
Generally Accepted System Security Principles

Release for Public Comment

Ralph Spencer Poore

The Generally Accepted System Security Principles (GASSP) Committee has approved this release of the GASSP for public comment. The introductory materials and the sections through and including Section 2.1, Pervasive Principles, are included for the reader's information only. Pervasive Principles have previously had a public comment period. The GASSPC asks the profession to review and comment on Section 2.2, Broad Functional Principles (the majority of the document). Section 2.3, Detailed Security Principles, remains a work in progress that will be built on the Broad Functional Principles. We welcome your comments on all aspects of the document; however, we ask that you concentrate on substantive matters rather than editorial.

The Chairman asks that we provide special recognition to all those persons and organizations that have contributed to the GASSP effort to date. In addition, he cites the following individuals and organizations for their exceptional contributions: Craig Schiller, who drafted the first strawman in a Herculean original effort; the Computer Security Institute (CSI), which has consistently provided the GASSPC with solid support; the Massachusetts Institute of Technology (MIT), which has provided the GASSPC with a Web site; Charlie LeGrande and the Institute for Internal Auditors (IIA) for the same reason; as well as William H. Murray, Ian Ross, Hal Tipton, Ross Leo, and Ralph Poore. These organizations and individuals made major contributions, often at significant personal sacrifice.

Please address your comments to Ralph Spencer Poore at rspoore@ralph-s-poore.com with a copy to Will Ozier, Chairman, GASSPC, at wozier@pacbell.net. The public comment period will end 90 days after publication.

© Copyright 1996, 1997, 1998, 1999 by International Information Security Foundation; published with permission, all rights reserved.


Generally Accepted System Security Principles

The International Information Security Foundation (I2SF)-Sponsored Committee to Develop and Promulgate Generally Accepted System Security Principles

BACKGROUND

Formation of the I2SF-sponsored GASSP Committee (GASSPC) began in mid-1992 in response to Recommendation #1 of the report Computers at Risk (CAR), published by the United States of America's National Research Council in 1990. That recommendation, "To Promulgate Comprehensive Generally Accepted System Security Principles," and its subordinate elements sparked the genesis of a concerted effort to establish a well-balanced committee population representing key elements of the private and public sectors from both the United States and abroad.

Both administrative and product-related principles are being addressed, individual and organizational privacy rights are being addressed, and, to consolidate all the elements of a rapidly evolving industry, alliances are being established to the International Information Systems Security Certification Consortium (ISC)2, the international Common Criteria effort to develop information technology product-related information security principles, and other organizations having an interest in the security of information and associated principles.

To consolidate and sustain the value of comprehensive GASSP effectively, the CAR recommendation envisions the creation of an authoritative infrastructure to maintain the GASSP, support their evolution, enforce "compliance," and provide a vehicle for the authoritative approval of reasonably founded exceptions or departures from GASSP. This authoritative infrastructure would be modeled after those that support and sustain the Generally Accepted Accounting Principles (GAAP) and like models of the international accounting profession.

The GASSP Committee kickoff meeting was held in the United States at the 1992 National Computer Security Conference in Baltimore, Maryland, and was attended by 25 leading information security experts from the United States, Canada, the United Kingdom, France, Germany, the Netherlands, Sweden, and the European Commission (EC). Many differing perspectives and agendas were discussed in an open exchange, but at the close of the meeting, it was the consensus that the objectives were important, necessary, and, perhaps most significant, achievable.


BENEFITS

The GASSP will promote good practice.

The GASSP will provide the authoritative point of reference and legal reference for information security principles, practices, and opinions.

Good information security practice will increase the effectiveness and efficiency of business, promote trade and commerce, and improve productivity.

Good information security practice will help preserve the necessary public trust in the ability to leverage modern information technology while avoiding unintended consequences. This trust is necessary for the effective use of the technology.

The GASSP will improve the effectiveness and the efficiency of the information technology security functions and practitioners by promoting the best practice and reducing duplication of creative effort.

Global harmonization of information security principles will serve to minimize artificial barriers to the appropriately free flow of information that can result from conflicting standards and controls.

Information security professionals are practitioners certified and self-policed against a Common Body of Knowledge (CBK) maintained through coordination between the GASSP infrastructure and (ISC)2. Thus, a globally known skill set will be assured.

Management will have increased confidence that information security practitioners' decisions are in concert with GASSP.

Industry and government will be motivated to support GASSP, recognizing the broad efficiency achievable through the recognition of globally accepted GASSP.

Management worldwide will hold functional information security to the same set of rules.

Vendors will be able to develop products with global conformance, rather than meeting variable local guidance, thus reducing both development and end-use costs.

Vendor products conforming to GASSP will enjoy increased customer confidence, trust, and acceptance.

APPROACH

Rather than another ad hoc effort, the GASSPC decided to establish an Authoritative Foundation of existing works that, through their broad acceptance, have articulated, in one way or another, the GASSP of the information security profession. Recognizing the hierarchic nature of principles, it was determined to use the Organization for Economic Cooperation and Development (OECD) Information Security Principles, with their international acceptance, as the model for the foundation of the GASSP hierarchy, the Pervasive Principles, and, through a careful analysis and mapping of the Authoritative Foundation and derivative works, to develop Broad Functional Principles, as accepted and supported by consensus of the IT industry and profession. Finally the GASSPC will develop Detailed Principles, including "how to" guidance.

The development of a consensus-building process is central to the success of this approach. Other key tasks include the establishment of linkages to the Common Criteria and the (ISC)2-sponsored CISSP designation.

Finally, two essential elements, which will be evolutionary in nature, are to be developed. The first is the definition and establishment of an authoritative infrastructure, or governing body. This effort has been initiated. Second is the development of models for legislative/regulatory initiatives that have the support of the profession, industry, and government. Their purpose will be to establish the "glue" that effectively binds the consolidation of these complex issues internationally.

OBJECTIVES

The international harmonization of culturally neutral information security.

The elimination of artificial barriers to the free flow of information worldwide.

The definition and implementation of a principled foundation for an industry, the success of which is critical to the future of the Information Age and its ramifications for privacy and security.

Information Systems Security, Fall 1999

Provision for the rapidly evolving nature of information security methods, issues, and technology, and their articulation in principle.

Recognition and correlation to related management issues.

CURRENT STATUS

[Note: This section articulates current project status. In the final document, this section will be replaced with a development history.]

The National Performance Review (NPR) Task Force, formed by the Vice President of the United States of America, has recommended that the National Institute of Standards and Technology (NIST), with advice from the National Security Agency (NSA) and the Office of Management and Budget (OMB), develop GASSP for the federal government. The GASSPC has drafted strategic project plans to secure funds that will enable the GASSPC to accelerate its efforts and develop GASSP that NIST, in turn, can adapt in response to its NPR task. It is essential now to secure funding and "in kind" support, identify a fund administrator, and support the working GASSP project team as appropriate.

The GASSP Pervasive Principles, based on the OECD principles, have been developed, based on comments received and addressed to the GASSPC-approved Exposure Drafts, 1.0 and 2.0, which were published for comment and widely circulated. Work has begun on defining and mapping the GASSP Broad Functional Principles. A fully articulated outreach and awareness program is also under way.

Core tasks of the GASSP Project and their status are as follows:

Define and execute the outreach and awareness program (ongoing).

Research and complete the GASSPC Foundation Documents List (ongoing).

Develop and approve the framework for the GASSP (completed).

Map the GASSPC Foundation Documents List of related authoritative works (ongoing).

Survey the industry to ascertain outside interest/support (ongoing).

Define/establish liaison with the International Information Systems Security Certification Consortium (ISC)2 (completed).

Define and approve the Consensus Process I (Internal-GASSPC) and II (External) (completed).

Develop Exposure Draft 1.0 of the GASSP Pervasive Principles, approve, and release for public comment (completed).

Address public comment to GASSP Pervasive Principles ED 1.0, approve, and release as GASSP Pervasive Principles Version 1.0 for public comment (completed).

Address public comment to GASSP Version 2.0, submit to the GASSPC for final review and comment, and release, without GASSPC voting member objection, as GASSP Version 2.0 (in process).

Extract and define GASSP Broad Functional Principles from the GASSPC Foundation Document List and map to Pervasive Principles (completed).

Execute the Consensus Process on GASSP Broad Functional Principles (completed).

Plan development of GASSP Detailed Principles (pending).

Execute development of GASSP Detailed Principles (pending).

Define/establish liaison with the Common Criteria Project (pending).

Define, approve, and establish the GASSPC governing infrastructure, the International Information Security Foundation (I2SF) (initiated).

Fund and populate the I2SF (pending).

THE GASSP INTERNATIONAL COMMITTEE MEMBERS

Belgium
■ David Herson — European Commission, information only

Canada
■ Peter Davis — Peter Davis & Associates, voting member
■ Peter Kingston — The Kingston Group, voting member and liaison for Canadian Information Processing Society (CIPS)


■ Ian Ross — Communications Security Establishment, voting member

France
■ Yvon Klein — Centre National d'Etudes Spatiales, voting member

Germany
■ Ulrich van Essen — Bundesamt für Sicherheit in der Informationstechnik, voting member

Japan
■ Haruki Tabuchi — Fujitsu Limited, voting member
■ Junji Tezuka — JEIDA, observer

Mexico
■ Miguel Alvarado — CONSI Group, voting member
■ Ana Dominguez — Cabletron, voting member

Netherlands
■ Fritz Taal — National Communications Security Agency, voting member

Sweden
■ Mats Ohlin — Defense Materiel Administration, voting member

United Kingdom
■ Nigel Hickson — Department of Trade and Industry, voting member

United States
■ Jim Appleyard — IBM Corporation, voting member and liaison for SHARE
■ Tom Austin — IBG Corporation, voting member
■ Laura Brown — Ernst & Young LLP, voting member
■ Stephen A. Carlton — Security Analysts Incorporated, voting member and liaison for the Standing Committee for the Safeguarding of Proprietary Information of ASIS
■ Cris R. Castro — Ernst & Young LLP, voting member
■ Lawrence Champion — voting member and liaison for the Computer Security Committee of ASIS
■ Ken Cutler — Information Security Institute, observer
■ Jim Flyzik — Department of the Treasury, information only
■ Brian Kahin — Office of Science and Technology Policy, information only
■ John Kinyon — Motorola Incorporated, observer
■ Charles Le Grand — The Institute of Internal Auditors, voting member and liaison for IIA
■ Ross Leo — Dynegy, Inc., voting member
■ Landa McLain — PricewaterhouseCoopers LLP, observer
■ William Hugh Murray — Deloitte & Touche LLP, voting member
■ Peter G. Neumann — SRI International, information only
■ Christopher Nichols — Ernst & Young LLP, voting member
■ Kristen Noakes-Fry — Noakes-Fry Associates, voting member
■ Thomas J. Orlowski — National Association of Manufacturers, voting member and liaison for NAM
■ Will Ozier — OPA, Inc.–The Integrated Risk Management Group, chair and voting member
■ Donn Parker — SRI International, voting member
■ Chuck Perkins — PricewaterhouseCoopers LLP, voting member
■ Ralph S. Poore — Ernst & Young LLP, voting member
■ Jeffrey Reich — Dell Computer Corporation, voting member
■ Craig Schiller — SAIC, voting member
■ Hal Tipton — HFT & Associates, voting member
■ Fred Tompkins — National Computer Security Association, voting member
■ Dan White — Ernst & Young LLP (formerly), voting member
■ Lauren Wood — AlliedSignal, voting member and liaison for the International Standards Organization (ISO)

Generally Accepted System Security Principles (GASSP)
Version 2.0
June 1999

The International Information Security Foundation (I2SF)-Sponsored Committee to Develop and Promulgate Generally Accepted System Security Principles

ACKNOWLEDGMENTS

Special thanks are due to the GASSP Committee, to organizations that established liaisons with the GASSP Committee, and to the various organizations that employ the GASSP Committee members for their contributions, comments, and support in this voluntary endeavor. The effort of the GASSP Committee and the support of their respective employers were essential in the preparation of this document.

1.0 INTRODUCTION

Information security is a combination of preventive, detective, and recovery measures. A preventive measure is a risk control that avoids or deters the occurrence of an undesirable event. Passwords, keycards, badges, contingency plans, policies, firewalls, and encryption are examples of preventive measures. A detective measure is a risk control that identifies the occurrence of an undesirable event. Visitor logs, audit trails, motion sensors, closed-circuit TV, and security reviews are examples of detective controls. Detective measures also provide a means for reporting the occurrence of events. A recovery measure is a risk control that restores the integrity, availability, and confidentiality of information assets to their expected state. Examples of recovery measures are fault tolerance, backup, and disaster recovery plans.

Information security also includes education, awareness, and training measures that inform computer users of the "acceptable use" principles and practices that support the protection of information assets. The introduction of GASSP supports and strengthens these controls. These principles should be constructed to ensure that the information system reduces the possibility of a risk event and its impact.

1.1 PURPOSE

The GASSP Committee seeks to develop and maintain GASSP with guidance from information owners, information security practitioners, information technology product developers, and organizations having extensive experience in defining and stating the principles of information security.



1.2 SCOPE

The GASSP Committee seeks the creation, maintenance, monitoring of, and adherence to the GASSP for information security in the broadest context, on an international level, unifying and expanding upon existing authoritative sources.

1.3 OBJECTIVES

■ Identify and develop Pervasive, Broad Functional, and Detailed GASSP and protection profiles in a comprehensive framework of emergent principles, standards, conventions, and mechanisms that will preserve the availability, confidentiality, and integrity of information.
■ Be an authoritative source for opinions, practices, and principles for information owners, information security practitioners, information technology products, and information systems.
■ Define, implement, and subsequently operate under the governing GASSP infrastructure.
■ Define and establish linkage to the Common Criteria Project.
■ Maintain close liaison and coordination with other international authoritative bodies that have developed related works, to establish and maintain GASSP based on these efforts.
■ Define and establish liaison with bodies responsible for certifying professionals to encourage convergence.
■ Promote broad awareness of information security and GASSP.
■ GASSP will address management, user, and other interested parties' concerns at all levels to gain the broadest acceptance.

1.4 BACKGROUND

In 1990, the U.S. National Research Council published Computers at Risk (CAR),[1] a landmark book that emphasized the urgent need for the nation to focus attention on information security. The GASSP document is a direct result of recommendation number one from the CAR report (see Appendix A for CAR recommendation details).

Recommendation 1 — Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to originally as GSSP, that would provide a clear articulation of essential features, assurances, and practices.

The CAR report proposes the Generally Accepted Accounting Principles (GAAP) as a model for GASSP. It cites the Building Code and the Underwriters Laboratory as examples of GASSP in other fields. It also recommends building on the experience captured by using the Trusted Computer System Evaluation Criteria (TCSEC), the Trusted Network Interpretation (TNI), and the Information Technology Security Evaluation Criteria (ITSEC) documents to create a broader set of criteria that will drive a more flexible process for evaluating single-vendor and conglomerate systems.

1.5 DEFINITION OF KEY TERMS

Generally Accepted

GASSP are conventional — that is, they become generally accepted by agreement (often tacit agreement) rather than by formal derivation from a set of postulates or basic concepts. The principles have been developed on the basis of experience, reason, custom, usage, and, to a significant extent, practical necessity. The sources of established information security principles are generally the following:

■ Pronouncements of an authoritative body (to be established), as appropriate, to establish information security principles.
■ Pronouncements of bodies composed of expert information security practitioners that follow a due process procedure, including broad distribution of proposed information security principles for public comment, for the intended purpose of establishing information security principles or describing existing practices that are generally accepted. This includes information security audit guides and statements of position.


■ Practices or pronouncements that are generally accepted because they represent prevalent practice in a particular industry or the knowledgeable application to specific circumstance of pronouncements. This includes interpretations and practices that are widely recognized and prevalent in the industry.
■ Other information security literature, including pronouncements of other professional associations or regulatory agencies and information security textbooks and articles.

The concept of generally accepted is to be distinguished from the concept of universally accepted. This distinction is made to address the case that all principles may have exceptions. For example, a library system may insist that the card catalog system have no accountability, to preserve the privacy of the user. A process will be provided for use when it is deemed necessary to deviate from the published GASSP.

Generally Accepted System Security Principles (GASSP)

Generally Accepted System Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.

GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee, followed by international IT community review.

Information

The term information applies to any storage, communication, or receipt of knowledge, such as fact, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any medium.

Information System

The term information system describes the organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual.

Information Security Principles

The term information security principles is used in its broadest context. It includes principles, standards, conventions, and mechanisms. Three categories (pervasive, broad functional, and detailed) are used to collect, discuss, and organize security principles. The broad functional and detailed security principles are divided into principles for information security practitioners and information processing products.

GASSP will support information security professional certification, information security audit, and information technology product development from an information security perspective. GASSP will also provide authoritative guidance to the information security practitioners, enabling them to establish and maintain their credibility with management.

System

The term system is used as an umbrella term for the hardware, software, physical, administrative, and organizational issues that need to be considered when addressing the security of an organization's information resources (see Exhibit 1). It implies that the GASSP address the broadest definition of information security. The term system is intended to be equivalent in scope to the terms information technology (IT), automated information system (AIS), automated data processing element (ADPE), etc.


2.0 PRINCIPLES

Candidate principles are organized in a three-level hierarchy. The hierarchy comprises:

■ Pervasive Principles — few in number, fundamental in nature, and rarely changing.
■ Broad Functional Principles — subordinate to one or more of the Pervasive Principles, are more numerous and specific, guide the development of more Detailed Principles, and change only when reflecting major developments in technology or other affecting issues.
■ Detailed Principles — subordinate to one or more of the Broad Functional Principles, numerous, specific, emergent, and changing frequently as technology and other affecting issues evolve.

2.1 PERVASIVE PRINCIPLES

The Pervasive Principles address the following properties of information:

■ Confidentiality
■ Integrity
■ Availability

The Pervasive Principles provide general guidance to establish and maintain the security of information. These principles form the basis of Broad Functional Principles and Detailed Principles. Security of information is achieved through the preservation of appropriate confidentiality, integrity, and availability. Confidentiality is the characteristic of information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner. Integrity is the characteristic of information being accurate and complete and the information systems' preservation of accuracy and completeness. Availability is the characteristic of information and supporting information systems being accessible and usable on a timely basis in the required manner.

The Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information, Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Cooperation and Development (OECD).[2] See Appendix B.

EXHIBIT 1 Role of GASSP and Product Profiles in Relation to Information Systems Security Certification and the Body of Knowledge


The OECD principles have been interpreted and extended using the Authoritative Foundation, a list of fundamental works on information security compiled by the GASSP Committee to support the development of GASSP. See Appendix C.

Each Pervasive Principle is presented in the following format:

■ GASSP Statement
■ Rationale
■ Example

2.1.1 Accountability Principle

Information security accountability and responsibility must be clearly defined and acknowledged.

Rationale. Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities are clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship among all parties, processes, and information must be clearly defined, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

Example. Information assets should be controlled and monitored with an accompanying audit log to report any modification, addition, or deletion to the information assets. These logs should report the user or process that performed the actions.
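The example above states the control in prose only. The Python program below is an added illustration, not part of the GASSP document: a small asset store that refuses any addition, modification, or deletion that is not attributed to a named user or process, records every accepted action in an audit log, and answers the accountability question "what did this actor do?" Hash-chaining the log entries so that a rewritten or dropped entry is detectable goes beyond what the GASSP text asks for and is an assumption of this example; the actor and asset names are constructed sample data.

```python
"""Added example for the Accountability Principle: every mutation of an
information asset is attributed to an actor (user or process) and recorded
in an audit log. The hash chain over the log is this example's addition,
not a GASSP requirement; names and assets are constructed sample data."""

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str        # user or process that performed the action
    action: str       # "add", "modify" or "delete"
    asset: str
    prev_hash: str    # entry_hash of the preceding entry (chain link)
    entry_hash: str   # SHA-256 over this entry's fields and prev_hash


def _digest(seq, actor, action, asset, prev_hash):
    payload = json.dumps([seq, actor, action, asset, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditedStore:
    """Key/value store in which no mutation happens without an actor."""

    GENESIS = "0" * 64

    def __init__(self):
        self._assets = {}
        self.log = []

    def _record(self, actor, action, asset):
        # Refuse unattributed actions before any state changes.
        if not actor:
            raise ValueError("unattributed action refused: actor is required")
        seq = len(self.log)
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        h = _digest(seq, actor, action, asset, prev)
        self.log.append(AuditEntry(seq, actor, action, asset, prev, h))

    def put(self, actor, asset, value):
        action = "modify" if asset in self._assets else "add"
        self._record(actor, action, asset)   # log first, then mutate
        self._assets[asset] = value

    def delete(self, actor, asset):
        if asset not in self._assets:
            raise KeyError(asset)
        self._record(actor, "delete", asset)
        del self._assets[asset]

    def get(self, asset):
        return self._assets.get(asset)


def verify_log(log):
    """Return (ok, first_bad_seq): recompute every hash and check chain links."""
    prev = AuditedStore.GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != prev:
            return False, i
        if _digest(e.seq, e.actor, e.action, e.asset, e.prev_hash) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, None


def actions_by(log, actor):
    """Accountability query: everything a given actor did, in order."""
    return [(e.action, e.asset) for e in log if e.actor == actor]


def demo():
    """Constructed scenario: four attributed actions, then one forged entry."""
    store = AuditedStore()
    store.put("alice", "payroll.csv", "v1")          # add by a user
    store.put("batch-job-17", "payroll.csv", "v2")   # modify by a process
    store.put("bob", "roster.txt", "names")
    store.delete("alice", "roster.txt")
    ok, _ = verify_log(store.log)
    # Tamper: re-attribute entry 1 to a different actor without re-hashing.
    tampered = list(store.log)
    e = tampered[1]
    tampered[1] = AuditEntry(e.seq, "mallory", e.action, e.asset,
                             e.prev_hash, e.entry_hash)
    tampered_ok, bad = verify_log(tampered)
    return ok, tampered_ok, bad


if __name__ == "__main__":
    print(demo())
```

Running the module prints (True, False, 1): the genuine log verifies, and the forged entry is reported at sequence number 1. The point of checking the actor before mutating state is that an unattributed change never reaches the asset at all, which is what "held accountable" has to mean in code.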

2.1.2 Awareness Principle

All parties, including but not limited to information owners and information security practitioners, with a need to know should have access to applied or available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information.

Rationale. This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without user awareness of the necessity for particular controls, the users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

Example. The security mechanism of wearing identification badges is weakened if not exhaustively enforced. If unidentified individuals go unchallenged, vulnerability is introduced to the system.

If every user, authorized or unauthorized, is made aware of the organization's position on unauthorized use and its potential consequences, e.g., via a logon banner, some misuse can be avoided.

2.1.3 Ethics Principle

Information should be used, and the administration of information security should be executed, in an ethical manner.

Rationale. Information systems pervade societies and cultures. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

Example. Some organizations have developed a Code of Ethical Conduct that outlines for all employees a set of actions, behaviors, and conduct guidelines with respect to information security and information use. The code sets forth expectations for conduct that may not be illegal but may be contrary to an organization's policy or belief. Behavior outside the bounds of the code would be considered unethical.

Page 11: Generally Accepted System Security Principles (GASSP)
GENERALLY ACCEPTED SYSTEM SECURITY PRINCIPLES
FALL 1999
37

2.1.4 Multidisciplinary Principle
Principles, standards, conventions, and mechanisms for the security of information and information systems should address the considerations and viewpoints of all interested parties.

Rationale. Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

Example. When developing contingency plans, organizations can establish a contingency planning team of representatives from facilities management, technology management, and other functional areas to better identify the various expectations and viewpoints from across the organization and other recognized parties.

2.1.5 Proportionality Principle
Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of the information.

Rationale. Security controls should be commensurate with the value of the information assets and the vulnerability. Consider the value, sensitivity, and criticality of the information, and the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

Example. Some organizations determine information security measures based on an examination of the risks, associated threats, vulnerabilities, loss exposure, and risk mitigation through cost/benefit analysis using a Risk Management Framework (see Exhibit 2).

Other organizations implement information security measures based on a prudent assessment of “due care” (such as the use of reasonable safeguards based on the practices of similar organizations), resource limitations, and priorities.

EXHIBIT 2 IT Security Risk Management Framework

2.1.6 Integration Principle
Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization’s policies and procedures to create and maintain security throughout an information system.

Rationale. Many breaches of information security involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization’s system of controls and the life of the information.

Example. Accounts and accesses may be properly controlled when the information owner selects the right type and level of access for users, informs system managers of which users need accounts, and promptly informs them of changes. If one control in the system of controls is compromised, other controls can provide a safety net to limit or prevent the loss.

2.1.7 Timeliness Principle
All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.

Rationale. Organizations should be capable of swift coordination and action to enable threat event prevention or mitigation. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat event reporting and handling. Access to threat event history could support effective response to threat events and may help to prevent future incidents.

Example. An organization with access to timely threat and vulnerability information can make prompt decisions that will prevent or mitigate an incident. Expertise can be brought to bear on a problem, e.g., the introduction of a virus on an internal network, if it is rapidly reported to an organization’s incident handling team.

2.1.8 Assessment Principle
The risks to information and information systems should be assessed periodically.

Rationale. Information and the requirements for its security vary over time. Risks to the information, to its value, and to the probability, frequency, and severity of direct and indirect harm/loss should undergo periodic assessment. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated here in the GASSP, and the risk associated with such variances. Periodic assessment enables accountable parties to make informed information risk management decisions whether to accept, mitigate, or transfer the identified risks with due consideration of cost effectiveness.

Example. Listed below are events that may trigger the need for a security assessment:

■ a significant change to the information system
■ a significant change in the information or its value
■ a significant change in the technology
■ a significant change to the threats or vulnerabilities
■ a significant change to available safeguards
■ a significant change in the user profiles
■ a significant change in the potential loss of the system
■ a significant change to the organization/enterprise
■ a predetermined length of time since last assessment

2.1.9 Equity Principle
Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

Rationale. Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

Example. Individual privacy should be protected. A system administrator may need access to private information for problem diagnosis and resolution only.

2.2 BROAD FUNCTIONAL PRINCIPLES
The Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP) that represent the conceptual goals of information security. By providing the guidance for operational accomplishment of the Pervasive Principles, the Broad Functional Principles are the building blocks (what to do) that comprise the Pervasive Principles and allow definition of the basic units of those principles. Because the Broad Functional Principles are smaller in scope, they are easier to address in terms of implementation planning and execution.

Exhibit 3 presents the relationship of Broad Functional Principles to Pervasive Principles. Each Broad Functional Principle is presented in the following manner:

■ BFP Title
■ Statement of BFP
■ Rationale
■ Example

EXHIBIT 3 Cross-Impact Matrix Relating BFPs to PPs


[Reference(s) to relevant “Control Objectives” from the ISACA CoBIT, the IIA SAC, the British Standard BS 7799, the OECD Information Security Principles, and other sources of safeguard guidance found in the GASSP Committee Foundation Document List (Appendix C).]

2.2.1 Information Security Policy
Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.

Rationale. To assure that information assets are effectively and uniformly secured consistent with their value and associated risk factors, management must clearly articulate its security strategy and associated expectations. In the absence of this clarity, some resources will be undersecured, that is, ineffective; other resources will be oversecured, that is, inefficient.

It is essential that organizations establish, maintain, and promulgate a clearly articulated hierarchy of policies and supporting standards, baselines, procedures, and guidelines, including lines of authority and responsibility, that address the security of the information assets (and supporting Information Technology resources) the organization owns or for which it is responsible. These policies should reflect the mission statement of the owner of the information assets, as well as the value of the confidentiality, availability, and integrity of the information assets to the owner and other relevant parties. The policies must also reflect changes in the organizational mission statement as well as technology advances and other changes that could, if unrecognized or unaddressed, compromise the security of the information.

Development of a clearly articulated hierarchy of policies that address the security of an organization’s information assets, or information assets for which it is responsible, assures that the owners, users, custodians, and information security personnel have clear guidance in effectively securing the information assets. Without the analysis and development of a clearly articulated hierarchy of policies addressing the security of its information assets, or information assets for which it is responsible, the owners, users, custodians, and information security personnel will not have clear guidance in assuring that information assets are effectively and efficiently secured. This lack of policy could result in the organization subjecting the information assets to undue risks and increasing the potential for unacceptable loss, liability, or harm to the organization and other relevant parties. Further, the lack of policy could result in the loss of management options for redress or remedy.

Example. Company ZYX developed procedures for system development, access control, and disaster recovery planning within the information technology department. These procedures, however, were not the result of management establishing sound policy. They were the result of IT management’s perception that it should have documented procedures for some of the more complex activities. During routine system maintenance, “Jack Black,” who was unhappy with his manager and the company, realized there was no prohibition of Trojan horses or other similarly malicious activity. Jack thus built a Trojan horse into a modification of the accounts receivable application system that he routinely maintained. He then submitted his resignation and left the company. Six months later, the Trojan horse, a logic bomb, began to corrupt files systematically on the birthday of his former manager. At first, this corruption appeared to be minor user errors and was ignored. But within a few weeks, the file was severely contaminated, as were all backup files. The result was a sustained inability to generate invoices and related accounts receivable.


The ability of ZYX to prosecute Jack was thwarted by the complete lack of policy articulating management and ownership perception of the value of the information assets. Jack was thus successful in his vengeful attack at great cost and embarrassment to ZYX.

2.2.2 Education and Awareness
Management shall communicate information security policy to all personnel and ensure that all are appropriately aware. Education shall include standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and consequences of failure to comply.

Rationale. To ensure that all personnel are aware of security policy, management must effectively and regularly communicate its requirements. When personnel fail to do what management expects, it is more often the result of an ineffective or imperfect communication of what management expects, rather than the result of wrongful motive or intent on the part of the personnel. Failure to communicate information security policy, standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and the consequences of failing to comply regularly and effectively to all relevant parties can cause the unintentional breach of policy by parties to whom the policy has not been effectively communicated. Such failure can also result in the intentional breach of policy by parties to whom the adverse consequences of such a breach have not been effectively communicated.

In both cases, the potential for harm, liability, or loss to the organization or other relevant parties can be significant. The failure to communicate information security policy effectively can also impair the ability to apply enforcement measures, prosecute criminal activity, or seek civil redress successfully.

Example. ZYX Corp. decides to allow dial-up access to its Information Technology environment but fails to put a public notice on the logon screen advising all parties of its information security policy. Subsequently, an individual hostile to ZYX accessed the organization’s information assets through the dial-up path and modified critical product formulae information, resulting in a substantial loss to the organization. In the civil litigation that followed, the court found in favor of the defendant, because there was no notice that the information was a valued asset and that unauthorized access was prohibited and would be prosecuted.

2.2.3 Accountability
Management shall hold all parties accountable for their access to and use of information, e.g., additions, modifications, copying, and deletions, and supporting Information Technology resources. It must be possible to affix the date, time, and responsibility, to the level of an individual, for all significant events.

Rationale. To assure that people behave as expected, it is necessary to know who did what and when it was done.

It is essential that organizations establish and maintain a basis of control for information assets. Such a control framework requires individual and organizational accountability at all levels. The concept of “accountability” refers to the accepting of responsibility by all relevant parties or entities. Holding all parties thus accountable is intended to assure that any use made of or actions taken on information assets and supporting Information Technology resources shall be for authorized “business/mission purposes only” and that such use or action can be reliably traced to the responsible party or parties, who will be held “accountable.”

Example. When reviewing the daily access audit report, “Henry,” the Information Security Officer (ISO), found several invalid Payroll file access attempts by “Edwina” in Personnel. When the ISO spoke with her and her manager concerning this, it became obvious that she did in fact require access to the particular file. She was accordingly granted limited access. However, three other invalid attempts were found against the same file, and the owner of the userid was in the Graphic Arts Department. When the ISO spoke with “Jason” and his manager, it was determined that Jason was planning to ask for a raise, and his invalid accesses resulted from his attempt to learn what others in his department were being paid. Jason stated that, armed with such information, he would have an idea of what an acceptable pay increase might be. He would thus have an advantage in the raise negotiations. The ISO turned the matter over to Jason’s manager for disciplinary action.
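The review Henry performs above is a routine that can be written down: take the access audit records, keep the denied attempts against the sensitive object, attribute each to an individual userid with first and last timestamps, and sort the users into those whose department could plausibly have a need-to-know (a provisioning question) and those who could not (a referral). The following is an added example, not part of the GASSP text; the pipe-separated record layout, the department names, and the authorized-department table are assumptions, and the log lines are constructed for the scenario.

```python
"""Audit-log review for denied access attempts on a sensitive file.

Added example, not part of the GASSP text. The record layout is an
assumption: one event per line, pipe-separated, with the fields
timestamp|userid|department|object|action|result.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data), following the
# Accountability example: Edwina (Personnel) and Jason (Graphic Arts)
# each make three denied attempts on the Payroll file.
SAMPLE_LOG = """\
1999-03-02T08:14:05|edwina|Personnel|PAYROLL.MASTER|READ|DENIED
1999-03-02T08:14:41|edwina|Personnel|PAYROLL.MASTER|READ|DENIED
1999-03-02T09:02:13|edwina|Personnel|PAYROLL.MASTER|READ|DENIED
1999-03-02T11:30:07|jason|Graphic Arts|PAYROLL.MASTER|READ|DENIED
1999-03-02T11:31:22|jason|Graphic Arts|PAYROLL.MASTER|READ|DENIED
1999-03-02T11:35:48|jason|Graphic Arts|PAYROLL.MASTER|READ|DENIED
1999-03-02T13:12:00|jason|Graphic Arts|ART.LIBRARY|WRITE|OK
1999-03-02T14:45:19|henry|Security|AUDIT.DAILY|READ|OK
"""

# Departments whose staff may legitimately need each object (assumption).
AUTHORIZED_DEPARTMENTS = {"PAYROLL.MASTER": {"Personnel", "Finance"}}


def parse_audit_log(text):
    """Parse records into dicts. Malformed lines are reported by line
    number rather than guessed at: an event that cannot be attributed
    to a userid is itself a finding under the Accountability principle."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            malformed.append(lineno)
            continue
        ts, user, dept, obj, action, result = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "object": obj, "action": action,
                       "result": result})
    return events, malformed


def denied_attempts(events, target):
    """Map each userid to its DENIED attempts against `target`, in log
    order, so date, time and responsibility stay tied to the individual."""
    by_user = defaultdict(list)
    for e in events:
        if e["object"] == target and e["result"] == "DENIED":
            by_user[e["user"]].append(e)
    return dict(by_user)


def review(events, target, authorized=AUTHORIZED_DEPARTMENTS):
    """One finding per user with denied attempts. A user from a department
    listed for the object is a probable provisioning gap (confirm
    need-to-know, then grant limited access); anyone else is referred."""
    findings = []
    for user, attempts in denied_attempts(events, target).items():
        dept = attempts[0]["dept"]
        if dept in authorized.get(target, set()):
            disposition = "confirm need-to-know; possible provisioning gap"
        else:
            disposition = "refer to manager; outside owning departments"
        findings.append({"user": user, "dept": dept, "count": len(attempts),
                         "first": attempts[0]["time"],
                         "last": attempts[-1]["time"],
                         "disposition": disposition})
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    evs, bad = parse_audit_log(SAMPLE_LOG)
    for f in review(evs, "PAYROLL.MASTER"):
        print(f"{f['user']:8} {f['dept']:13} x{f['count']} "
              f"{f['first']:%H:%M}-{f['last']:%H:%M}  {f['disposition']}")
```

The report deliberately does not decide anything about Jason on its own: the disposition only says whom to talk to, and the count and time window give the ISO the facts to bring to that conversation. Henry, whose successful read of the audit file is in the sample, does not appear, because only denied attempts against the target object are findings.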

2.2.4 Information Management
Management shall routinely catalog and value information assets, and assign levels of sensitivity and criticality. Information, as an asset, must be uniquely identified and responsibility for it assigned.

Rationale. To manage information assets efficiently, management must know what to protect. To be effectively managed, it is essential to identify and enumerate the core attributes of information as assets. These information asset attributes include:

■ identity
■ ownership
■ custody
■ content
■ value (ideally expressed in monetary terms) of the confidentiality, availability, and integrity of the information assets
■ sensitivity (which relates directly to confidentiality)
■ criticality (which relates directly to availability and integrity)

The organizational ownership of an information asset must be established. The person or agent/custodian legitimately established as the owner of an information asset has the authority and responsibility to make, or delegate, decisions regarding the security of the information asset. It is typically the organization that will ultimately suffer liability, loss, or other harm if the confidentiality, availability, or integrity of the information asset is compromised, although others may suffer harm or loss as well.

The identity and content of the information asset must be clearly established for the owner to make informed decisions regarding its security. Knowing the value of the information asset, as related to its confidentiality, availability, and integrity, enables the owner to understand the financial risks and associated threats that must be mitigated when establishing security requirements for the information asset.

Finally, these attributes should be reviewed regularly, because most information attributes change value over time, in some cases increasing and in others decreasing.

Example. XYZ, Inc., a Silicon Valley start-up with breakthrough technology, the Cyberwidget, established “Mr. Doe,” vice president of Production, as the owner of its Materials Requirements Planning (MRP) systems. The MRP system included functions addressing inventory and shipping document production, and input to the Accounts Receivable invoicing process. Mr. Doe was already heavily tasked, and stressed, with meeting an increasing demand for the Cyberwidget. He repeatedly postponed meetings with the Information Security Officer (ISO) to discuss valuing the system and the supported information asset.

Because there was no financial case in place reflecting the value of the MRP system and supported information assets, management did not fund the previous year’s ISO budget request for improved information security and contingency planning. In the following winter, a mudslide from a nearby hill swept into the information technology area dedicated to production and destroyed much of the equipment. The production floor, however, suffered no direct impact.

The result was that the just-in-time (JIT) production process was interrupted, even though the production equipment was not damaged. Production was halted and finished production could not be shipped for weeks because the MRP, with inventory control, parts ordering and positioning, shipping documents, and supported invoicing process, was inoperable. Management panicked, the system recovery effort was severely impaired (there was no policy, recovery plan, or designation of responsibility), and clients canceled orders. Many clients reverted to proven vendors of similar, though less efficient, products. Consequently, the promising start-up company went into bankruptcy and never recovered.

2.2.5 Environmental Management
Management shall consider and compensate for the risks inherent to the internal and external physical environment where information assets and supporting Information Technology resources and assets are stored, transmitted, or used.

Rationale. To protect the organizational mission effectively, it is necessary to identify and address environmental threats that can disrupt Information Technology functionality. There are significant threats, and vulnerabilities, associated with the location, construction, and equipping of Information Technology facilities. These threats include:

■ natural disaster threats (earthquake, flood, hurricane, tornado, landslides, etc.)
■ unintentional or intentional physical threats (e.g., power outage, equipment failure, fire, proximity of potentially toxic or explosive industrial facilities and transportation infrastructures, local crime, and a wide array of accidents that could “exploit” unrecognized or inadequately addressed vulnerabilities of the physical environment)

For the optimum security strategy implementation, it is essential to coordinate and integrate information security efforts with overall organizational security measures and management. Failure to recognize and effectively address local threats and associated vulnerabilities, both internal and external, can result in a potentially disastrous disruption of Information Technology functionality.

Example. In the dead of winter, an organization impacted by natural disaster contacted its contracted Information Technology Disaster Recovery hot site provider, which offered a Disaster Recovery facility in the same geographic region. Just before the client’s Information Technology recovery staff boarded an airplane to fly to the hot site, the roof of the facility collapsed from the weight of snow and ice on it. The hot site provider had not considered the ability of the facility roof to cope with the load of a major snow and ice accumulation. Thus, the hot site provider’s building was not suitable to the mission, and no compensating provisions were made. Consequently, the hot site provider lost the client, and credibility, and had to rebuild the Disaster Recovery hot site. A competing provider quickly rescued the client.

2.2.6 Personnel Qualifications
Management shall establish and verify the qualifications related to integrity, need-to-know, and technical competence of all parties provided access to information assets or supporting Information Technology resources.

Rationale. To implement security effectively for information assets and supporting Information Technology resources, it is necessary that the personnel involved are competent with respect to the knowledge and technical skill needed to perform their roles reliably, that their integrity (as demonstrated by work history, academic and training certification, and references) meets organizational requirements, and that their need-to-know is authoritatively established. Such personnel include, at a minimum:

■ owners (as representatives of the organization and its interests)
■ users
■ contractors and supplemental staff
■ custodians
■ information security personnel

Example. “Joe B.,” who represented himself as a CISSP, was hired by XYZ Corporation to develop and implement a corporatewide information security program. His first assignment was to conduct a risk assessment to determine the current state of information security in the corporation. After several weeks of effort, Joe submitted his report. Knowledgeable management, upon reviewing his report, noted that an obvious exposure was not documented in the report. XYZ Corporation had failed to implement policy and related standards, baselines, and procedures that would have addressed the prevention, detection, or containment of network attacks. Top management was advised of the risk to information assets and information processing confidentiality, integrity, and availability.

Subsequent investigation disclosed that Joe had not passed the CISSP examination and had not previously performed a risk assessment. Closer review of his report revealed numerous errors and misrepresentations. Joe was dismissed immediately, and personnel policy regarding the verification of credentials was augmented to assure that all qualifications upon which management relied to select staff were effectively validated.

Policy, standards, and procedures were then developed to ensure that appropriate countermeasures, safeguards, or controls were in place and used effectively to reduce risk to an acceptable level. Training sessions were provided to owners, custodians, and users to ensure that all concerned understood the need for and use of the countermeasures.

2.2.7 System Integrity
Management shall ensure that all properties of systems and applications that are essential to or relied upon to support the organization’s mission are established, preserved, and safeguarded.

Rationale. For management to be able to rely upon the correct performance of Information Technology resources, it is necessary to ensure that they are implemented as intended and are not subsequently contaminated or corrupted by malicious acts, uncorrected error conditions, or other failures. Unless controls are in place to protect systems and applications from unauthorized modifications and to ensure that authorized changes are tracked and perform as intended, systems can fail in a way that impairs efficiency or even the health of the organization. Further, such failures may not be detected on a timely basis, because management assumes the integrity of the Information Technology resources.

Example. During month-end general ledger processing, the closing account levels for the Purchasing Department showed an unexpected surplus of cash. All subsidiary ledger, journal, and accrual accounts relating to Purchasing were then opened for additional verification and validation checking. During this review, it appeared that the Sales Tax Accrual and Posting ledger accounts were not as high as expected. When compared with earlier periods, it was found that accruals were substantially less (30 percent), given that activity levels were typically within 10 percent from one period to the next.

A final validation run was executed, and it was found that the cash surplus was the amount that should have been posted to the subsidiary ledger account with the entry of each purchase. All required adjusting entries were then performed, trial balances were calculated, and the results produced the correct balances in all related accounts.


A review was made to determine the cause of the errors. It was found that changes made to the Accounting System 33 days earlier produced the errors, due to the omission of critical internal control functions. The routines necessary to perform posting and validation performed correctly, but the account numbers used by the routines were invalid. Thus, the entries to be posted were retained in the original accounts, and, because no error checking was included in the changes, no error reporting output was generated to alert anyone to the problem.

The necessary internal control functions were subsequently reestablished, and the problem did not recur. Change control procedures were revisited and updated to prevent the omission of necessary control in the future.
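Two controls were missing in the change described above: the posting routine accepted an account number that did not exist and quietly left the amount where it was, and nothing compared the period’s accruals against activity. The example below is added here and is not from the GASSP text; it shows a posting routine in the failing form and in a fail-closed form, plus the variance check that would have raised the 30 percent shortfall at month end. The chart of accounts, the tax rate, and the figures are constructed for illustration.

```python
"""Fail-closed posting and a period variance check (added example).

Not part of the GASSP text. The chart of accounts, the 8% tax rate and
the purchase amounts below are constructed for the illustration.
"""

CHART_OF_ACCOUNTS = {"1000": "Cash", "2100": "Sales Tax Accrual",
                     "5000": "Purchases"}


class PostingError(Exception):
    """Raised when an entry names an account that is not on the chart."""


def new_ledger(opening_cash):
    return {"1000": float(opening_cash), "2100": 0.0, "5000": 0.0}


def transfer_unchecked(ledger, src, dst, amount):
    """The 'before' routine from the scenario: if the destination account
    does not exist, the amount simply stays in the source account and no
    error is raised or reported."""
    if src in ledger and dst in ledger:
        ledger[src] -= amount
        ledger[dst] += amount


def transfer(ledger, src, dst, amount, chart=CHART_OF_ACCOUNTS):
    """Hardened routine: validate both accounts against the chart before
    touching the ledger, so a bad account number stops the run instead
    of silently distorting balances."""
    for acct in (src, dst):
        if acct not in chart:
            raise PostingError(f"unknown account {acct!r}; entry rejected")
    ledger[src] = ledger.get(src, 0.0) - amount
    ledger[dst] = ledger.get(dst, 0.0) + amount


def accrue_sales_tax(ledger, purchases, rate, accrual_account,
                     transfer_fn=transfer):
    """Move the tax on each purchase out of Cash into the accrual account.
    Returns the total the routine *attempted* to accrue; with the
    unchecked transfer that figure need not match the ledger at all."""
    total = 0.0
    for net in purchases:
        tax = round(net * rate, 2)
        transfer_fn(ledger, "1000", accrual_account, tax)
        total += tax
    return round(total, 2)


def try_accrue(ledger, purchases, rate, accrual_account):
    """Wrapper that reports rejection instead of raising, for callers
    that batch many postings: (True, total) or (False, reason)."""
    try:
        return True, accrue_sales_tax(ledger, purchases, rate, accrual_account)
    except PostingError as err:
        return False, str(err)


def variance_flag(accrual_now, accrual_prior, activity_now, activity_prior,
                  tolerance=0.10):
    """Flag an accrual whose period-over-period change departs from the
    change in underlying activity by more than `tolerance`.
    Returns (flagged, accrual_change, activity_change)."""
    accrual_change = (accrual_now - accrual_prior) / accrual_prior
    activity_change = (activity_now - activity_prior) / activity_prior
    return (abs(accrual_change - activity_change) > tolerance,
            round(accrual_change, 3), round(activity_change, 3))


if __name__ == "__main__":
    purchases = [1000.0, 2000.0, 1500.0]
    good = new_ledger(10000.0)
    accrue_sales_tax(good, purchases, 0.08, "2100")
    bad = new_ledger(10000.0)
    # "21OO" (letter O) stands in for the invalid account number in the change.
    accrue_sales_tax(bad, purchases, 0.08, "21OO", transfer_fn=transfer_unchecked)
    print("correct ledger:", good)
    print("after bad change (cash surplus, no error):", bad)
    print("hardened routine:", try_accrue(new_ledger(10000.0), purchases, 0.08, "21OO"))
    print("variance check:", variance_flag(bad["2100"] or 252.0, good["2100"],
                                           sum(purchases), sum(purchases)))
```

The variance check is the compensating detective control: even if a validation gap slips through change control, an accrual that moves 30 percent while activity moves 0 percent is outside any 10 percent tolerance and is reported at close rather than discovered by accident in a cash surplus.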

2.2.8 Information Systems Life Cycle
Management shall ensure that security is addressed at all stages of the system life cycle.

Rationale. For management to be able to rely upon controls, they must be continuous. To be efficient, controls must be comprehensive and applied early. The security function must be fully integrated with system life cycle processes. Retrofit, repair, and other late remedies are always inefficient and may be ineffective. Late application of a control may be insufficient to restore a system to a desired or required robustness.

All in-place controls and countermeasures must be fully documented and periodically reviewed. For preproduction systems, phase reviews must assess intended security feature design, integration, and effectiveness. For in-production systems, maintenance phase reviews must be performed at every step to ensure consistent and correct performance, continued effectiveness and efficiency, accurate interface(s) with other applications, and the comprehensive maintenance of all contingency planning measures.

All reviews must be conducted in conformance with established guidelines that define minimum acceptable requirements for the effectiveness of controls in support of organizational standards for information confidentiality, system and data integrity, and the availability of the information asset and supporting Information Technology resources.

Example. Operating System (OS) maintenance was planned for the Engineering Design Control Section system. It was known that the system held planning data for all new plant designs, including details of proprietary processes, specifications of valve prototypes under consideration for inclusion, and other highly confidential data. The systems administrator knew from his analysis that three modules of the OS would be overwritten by new versions. He expressed concern that the in-place modules would revert to the original installation parameters, thus erasing all file access rules and potentially exposing sensitive data to users having no authority to access the information. The maintenance team agreed to test this concern in an isolated but identically configured environment before conversion.

During the test procedure, the maintenance team found that the system administrator’s concerns were well founded: the file access rules were indeed erased. The team found a solution, which was to make archival copies of the rules database, perform the conversion, then lay in the rules database following conversion. Extensive testing in the isolated environment proved that this option performed correctly, and the system maintenance subsequently proceeded successfully.

2.2.9 Access Control
Management shall establish appropriate controls to balance access to information assets and supporting Information Technology resources against the risk.

Rationale. To achieve a level of risk mitigation commensurate with the value of the information asset to be secured, access to information assets and supporting Information Technology resources should be restricted to the smallest population consistent with other business needs, based on the criteria of a clearly delineated “need-to-know.” Through this standard, the information systems-dependent workforce is facilitated in the accomplishment of assigned tasks by ensuring that all required information is available only through appropriately controlled means. Specifically, individual employees and other parties are restricted from access to information assets and supporting Information Technology resources that do not directly relate to their work requirements, assigned objectives, or legitimate, authorized need.

By enforcing such a standard, the owner or custodian limits the exposure of potentially sensitive information assets and supporting Information Technology resources and enables management to assert appropriate control over the access to, modification of, or the dissemination of sensitive information assets in terms of content and recipient. Therefore, potentially adverse consequences resulting from uncontrolled access or distribution are minimized.

Example. “Diane Thomas,” Director of Benefits and Compensation for XYZ, Inc., was reviewing salary plans from all departments, and found that proposed salary increases for the next fiscal year were 15 percent higher than had been discussed at a budgetary planning meeting earlier that year. She met with the compensation manager to discuss the unexpected figures before returning them to the department managers to be reworked. Diane questioned the figures and where the department managers got their justification. The manager responded that the justification used was the forecasted 25 percent increase in company revenues over last year. Probing further, Diane asked where that information was obtained and was told it was available online from the accounting system. Diane ended the meeting and went to see “Jay Brock,” Director of Finance.

After hearing the situation, Jay became very concerned that confidential budget forecast information seemed to be freely available instead of being limited to directors and senior corporate officers. Diane requested that “Maurice McDonnell,” the Director of Information Systems, join them immediately. When Maurice arrived, and the situation was explained to him, he promptly left to look into it. Maurice called his System Security Officer (SSO) in and asked for a report on the access control rules for the accounting system. Two hours later, the SSO returned with the report, and, in reviewing it, they found no rule in place for the file containing the forecast information.

To remedy this, Maurice called Jay, and they agreed to take the file off-line until an appropriate rule could be put in place. Thus, future inappropriate access was prevented, and what could have been the costly disclosure of highly sensitive strategic information was limited to the discovery of an embarrassing lapse in access control management.
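The lapse in the example was a file that had no access rule at all, and a system that treated “no rule” as “open.” The following is an added illustration, not code or text from the GASSP document, of the two controls that close that gap: a default-deny access check, and an audit that compares the asset inventory against the rule set so that unprotected files (and rules broader than need-to-know allows) are reported. All file names, group names and userids are constructed.

```python
"""Default-deny access check plus an audit for resources that have no rule.

Added example, not text or code from the GASSP document. The rule set, group
names, userids and file names below are constructed for illustration.
"""
from typing import Dict, List, Set

# Constructed rule set: resource -> groups permitted to read it.
# "acct/forecast.dat" has deliberately been left out, mirroring the lapse in
# the example, so the audit below can find it.
ACCESS_RULES: Dict[str, Set[str]] = {
    "acct/ledger.dat": {"accounting", "finance-directors"},
    "acct/payroll.dat": {"payroll", "finance-directors"},
    "hr/salary-plans.dat": {"compensation", "hr-directors"},
    "shared/holiday-calendar.dat": {"accounting", "payroll", "compensation", "line-management"},
}

# Constructed principals: userid -> groups.
USER_GROUPS: Dict[str, Set[str]] = {
    "diane.thomas": {"compensation", "hr-directors"},
    "jay.brock": {"accounting", "finance-directors"},
    "dept.manager": {"line-management"},
}


def is_permitted(user: str, resource: str,
                 rules: Dict[str, Set[str]] = ACCESS_RULES,
                 groups: Dict[str, Set[str]] = USER_GROUPS) -> bool:
    """Default deny: access needs an explicit rule naming one of the user's groups.

    A resource with no rule is treated as closed, which is the opposite of the
    behaviour that exposed the forecast file in the example.
    """
    allowed = rules.get(resource)
    if not allowed:
        return False
    return bool(groups.get(user, set()) & allowed)


def unprotected_resources(inventory: List[str],
                          rules: Dict[str, Set[str]] = ACCESS_RULES) -> List[str]:
    """Inventory entries with no rule (or an empty one): the report the SSO produced by hand."""
    return sorted(r for r in inventory if not rules.get(r))


def over_broad_rules(rules: Dict[str, Set[str]] = ACCESS_RULES,
                     max_groups: int = 2) -> List[str]:
    """Rules that grant access to more groups than a need-to-know threshold allows."""
    return sorted(r for r, g in rules.items() if len(g) > max_groups)


if __name__ == "__main__":
    inventory = ["acct/ledger.dat", "acct/forecast.dat",
                 "acct/payroll.dat", "hr/salary-plans.dat"]
    print("no rule:", unprotected_resources(inventory))
    print("too broad:", over_broad_rules())
    print("dept.manager -> forecast:", is_permitted("dept.manager", "acct/forecast.dat"))
```

The audit only works if the inventory is maintained independently of the rule set; a resource that is missing from both is invisible to it, which is why the example's remedy began with taking the file off-line rather than trusting the existing rule report.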

2.2.10 Operational Continuity and Contingency Planning

Management shall plan for and operate Information Technology in such a way as to preserve the continuity of organizational operations.

Rationale. To protect information assets and supporting Information Technology resources from disruptive events, or to be able to rapidly restore their proper functioning in the case that such a disruptive event is unavoidable, it is essential that organizations establish a cohesive set of preventive, mitigative, and restorative measures, as determined to be appropriate and cost-effective by risk assessment.

Organizational entities depend on their Information Technology resource infrastructure now more than at any previous time in history to deliver mission-critical information in a timely fashion. The operational importance of information assets, whether based on cost or time factors, is such that organizations can ill afford to endure the consequences of significantly disruptive events impacting supporting Information Technology resources or the information assets directly.

Example. A risk assessment performed at XYZ, Inc., showed that the ground-floor Central Computing Services Complex (CCSC) was well isolated from most major disruptive agents, except for flooding. The executive in charge of Information Technology stated that when the ten-story structure was built, area flooding had occurred no more recently than 15 years ago, and all steps then believed appropriate to mitigate this threat were taken. The systems security officer, “John W.,” CISSP, pointed out that in the intervening period, additional construction had occurred, but no corresponding flood control measures had been taken. Additionally, Joe mentioned that weather statistics showed that each year the tropical storm count increased, as had the attendant rainfall amounts, with the result that larger amounts of water pooled for longer periods in places where they had not 15 years earlier.

It was generally recognized that a flood would damage or destroy the Information Technology facilities on the first floor. Historically, flood cleanup had required four to six weeks in this area. Also, a service outage of greater than 14 days would render XYZ, Inc., financially insolvent. When asked for recommendations, Joe stated that the XYZ flood insurance must be reviewed to ensure that it is commensurate with asset values and corporate requirements as they currently stand.

Joe further recommended that management consider relocating the CCSC to a higher floor in the building, or away from the current building, where the threat of flooding could be reduced or eliminated. When questioned concerning the cost of these and other measures, Joe stated that the most costly recommendation was less than $700K, while the estimated cost to clean up the facility and replace all damaged equipment in the event of total loss exceeded $15M. He further stated that an appropriate increase in flood insurance would add less than 0.5 percent to the insurance expense line of the corporate operational budget.

2.2.11 Information Risk Management

Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.

Rationale. To choose effective and efficient information security measures, management must identify the assets to be protected, the threats to the assets, and the vulnerability of the assets or their environment to the threats.

The security of information assets, with regard to the value of their confidentiality, integrity, and availability, and the security of the supporting Information Technology resources must be assured by well-informed owners, managers, custodians, or other responsible parties. Such an approach (performed strategically, on an ongoing basis, or as changes dictate) must enable well-informed decisions regarding whether to accept, mitigate, or transfer the risks associated with the information assets and supporting Information Technology resources. These decisions should be based on the monetary value of the assets, probability and consequences of direct or indirect harm or loss, related threats, effectiveness of existing safeguards and controls, and whether additional safeguards or controls could be expected to provide cost-effective incremental risk mitigation.
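The rationale names the inputs to an accept/mitigate/transfer decision (asset value, probability and consequence of loss, effectiveness of existing and proposed safeguards, and cost-effectiveness) without showing how they combine. The block below is an added illustration, not part of the GASSP text, that carries those inputs through the common annualized-loss-expectancy model: each candidate safeguard is scored by the expected loss it removes minus what it costs, and “accept” is the answer when nothing pays for itself. The flood figures are constructed and only loosely modelled on the 2.2.10 example; the annual rate, cost and effectiveness factors are assumptions.

```python
"""Risk-based choice between accepting, mitigating and transferring a risk.

Added example, not from the GASSP text. All figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # consequence of one occurrence, in dollars
    annual_rate: float   # expected occurrences per year (probability x frequency)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # running cost per year, in dollars
    rate_factor: float   # multiplier on annual_rate (0.0 = prevents entirely)
    loss_factor: float   # multiplier on single_loss (insurance reduces the loss, not the rate)


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: single-loss amount times annual rate."""
    return risk.single_loss * risk.annual_rate


def residual_ale(risk: Risk, sg: Safeguard) -> float:
    """Expected annual loss that remains once the safeguard is in place."""
    return risk.single_loss * sg.loss_factor * risk.annual_rate * sg.rate_factor


def net_benefit(risk: Risk, sg: Safeguard) -> float:
    """Reduction in expected loss minus what the safeguard costs each year."""
    return ale(risk) - residual_ale(risk, sg) - sg.annual_cost


def rank_safeguards(risk: Risk, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Safeguards ordered by net benefit, best first; losing options stay in the list."""
    scored = [(sg.name, round(net_benefit(risk, sg), 2)) for sg in options]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def decision(risk: Risk, options: List[Safeguard]) -> str:
    """'accept' when no option pays for itself, otherwise the best option's name."""
    ranked = rank_safeguards(risk, options)
    return ranked[0][0] if ranked and ranked[0][1] > 0 else "accept"


# Constructed scenario, loosely modelled on the flood discussion in 2.2.10.
FLOOD = Risk("ground-floor flood", single_loss=15_000_000, annual_rate=0.05)
OPTIONS = [
    Safeguard("relocate CCSC to higher floor", annual_cost=140_000, rate_factor=0.05, loss_factor=1.0),
    Safeguard("raise flood insurance cover",   annual_cost=60_000,  rate_factor=1.0,  loss_factor=0.3),
    Safeguard("full perimeter flood barrier",  annual_cost=900_000, rate_factor=0.0,  loss_factor=1.0),
]

if __name__ == "__main__":
    for name, benefit in rank_safeguards(FLOOD, OPTIONS):
        print(f"{name:32s} net benefit/yr: {benefit:>12,.0f}")
    print("decision:", decision(FLOOD, OPTIONS))
```

Insurance is modelled as a loss-factor change (it transfers part of the consequence) while relocation is a rate-factor change (it mitigates the likelihood); keeping the two separate is what lets the model express “transfer” and “mitigate” as distinct decisions rather than one undifferentiated control.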

Example. In migrating to a newer version of the standard corporate e-mail, a team of analysts working for ABC, Inc., assessed whether or not the in-place access rules would migrate intact. This was regarded as a critical factor, since highly confidential project information was passed regularly from one department head to another. In the post-migration test analysis, the team found that proxy rules did not transfer, with the result that mail became visible to the “public.” Also found was a failure of the encryption feature, due to version incompatibilities, when applied to mail sent externally.

The directors of internal audit and corporate legal reviewed the matter for potential ramifications. Given the kind of information that could have been compromised, their consensus was that exposure to loss of intellectual property, and possible violation of employee privacy, could have exposed the company to an estimated $39M in total losses; $9M of loss would stem from a combination of litigation costs and settlements in privacy matters, and another $30M from redevelopment costs due to exposure of proprietary process details while in transit to remote corporate sites. Consequently, the transition effort was halted until the problem was fully resolved and effective security measures were implemented and successfully tested.

2.2.12 Network and Infrastructure Security

Management shall consider the potential impact on the shared global infrastructure, e.g., the Internet, public-switched networks, and other connected systems when establishing network security measures.

Rationale. To compensate for the increased vulnerability from and to things outside of the organization, as created by connection to systems beyond the organization, the threat and risk model must be changed to reflect the threat from and to things outside the organization. For example, connecting a UNIX system to the public switched network puts the UNIX system at risk, and connecting the UNIX system to the Internet puts other systems at risk.

All methods for accessing Information Technology resource connectivity must contain controls and countermeasures that implement the established security policy of the organization appropriate to the sensitivity or criticality level of the Information Technology resources and supported information assets. Such controls must, at a minimum, reflect the same security level as the information itself to ensure consistency and cohesiveness of overall policy implementation. This consideration must extend to the physical as well as the logical aspect of the connectivity.

The potential to subvert access to the Information Technology resources and supported information assets is greatest in terms of connectivity through persistent connections, but increases with temporary connections. This same potential exists, however, through in-house networks, although these are inherently less flexible in their vulnerability to exploitation. Therefore, the security implementation must first identify the specific weaknesses in each access method and the potential consequences of their exploitation. Then each weakness can be addressed through the application of measures intended to achieve a level of protection commensurate with the sensitivity/criticality of the Information Technology resource and the supported information assets.

Example. Having received the first request for dial-in access, “Joe A.” carefully assessed the stated need and the description of the resources required. The national sales manager carried a laptop and required access from several company locations throughout the country, some of which had no in-house computer access. The data he would transmit was going to be sales volumes and dollar amounts, both considered very confidential. Joe knew that strong security steps would be required to meet this unique situation.

Looking at several options, Joe selected a combination of SmartCard, encryption, and callback measures to secure the dial access port link. The callback would confirm physical location (linked to a telephone line with no “Call-Forward” feature), encryption would provide data confidentiality, and the SmartCard facility would serve to provide user identification and authentication. Given that the database that the national sales manager would access had its own built-in userid and password routine, Joe believed that together these measures would provide proper security.

2.2.13 Legal, Regulatory, and Contractual Requirements of Information Security

Management shall take steps to be aware of and address all legal, regulatory, and contractual requirements pertaining to information assets.

Rationale. For an organization to comply diligently with all legal, regulatory, and contractual requirements associated with its operations, it is necessary to ensure that no requirement exists for which compliance measures have not been put in place. As part of this effort, plans should also be in place to address potential actions against the organization should their policy, processes, or actions be called into question.

Example. During the final review of XYZ Company’s Statement of Work for its Department of Energy (DoE) contract prior to “Best-and-Final” submission, it was noted by the director of engineering that no provisions had been included specifically regarding protection of information assets belonging to the government. There was only general text that reflected awareness of the confidential nature of the work. This prompted a review of the contract to determine what specifications addressed this topic, and what the potential liability of XYZ would be by leaving unaddressed any such specifications. The review showed that penalties of up to $10,000 per day would accrue for failure to comply with stated performance requirements. Additionally, until compliance was reestablished, the contractor would forfeit all accrued performance awards.

A contract review meeting was called, and the contracting officers, along with DoE personnel, discussed information asset protection requirements. Subsequent to the meeting, the Statement of Work was amended to address the stated specifications. It was determined that had XYZ failed to address this matter from the inception of the contract, a four-month period would have been required to initiate and complete compliance efforts. This would have resulted in a loss of $120K in penalties, $500K in accrued performance awards, and compliance effort costs of $110K when performed after contract inception. The cost added to the contract to perform the work from inception was, by comparison, estimated to be less than $60K.

2.2.14 Ethical Practices

Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

Rationale. To preserve employee morale and the perception of the organization and its management as fair and ethical, and recognizing that security measures may be or become unduly intrusive, management must be candid, fair, and conservative in developing and enforcing security policy.

Management must carefully consider employee privacy. The key to successful policy is strict observance of fairness and respect for the individual. No policy is complete proof against culpability, but careful construction and consistently unbiased execution contribute positively to the organization’s overall risk management program.

Policy provisions, including consequences for noncompliance, must be understandable and enforceable, and enforcement must be fairly applied. Candor helps ensure fairness. Security measures that cannot be disclosed should not be applied.

Owner’s conservative rule: Owners should assume that others would treat their assets as belonging to the public domain. Therefore, they should explicitly declare (in reasonably visible ways) the products of their efforts and their property to be either private or public.

User’s conservative rule: Assume that any tangible or intangible item belongs to somebody else unless an explicit declaration or convention identifies it as being in the public domain or authorized for your use.

Example. BCA Corp. hired “Jim Blue” to implement and manage its logical access control policy. Jim promptly found that many userids and passwords belonging to terminated employees were still active, although their owners were gone, some for several years. He also found that one of these userid/password combinations had been used subsequent to the owner’s departure. Files accessed included confidential personnel and payroll records of a key executive. Although no one had noticed, the executive’s files had been altered to imply that a medical condition had become a significant risk. This fabricated medical problem could have affected the executive’s career upon his next review, given the high stress nature of his job.

Assuming that the departed party had violated the company’s privacy policy, Jim wrote a letter to the executive accusing the former employee of a breach of privacy. The executive was outraged. An investigation ensued, the police were consulted, and the individual accused was interrogated aggressively. In addition, Jim, feeling guilty for having made his accusation perhaps prematurely, carefully reviewed logical access management procedures and practices applied prior to Jim’s being hired. The investigation revealed that the management of logical access controls had previously been so poor that a significant number of employees could have executed the inappropriate modification, and determining who was responsible was impossible.

The unethical action of accusing the former employee prior to establishing the facts resulted in substantial embarrassment to the company, which avoided a potentially costly lawsuit only by promptly offering a generous settlement.
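The technical findings in the BCA Corp. example (accounts of departed employees left enabled, one of them used after the departure) are the kind of thing a routine cross-check of the HR roster against account status and login records surfaces long before any damage is done. The following is an added illustration, not code or text from the GASSP document; the roster, account export and login lines are constructed, and the field layout is an assumption. Its output is a list of events to investigate, not an attribution: a credential that stayed valid after its owner left could have been used by anyone who knew it, which is exactly the point the example makes.

```python
"""Detect accounts still enabled, or actually used, after their owner's termination.

Added example, not from the GASSP text. All data below is constructed.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: userid -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "asmith": date(1996, 3, 31),
    "bjones": date(1998, 11, 15),
    "cwu": None,
    "dlee": date(1999, 2, 1),
}

# Constructed account-status export from the access-control system: userid -> enabled?
ACCOUNT_STATUS: Dict[str, bool] = {
    "asmith": True,
    "bjones": True,
    "cwu": True,
    "dlee": False,
}

# Constructed login log, one event per line: "<ISO timestamp> <userid> <source>"
LOGIN_LOG = """\
1999-01-10T08:02:11 cwu term17
1999-01-12T22:47:03 bjones term04
1999-02-03T09:15:40 dlee term09
1999-03-01T07:58:21 asmith term02
"""


def parse_login_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed log format into (timestamp, userid, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src = line.split()
        events.append((datetime.fromisoformat(ts), user, src))
    return events


def stale_enabled_accounts(roster: Dict[str, Optional[date]] = HR_ROSTER,
                           status: Dict[str, bool] = ACCOUNT_STATUS,
                           today: date = date(1999, 9, 1)) -> List[str]:
    """Userids whose owner has left but whose account is still enabled.

    These should have been disabled at termination; each one is a live
    credential with no accountable owner.
    """
    return sorted(u for u, term in roster.items()
                  if term is not None and term <= today and status.get(u, False))


def logins_after_termination(events: List[Tuple[datetime, str, str]],
                             roster: Dict[str, Optional[date]] = HR_ROSTER
                             ) -> List[Tuple[str, datetime, str]]:
    """Login events that occurred after the userid's owner had been terminated.

    Every hit needs investigation before any conclusion about who used the
    account; the log only shows that the credential was used, not by whom.
    """
    hits = []
    for ts, user, src in events:
        term = roster.get(user)
        if term is not None and ts.date() > term:
            hits.append((user, ts, src))
    return hits


if __name__ == "__main__":
    print("still enabled after termination:", stale_enabled_accounts())
    for user, ts, src in logins_after_termination(parse_login_log(LOGIN_LOG)):
        print(f"login after termination: {user} at {ts.isoformat()} from {src}")
```

Running the two checks on a schedule, with the HR roster as the authoritative input, turns account deprovisioning into something that is verified rather than assumed; the check on login records is the detective control that catches the cases the preventive one missed.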

2.3 DETAILED SECURITY PRINCIPLES

The Detailed Security Principles specifically address methods of achieving compliance with the Broad Functional Principles with respect to existing environments and available technology. There will be many detailed information security principles supporting one or more Broad Functional Principles. The Detailed Principles will address differing technologies, environments, standards, practices, and concepts that are relevant to the Broad Functional Principles. The Detailed Principles are expected to evolve continuously to meet the challenges of emerging technology and new threats.

Following is an example of a Detailed Principle (and its underlying rationale) supporting a Broad Functional Principle (Access Control), which supports the Pervasive Principle (Proportionality):

Use one-time passwords to control logical access to all information assets deemed critical to an organization.

Multiple-use passwords were originally the only technique available to control access to a system. Changes in technology made the multiple-use password obsolete in many environments. Therefore, the one-time password evolved. Future technological advances will probably result in the use of smart card technology, replacing current password technology. (There will be separate Detailed Principles that expand upon and guide the application security mechanisms in the users’ environment.)
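The Detailed Principle above says to use one-time passwords but not what makes a password “one-time.” The block below is an added illustration, not code or text from the GASSP document, of one standard construction, the HMAC-based one-time password of RFC 4226 (HOTP): a shared secret and a counter produce a short code, and the verifying side accepts a code only for a counter beyond the last one it accepted, so a captured code is useless a second time. The secret is the RFC 4226 test-vector key; the userid, look-ahead window and server state are constructed.

```python
"""One-time passwords (HOTP, RFC 4226) with a verifier that rejects reuse.

Added example, not from the GASSP text. The key below is the RFC 4226
test-vector secret; the verifier state and userid are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state: per user, the shared secret and the last accepted counter.

    A submitted code is accepted only if it matches a counter strictly greater
    than the last accepted one, within a small look-ahead window (the token may
    have been pressed a few times without a login). Accepting advances the
    counter, so the same code, or any earlier one, can never be accepted again.
    """

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1          # nothing accepted yet

    def verify(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c   # counter only moves forward
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # test-vector key from RFC 4226, Appendix D

if __name__ == "__main__":
    v = OtpVerifier()
    v.enrol("sales.mgr", RFC4226_SECRET)
    code = hotp(RFC4226_SECRET, 0)
    print("first use:", v.verify("sales.mgr", code))     # accepted
    print("replay:   ", v.verify("sales.mgr", code))     # rejected
```

The reuse check is the whole point: a multiple-use password captured on a dial-in line is valid until someone changes it, whereas here the server's counter makes the captured value dead the moment it has been accepted once. Persisting `last_counter` durably matters as much as the HMAC; a verifier that forgets it after a restart silently reverts to multiple-use behaviour.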


3.0 REFERENCES

1. National Research Council, Dr. David Clark (MIT), committee chair, Computers at Risk, National Academy Press, 1991.

2. Organization for Economic Cooperation and Development (OECD), Guidelines for the Security of Information Systems, 1992.

3.1 BIBLIOGRAPHY

An Introduction to Computer Security: The NIST Handbook (Draft), National Institute of Standards and Technology, 1994.

Nathan Bisk, Jr., CPA Comprehensive Exam Review: Auditing, 1985.

GASSP Committee Project Plan Draft 3.0, GASSP Committee, September 1994.

Glossary of Computer Security Terminology, NIST IR 4659, National Institute of Standards and Technology, September 1991.

M. E. Kabay, “Social Psychology and INFOSEC: Psychosocial Factors in the Implementation of Information Security Policy.”

Robin Moses, Ian Glover, and Len Watts, “Updated Framework for Computer/Communications Security Risk Management,” from Proceedings of the 3rd International Computer Security Risk Management Model Builders’ Workshop, sponsored by Los Alamos National Laboratory, NIST, and MSCS, 1990.

Ali Mosleh, “A Framework for Computer Security Risk Management,” from Proceedings of the 3rd International Computer Security Risk Management Model Builders’ Workshop, sponsored by Los Alamos National Laboratory, NIST, and NCSC, 1989.

Donn Parker, “Information Security for Applications in Distributed Computing,” from the Proceedings for the Second AIS Security Technology for Space Operations Conference (NASA/JSC Mission Operations Directorate and the Texas Gulf Coast Chapter of the ISSA cosponsors), 1993.

Micki Krause and Harold F. Tipton, Eds., Information Security Management Handbook, Auerbach Publications, Boca Raton, FL, 2000.

Charles Cressen Wood, Information Integrity: Principles of Secure Information Systems Design, Elsevier Science, New York, 1990.


Appendix A: Guidance from Computers at Risk

Major recommendations from Computers at Risk that are addressed by GASSP:

1. Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to as GASSP, which would provide a clear articulation of essential features, assurances, and practices.

2. A set of short-term actions for system vendors and users that build on readily available capabilities and would yield immediate benefits.

3. Directions for a comprehensive program of research.

4. Establishment of a new organization to nurture the development, commercialization, and proper use of trust technology, referred to as the Information Security Foundation, or ISF.

Specific guidance from CAR for recommendation 1 and others related to GASSP is as follows:

1. Promulgate comprehensive Generally Accepted System Security Principles (GASSP).

a. Establish a set of GASSP for computer systems.

b. Consider the system requirements specified by the Orange Book for the C2 and B1 levels as a short-term definition of GASSP and a starting point for more extensive definitions.

c. Establish methods, guidelines, and facilities for evaluation of products for conformance to GASSP.

d. Use GASSP as a basis for resolving differences between U.S. and foreign criteria for trustworthy systems and as a vehicle for shaping inputs to international discussions of security and safety standards.

2. Take specific short-term actions that build on readily available capabilities.

a. Develop security policies.

b. Use as a first step the Orange Book’s C2 and B1 criteria.

c. Use sound methodology and modern technology to develop high-quality software.

d. Implement emerging security standards and participate actively in their design.

3. Establish an Information Security Foundation to address needs that are not likely to be met adequately by existing entities.

a. Establishment of GASSP.

b. Research on computer system security, including evaluation techniques.

c. System evaluation.

d. Brokering and enhancing communications between commercial and national security interests.

e. Focused participation in international standardization and harmonization efforts for commercial security practice.


Appendix B: Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems

Paris 1992

PREFACE

Explosive growth in the use of information systems for all manner of applications in all parts of life has made provision of proper security essential. Security of information systems is an international matter because the information systems themselves often cross national boundaries and the issues to which they give rise may most effectively be resolved by international consultation and cooperation.

In 1990, the Information, Computer and Communications Policy (ICCP) Committee created a Group of Experts to prepare Guidelines for the Security of Information Systems. The Group of Experts included governmental delegates, scholars in the fields of law, mathematics, and computer science, and representatives of the private sector, including computer and communication goods and services providers and users. The Expert Group was chaired by the Hon. Michael Kirby, President of the Court of Appeals, Supreme Court of New South Wales, Australia. Ms. Deborah Hurley of the Information, Computer and Communications Policy Division of the OECD Directorate for Science, Technology and Industry drafted the Recommendation, the Guidelines, and the Explanatory Memorandum, based upon the deliberations of the Expert Group at its meetings.

The Expert Group met six times over 20 months (in January 1991, March 1991, September 1991, January 1992, June 1992, and September 1992) to prepare the Recommendation of the Council Concerning Guidelines for the Security of Information Systems, the Guidelines for the Security of Information Systems, and the Explanatory Memorandum to Accompany the Guidelines. The Group of Experts submitted the final version of the three texts to the ICCP Committee at its 22nd session on 14–15 October 1992. The ICCP Committee approved the texts and their transmission to the Council of the OECD.

On 26 November 1992, the Council of the OECD adopted the Recommendation of the Council Concerning Guidelines for the Security of Information Systems and the 24 OECD Member countries adopted the Guidelines for the Security of Information Systems.

RECOMMENDATION OF THE COUNCIL CONCERNING GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS, 26 NOVEMBER 1992

THE COUNCIL, HAVING REGARD TO:

the Convention on the Organization for Economic Cooperation and Development of 14 December 1960, in particular, articles 1 (b), 1 (c), 3 (a), and 5 (b) thereof;

the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 [C(80)58(Final)];

the Declaration on Transborder Data Flows adopted by the Governments of OECD Member countries on 11 April 1985 [C(85)139, Annex].

RECOGNIZING:

the increasing use and value of computers, communication facilities, computer and communication networks and data and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications and procedures for their operation, use and maintenance (all hereinafter referred to collectively as “information systems”);

the international nature of information systems and their worldwide proliferation;

that the increasingly significant role of information systems and growing dependence on them in national and international economies and trade and in social, cultural, and political life call for special efforts to foster confidence in information systems;

that, in the absence of appropriate safeguards, data and information in information systems acquire a distinct sensitivity and vulnerability, as compared with paper documents, due to risks arising from available means of unauthorized access, use, misappropriation, alteration, and destruction;

the need to raise awareness of risks to information systems and of the safeguards available to meet those risks;

that present measures, practices, procedures, and institutions may not adequately meet the challenges posed by information systems and the concomitant need for rights and obligations, of enforcement of rights, and of recourse and redress for violation of rights relating to information systems and the security of information systems;

the desirability of greater international coordination and cooperation in meeting the challenges posed by information systems, the potential detrimental effects of a lack of coordination and cooperation on national and international economies and trade and on participation in social, cultural, and political life, and the common interest in promoting the security of information systems;

AND FURTHER RECOGNIZING:

that the Guidelines do not affect the sovereign rights of national governments in respect of national security and public order (“ordre public”), subject always to the requirements of national law; that, in the particular case of federal countries, the observance of the Guidelines may be affected by the division of powers in the federation;

RECOMMENDS THAT MEMBER COUNTRIES:

1. establish measures, practices, and procedures to reflect the principles concerning the security of information systems set forth in the Guidelines contained in the Annex to the Recommendation, which is an integral part hereof;

2. consult, coordinate, and cooperate in the implementation of the Guidelines, including international collaboration to develop compatible standards, measures, practices, and procedures for the security of information systems;

3. agree as expeditiously as possible on specific initiatives for the application of the Guidelines;

4. disseminate extensively the principles contained in the Guidelines;

5. review the Guidelines every five years with a view to improving international cooperation on issues relating to the security of information systems.

Annex to the Recommendation of the Council of 26 November 1992

GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS, 26 NOVEMBER 1992

I. Aims

The Guidelines are intended:

■ to raise awareness of risks to information systems and of the safeguards available to meet those risks;
■ to create a general framework to assist those responsible, in the public and private sectors, for the development and implementation of coherent measures, practices, and procedures for the security of information systems;
■ to promote cooperation between the public and private sectors in the development and implementation of such measures, practices, and procedures;
■ to foster confidence in information systems and the manner in which they are provided and used;
■ to facilitate development and use of information systems, nationally and internationally, and
■ to promote international cooperation in achieving security of information systems

II. Scope

The Guidelines are addressed to the public and private sectors.

The Guidelines apply to all information systems.

The Guidelines are capable of being supplemented by additional practices and procedures for the provision of the security of information systems.

III. Definitions

For the purposes of these Guidelines:

■ data means a representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human beings or by automatic means
■ information is the meaning assigned to data by means of conventions applied to that data
■ information systems means computers, communication facilities, computer and communication networks, and data and information that may be stored, processed, retrieved, or transmitted by them, including programs, specifications, and procedures for their operation, use, and maintenance

■ availability means the characteristic of data, information, and information systems being accessible and usable on a timely basis in the required manner
■ confidentiality means the characteristic of data and information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner
■ integrity means the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness

IV. Security Objective

The objective of security of information systems is the protection of the interests of those relying on information systems from harm resulting from failures of availability, confidentiality, and integrity.

V. Principles

1. Accountability Principle

The responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit.

2. Awareness Principle

To foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices, and procedures for the security of information systems.

3. Ethics Principle

Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

4. Multidisciplinary Principle

Measures, practices, and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational, and legal.

5. Proportionality Principle

Security levels, costs, measures, practices, and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability, and extent of potential harm, as the requirements for security vary depending upon the particular information systems.

6. Integration Principle

Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security.

7. Timeliness PrinciplePublic and private parties, at both nationaland international levels, should act in atimely coordinated manner to prevent andto respond to breaches of security of infor-mation systems.

8. Reassessment PrincipleThe security of information systemsshould be reassessed periodically, as infor-mation systems and the requirements fortheir security vary over time.

9. Equity PrincipleThe security of information systemsshould be compatible with the legitimateuse and flow of data and information in ademocratic society.

VI. Implementation

Governments, the public sector, and the private sector should take steps to protect information systems and to provide for their security in accordance with the Principles of the Guidelines. In achieving the Security Objective and in implementing the Principles, they are urged, as appropriate, to establish and to encourage and support the establishment of legal, administrative, self-regulatory, and other measures, practices, procedures, and institutions for the security of information systems. Where provision has not already been made, they should, in particular:

Policy Development

■ Adopt and encourage the adoption of appropriate policies, laws, decrees, rules, and international agreements, including provision for:
– harmonized worldwide technical standards, methods, and codes of practice
– promotion of expertise and best practice in the security of information systems
– formation and validity of contracts and other documents created and executed in or by means of information systems
– allocation of risks and liability for failures of the security of information systems
– penal, administrative, or other sanctions for misuse of information systems
– jurisdictional competence of courts, including rules on extraterritorial jurisdiction, and administrative competence of other bodies
– mutual assistance, extradition, and other international cooperation in matters relating to the security of information systems
– means of obtaining evidence in information systems and the admissibility of such evidence in penal and nonpenal legal and administrative proceedings

Education and Training

■ Promote awareness of the necessity for and the goals of security of information systems, including:
– ethical conduct in the use of information systems
– adoption of good security practices

■ Provide and foster education and training of:
– developers, owners, providers, and users of information systems
– specialists and auditors of information systems
– specialists and auditors of security of information systems
– law enforcement authorities, investigators, attorneys and judges

Enforcement and Redress

■ Provide accessible and adequate means for the exercise and enforcement of rights arising from the implementation of the Guidelines and for recourse and redress for violations of those rights.
■ Provide prompt assistance in procedural and investigative matters relating to breaches of security of information systems.

Exchange of Information

■ Facilitate the exchange of information relating to the Guidelines and their implementation.
■ Publish generally measures, practices, and procedures established in observance of the Guidelines and for the security of information systems.

Cooperation

■ On national and international levels, consult, coordinate, and cooperate between and among governments and the private sector to encourage implementation of the Guidelines and to harmonize as completely as possible measures, practices, and procedures for the security of information systems.

EXPLANATORY MEMORANDUM to Accompany the Guidelines for the Security of Information Systems

Preface

In October 1988, the Committee for Information, Computer and Communications Policy (ICCP) of the OECD approved the preparation by the OECD Secretariat of a study on the subject of security of information systems. The report, entitled Information Network Security, was submitted to the ICCP Committee in October 1989. Following review of the Secretariat document, the ICCP Committee endorsed the convocation of a meeting of experts to explore in greater depth the issues raised in the report.

Based upon the advice of the experts, the ICCP Committee, in March 1990, approved the creation of a Group of Experts to draft Guidelines for the Security of Information Systems. The Group of Experts included governmental delegates, scholars in the fields of law, mathematics, and computer science, and representatives of the private sector, including computer and communication goods and services providers and users. The Group of Experts met six times between January 1991 and September 1992 to prepare the Recommendation of the Council concerning Guidelines for the Security of Information Systems, the Guidelines for the Security of Information Systems, and the Explanatory Memorandum to Accompany the Guidelines.

The OECD is well-positioned to play a central role in building awareness of the need for security of information systems and of measures that might be undertaken to meet that end. OECD membership encompasses North America, the Pacific region, and Europe. The lion’s share of development and exploitation of information systems occurs in OECD member countries. Through the ICCP Committee, the OECD provides direction and coalesces opinion at an early stage on issues related to information, computer and communication technologies and policies, and their effects on society, with a view to raising awareness on an international level and assisting governments and the private sector as they undertake national deliberations.

The Guidelines for the Security of Information Systems are intended to provide a foundation upon which countries and the private sector, acting singly and in concert, may construct a framework for security of information systems. The framework will include laws, codes of conduct, technical measures, management and user practices, and public education and awareness activities; it is hoped that the Guidelines will serve as a benchmark against which governments, the public sector, the private sector, and society may measure their progress.

Introduction

A computer, a computer program, and data constitute basic elements of an information system. The computer may be connected by communication equipment and devices into a network with terminals or other computers or communication facilities. A network may be a private local area network (LAN), an extended private network, such as a wide area network (WAN) or global network, or an external communication link open to anyone with the technological means to gain access to it. Many networks are composed of a combination of internal and external links. Communication networks include data communication, telephone, and facsimile. Other ancillary equipment, printers, for example, may be attached to the computer and communications hardware. The computer programs might include operating system and application software, which may be custom-designed or purchased ready-made. The software may be installed in the computer or stored on magnetic, optical, or other media. Paper manuals and documentation support the operation, use, and maintenance of the hardware and software. This entire structure is created for the purpose of storing, processing, retrieving, and transmitting data and information. These various elements may be combined to form an information system.

Expanding Uses and Benefits of Information Systems

The significance of computer and communications technologies, economically, socially, and politically, is widely accepted. They are key technologies not only in their own right but also as conduits for and components of other goods, services, and activities.

Recent years have witnessed:

■ proliferation of computers
■ increase of computing power with simultaneous decrease in costs
■ convergence of computer and communication technologies
■ greater interconnectivity and interoperability of computer and communication systems
■ increasing decentralization of computing and communication functions and
■ growth of computer use to the point that, in many countries, every individual is an actual or potential user of computer and communication networks

The global information society has arrived. It is borderless, unconstrained by distance or time. Economies, politics, and societies are based less on geography and physical infrastructure than previously, and more on information system infrastructures.

Information systems benefit governments, international organizations, private enterprise, and individuals. They have become integral to national and international security, trade, and financial activity. They are widely used by government administrations, fiscal authorities, business organizations, and research institutions. They are critical to the provision of health care, energy, transport, and communications. Information systems may be used for trading, voting, learning, and leisure. Expanded use of information systems offers possibilities of greater access to resources, experience, learning, and participation in cultural and civic life.

Dependency

Every person, enterprise, and government is affected by information systems and has become dependent on their continued proper functioning. For example, increased use of information systems has wrought fundamental changes in internal organizational procedures and has altered the way that organizations interact. In the event of an information system failure, it may be neither possible to continue present procedures without information systems nor practicable to return to former methods. There may not be sufficient paper records, staff skills, or even numbers of staff to permit an organization to continue to work as productively as it does with its information system in operation, and as effectively as its competitors. Consider, for example, the effect of information system failure on the functioning and efficiency of airlines, banks, or securities exchanges.

Dependence on information systems is growing. Concomitant is a mounting need for confidence that the systems will continue to be available and to operate in the expected manner.

Vulnerability

As use of information systems has increased enormously, generating many benefits, it has, in its wake, created an ever-larger gap between the need to protect systems and the degree of protection utilized at present. Society, including business, public services, and individuals, has become very dependent on technologies that are not yet sufficiently dependable. All the uses of information systems identified above are vulnerable to attacks upon or failures of information systems. There are risks of loss from unauthorized access, use, misappropriation, modification, or destruction of information systems, which may be caused accidentally or result from purposeful activity. Certain information systems, both public and private, such as those used in military or defense installations, nuclear power plants, hospitals, transport systems, and securities exchanges, offer fertile ground for antisocial behavior or terrorism.

The developments identified above, proliferation of computers, increased computing power, interconnectivity, decentralization, growth of networks and the numbers of users, while enhancing the utility of information systems, also increase system vulnerability. It may be harder to locate a system problem and its causes, to correct it in balance with other system functions and requirements, and to prevent its recurrence or the occurrence of other lapses. As systems decentralize and grow larger, it is important to keep account of their interdependent components, which, increasingly, may come from multiple vendors and sources. Moreover, the growing interconnectivity of network systems and use of external networks multiply points of possible information system failures. These externalities lie outside the direct control of the system operators and the rights and duties of the parties in the event of breaches may be unclear.

Technical change is uneven. It leaps ahead in some areas while lagging in others. Inability to adapt to and absorb technological developments at the same rate at which they occur, such as failure to test or coordinate system changes adequately, may lead to system problems. Technological developments may be implemented before all their ramifications and relations to existing technologies are understood. Unequal distribution of system capabilities may give some persons more control of and access to information systems than is intended or desirable. Increasing numbers of users have access to information systems, while, at the same time, system owners or providers decreasingly control them directly.

Failures of information systems may result in direct financial loss, such as loss of orders or payment, or in losses that are more indirect or perhaps less quantifiable by, for example, disclosure of information that is personal, important to national security, of competitive value, or otherwise sensitive or confidential.

The evolution of the law is not always in step with technological progress. It is sometimes insufficient at the national level and in a number of cases still undeveloped at the international level. Harmonization of legislation is an important goal to be actively pursued.

Building Confidence

Users must have confidence that information systems will operate as intended without unanticipated failures or problems. Otherwise, the systems and their underlying technologies may not be exploited to the extent possible and further growth and innovation may be inhibited. Access to secure networks and establishment of security standards have already emerged as general user requirements. Loss of confidence may stem equally from outright malfunction or from functioning that does not meet expectations.

Uncertainties may be met and confidence fostered by building consensus about the use of information systems. Accepted procedures and rules are needed to provide conditions to increase the reliability of information systems. Developers, operators, and users of information systems deserve reassurance regarding their rights and obligations, including responsibility for system failures. Clear, uniform, predictable rules should be in place to ease and encourage growth and exploitation of information systems.

The security of information systems is an international issue because information systems and the ability to use them frequently cross national boundaries. It is a problem that may be ameliorated by international cooperation. Indeed, given the disregard of information systems for geographic and jurisdictional boundaries, agreements are best promulgated and accepted on an international level.

Experience in other sectors involving new technologies with the potential for serious harm reveals a three-part challenge: developing and implementing the technology; providing for avoiding and meeting the failures of the technology; and gaining public support and approval of use of the technology. The air transport industry has been fairly successful in implementing safety techniques and requirements. It facilitates the smooth functioning of air transport and inspires public confidence. Similarly, the shipping industry has successfully used ship certification systems to rank the safety of vessels. The field of biotechnology is now grappling to meet the requirements of permitting technological development and preventing harm from exploitation of the technology and subsequent loss of public support. For information and communication technologies, the goal of avoiding and meeting failures of the technology includes the additional task of preventing and handling actual or potential intrusion to information systems.

Security of Information Systems

Security of information systems is the protection of availability, confidentiality, and integrity. Information systems have the attribute “availability” if they are accessible and usable on a timely basis and in the required manner. Confidentiality is the characteristic of data and information being disclosed only to authorized persons, entities, and processes at authorized times and in the authorized manner. Integrity is the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness. The relative priority and significance of availability, confidentiality, and integrity vary according to the information system.

Threats to Information Systems

Technological development, technical problems, extreme environmental events, adverse physical plant conditions, human institutions, all present challenges to the smooth functioning of information systems. Threats to information systems may arise from intentional or unintentional acts and may come from internal or external sources. They range from cataclysmic events to minor, daily inefficiencies. Downtimes, for example, may be caused by a large breakdown or by frequent slow-ups or service degradations. The frequency and duration of disturbances, however minor, should be considered when planning for security. Large and small events may be equally disruptive to system functioning and use and may be equally debilitating to the organization’s effective operation.


Technical factors leading to failures of information systems are numerous, sometimes not well understood, and constantly changing. They may be computer and communications hardware or software faults and malfunctions, caused by bugs, overloads, or other operational or quality problems. The difficulty may arise in an internal system component (a single computer system or a distributed system; application and operating system software, such as a compiler or editor; LANs), an external system component (telecommunication circuits, satellites) or from the interaction of different parts of the system.

Technical problems may be caused by intentional attacks on the system. Viruses, often introduced into the system via infected software, parasites, trap doors, Trojan horses, worms, and logic bombs are some of the technical means used to disrupt, distort, or destroy normal system functions.

The difficulty of providing security for networks and information is compounded in multiple-vendor environments. For example, a significant problem is the availability of access-control software, a commonly used security measure, that is compatible with the entire system in a multiple-vendor environment. To facilitate development of effective security for information systems, standards bodies, governments, and vendors and users of information systems must agree on standards for security measures.

Physical threats to information systems fall into two broad categories: extreme environmental events and adverse physical plant conditions. Extreme environmental events include earthquake, fire, flood, electrical storms, and excessive heat and humidity. The information system may be housed in a building, in which, in addition to computers and communication lines located throughout the building, there may be dedicated computer rooms and data storage rooms. Connections for power supply and communication may lead to and from the building. Adverse physical plant conditions may arise from breach of physical security measures, power failures or surges, air conditioning malfunction, water leaks, static electricity, and dust. An organization may be affected by lapses either directly at its premises or indirectly at a vital point outside the organization, such as power supply or telecommunication channels.

Human beings and the institutions they establish to reflect their values, whether social, economic, or political, as well as the lack of such institutions, all contribute to security problems. The diversity of system users — employees, consultants, customers, competitors, or the general public — and their various levels of awareness, training, and interest compound the potential difficulties of providing security.

Lack of training and follow-up about security and its importance perpetuates ignorance about proper use of information systems. Without proper training, operators and users may not be aware of the potential for harm from system misuse. Poor security practice abounds. Operators and users may not take even the most rudimentary security measures.

The choice of a password, a nearly universal user activity and usually a user’s first activity on a system, provides a striking example. Although passwords are employed to control access to most information systems, few users are instructed on the need for password security, on the manner in which to create a password, or on penalties for misuse of the system. Without guidance, many users choose obvious passwords that may be easily ascertained, such as family or pet names, joke words, or words related to the task. After logging in to the system, untrained users may leave active terminals connected to network systems unattended, display passwords on the side of terminals, fail to create backup data files, share user identification codes and passwords, and leave open access-control doors into high-security areas. These are threshold security problems that arise from entering a room, switching on a computer or terminal, possessing a password, and logging in.

Errors and omissions may occur in gathering, creating, processing, storing, transmitting, and deleting data and information. Failure to back up critical files and software multiplies the negative effects of errors and omissions. If files have not been backed up, the organization may incur significant expense in time and money in recreating them.

Intentional misuse of authorized system access and unauthorized system access (“hacking”) for the purposes of mischief, vandalism, sabotage, fraud, or theft are additional serious threats to system and organizational viability. Unauthorized copying of software (software piracy), for example, is widespread. Popular conception holds that the greater part of threats to information systems comes from external sources. On the contrary, persons who have been granted authorized access to the system may pose a larger threat to information systems. They may be honest, well-intentioned employees who, because of fatigue, inadequate training, or negligence, commit an inadvertent act that deletes massive amounts of data. They may be disgruntled or dishonest employees who misuse or exceed authorized access to tamper deliberately with the system for their own enrichment or to the detriment of the organization.

Computer programs are an important element of information systems and a potentially fertile terrain for threats to information systems. A program containing a virus that is introduced into an information system may affect the availability, confidentiality, and integrity of that system by overloading the system, changing the list of authorized users of certain parts of the system, or altering data or information in the system. Violations of provisions of licensing agreements relating to the information system (e.g., software licensing agreements, database licensing agreements) may pose an additional security threat. Unauthorized alteration of the licensed program, for example, may trigger malfunctions as the modified software interacts with other parts of the system. Disclosure of proprietary information may damage an organization’s competitive position.

Proper procedures must extend beyond the computer terminal and communication lines to the entire information arena. Improper handling of data and information storage media (whether paper, magnetic, or other) and improper handling and disposal of discarded computer printouts may lead to security breaches. Computer printouts may contain proprietary or competitive information or clues regarding system access. Yet, many companies have no policy for their disposal. Once used for the organization’s purpose, they are considered worthless and discarded along with the day’s used envelopes and pencil shavings. There may, however, be no expectation of privacy in trash, at least in trash that is outside the premises.

Insufficient use of systems may also lead to security problems, such as maintaining information availability or integrity in the event of shortages of qualified personnel, whether as a result of employees changing jobs, the introduction of new technologies requiring new skill, or work slowdowns, stoppages, or strikes.

Social, political, and economic institutions have not kept pace with technological development and growth in use of information systems. The price is uncertainty and lack of uniformity, which increase expense, cause delays, and, if permitted to continue, might impede future growth. There is a glaring deficiency of codes of practice, standards, and legal guidance and apportionment of legal rights and obligations.

Harm Resulting from Security Failures

Security failures may result in direct and consequential losses. Direct losses are those to the hardware, including processors, workstations, printers, disks and tapes, and communication equipment; the software, including systems and applications software for central and remote devices; the documentation, including specifications, user manuals, and operation procedures; the personnel, including operators, users, and managerial, technical, and support staff; and the physical environment, including computer rooms, communications rooms, air conditioning and power supply equipment. Although direct losses may account for a small percentage of total losses arising from a security failure, nonetheless, the absolute investment in developing and operating the system will usually have been significant. The system requires protection in its own right as the container and channel for the data and information. The need to protect the system and the manner of doing so are inextricably linked to protecting the data and information that the system stores, processes, and transmits in order both to preserve the availability, confidentiality, and integrity of the data and information and to prevent alteration or damage of the container and channel through introduction of data and information, such as viruses, that may have a deleterious effect on operation and use of the system.

A consequential loss may occur when an information system fails to perform as intended. Consequential losses resulting from security failures may include loss of goods, other tangible assets, funds, or intellectual property; loss of valuable information; loss of competitive advantage; reduction in cash flow; loss of orders or business; loss of production efficiency, effectiveness, or safety; loss of customer or supplier goodwill; penalties from violation of statutory obligations; and public embarrassment and loss of business credibility. Consequential losses account for most of the losses arising from security lapses. In light of that fact, protection against consequential loss, which, above all, means protecting the data and information, must be a top priority.

Enhancing Security

The goals of confidentiality, integrity, and availability must be balanced both against other organizational priorities, such as cost-efficiency, and against the negative consequences of security breaches. The cost must not exceed the benefit. Similarly, from the viewpoint of deterring those who would attempt to enter information systems to view, manipulate, or obtain information, security controls should be sufficient to render the costs or the amount of time required greater than the possible value to be gained from the intrusion.

Adequate measures for security of information systems help to ensure the smooth functioning of information systems. In addition to the commercial and social benefits of information systems already mentioned, security of information systems may assist in the protection of personal data and privacy and of intellectual property in information systems. Similarly, protection of personal data and privacy and of intellectual property may serve to enhance the security of the information system.

The use of information systems to collect, store, and cross-reference personal data has increased the need to protect such systems from unauthorized access and use. Methods to protect information systems include user verification or authentication, file access control, terminal controls, and network monitoring. Such measures generally contribute both to the security of information systems and to the protection of personal data and privacy. It is possible that certain measures adopted for the security of information systems might be misused so as to violate the privacy of individuals. For example, an individual using the system might be monitored for a non-security-related purpose or information about the user made available through the user verification process might permit computerized linking of the user’s financial, employment, medical, and other personal data. The principles of the Guidelines (for example, the Proportionality Principle and the Ethics Principle) and those of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data give guidance in achieving compatible realization of the goals of security of information systems and protection of personal data and privacy.

Information systems may includehardware, computer programs, databases,layout designs for semiconductor chips,data, and information, elements of whichmay be protected by intellectual andindustrial property laws. Intellectualproperty in information systems is intan-gible, may cross borders virtually imper-ceptibly, and may be vulnerable to theftby the effort of one finger in a matter ofseconds without taking the original andwithout leaving a trace. Security of infor-mation systems may reinforce the protec-tion of intellectual property by limitingunauthorized access to components ofthe system, such as software or competi-tive information.

Since contracts, transactions, and dis-putes relating to information systems mayinvolve parties, actions, and evidence inmany different jurisdictions, it may be use-ful to clarify existing rules or presumptionsor to establish new ones with regard to thelaw applicable in matters relating to thesecurity of information systems. Given thatdisputes related to the security of informa-tion systems may involve complex factualsituations as well as parties, actions, and evi-dence that may be situated in multiple juris-dictions, it may also be advisable to developnonjudicial means, including arbitration,for resolution of disputes.

Guidelines for the Security of Information Systems

Aims

This section of the Guidelines sets forth the purposes to be served by their formulation and adoption by governments and the private sector. The Guidelines are intended to assist the further development and use of information systems. To do so, it is viewed as necessary to raise awareness of risks to information systems and to provide reassurance of the reliability of information systems and their provision and use. In recognition of the ubiquity of information systems, governments and the private sector are urged to cooperate to create an international framework for security of information systems. It is hoped that the Guidelines will contribute to increasing awareness of the importance of security of information systems and to dispelling reluctance to report security breaches, which might permit the compilation of more national and international statistics.

Scope

The Guidelines are intended to apply to all information systems, whether owned, operated, or used by public or private entities or for public or private purposes. The information systems may be of a public or private nature and elements of them may be protected by intellectual property or industrial property laws or other laws (e.g., trade secrets, official secrets). The Guidelines are not intended to supersede or otherwise affect the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The objective of the Guidelines is to avoid the evolution of a dual approach, one for information systems related to national security and one for all other information systems. Notwithstanding these intentions, it is fully accepted that governments may find it necessary to depart from the Guidelines. This is the case in the areas of national security and maintenance of public order (“ordre public”). The fact that governments have the sovereign right to do what they must in these vital areas is recognized in the Recommendation of the Council Concerning Guidelines for the Security of Information Systems. However, it is expected that any departure from the Guidelines will relate more to the section on implementation than to the nine principles. The general idea is that exceptions to the Guidelines would be few and, since they relate to “sovereign” matters, would be of the highest order of importance. Furthermore, it was foreseen that appropriate information relating to departures from the Guidelines, whether involving a public or private information system, would generally be made known to the public and all interested parties.

Definitions

The definition of information systems includes computer hardware; interconnected peripheral equipment; software, firmware, and other means of expressing computer programs; algorithms and other specifications either embedded within or accessed by such computer programs; manuals and documentation on paper, magnetic, optical, and other media; communication facilities, such as terminal/customer premises equipment and multiplexers, on the information system side or the network termination point of public telecommunication transport networks as well as equipment for private telecommunication networks not offered to the public generally; security control parameters; storage, processing, retrieval, transmission, and communication data, such as check digits and packet switching codes and procedures; data and information about parties accessing information systems; and user identification and verification measures (whether knowledge based, token based, biometric, behavioral, or other). This definition may include elements that are proprietary or nonproprietary, public or private. This definition applies to elements whether or not they interact with the data being transmitted by the system or are necessary for the operation, use, and maintenance of the other components of the system.

Confidentiality and integrity apply to data and information. The words data and information are repeated in the definition of availability, even though the term information systems includes them, to emphasize that availability also covers data and information. Confidentiality, integrity, and availability may be important for reasons of competitive advantage, national security, or to fulfill legal, regulatory, or ethical obligations, such as fiduciary duties, protection of personal data and privacy or medical confidentiality. Examples of availability are up-time and response time of the information system.

Security Objective

The Principles of the Guidelines, which follow the Security Objective, express essential concepts to be considered in protecting information systems and providing for their security. The Principles are preceded by a simple declaration of the purpose and goals of security of information systems. Security of information systems is the protection of availability, confidentiality, and integrity. In the absence of sufficient security, information systems and, more generally, information and communication technologies may not be used to their full potentials. Lack of security or lack of confidence in the security of information systems may act as a brake on information system development and use and on development and use of new information and communication technologies. One goal, therefore, is the protection of individuals and organizations from harm resulting from failures of security. All individuals and organizations potentially rely on the proper functioning of information systems. Clear examples are the information systems in hospitals, air traffic control systems, and nuclear power plants. Security, therefore, is directed at preserving the effectiveness of information systems. In addition to the goal of ensuring that the level of availability, confidentiality, and integrity of information systems is not eroded, the security of information systems and the Guidelines are directed toward facilitating the development and use of information systems by individuals and for new and different purposes than those for which they are at present employed, as well as toward facilitating the development and exploitation of information and communication technologies.

Principles

The Guidelines identify nine principles in connection with security of information systems. They are the Accountability Principle; the Awareness Principle; the Ethics Principle; the Multidisciplinary Principle; the Proportionality Principle; the Integration Principle; the Timeliness Principle; the Reassessment Principle; and the Equity Principle.

Accountability Principle. There should be an express and timely apportionment of responsibilities and accountability with respect to the security of information systems among owners, providers, and users of information systems and others. The phrase “other parties concerned with the security of information systems” includes executive management, programmers, maintenance providers, information system managers (software managers, operations managers, and network managers), software development managers, managers charged with security of information systems, and internal and external information system auditors.

Awareness Principle. This principle is meant to assist those with a legitimate interest to learn of or be informed about security of an information system. It is not intended as an opening to gain access to the information system or specific security measures and should not be construed as tending to jeopardize security. The level of information sought pursuant to this principle should be able to be obtained without compromising security.

Owners and providers are included in the Awareness Principle for there may be circumstances in which they, too, may need to acquire information about the security of a system. For example, an owner of a network may enter into an agreement whereby another organization would use the network to provide services for third parties. The owner may require, as part of the agreement, that certain levels of security be offered or available. In this circumstance, the owner may wish to be able to be informed of the security of the information system. Similarly, an organization that contracts with a computer or network owner to provide services may desire assurances regarding security and the ability independently to verify security. Users are also included in the Awareness Principle. For example, a customer choosing a bank may have a legitimate interest in being generally informed about the existence of security policies and programs of various banks. Depending upon customer demand, security might even come to be used as a marketing tool.

Ethics Principle. Information systems pervade societies and cultures. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information systems. This principle supports the development of social norms in these areas. Important aspects are the expression of these norms to all members of society and inculcation of these concepts from a very young age.

Multidisciplinary Principle. When devising and maintaining measures, practices, and procedures for the security of information systems, it is important to review the full spectrum of security needs and available security options. In an organization, for example, this would involve consultation with technical personnel, management, the legal department, users, and others. All these resources should be consulted and combined to produce an optimal level of security for the information system. Similarly, on a policy level, technical standards, codes of practice, legislation, public awareness, education, and training for security of information systems may be mutually reinforcing.

From another aspect, this principle acknowledges that information systems may be used for very different purposes and that the security requirements may vary as a result. For example, the civil and military branches of government may have dissimilar needs for security as may different types of businesses or the commercial sector and private individuals.


Proportionality Principle. Not every information system requires maximum security. Just as it is important that systems not be insufficiently secure, so it is futile to provide security beyond the reasonable requirements of the system. Rather, there is a hierarchy of information systems and their security needs that differs for each organization. For this reason, there is no one security solution.

In assessing security needs, the information should first be identified and a value assigned. Possible security measures, practices, and procedures available to protect the various elements of the information system should be enumerated and the costs of implementing and maintaining each of the security options calculated. The level and type of security should then be weighed against the severity and probability of harm and its costs as well as the cost of the security measures. This analysis should be carried out for the information system in the context of all other relevant procedures and systems, including other information systems.

Integration Principle. Security of information systems is best considered when the system is being designed. Measures for security may be formulated and tested to avoid incompatibility. Overall costs of security may also be reduced. Security is required at all phases of the information cycle — gathering, creating, processing, storing, transmitting, and deleting. Security is only as good as the weakest link in the system.

Timeliness Principle. In the environment of the interconnected information systems that span the globe, the importance of time and place is diminished. It is possible to gain access to information systems regardless of physical location. The Timeliness Principle acknowledges that, due to the interconnected and transborder nature of information systems and the potential for damage to systems to occur rapidly, parties may need to act together swiftly to meet challenges to the security of information systems. Depending upon the security breach, the relevant parties may be members of the public and private sectors and may be located in different countries or jurisdictions. This principle recognizes the need for the public and private sectors to establish mechanisms and procedures for rapid and effective cooperation in response to serious security breaches.

Reassessment Principle. This principle recognizes that information systems are dynamic. System technology and users, the data and information in the system, and, accordingly, the security requirements of the system are ever-changing. The information systems, their value, and the severity, probability, and extent of potential harm should, therefore, undergo periodic reassessment. Follow-up is as important as implementation, especially in light of new technological developments, whether those adopted by the system owner or those available for use by others.

Equity Principle. The security interests of owners, developers, operators, and users of information systems must be weighed against the legitimate interests in the use and flow of information with the aim of striking a balance in accordance with the principles of a democratic society. Those unfamiliar with security of information systems may presuppose that security of information systems may lead only to restrictions to access to and movement of data and information. On the contrary, security may enhance access and flow of data and information by providing more accurate, reliable, and available systems. For example, harmonization of technical security standards will help to prevent data and information islands and other barriers to data and information flows.

Implementation

National governments should strive to ensure that territorial subdivisions in their countries are aware of the Guidelines and their implications for areas within the competence of the subdivisions. They should communicate at the political level to all territorial subdivisions the text of the Guidelines, undertake every effort to urge their implementation, and consult regarding difficulties that may arise.

Self-regulation may take the form of codes of conduct or practice developed and adopted by individual organizations, industry, or professional associations or public sector agencies.

Policy Development: Worldwide Harmonization of Standards. There is a need for creation of appropriate technical security standards (including product and system evaluation criteria) with the widest possible geographic range of applicability. Their development should be the product of collaboration between, among others, governments, standards bodies, and vendors and users of information systems.

While seeking harmonized standards, it should be recalled that, as to individual situations, there can be no one security solution. Security needs vary considerably from sector to sector, company to company, department to department, and, as to given information systems, over time. Lack of an informed and balanced understanding of users’ needs may create a significant risk of “off-target” technology standardization. A productive first step is recognition of the inherent diversity and heterogeneity of users’ needs for information system safeguards.

Promotion of Expertise and Best Practice. Governments, public sector agencies, industry and professional associations and organizations should work together to promote expertise and to develop and promote awareness of concepts of “best practice” in the field of security of information systems. This may include notions of risk analysis, risk management, insurance, or audits. The particular program adopted may vary from organization to organization and from sector to sector. The security requirements of the banking sector, for example, may differ from those of other sectors.

Contract Formation and Validity. The goals of parties to an electronic transaction are not very different from those in a paper transaction. Generally, the participants in an information transfer, whether electronic or nonelectronic, want to know that the information came from the person who purports to have sent it, that it is received only by persons intended to receive it, and that it arrived in the intended form, unaltered and unmanipulated. Although the goals of parties to electronic and nonelectronic transactions may be basically the same, the manners of achieving these aims are not. They differ as a function of the means of creation, use, transmission, storage, and access to electronic and nonelectronic information. The manners in which the two types of information are protected perforce differ as well.

The challenge is to bring to electronic dealings the same level of confidence that at present exists for paper transactions. This may be accomplished in several ways. First, existing rules may be applicable to electronic situations. As necessary, existing rules may be modified and new ones developed. Technological means may also be employed. Further study and refinement of commercial laws involving electronic transactions might be useful, including rules relating to the validity of electronic signatures, the formation and validity of contracts created and executed in information systems, and enforcement of and liability for such contracts.

Allocation of Risks and Liability. There seems to be a dearth of rules relating to allocation of risks and liability for damage arising from security lapses. The relevant parties may include vendors, distributors, telecommunication operators, service providers, and users. Several systems may be involved in an information transfer, often including systems outside the ownership or control of the information processor or transmitter. The rights and duties of the parties involved may be unclear in cases of mistakes, omissions, failures of the various systems or other mishaps.

The need for such rules exists and is illustrated when funds that are electronically transferred between two financial institutions are lost or stolen. Such transfers may involve vast amounts of money, are common financial practice, and are made almost instantaneously and across international boundaries. Where existing rules are not sufficient, further development and refinement on the national and international levels on the manner in which to assign liability in cases of fraudulent or negligent wire transfers is supported.

Sanctions. Sanctions for misuse of information systems are an important means to protect the interests of those relying on information systems from harm resulting from attacks to the availability, confidentiality and integrity of information systems and their components. Examples of such attacks include damaging or disrupting information systems by inserting viruses and worms, alteration of data, illegal access to data, computer fraud or forgery, and unauthorized reproduction of computer programs. In combating such dangers, countries have chosen to describe and respond to the offending acts in a variety of ways. There is growing international agreement on the core of computer-related offenses that should be covered by national penal laws. This is reflected in the development of computer crime and data protection legislation in OECD member countries during the last two decades and in the work of the OECD and other international bodies on legislation to combat computer-related crime. National legislation should be reviewed periodically to ensure that it adequately meets the dangers arising from the misuse of information systems.

At the same time, it is recognized that many factors may aggravate or mitigate the seriousness of the conduct: the specific intent of the actor, the type of data affected (e.g., national security or medical data), the extent of the harm, and the extent to which the actor exceeded authorization. For minor violations, the use of administrative sanctions, such as the imposition of nonpenal fines by an administrative agency, is considered by some nations (especially in the area of data protection) to be sufficient. Other types of sanctions may include, for example, disciplinary measures against civil servants or civil sanctions.

The development of legislation in OECD member countries has already led, particularly under the influence of international organizations, including the OECD, to a certain degree of harmonization. To further international cooperation in penal matters (including in the areas of mutual assistance, extradition and other international cooperation described below), this harmonization process should be supported and taken into account by countries when reviewing their legislation.

Jurisdictional Competence. In addition to the jurisdictional competence of courts in matters relating to the security of information systems, some countries may wish to grant certain administrative agencies rights to impose administrative sanctions.

The transborder character of data flow on the one hand and the mobility of offenders on the other hand may create problems in prosecuting computer criminals. Ideally, there should be harmonized rules on extraterritorial jurisdiction. However, pending the development of such rules, individual countries should review the suitability of their domestic jurisdictional rules to deal with transborder offenses. In countries where the doctrine of ubiquity (a crime is committed where one of its elements takes place) is not acknowledged, difficulties arise as to the application of national computer crime laws. In such countries, it may be necessary to introduce special jurisdictional rules, as, for instance, was done in the United Kingdom, where the Computer Misuse Act 1990 claims jurisdiction when the hacker or computer is in the United Kingdom or where the interference makes use of a computer in the United Kingdom.

If a national of a state commits a computer-related crime in another state, problems may also arise when the crime is detected and the perpetrator is in the home country. Many countries do not extradite nationals. In such situations, an extension of the existing rules of extraterritorial jurisdiction (or the possibility of transfer of proceedings; see the following paragraph) should be considered with a view to creating the necessary prerequisites for a successful prosecution in at least one state.

Mutual Assistance and Extradition. Mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfer of proceedings, and other international cooperation in matters relating to the security of information systems may facilitate assistance to other countries in their investigations.

Evidence. Improved security of information systems, by enhancing the accuracy, completeness, and availability of data and information in the information system and, accordingly, by increasing the ability to rely on data and information in the system, may assist the introduction and use of such evidence in legal and administrative proceedings. Similarly, in legal systems with special formal requirements regarding evidence, clear rules of evidence in both penal and civil legal and administrative proceedings may make information systems more secure by providing more predictability in actions involving failures or breaches of security and by the potentially deterrent effect of such actions.

At present, electronic records may present problems for existing laws of evidence. For European continental countries, which have civil law systems, the admissibility of evidence in court is based upon the principle of free introduction and free evaluation of evidence. This is also the situation in Japan with respect to nonpenal matters. In theory, under such legal systems, a court may admit any material as evidence, including computer records, but it must then decide the value such material will be afforded as evidence.

In common law countries, however, the admissibility of evidence is subject to objection and governed by complex rules. Computer records, like any other documents, may present two issues. The first is authentication: Are the documents accurate and genuine? Are the printouts from the computer admissible either as “originals” or “copies” of the data in the system? In the United States, for example, the federal rules expressly allow authentication and admission of computer records. The second issue that common law systems must address with respect to any document is whether or not it contains hearsay. This pertains not to the form of the document (whether electronic data or handwritten) but to its content. Generally, it is possible to testify only about matters of which one has direct knowledge and not about something learned from secondary sources. This rule applies to documents as well as to individuals and, while the hearsay rule has many exceptions (the business records rule, for example), this issue must be recognized and anticipated.

Education and Training. An overarching task is the increase of awareness at every level of society, in governments and the private sector and among individuals, of the necessity for and the goals of security of information systems and good security practices. Promotion of awareness should also include awareness of the risks to information systems and of safeguards available to meet those risks. It is important to develop social consensus about proper use of information systems.

In building awareness, it is essential to have the cooperation of users of information systems and the commitment of management, especially senior management, to providing for security of information systems.

Education and training should be included in school curricula and should be provided for users, executive management, programmers, maintenance providers, information system managers (software managers, operations managers, and network managers), software development managers, managers charged with security of information systems, and auditors of information systems and of security of information systems, both internal and independent auditors. Trained, professionally qualified auditors should inspect and evaluate an information system. Information system auditors should possess knowledge of planning, development, and operation of information systems and of general auditing and should have actual experience in performing information system audits. It is equally important that law enforcement authorities, including police and investigators, and attorneys and judges receive adequate education and training.

Enforcement and Redress. Accessible and adequate means should be provided for the exercise and enforcement of rights related to the security of information systems and for recourse and redress of violations of such rights. This includes access to courts and provision of means for adequate investigative powers. Security breaches include failures and violations of security of information systems. There is a need for better cross-education, communication, cooperation, and sharing of information among law enforcement agencies, communications operators and service providers, and banks at national and international levels. Law enforcement authorities should cooperate to facilitate investigations in other countries.

Exchange of Information. Governments, the public sector, and the private sector should exchange information and establish procedures to facilitate the exchange of information relating to the Guidelines and their implementation. As part of their efforts, they should publish generally measures, practices, and procedures established in observance of the Guidelines and for the security of information systems. It is desirable that national governments make known to the OECD, other international bodies, and other governments their activities and those of their territorial subdivisions relating to the security of information systems, the Guidelines, and their implementation.

Cooperation. Governments, the public sector, and the private sector should develop measures, practices, and procedures that are simple and compatible with those of other parties that comply with the Guidelines, taking into consideration in their development the measures, practices, and procedures developed by others, so as to avoid, where possible, conflicts or obstacles. All laws adopted on regional, national, or provincial levels should be harmonized to meet the challenges of a worldwide technology.

Appendix C: GASSP Committee Foundation Document List

FOUNDATION DOCUMENT LIST (INCLUSIVE TO DATE) (DRAFT, 6/13/94)

The list is arranged alphabetically by contributing organization with individual documents shown numerically. Each document includes line items for title, publishing organization, individual author, and a brief description, where appropriate.

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS
1. Statements of the Accounting Principles Board — Copyright 1993, Chapter 6, Generally Accepted Accounting Principles (GAAP) — Pervasive Principles
   American Institute of Certified Public Accountants, Inc. (AICPA)

BELLCORE, BELL COMMUNICATIONS
1. Bellcore Operations Systems Security Requirements — Issue 1, 6/91
   Bellcore, Bell Communications Research Technical Advisory TA-STS-001194
2. Bellcore Standard Operating Environment Security Requirements — Issue 2, 6/91
   Bellcore

DEPARTMENT OF TRADE AND INDUSTRY (DTI)
1. A Code of Practice for Information Security Management — Copyright 1993
   Department of Trade and Industry (DTI) Commercial IT Security Group with Business Standards Institution (BSI)
2. The U.K. IT Security Evaluation and Certification Scheme — 10/92
   The Department of Trade and Industry (DTI) for Enterprise
3. User Requirements for IT Security Standards — Crown copyright 1992, U.K.
   Department of Trade and Industry (DTI) with BSI/DISC in association with the Sema Group

COMMISSION OF THE EUROPEAN COMMUNITIES (SOG-IS)
1. Green Book on the Security of Information Systems — Draft 3.7, 10/5/93 (Replaces 2.6 of 7/14/93)
   Commission of the European Communities, Senior Officials Group — Information Security (SOG-IS)
2. Information Technology Security Evaluation Criteria (ITSEC) — Provisional Harmonized Criteria — 6/92
   Commission of the European Communities, Senior Officials Group, Information Security (SOG-IS)
3. Information Technology Security Evaluation Manual (ITSEM) — V.1.0, 9/10/93 (replaces V.0.2, 4/92)
   Commission of the European Communities, DG XIII/B/B6
4. Joint Workplan for EC/US Cooperation on Security of Information Systems — DG XIII/F, 1, 2/27/92
   Senior Officials Group, Information Security (SOG-IS)
5. INFOSEC ’93 Security Investigations — 7/5/93
   Commission of the European Communities, DGXIII/B
   Roland Huber, Director DGXIII/B
6. Information Security — INFOSEC ’92 — Security Investigations — 1/92
   Senior Officials Group, Information Security (SOG-IS)

FEDERAL LAWS (U.S.)
1. Brooks Act (Pub. L. 89-306)
2. Paperwork Reduction Act (Pub. L. 96-511)
3. Warner (ASPA) Amendment (Pub. L. 97-86)
4. Federal Managers’ Financial Integrity Act of 1982 (Pub. L. 97-225)
5. Paperwork Reauthorization Act of 1986 (Pub. L. 99-500)
6. Competition in Contracting Act (Pub. L. 98-369)
7. Computer Security Act of (Pub. L. 100-235)
8. Privacy Act of 1974 (Pub. L. 93-579)
9. Copyright Act of 1980 (17 USC)
10. Trade Secrets Act (18 USC 1905)
11. Patent and Trademark Laws (31 USC)
12. Electronic Communications Privacy Act (Pub. L. 99-508)
13. Counterfeit Access Device and Computer Fraud and Abuse Acts (Pub. L. 98-473, Pub. L. 99-474)
14. Public Printing and Documents Act (44 USC 33)
15. Computer Matching and Privacy Protection Act (Pub. L. 100-503)
16. Freedom of Information Act (Pub. L. 90-23)

FEDERAL REGULATIONS (U.S.)

1. Federal Acquisition Regulation (FAR) (48 CFR 1-51)

2. Federal Information Resources Management Regulation (FIRMR) (41 CFR 101)

INFOSEC BUSINESS ADVISORY GROUP (IBAG)

1. INFOSEC Business Advisory Group, Draft Constitution, Rules of Procedure, Draft Objective. Infosec Business Advisory Group (IBAG)

2. The IBAG Framework for Commercial IT Security — V 2.0, 9/93 (Replaces Discussion Draft, 2/93). Infosec Business Advisory Group (IBAG)

COMMISSION OF THE EUROPEAN COMMUNITY (CEC)

1. Proceedings of the Third Concertation Meeting for the Security Investigations Projects — 6/18-19/92. Commission of the European Community (CEC)

COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO)

1. Internal Control — Integrated Framework — 9/92. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Coopers & Lybrand, Author

COMMUNICATIONS SECURITY ESTABLISHMENT (CSE), GOVERNMENT OF CANADA

1. Trusted Systems Environment Guideline — (CID/09/17) Interim, 12/92. Communications Security Establishment (CSE), Government of Canada

DEPARTMENT OF DEFENSE (U.S.)

1. Department of Defense Trusted Computer System Evaluation Criteria — DOD 5200.28.STD (Orange Book), 12/85. Department of Defense Standard, U.S. Department of Defense

EDP AUDITORS FOUNDATION, INC.

1. Control Objectives, Copyright 1992. EDP Auditors Foundation, Inc. David H. Li, Ph.D., CPA, Director of Research

Information Systems Security, Fall 1999

GASSP COMMITTEE

1. Generally Accepted Security Principles (GASP). GASSP Committee. Hal Tipton

2. Generally Accepted System Security Principles — Draft, Rev. 4.1., 3/30/94. GASSP Committee. Jim Appleyard

IBM

1. Information Systems Security Controls and Procedures — Data Security Support Programs — Third Edition, 2/86. IBM

INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA)

1. Information Systems Security Common Body of Knowledge — 10/4/89. ISSA Committee on the Information Systems Security Common Body of Knowledge. Bill Murray, Chairman

2. The Consensus Common Body of Knowledge — 2nd Draft, 9/93. The Forum Invitational Workshop on Information Technology Security Training and Professional Development. Bill Murray, Chairman

INSTITUTE OF INTERNAL AUDITORS (IIA)

1. Systems Auditability and Control (SAC) — 1994. Institute of Internal Auditors Research Foundation (IIA RF)

INTERNATIONAL STANDARDS ORGANIZATION (ISO)

1. Resolutions Taken at the First Plenary Meeting of ISO/IEC JTC1/SC27, Stockholm, Sweden — 4/24–26/90. International Standards Organization (ISO) XC27 Secretariat

MINISTRY OF INTERNATIONAL TRADE AND INDUSTRY (MITI)

1. Study Document for Assurance Requirements in Japanese Computer Security Criteria — 10/93. Ministry of International Trade and Industry (MITI)

NATIONAL FIRE PROTECTION ASSOCIATION

1. The NFPA Standards-Making System. National Fire Protection Association. Arthur E. Cote, P.E., Secretary, Standards Council

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) (U.S.)

1. Workshop on Security Procedures for the Interchange of Electronic Documents: Selected Papers and Results — NISTIR 5247, 8/93. National Institute of Standards and Technology (NIST). Roy G. Saltman, Editor

2. Minimum Security Functionality Requirements for Multi-User Operating Systems — Draft, Issue 1, 1/27/92, Federal Criteria Project #1. National Institute of Standards and Technology (NIST), Computer Security Division

3. Minimum Security Requirements for Multi-User Operating Systems — A Protection Profile for the USA Information Security Standard, Issue 2, Federal Criteria Project #2, 8/7/92. National Institute of Standards and Technology (NIST), Gaithersburg, MD

4. Federal Criteria for Information Technology Security — Volume I, Protection Profile Development — Version 1.0, Federal Criteria Project #3, 12/92. National Institute of Standards and Technology (NIST) and National Security Agency (NSA)

5. Federal Criteria for Information Technology Security Workshop Proceedings — Issue 1.0, Federal Criteria Project #4, 7/30/93. U.S. Department of Commerce, National Institute of Standards and Technology, Department of Defense, National Security Agency

OFFICE OF MANAGEMENT AND BUDGET (OMB) CIRCULARS (U.S.)

1. OMB Circular A-123, Internal Control Systems

2. OMB Circular A-127, Financial Management Systems

3. OMB Circular A-130, Management of Federal Information Resources

OFFICE OF PERSONNEL MANAGEMENT REGULATIONS (U.S.)

1. The Office of Personnel Management’s (OPM) Regulation (5 CFR 930)

2. OPM’s Federal Personnel Manual (Ch. 731, 732, and 736)

SYSTEM SECURITY STUDY COMMITTEE, NATIONAL RESEARCH COUNCIL (U.S.)

1. Computers At Risk — Safe Computing in the Information Age — 4/92. System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council

ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (OECD)

1. Guidelines for the Security of Information Systems — 11/26/92. Organization for Economic Cooperation and Development (OECD). DG(92)190

2. Ad Hoc Group of Experts on Guidelines for the Security of Information Systems — 9/18/92. Organization for Economic Cooperation and Development (OECD), Directorate for Science, Technology and Industry, Committee for Information, Computer and Communications Policy

3. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data — 9/23/81. Organization for Economic Cooperation and Development (OECD)

PANACEA LIMITED, U.K.

1. Information Systems Security and the Multinational Enterprise — 11/8/93. Panacea Limited, U.K. Clive W. Blatchford

SENSORMATIC ELECTRONICS CORPORATION

1. Investment in the Future — Computer and Information Security Embedded in Integrated Corporate Security Plan, Version 1.0, 6/93. Sensormatic Electronics Corporation (Prepared for American Society for Industrial Security, ASIS). Samuel G. Shirley

SRI INTERNATIONAL

1. I-4 Baseline Controls: A Checklist — Draft, 4/93. SRI International, International Information Integrity Institute (I-4)

2. The Baseline Controls — Copyright 1988. SRI International, International Information Integrity Institute (I-4)

3. Commercial International Security Requirements (CISR) — 4/92. SRI International, International Information Integrity Institute (I-4). Ken Cutler, American Express and Fred Jones, Electronic Data Systems

SIMPLOT DECISION CENTER, IDAHO STATE UNIVERSITY

1. The Body of Knowledge — Draft, 11/4/93. Simplot Decision Center, Idaho State University. Bill Murray, Chairman


Appendix D: GASSP Management Infrastructure

1. Framework

The GASSP infrastructure is in the process of being defined through a deliberative process of the GASSP Committee under the auspices of the International Information Security Foundation (I2SF) with input from other interested parties.

1.1 GASSP Governing Board

It is the committed purpose of the I2SF to sustain continued leadership and support this important effort. This effort was initiated as an ISSA President’s Committee. The structure for the I2SF Committee for Generally Accepted System Security Principles (GASSP) is as follows.

1.1.1 GASSP Oversight Committee. The GASSP Oversight Committee, hereafter referred to as Oversight Committee, has been established to provide independent review of GASSP Committee operations, to coordinate liaison activities, to monitor the management process, and to perform quality assurance reviews. The Chair of the Oversight Committee is the I2SF Chairman of the Board of Directors. The Chair is to be initially assisted by a select committee of four (4) information systems security specialists: one representative from a standard-setting organization; one I2SF member who is a certified auditor; and two I2SF members who are Certified Information Systems Security Professionals. Members of the Oversight Committee may not be currently serving on the GASSP Committee. The Oversight Committee Chair will appoint the members of the Oversight Committee, with the concurrence of the I2SF Chairman. The Oversight Committee will periodically review the status and progress of the GASSP project and report the results to the I2SF Board of Directors.

1.1.2 GASSP Advisory Council. The Oversight Committee Chair, with input from the GASSP Committee Chair, will appoint, with the concurrence of the I2SF Chairman, an eight (8)-member GASSP Advisory Council, hereafter referred to as the Advisory Council. The Advisory Council will comprise four recognized information security specialists knowledgeable of the GASSP process but not members of the GASSP Committee, and will include a representative from the National Institute of Standards and Technology (NIST) and three representatives from the international community. One of the Advisory Council members will be appointed as the Advisory Council Chair by the Oversight Committee Chair. The Advisory Council will be responsible for reviewing and commenting on all GASSP Committee activities, products, and materials. The Advisory Council will provide its advice and, on a periodic schedule and upon request, written reports to the I2SF Board of Directors through the Oversight Committee Chair.

1.1.3 GASSP Committee. The GASSP Committee will select a chairperson. Working groups will be formed, drawing on GASSP Committee membership, to address specific tasks in execution of the GASSP project plan (as represented in the GASSP Strategic and Business Plans). Tasks not specifically addressed by the plan, or requiring more specific guidance than provided by the plan, will require the development of a not-to-exceed one-page description of each new task. The one-page task description will include a task summary (e.g., what is to be accomplished, how it will be completed), objectives, deliverables, milestones, and schedule for completion. The new task descriptions will be developed with the advice and consultation of the Advisory Council and be forwarded to the Oversight Committee Chair to provide advance notice of the work effort. The Oversight Committee Chair may provide guidance on new tasks as necessary. The GASSP Committee Chair will coordinate all GASSP activities with the Advisory Council and the Oversight Committee, which includes producing quarterly status reports of progress based on the GASSP plan, new tasks, and schedules. All GASSP products will be developed with the active advice and consultation of the Advisory Council in advance of being submitted to the Oversight Committee Chair. All communications of the GASSP Committee will be issued by either the I2SF Board of Directors or the GASSP Committee Chair following prior approval of the Oversight Committee Chair. All final products of the GASSP Committee will be issued or published by the Oversight Committee.

1.2 Information Security Principles Board

The GASSP Information Security Principles Board will consist of respected information security practitioners, industrialists, educators, and government employees. The board will:

■ Publish proposed and approved opinions of the profession about accepted principles, standards, conventions, and mechanisms.
■ Establish a process for gathering and evaluating comments about proposed opinions and including merited opinions in the GASSP.
■ Establish processes for reporting and recommending disciplinary action to certified bodies for professional conduct not in accordance with GASSP.
■ Establish processes for professionals to secure authorization to deviate from GASSP without censure or loss of certification.
■ Utilize and support the Body of Knowledge upon which certification of information security professionals is based.

1.3 Information Security Profiles Board

An Information Security Profiles Board will be established to publish proposed and approved opinions regarding principles, standards, conventions, mechanisms to be included or adhered to in information technology products, and information security considerations. A product certification process and periodic audits of product compliance with GASSP will support these opinions. Product certification will be addressed by the Common Criteria.

The Common Criteria is a document and process being developed by NIST, NSA, and international organizations to create protection profiles that may be used by vendors to build information technology products that meet organizations’ needs. The process of creating a profile includes a step for specifying evaluation criteria.