Which of the following is NOT a Generally Accepted System Security Principle (GASSP)?
A. Computer security supports the mission of the organization
B. Computer security should be cost-effective
C. The conception of computer viruses and worms is unethical.
D. Systems owners have security responsibilities outside their organization.
Explanation:
The Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms. However, it is not a best practice to create and distribute worms 🙂
GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. These principles are then reviewed and vetted by skilled information security experts and authorities who ensure that each principle is:
Accurate, complete, and consistent
Compliant with its stated objective
Technically reasonable
Well-presented, grammatically and editorially correct
Conforms to applicable standards and guidelines
The principles are:
1. Computer security supports the mission of the organization
2. Computer security is an integral element of sound management
3. Computer security should be cost-effective
4. Systems owners have security responsibilities outside their own organization
5. Computer security responsibilities and accountability should be made explicit
6. Computer security requires a comprehensive and integrated approach
7. Computer security should be periodically reassessed
8. Computer security is constrained by societal factors
NOTE: The GAISP are no longer supported or active. NIST is now producing standards for the US government. However, there are still remnants of GAISP on the exam and, as you can see, the list is most certainly applicable today on the ethics side. The GAISP is also known as NIST SP 800-14.
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 302).
http://all.net/books/standards/GAISP-v30.pdf