An industry group is promoting better handling of security policy within companies with an initiative that draws on firms' experience of accounting principles.
The Generally Accepted Information Security Principles (GAISP), launched at the RSA Conference in San Francisco, are intended as a set of guidelines like the Generally Accepted Accounting Principles (GAAP) that US corporations follow when they submit their accounts. GAISP will include a set of procedures by which any company can derive its own security architecture.
The industry group promoting them, ISSA (Information Systems Security Association), will promote GAISP as a badge of honour for companies that are secure, and hopes the analogy will make it easy for companies to grasp the value of following GAISP.
The work began in 1990 under the name GASSP (Generally Accepted System Security Principles), and draws on other work including IS 17799, the standard for a security code of practice from the International Organization for Standardization (ISO), which was originally developed by the British Standards Institute.
"It is an initiative for companies to prove their level of security," said Kurt Roemer, regional systems engineer at NetContinuum, and on the ISSA board. "Standards like IS 17799 are not prescriptive enough."
A more prescriptive part of the IS 17799 standard is being created, but even this allows companies to set their security targets low, and thereby appear to comply, according to the ISSA.
"GAISP will be consistent right from the board to the trenches," said risk management specialist Will Ozier, of ODA, a long-time worker on GAISP with ISSA. "It will use quantitative risk metrics, putting values on the data and the risks to it. The standard will get pretty damn specific."
Although GAAP is a US-only standard -- owing to the difference in accounting practices in different countries -- the ISSA hopes to make GAISP an international specification. It will be launched in Europe at the Infosec show in London on 29 April. ISSA, a volunteer organisation, was founded in the US 20 years ago, but has several chapters in Europe.
The group has mapped the ISO standard and others to GAISP, so that compliance to GAISP would automatically imply compliance with the looser IS 17799, which could be useful in countries that might mandate IS 17799. "We are not recreating the wheel," said Roemer. "We endorse IS 17799."
GAISP will be complete by the end of 2003, according to Mike Rasmussen, director of research at analyst firm Giga Information Group, and vice president of marketing for ISSA. "It will be a living document," he said. "It will be updated on a twice-yearly or quarterly basis."
The initiative has been funded by several security vendors, including Computer Associates, NetScreen, Sun Microsystems and Symantec. "It's a win-win situation with Sun's commitment to standards and best practice," said Joanne Masters, director of Sun's global security programmes office.
In time ISSA hopes that GAISP compliance will be audited by third parties, just as with GAAP, but the concept needs to gain more acceptance through take-up by companies.