Information Security News mailing list archives

OECD publishes cyber-security guidelines


From: InfoSec News <isn () c4i org>
Date: Fri, 9 Aug 2002 01:29:09 -0500 (CDT)

http://www.infoworld.com/articles/hn/xml/02/08/07/020807hnoecdguide.xml

By Martyn Williams 
August 7, 2002 11:38 pm PT

In response to a U.S. call made in October 2001 that it update its
principles on the security of information systems and networks, the
30-member inter-governmental Organization for Economic Cooperation and
Development (OECD) has made public its latest guidelines.

The new guidelines, which were adopted as a recommendation of the OECD
Council in late July, were published this week and represent the first
time in 10 years that the group has updated its cyber-security
guidelines. The first noticeable change comes in the title, "Guidelines
for the Security of Information Systems and Networks," which adds
networks to the scope alongside information systems.

The new principles seek to recognize the growing reliance on
information networks and the increasing number of threats against the
security of those networks. They have already been commended by the
U.S. State Department as helping to mark a "new international
understanding of the need to safeguard the information systems on
which we increasingly depend for our way of life."

At their heart, the guidelines call for a culture of security to be
developed in all aspects of information systems, from designing and
planning through to everyday use, and among all participants, from
government down through business to consumers. This call is backed up
with a list of nine principles for information system security.

The main points of the principles are:

-- awareness. Participants should be aware of the need for security of 
   information systems and networks and what they can do to enhance 
   security.

-- responsibility. All participants are responsible for the security 
   of information systems and networks.

-- response. Participants should act in a timely and cooperative 
   manner to prevent, detect and respond to security incidents.

-- ethics. Participants should respect the legitimate interests of 
   others.

-- democracy. The security of information systems and networks should 
   be compatible with essential values of a democratic society.

-- risk assessment. Participants should conduct risk assessments.

-- security design and implementation. Participants should incorporate 
   security as an essential element of information systems and 
   networks.

-- security management. Participants should adopt a comprehensive 
   approach to security management.

-- reassessment. Participants should review and reassess the security 
   of information systems and networks, and make appropriate 
   modifications to security policies, practices, measures and 
   procedures.

The OECD said the guidelines are intended to promote a culture of
security, raise awareness of the risks to systems and encourage the
adoption of security policies. It also said it hopes they will promote
cooperation at an international level and get nations to work
together, even though the guidelines are non-binding on the member
nations.

The U.S. has already said it will use them as the basis for a number 
of security initiatives.

"Completion of the guidelines is only the first step," said Philip 
Reeker, a spokesman for the State Department in a statement. "U.S. 
government agencies are developing plans and materials to use the 
guidelines in their outreach activities to the private sector, the 
public and other governments."

The guidelines can be found online in English, French and Spanish at
the following respective locations:

http://www.oecd.org/pdf/M00033000/M00033182.pdf , 
http://webdev1.oecd.org/pdf/M00033000/M00033183.pdf and 
http://webdev1.oecd.org/pdf/M00033000/M00033189.pdf .