IS Group Takes Stewardship of Security Accounting

Written By
Michael Singer
Apr 17, 2003

SAN FRANCISCO — Taking its cue from the financial industry’s generally accepted accounting principles (GAAP), an Internet security board said it will soon finalize similar standards for protecting IT infrastructures.

The Information Systems Security Association (ISSA) this week said it will take ownership of completing the Generally Accepted Information Security Principles (GAISP). The idea is to give the security community a globally consistent, practical framework for protecting information. The Owl Creek, WI-based non-profit presented its proposal at the RSA Security conference here.

“While the security industry has made great progress over the last five years, there is a lack of guidance for the security professional as a whole,” said newly appointed GAISP Committee chair Michael Rasmussen. He recently served as vice president of the ISSA International Board and director of research for information security at Forrester Research.

The ISSA international board consists of representatives from Dell Computer, EDS, Forrester, Symantec and Washington Mutual.

“We intend to work with existing standards and government regulations to formulate a body of guidance that is developed, published, and maintained by the information security profession.”

The GAISP originated over ten years ago in response to Recommendation #1 of the report “Computers at Risk,” published by the National Research Council in 1990. The report’s recommendation was “to promulgate comprehensive Generally Accepted System Security Principles (GASSP).” The new framework is also loosely based on IS 17799, the standard for a security code of practice from the International Organization for Standardization (ISO). ISSA said the name has been changed to Generally Accepted Information Security Principles to reflect the protection of information as the primary objective.

The final body of the GAISP will consist of the Pervasive Principles, which target organizational governance and executive management; the Broad Functional Principles, which target operational management; and the Detailed Principles, intended to address the practical measures necessary for an organization to consider in its efforts to achieve the conceptual goals of the Pervasive Principles.

ISSA says the three levels of security guidance will give organizations an overall reference for developing a strategically sound and effective security system.

The GASSP initiative has since been carried by the International Information Security Foundation (IISF), which has made notable progress in this effort. ISSA said it now sees the opportunity to take over what has been accomplished so far and use its collective knowledge to complete this important document.
