The group yesterday released high-level parts of what it calls the Generally Accepted Information Security Principles, and members said they expect to have detailed technology-level guidelines finished before 2003 is out.

Mike Rasmussen, director of information security research at Forrester Research Inc, is heading the committee that is developing GAISP. He told ComputerWire the work is meant to fill a critical hole in the industry.

"In accounting there are generally accepted accounting principles, GAAP, the bible for accounting," Rasmussen said at the RSA Security 2003 show in San Francisco yesterday. "What we're doing is writing the bible for information security."

Legislation and government regulation in the US and elsewhere have created situations where companies can be sued and executives can go to jail as a result of not only having inadequate security, but having inadequate guidelines for establishing security.

The US Sarbanes-Oxley Act of 2002, brought in post-Enron, requires CEOs, CFOs and auditors to sign off financial reports. If an accounting system is insecure, these people are potentially jeopardizing their livelihoods by signing off on faked data.

Rasmussen said he is aware of one major auditor refusing to sign off a client’s accounts after the audit merely discovered the company’s accounting systems had allowed unprotected Telnet connections to be established.

ISSA will create three tiers of guidelines. Pervasive Principles take a high-level view, and are aimed at senior management and board-level readers. Broad Functional Principles break these down further into operational management guidelines.

Both these are already drafted. What will take a little longer are the Detailed Principles, aimed at technical readers, which will drill deeper into the expected functionality of specific types of security precaution. For example, what does a firewall need to do?

It’s ISSA’s intention to work with other standards organizations for some of its guidelines. Technical guidelines for the functionality found in various types of security products are already found in Common Criteria certifications, for example.

"It's not our intention to compete against other standards organizations," Rasmussen said. "We'll work with them, and the Common Criteria is a very important one for us."

The GAISP is a long-running project, with its roots in Recommendation #1 of the Computers at Risk report, published by the National Research Council in 1990: "To promulgate comprehensive Generally Accepted System Security Principles."

Between then and now, the concept and breadth of information security has changed fundamentally. ISSA representatives said only in the last 12 to 24 months has the industry come to a point where the need for the principles is universally acknowledged.

ISSA said it has industry backing for the work: Archer Technologies, Computer Associates, netForensics, NetScreen Technologies, SecureInfo, Sun Microsystems and Symantec sponsored yesterday’s announcement.

Source: Computerwire