It remains central to the OECD’s vision of a networked world and the potential it holds for economic growth, job creation, increased world trade and improved social conditions. And improving trust is central to developing e-commerce. Consumers and businesses need to know that their use of network services is secure and reliable, whether a company is tendering for an overseas contract by e-mail or an individual is ordering an organic free-range turkey for Sunday lunch.
The OECD has been working in this area of trust since the information economy was in its infancy and produced its first Security Guidelines for Information Systems a decade ago. But information and communications technology (ICT) has changed substantially since then, which is why the 1992 Security Guidelines were updated in 2002 to take account of the latest developments in the online world. The OECD has recommended that the Guidelines be reviewed every five years.
A key element of the new Guidelines is the fact that everyone connected with a network system, whether the designer, the builder or the casual Internet user in his living-room, is part of an increasingly interconnected, interdependent environment, and that all share responsibility for keeping it safe. The Guidelines are designed to develop a “Culture of Security” among governments, businesses and users and are organised around nine basic principles:
Awareness: participants should be aware of the need for security of information systems and networks and of what they can do to enhance security; responsibility: all participants are responsible for the security of information systems and networks; response: participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents; ethics: participants should respect the legitimate interests of others; democracy: the security of information systems and networks should be compatible with the essential values of a democratic society; risk assessment: participants should conduct risk assessments; security design and implementation: participants should incorporate security as an essential element of information systems and networks; security management: participants should adopt a comprehensive approach to security management; reassessment: participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
Although the Guidelines are non-binding, they are the product of a consensus between OECD governments, resulting from discussions that also involved representatives of the information technology industry, business users and civil society. The issues addressed are also of concern beyond OECD countries, wherever there is access to networked information systems. For that reason, governments in non-OECD countries are invited to adopt a similar approach.
©OECD Observer No 235, December 2002