Generally Accepted System Security Principles
by Dr. Greg Miles - 2/15/00
Alright, no feedback from last month, so here goes another one. I cheated a little. This is a couple of pages from my dissertation.
Just some facts.
Generally Accepted System Security Principles
The Information Systems Security Association (ISSA) developed a set of Generally Accepted System Security Principles (GSSP) for
implementing information protection. The 17 GSSPs are as follows:
P1 Accountability Principle - Information system security accountability and responsibility should be explicit.
P2 Awareness Principle - Owners, providers, and users of information systems and other parties should be informed about (or readily
be able to gain appropriate knowledge of) the existence and general extent of measures, practices, procedures, and institutions for
the security of information systems.
P3 Ethics Principle - Information systems and the security of information systems should be provided and used in accordance with the
information security professionals' Code of Ethical Conduct.
P4 Multidisciplinary Principle - Measures, practices, and procedures for the security of information systems should address all
relevant considerations and viewpoints, including technical (e.g., software and system engineering), administrative, organizational,
operational, commercial, educational, and legal.
P5 Proportionality Principle - Security levels, costs, measures, practices, and procedures should be appropriate and proportionate
to the value of and degree of reliance on the information systems and to the severity, probability, and extent of the potential for
direct and indirect harm. The principle also applies to the level of management support necessary for a successful security program.
P6 Integration Principle - Measures, practices, and procedures for the security of information systems should be coordinated and
integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system
of security.
P7 Timeliness Principle - Public and private parties, at both national and international levels, should act in a timely coordinated
manner to prevent and to respond to breaches of the security of information systems.
P8 Reassessment Principle - The security of information systems should be reassessed periodically.
P9 Democracy Principle - The security of an information system should be weighed against the rights of users and other individuals
affected by the system.
P10 Certification and Accreditation Principle - Information systems and information security professionals should be certified to be
technically competent and management should approve them for operations.
P11 Internal Control Principle - Information security forms the core of an organization's information internal control system.
P12 Adversary Principle - Controls, security strategies, architectures, policies, standards, procedures, and guidelines should be
developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries with harmful intent or
harm from negligent or accidental actions.
P13 Least Privilege Principle - An individual should be granted enough privilege to accomplish assigned tasks, but no more. This
principle should be applied in direct proportion and with increased rigor as the potential for damage to a system rises. For example,
on general-purpose systems, users may be divided into only two groups, a small group of privileged users to perform system
administration and security and a larger group of normal users. On mission-critical systems, the system may be segmented into small
groups, each with a well-defined role and access to group-specific data and capabilities.
P14 Separation of Duty Principle - Responsibilities and privileges should be allocated in such a way that prevents an individual or
a small group of collaborating individuals from inappropriately controlling multiple key aspects of a process and causing
unacceptable harm or loss.
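As an added example that is not part of the article or of the GSSP text, the following Python models P13 and P14 together in working code: every hypothetical role is granted only the (action, resource) pairs its task needs, access is denied by default, and a payment process refuses to let the same person both request and approve a payment. It goes one step beyond P14's wording by covering the case where a single user legitimately holds both the requester and approver roles; the check must still be enforced per transaction. All user, role and resource names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised when a request exceeds a user's privilege or breaks separation of duty."""


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # (action, resource) pairs this role may perform


# Least privilege (P13): each role carries only the (action, resource) pairs its
# task needs. Hypothetical roles for the example: the sysadmin manages the system
# but has no access to business data; auditors read but never write; payroll
# staff touch payroll data only.
ROLES = {
    "sysadmin": Role("sysadmin", frozenset({("manage", "system")})),
    "payroll": Role("payroll", frozenset({("read", "payroll"), ("write", "payroll")})),
    "auditor": Role("auditor", frozenset({("read", "payroll"), ("read", "ledger")})),
    "requester": Role("requester", frozenset({("request", "payment")})),
    "approver": Role("approver", frozenset({("approve", "payment")})),
}

# Hypothetical user-to-group assignment, constructed for the example.
USER_ROLES = {
    "alice": {"payroll", "requester"},
    "bob": {"approver"},
    "carol": {"auditor"},
    "dave": {"sysadmin"},
    "erin": {"requester", "approver"},  # holds both roles: SoD must still apply
}


def permitted(user: str, action: str, resource: str) -> bool:
    """Deny by default: allow only if one of the user's roles grants the pair."""
    return any((action, resource) in ROLES[r].permissions
               for r in USER_ROLES.get(user, ()))


def require(user: str, action: str, resource: str) -> None:
    if not permitted(user, action, resource):
        raise AuthorizationError(f"{user} may not {action} {resource}")


@dataclass
class Payment:
    amount: int
    requested_by: str
    approved_by: Optional[str] = None


class PaymentProcess:
    """Separation of duty (P14): the person who requests a payment may never be
    the person who approves it, even when they legitimately hold both roles."""

    def __init__(self) -> None:
        self.payments: list = []

    def request(self, user: str, amount: int) -> Payment:
        require(user, "request", "payment")
        payment = Payment(amount, user)
        self.payments.append(payment)
        return payment

    def approve(self, user: str, payment: Payment) -> Payment:
        require(user, "approve", "payment")
        if user == payment.requested_by:
            raise AuthorizationError(f"{user} cannot approve a payment they requested")
        payment.approved_by = user
        return payment


def run_demo() -> dict:
    """Exercise both principles and return the outcomes for inspection."""
    results = {}
    results["auditor_reads_payroll"] = permitted("carol", "read", "payroll")    # True
    results["auditor_writes_payroll"] = permitted("carol", "write", "payroll")  # False
    results["sysadmin_reads_payroll"] = permitted("dave", "read", "payroll")    # False
    process = PaymentProcess()
    first = process.request("alice", 5000)
    results["two_person_approval"] = process.approve("bob", first).approved_by  # "bob"
    second = process.request("erin", 9000)
    try:
        process.approve("erin", second)
        results["self_approval_blocked"] = False
    except AuthorizationError:
        results["self_approval_blocked"] = True                                # True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the two checks being separate is that role membership alone cannot express P14: erin is entitled to request and entitled to approve, so a pure permission lookup would let her approve her own payment. The separation-of-duty rule has to be enforced on the transaction, by comparing the approver against the recorded requester, which is why the process object keeps that history rather than trusting the caller.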
P15 Continuity Principle - Information security professionals should identify their organization's needs for continuity of
operations and should prepare the organization and its information systems accordingly.
P16 Simplicity Principle - Information security professionals should favor small and simple safeguards over large and complex
safeguards.
P17 Policy Centered Security Principle - Policies, standards, and procedures should be established to serve as a basis for
management planning, control, and evaluation of information security activities. (p. 30-34)
It is suggested that if information protection professionals adhere to the GSSP principles and systems comply with standards,
then the overall information environment will be more secure.
(Source of information: Cooper, F., Goggans, C., Halvey, J., Hughes, L., Morgan, L., Siyan, K., Stallings, W., & Stephenson, P. (1995). Implementing Internet Security. Indianapolis, IN: New Riders Publishing.)