Generally Accepted Information Security Principles (GAISP)

Computer security is ultimately the responsibility of upper management.

GAISP will collect information security principles which have been proven in practice and accepted by practitioners, and will document those principles in a single repository. GAISP will draw upon established information security guidance and standards to create comprehensive, objective guidance for IS professionals, organizations, governments, and users. The use of existing, accepted documents and standards will ensure a high level of acceptance for the final GAISP product, and will enable a number of benefits to be gained.

The GAISP will establish and reference an Authoritative Foundation of existing works that, through their broad acceptance, have articulated, in one way or another, the GAISP of the information security profession. Recognizing the hierarchic nature of principles, GAISP will be organized in three levels: The Pervasive Principles which target governance and describe the conceptual goals of information security; the Broad Functional Principles which target management and describe specific building blocks (what to do) that comprise the Pervasive Principles; and the Detailed Principles, which target the information security professional and include specific "how to" guidance for implementation of optimal information security practices.

GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. Then, these principles will be reviewed and vetted by skilled information security experts and authorities who will ensure that each principle is:

• Accurate, complete, and consistent

• Compliant with its stated objective

• Technically reasonable

• Well-presented, grammatically and editorially correct

• Conformant with applicable standards and guidelines

THE PRINCIPLES ARE:

Computer security supports the mission of the organization

Computer security is an integral element of sound management

Computer security should be cost-effective

Systems owners have security responsibilities outside their own organization

Computer security responsibilities and accountability should be made explicit

Computer security requires a comprehensive and integrated approach

Computer security should be periodically reassessed

Computer security is constrained by societal factors