[ISN] OECD publishes cyber-security guidelines

From: InfoSec News (isnat_private)
Date: Thu Aug 08 2002 - 23:29:09 PDT

  • Next message: InfoSec News: "[ISN] Bug Finders: Should They Be Paid?"

    By Martyn Williams 
    August 7, 2002 11:38 pm PT
    IN RESPONSE TO a U.S. call made in October 2001 that it update its
    principles on security of information systems and networks, the
    30-member inter-governmental Organization for Economic Cooperation and
    Development (OECD) has made public its latest guidelines.
    The new guidelines, which were adopted as a recommendation of the OECD
    Council in late July, were published this week and represent the first
    time in 10 years that the 30-member inter-governmental group has
    updated its cyber-security guidelines. The first noticeable change
    comes in the title, "Guidelines for the Security of Information
    Systems and Networks," which adds recognition for network security.
    The new principles seek to recognize the growing reliance on
    information networks and the increasing number of threats against the
    security of those networks. They have already been commended by the
    U.S. State Department as helping to mark a "new international
    understanding of the need to safeguard the information systems on
    which we increasingly depend for our way of life."
    At their heart, the guidelines call for a culture of security to be
    developed in all aspects of information systems, from designing and
    planning through to everyday use, and among all participants, from
    government down through business to consumers. This call is backed up
    with a list of nine principles for information system security.
    The main points of the principles are:
    -- awareness. Participants should be aware of the need for security of 
       information systems and networks and what they can do to enhance 
    -- responsibility. All participants are responsible for the security 
       of information systems and networks.
    -- response. Participants should act in a timely and cooperative 
       manner to prevent, detect and respond to security incidents.
    -- ethics. Participants should respect the legitimate interests of 
    -- democracy. The security of information systems and networks should 
       be compatible with essential values of a democratic society.
    -- risk assessment. Participants should conduct risk assessments.
    -- security design and implementation. Participants should incorporate 
       security as an essential element of information systems and 
    -- security management. Participants should adopt a comprehensive 
       approach to security management.
    -- reassessment. Participants should review and reassess the security 
       of information systems and networks, and make appropriate 
       modifications to security policies, practices, measures and 
    The OECD said the guidelines are intended to promote a culture of 
    security and raise awareness about the risk to systems, and the need 
    to adopt security policies. It also said it hopes they will promote 
    cooperation at an international level and get nations to work 
    together, despite them being non-binding among the 30 member nations.
    The U.S. has already said it will use them as the basis for a number 
    of security initiatives.
    "Completion of the guidelines is only the first step," said Philip 
    Reeker, a spokesman for the State Department in a statement. "U.S. 
    government agencies are developing plans and materials to use the 
    guidelines in their outreach activities to the private sector, the 
    public and other governments."
    The guidelines can be found online in English, French and Spanish at
    the following respective locations:
    http://www.oecd.org/pdf/M00033000/M00033182.pdf , 
    http://webdev1.oecd.org/pdf/M00033000/M00033183.pdf and 
    http://webdev1.oecd.org/pdf/M00033000/M00033189.pdf .
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 03:01:10 PDT