Filling in security GAAPs

An initiative launched at the RSA Conference in San Francisco this week aims to answer those questions through the establishment of practical guidance that draws on corporate experience with accounting principles.

The Generally Accepted Information Security Principles (GAISP) are intended to be a set of guidelines similar to the Generally Accepted Accounting Principles (GAAP) that U.S. corporations follow when they submit their financial reports. GAISP will include a set of procedures by which any company can derive its own security architecture.

The industry group promoting the principles, Information Systems Security Association (ISSA), will pitch GAISP as a badge of honor that companies can use to boast that they are secure.

The work began in 1990 under the name GASSP (Generally Accepted System Security Principles), and draws on other work including IS 17799, the standard for a security code of practice from the International Organization for Standardization (ISO), which was originally developed by the British Standards Institute.

?It is an initiative for companies to prove their level of security,? said Kurt Roemer, a regional systems engineer at NetContinuum who is a member of ISSA?s board. ?Standards like IS 17799 are not prescriptive enough.? A second part of the IS 17799 standard that is in progress describes a process to create a security strategy, but even this allows companies to set low targets.

?GAISP will be consistent right from the board to the trenches,? said risk management specialist Will Ozier of ODA. ?It will use quantitative risk metrics, putting values on the data and the risks to it. The standard will get pretty damn specific.?

Although GAAP is a U.S.-only standard--different accounting practices are used in different countries--ISSA hopes to make GAISP a global standard. It will be launched in Europe at the Infosec show in London later this month. ISSA, a volunteer organization, was founded in the United States 20 years ago and has several chapters in Europe.

The group has mapped the ISO standard and others to GAISP, so that compliance to those principles would automatically imply compliance with the looser IS 17799, which could be useful in countries that might mandate it. ?We are not recreating the wheel,? said Roemer. ?We endorse IS 17799.?

GAISP will be complete by the end of 2003, according to Mike Rasmussen, director of research at analyst firm Giga and vice president of marketing for ISSA. ?It will be a living document,? he said. ?It will be updated on a twice-yearly or quarterly basis.?

The initiative has been funded by several security vendors, including Computer Associates, NetScreen, Sun Microsystems and Symantec. ?It?s a win-win situation with Sun?s commitment to standards and best practices,? said Joanne Masters, director of Sun?s global security programs office.

ISSA hopes that GAISP compliance eventually will be audited by third parties, just as with GAAP, but the concept first needs to gain more acceptance among companies.