The Generally Accepted System Security Principles (GSSP) are based on principles developed by Organization for Economic Co-operation and Development's (OECD) Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Developed in 1992, the OECD Guidelines provide a foundation from which governments and the private sector, acting singly and in concert, can construct a framework for securing IT systems. The OECD Guidelines are the current international guidelines which have been endorsed by the United States. In developing the GSSP, NIST drew upon the OECD Guidelines, added material, combined some principles, and clarified others.
The GSSPs provide a baseline which is useful for addressing liability issues. The extent to which liability-related organizations or entities (such as insurance firms, juries, or internal organizations) make use of GSSPs is up to those entities. GSSPs, however, do not provide the "right answer" that fits all organizations and situations. In addressing liability, recognize the most fundamental assumption of computer security: computers cannot ever be fully secured.
- NIST, Generally Accepted System Security Principles (GSSPs): Guidance on Securing Information Technology (IT) Systems (full-text).