The latest guidelines, which were adopted as a recommendation of the OECD Council late last month, were published this week and represent the first time in 10 years that the inter-governmental group has updated its cyber-security guidelines.
The first noticeable change comes in the title, "Guidelines for the Security of Information Systems and Networks", which adds recognition for network security.
The new principles seek to recognise the growing reliance on information networks and the increasing number of threats against the security of those networks. They have already been commended by the US State Department as helping to mark a "new international understanding of the need to safeguard the information systems on which we increasingly depend for our way of life".
The OECD said the guidelines are intended to promote a culture of security, raise awareness of the risks to systems and networks, and encourage the adoption of security policies. It added that it hopes they will promote cooperation at an international level and get nations to work together, even though the guidelines are non-binding on the 30 member nations.
The main points of the principles are:
Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
Responsibility: All participants are responsible for the security of information systems and networks.
Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
Ethics: Participants should respect the legitimate interests of others.
Democracy: The security of information systems and networks should be compatible with the essential values of a democratic society.
Risk assessment: Participants should conduct risk assessments.
Security design and implementation: Participants should incorporate security as an essential element of information systems and networks.
Security management: Participants should adopt a comprehensive approach to security management.
Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.