OECD publishes cyber-security guidelines

ITworld.com | Security

In response to a U.S. call made in October 2001 that it update its principles on security of information systems and networks, the 30-member inter-governmental Organization for Economic Cooperation and Development (OECD) has made public its latest guidelines.

The new guidelines, which were adopted as a recommendation of the OECD Council in late July, were published this week and represent the first time in 10 years that the 30-member inter-governmental group has updated its cyber-security guidelines. The first noticeable change comes in the title, "Guidelines for the Security of Information Systems and Networks," which adds recognition for network security.

The new principles seek to recognize the growing reliance on information networks and the increasing number of threats against the security of those networks. They have already been commended by the U.S. State Department as helping to mark a "new international understanding of the need to safeguard the information systems on which we increasingly depend for our way of life."

At their heart, the guidelines call for a culture of security to be developed in all aspects of information systems, from designing and planning through to everyday use, and among all participants, from government down through business to consumers. This call is backed up with a list of nine principles for information system security.

The main points of the principles are:

-- awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

-- responsibility. All participants are responsible for the security of information systems and networks.

-- response. Participants should act in a timely and cooperative manner to prevent, detect and respond to security incidents.

-- ethics. Participants should respect the legitimate interests of others.

-- democracy. The security of information systems and networks should be compatible with essential values of a democratic society.

-- risk assessment. Participants should conduct risk assessments.

-- security design and implementation. Participants should incorporate security as an essential element of information systems and networks.

-- security management. Participants should adopt a comprehensive approach to security management.

-- reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

The OECD said the guidelines are intended to promote a culture of security, raise awareness of the risks to systems and encourage the adoption of security policies. It also said it hopes they will promote cooperation at an international level and get nations to work together, even though the guidelines are non-binding on the 30 member nations.

The U.S. has already said it will use them as the basis for a number of security initiatives.

"Completion of the guidelines is only the first step," said Philip Reeker, a spokesman for the State Department in a statement. "U.S. government agencies are developing plans and materials to use the guidelines in their outreach activities to the private sector, the public and other governments."

The guidelines can be found online in English, French and Spanish at the following respective locations: http://www.oecd.org/pdf/M00033000/M00033182.pdf, http://webdev1.oecd.org/pdf/M00033000/M00033183.pdf and http://webdev1.oecd.org/pdf/M00033000/M00033189.pdf.
