Friday, September 25, 2009

Generally Accepted System Security Principles

In September 1996, the National Institute of Standards and Technology in the Technology Administration of the U.S. Department of Commerce developed Principles and Practices for securing Information Technology Systems. The document provides a baseline that organizations can use to establish or review their IT security programs. The eight principles address computer security from a high-level viewpoint. The fourteen practices guide organizations on the types of controls, objectives, and procedures that comprise an effective IT security program.
The eight principles in the following list provide an anchor or guide when creating new systems, practices, or policies. The United States endorsed the international OECD Guidelines, which were developed to provide a foundation from which governments and the private sector could construct a framework for securing IT systems. The principles are based on those guidelines, as documented in NIST Special Publication (SP) 800-14: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

Generally Accepted Principles

1. Computer Security Supports the Mission of the Organization
Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

2. Computer Security is an Integral Element of Sound Management
Organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls.

3. Computer Security Should Be Cost-Effective
Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.

5. Computer Security Responsibilities and Accountability Should Be Made Explicit
This principle states that people and other entities (such as corporations or governments) have responsibility and accountability for IT systems, that this responsibility may be shared, and that it should be documented explicitly.

6. Computer Security Requires a Comprehensive and Integrated Approach
Managers should recognize how computer security relates to other areas of systems and organizational management. Many other important interdependencies may exist that are often unique to the organization or system environment.

7. Computer Security Should Be Periodically Reassessed
Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time. These issues make it necessary to periodically reassess the security of IT systems.

8. Computer Security is Constrained by Societal Factors
The flow of information, especially between a government and its citizens, is a situation where security may need to be modified to support a societal goal. In addition, some authentication measures may be considered invasive in some environments and cultures.

Generally Accepted Practices

The practices serve as a companion to NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. The following list gives the practices currently employed in an effective computer security program. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

1. Policy
Directives for senior management to create a computer security program, establish its goals, and assign responsibilities.

2. Program Management
Program management of computer security at multiple levels is important because it contributes to the overall program utilizing different types of expertise, authority, and resources.

3. Risk Management
Requires the analysis of risk relative to potential benefits, consideration of alternatives, and implementation of what management determines to be the appropriate course of action.

4. Life Cycle Planning
Most IT system life cycle models contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

5. Personnel/User Issues
No IT system can be secured without properly addressing a broad range of security issues related to how individuals interact with computers and the access and authorities they need to do their jobs.

6. Preparing for Contingencies and Disasters
Contingency planning addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small.

7. Computer Security Incident Handling
An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing.

8. Awareness Training
An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.

9. Security Considerations in Computer Support and Operations
Failure to consider security as part of the support and operations of IT systems is a significant weakness. Security must be included in user and software support. Configuration management, backups, and media controls are just some of the areas that must take security into consideration.

10. Physical and Environmental Security
Physical and environmental security controls are implemented to protect the facility housing systems resources, the system resources themselves, and the facilities used to support their operations.

11. Identification and Authentication
Identification and authentication is a critical building block of computer security, since it is the basis for most types of access control and for establishing user accountability.

12. Logical Access Control
Organizations should implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems.

13. Audit Trails
Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification.

14. Cryptology
Cryptography provides an important tool for protecting information and is used in computer security. Several important issues should be considered when designing, implementing, and integrating cryptography in an IT system.