Standard Practice, Best Practice, Due Diligence, Due Care

I am NOT a legal professional. These notes describe how there is a civil court “breach of care” liability if secure practices are not implemented. The “principle of culpable negligence” is the other phrase I was looking for.

There are Generally Accepted System Security Principles (GASSP) and Generally Accepted Principles and Practices for Securing Information Technology Systems (GAPPSITS). The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Federal Information Security Management Act (FISMA) Implementation Project is another publicly available source of information systems best practices. Therefore, there are documented standards of care: practices which a reasonable and prudent person would employ.

In civil cases, tort law could hold you liable if you do not act as a reasonable and prudent person would. See, for example, Tort Law by Mark Lunney and Ken Oliphant (3rd ed., p. 170). Be familiar with regulatory requirements and criminal law, and be familiar with these standard practices.

Note: The White House May 2009 Cyberspace Policy Review states that “legal concepts for ‘standard of care’ to date do not exist for cyberspace.” Two caveats: (1) I am NOT a legal professional; (2) note the phrase “to date,” meaning “no case law.” September 2, 2009: a court allowed a negligence claim against Citizens Financial Bank for not implementing strong security. Allowing the claim is not case law. Allowing the claim does, however, recognize that user name and password authentication could be found insufficient.

In the 1991 U.S. Federal Sentencing Guidelines, punishment is a function of the extent to which the organization has demonstrated due diligence. Responsibility is placed upon senior organizational management with fines of up to $290 million.

Security practices should not be an odious burden; they are generally what a reasonable and prudent person would do.

The [GASSP] Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP) that represent the conceptual goals of information security.

The GASSP Broad Functional Principles are:

  1. Information Security Policy – Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.
  2. Education and Awareness – Management shall communicate information security policy to all personnel and ensure that all are appropriately aware. Education shall include standards, baselines, procedures, guidelines, responsibilities, related enforcement measures,
  3. Accountability – Management shall hold all parties accountable for their access to and use of information, e.g., additions, modifications, copying and deletions, and supporting Information Technology resources. It must be possible to affix the date, time, and responsibility, to the level of an individual, for all significant events.
  4. Information Management – Management shall routinely catalog and value information assets, and assign levels of sensitivity and criticality. Information, as an asset, must be uniquely identified and responsibility for it assigned.
  5. Environmental Management – Management shall consider and compensate for the risks inherent to the internal and external physical environment where information assets and supporting Information Technology resources and assets are stored, transmitted, or used.
  6. Personnel Qualifications – Management shall establish and verify the qualifications related to integrity, need-to-know, and technical competence of all parties provided access to information assets or supporting Information Technology resources.
  7. System Integrity – Management shall ensure that all properties of systems and applications that are essential to or relied upon to support the organization’s mission are established, preserved, and safeguarded.
  8. Information Systems Life Cycle – Management shall ensure that security is addressed at all stages of the system life cycle.
  9. Access Control – Management shall establish appropriate controls to balance access to information assets and supporting Information Technology resources against the risk.
  10. Operational Continuity and Contingency Planning – Management shall plan for and operate Information Technology in such a way as to preserve the continuity of organizational operations.
  11. Information Risk Management – Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.
  12. Network and Infrastructure Security – Management shall consider the potential impact on the shared global infrastructure, e.g., the Internet, public-switched networks, and other connected systems when establishing network security measures.
  13. Legal, Regulatory, and Contractual Requirements of Information Security – Management shall take steps to be aware of and address all legal, regulatory, and contractual requirements pertaining to information assets.
  14. Ethical Practices – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.

The National Institute of Standards and Technology (NIST) subsequently produced its Generally Accepted Principles and Practices for Securing Information Technology Systems:

Generally Accepted System Security Principles

  1. Computer Security Supports the Mission of the Organization
  2. Computer Security is an Integral Element of Sound Management
  3. Computer Security Should Be Cost-Effective
  4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
  5. Computer Security Responsibilities and Accountability Should Be Made Explicit
  6. Computer Security Requires a Comprehensive and Integrated Approach
  7. Computer Security Should Be Periodically Reassessed
  8. Computer Security is Constrained by Societal Factors

Common IT Security Practices

  1. Policy
    1. Program Policy
    2. Issue-Specific Policy
    3. System-Specific Policy
    4. All Policies
  2. Program Management
    1. Central Security Program
    2. System-Level Program
  3. Risk Management
    1. Risk Assessment
    2. Risk Mitigation
    3. Uncertainty Analysis
  4. Life Cycle Planning
    1. Security Plan
    2. Initiation Phase
    3. Development/Acquisition Phase
    4. Implementation Phase
    5. Operation/Maintenance Phase
    6. Disposal Phase
  5. Personnel/User Issues
    1. Staffing
    2. User Administration
  6. Preparing for Contingencies and Disasters
    1. Business Plan
    2. Identify Resources
    3. Develop Scenarios
    4. Develop Strategies
    5. Test and Revise Plan
  7. Computer Security Incident Handling
    1. Uses of a Capability
    2. Characteristics
  8. Awareness and Training
  9. Security Considerations in Computer Support and Operations
  10. Physical and Environmental Security
  11. Identification and Authentication
    1. Identification
    2. Authentication
    3. Passwords
    4. Advanced Authentication
  12. Logical Access Control
    1. Access Criteria
    2. Access Control Mechanisms
  13. Audit Trails
    1. Contents of Audit Trail Records
    2. Audit Trail Security
    3. Audit Trail Reviews
    4. Keystroke Monitoring
  14. Cryptography

ISO and ITIL best practices would not enjoy the same “civil enforceability status” as these publicly available standards of care, because you have to pay to read them. Reading the ISO and ITIL best practices is still a good idea; you get the expertise of others very inexpensively. However, in a civil case, if one introduced an ISO or ITIL best practice as that which a reasonable and prudent person would perform, the counter-argument is that a paid-for ISO or ITIL best practice must include some proprietary or secret information that a reasonable person would not be expected to know. Therefore, simply appearing in an ISO or ITIL best practice does not by itself meet the “reasonable and prudent person” threshold.

ISO IEC 27002 2005 (née 17790 2005) summarized by Praxiom Research Group Limited. ISO 17799 2000 summarized by Praxiom Research Group Limited. Summaries at (to registered users).

UK: Financial Services Authority (FSA) delivers largest data loss fine yet. Unencrypted customer data lost in the mail, left on shelves.
