At last: an agreement on best security practices

William Jackson

One of the trickiest issues in securing computer systems and their data is that, although plenty of information is available, few practitioners agree about best practices.

An informal group of security experts is trying to create such a body of knowledge.

CASPR, short for commonly accepted security practices and recommendations, will be a series of peer-reviewed papers setting baseline best practices for a number of areas.

The idea is hardly unique, but the authors nevertheless expect CASPR to fill a void.

'We have found nothing comparable that is comprehensive and designed to be used by everyone,' said Bob Johnston, security adviser for Cogentric Inc. of Portsmouth, N.H., who is spearheading the project.

Several groups have agreed on best practices specific to their industries, such as insurance and financial services. And the International Standards Organization late last year published its Code of Practice for Information Security Management.

'We will probably be two levels finer than the ISO model,' Johnston said.

But the information security community remains fractious. It's almost unheard of for all involved to agree about anything. Help in establishing a baseline for best practices should be welcome, however.

CASPR started in April on a moderated Internet forum for security professionals who are certified by the International Information Systems Security Certification Consortium Inc., or ISC2, of Framingham, Mass. More than 200 of the forum's 900 members had signed on for the CASPR project as of early last month.

CASPR workgroups will produce papers about Unix security, certification and accreditation, security metrics, infosec awareness, incident handling, computer crime investigation, forensics, application development, database security, physical security, virtual private networks, firewalls, intrusion detection and public-key infrastructures.

Contributors do not have to be certified information systems security professionals, but each workgroup will have a CISSP editor. The CASPR membership will initially review each paper.

The papers will be freely available under the GNU Free Documentation License of the Free Software Foundation Inc. of Boston. ISC2 is not directly involved in producing the papers, but CASPR turned to the certification group to provide copyright protection.

Having ISC2 hold the copyrights 'eliminates having to build a corporation' for CASPR, Johnston said.

The first papers should appear online at and late this year.

About the Author

William Jackson is a Maryland-based freelance writer.
