to enable threat event prevention or mitigation. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat event reporting and handling. Access to threat event history could support effective response to threat events and may help to prevent future incidents.
Example:
An organization with access to timely threat and vulnerability information can make prompt decisions that will prevent or mitigate an incident. Expertise can be brought to bear on a problem, e.g., the introduction of a virus on an internal network, if it is rapidly reported to an organization's incident handling team.
2.1.8 Assessment Principle
The risks to information and information systems should be assessed periodically.
Rationale:
Information and the requirements for its security vary over time. Risks to the information; its value; and the probability, frequency, and severity of direct and indirect harm/loss should undergo periodic assessment. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated here in the GASSP, and the risk associated with such variances. Periodic assessment enables accountable parties to make informed, information risk management decisions whether to accept, mitigate, or transfer the identified risks with due consideration of cost effectiveness.
Example:
Listed below are events that may trigger the need for a security assessment:
2.1.9 Equity Principle
Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale:
Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
Example:
Individual privacy should be protected. A system administrator may need access to private information for problem diagnosis and resolution only.
2.2 Broad Functional Principles
The Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP) that represent the conceptual goals of information security. By providing the guidance for operational accomplishment of the Pervasive Principles, the Broad Functional Principles are the building blocks (what to do) that comprise the Pervasive Principles and allow definition of the basic units of those principles. Because the Broad Functional Principles are smaller in scope, they are easier to address in terms of implementation planning and execution.
The following matrix presents the relationship of Broad Functional Principles to Pervasive Principles:
|        | PP-1 | PP-2 | PP-3 | PP-4 | PP-5 | PP-6 | PP-7 | PP-8 | PP-9 |
|--------|------|------|------|------|------|------|------|------|------|
| BFP-1  | X    | X    | X    | X    | X    | X    | X    | X    | X    |
| BFP-2  | X    | X    | X    | X    |      |      |      |      | X    |
| BFP-3  | X    | X    | X    | X    |      |      |      |      | X    |
| BFP-4  | X    | X    |      | X    |      |      |      | X    |      |
| BFP-5  | X    | X    | X    | X    | X    |      |      | X    |      |
| BFP-6  | X    | X    |      | X    |      |      |      |      | X    |
| BFP-7  | X    |      |      | X    | X    | X    | X    | X    |      |
| BFP-8  | X    |      |      | X    | X    | X    | X    | X    |      |
| BFP-9  | X    |      |      | X    | X    | X    | X    | X    |      |
| BFP-10 | X    |      |      | X    | X    | X    |      | X    |      |
| BFP-11 | X    | X    |      | X    | X    | X    | X    | X    |      |
| BFP-12 | X    |      |      | X    | X    |      | X    | X    |      |
| BFP-13 | X    | X    | X    | X    |      |      |      |      | X    |
| BFP-14 |      | X    | X    | X    |      |      |      |      | X    |
Figure 2.2-1: Cross-Impact Matrix Relating BFPs to PPs.
Each Broad Functional Principle is presented in the following manner:
(Reference(s) to relevant "Control Objectives" from ISACA's CoBIT, IIA's SAC, the EU's BS-7799, OECD's Information Security Principles, and other sources of safeguard guidance found in the GASSP Committee Foundation Document List (Appendix C).)
2.2.1 Information Security Policy
Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.
Rationale:
In order to assure that information assets are effectively and uniformly secured consistent with their value and associated risk factors, management must clearly articulate its security strategy and associated expectations. In the absence of this clarity, some resources will be under-secured - that is, ineffective; other resources will be over-secured - that is, inefficient.
It is essential that organizations establish, maintain, and promulgate a clearly articulated hierarchy of policies and supporting standards, baselines, procedures, and guidelines, including lines of authority and responsibility, that address the security of the information assets - and supporting Information Technology resources - the organization owns or for which it is responsible. These policies should reflect the information assets' owner's mission statement as well as the value of the confidentiality, availability, and integrity of the information assets to the owner and other relevant parties. The policies must also reflect changes in the organizational mission statement as well as technology advances and other changes that could, if unrecognized or unaddressed, compromise the security of the information.