Generally Accepted System Security Principles
Appendix A: Guidance from Computers at Risk
Appendix A: Guidance from Computers at Risk
Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
Major recommendations from Computers at Risk that are addressed by
GSSP.
- 1. Promulgation of a comprehensive set of Generally Accepted
System Security Principles, referred to as GSSP, which would provide a
clear articulation of essential features, assurances, and practices.
- 2. A set of short-term actions for system vendors and users that
build on readily available capabilities and would yield immediate
benefits.
- 3. Directions for a comprehensive program of research.
- 4. Establishment of a new organization to nurture the development,
commercialization, and proper use of trust technology, referred to as
the Information Security Foundation, or ISF.
Specific guidance from CAR for recommendation 1 and others related
to GSSP is as follows:
- 1. Promulgate comprehensive Generally Accepted System Security
Principles (GSSP).
- a. Establish a set of GSSP for computer systems.
- b. Consider the system requirements specified by the Orange Book
for the C2 and B1 levels as a short-term definition of GSSP and a
starting point for more extensive definitions.
- c. Establish methods, guidelines, and facilities for evaluating
products for conformance to GSSP.
- d. Use GSSP as a basis for resolving differences between U.S. and
foreign criteria for trustworthy systems and as a vehicle for shaping
inputs to international discussions of security and safety standards.
- 2. Take specific short-term actions that build on readily
available capabilities.
- a. Develop security policies.
- b. Use as a first step the Orange Book's C2 and B1 criteria.
- c. Use sound methodology and modern technology to develop
high-quality software.
- d. Implement emerging security standards and participate actively
in their design.
- 3. Establish an Information Security Foundation to address needs
that are not likely to be met adequately by existing entities.
- a. Establishment of GSSP
- b. Research on computer system security, including evaluation
techniques
- c. System evaluation
- d. Brokering and enhancing communications between commercial and
national security interests
- e. Focused participation in international standardization and
harmonization efforts for commercial security practice