OECD Releases Information Security Guidelines
U.S. businesses and developers of information systems may wish to familiarize themselves with the "Guidelines for the Security of Information," formally released by the Organization for Economic Cooperation and Development ("OECD") on August 7, 2002. The OECD, an international organization of 30 Member States, seeks to promote economic development by identifying key issues and policies. The long-term regulatory exposure arising from the security guidelines could be the enactment of laws requiring businesses to adopt specific security practices or to manufacture devices with specific security functions. Past OECD proposals have provided the impetus for legislation in the European Union and other OECD member states. For example, the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data helped lay the groundwork for the restrictive 1995 EU Directive on Data Protection.
U.S. agencies also are encouraging U.S. businesses and consumer groups to implement the guidelines. Federal Trade Commissioner Orson Swindle, who headed the U.S. delegation to the OECD, explained, "the grids of our power system, electric generation system, our air transportation system, our air control system-all these things are remotely integrated into these interconnected systems." If a hacker gains access to one computer, he could gain access to other critical infrastructure systems. Consequently, Commissioner Swindle encouraged businesses, consumers and government to make security a permanent fixture in their daily routines and information systems.
1992 Guidelines Updated
These new security guidelines replace similar 1992 guidelines, and represent the OECD's attempt to promote a global culture of security. By updating the guidelines, the OECD hopes to increase awareness about security risks, encourage the implementation of security measures, and boost confidence in information systems. The idea to update the guidelines came after the events of September 11, 2001 highlighted the increased danger of security breaches in information systems.
The guidelines, intended for governments, businesses, organizations, and individual developers and users of information systems, do not propose specific legislation for the 30 OECD Member States, located throughout Europe and the world. Instead, the guidelines present nine broad principles to promote awareness and security in the current environment of increased use of information systems and networks. Member States are encouraged to use the principles to establish new policies, amend existing policies, and promote a culture of security. The guidelines also encourage OECD member states to emphasize to non-members the importance of information security.
The Nine Principles
The nine principles outlined in the guidelines encourage participants in the information society to gain a basic knowledge about information security, engage in active risk assessment, and integrate security into system designs. The guidelines recognize a need to balance the free flow of information with the need to maintain confidentiality. The nine guidelines, as set forth by the OECD, are:
- Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
- Responsibility: All participants are responsible for the security of information systems and networks.
- Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
- Ethics: Participants should respect the legitimate interests of others.
- Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.
- Risk Assessment: Participants should conduct risk assessment.
- Security Design and Implementation: Participants should incorporate security as an essential element of information systems and networks.
- Security Management: Participants should adopt a comprehensive approach to security management.
- Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures