The 30-member inter-governmental Organization for Economic
Cooperation and Development (OECD) has updated its principles on
security of information systems and networks.
The latest guidelines, which were adopted as a recommendation of
the OECD Council late last month, were published this week and
represent the first time in 10 years that the inter-governmental
group has updated its cyber-security guidelines.
The first noticeable change comes in the title, "Guidelines for the
Security of Information Systems and Networks", which adds
recognition for network security.
The new principles seek to recognise the growing reliance on
information networks and the increasing number of threats against
the security of those networks. They have already been commended by
the US State Department as helping to mark a "new international
understanding of the need to safeguard the information systems on
which we increasingly depend for our way of life".
The OECD said the guidelines are intended to promote a culture of
security and raise awareness about the risk to systems, and the
need to adopt security policies. It added that it hopes they will
promote cooperation at an international level and get nations to
work together, despite them being non-binding among the 30 member
nations.
The main points of the principles are:

Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

Responsibility: All participants are responsible for the security of information systems and networks.

Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.

Ethics: Participants should respect the legitimate interests of others.

Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.

Risk assessment: Participants should conduct risk assessments.

Security design and implementation: Participants should incorporate security as an essential element of information systems and networks.

Security management: Participants should adopt a comprehensive approach to security management.

Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.