OECD Issues Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security

The Organization for Economic Cooperation and Development (OECD) formally has released its Guidelines for the Security of Information Systems and Networks. The Guidelines consist of nine principles that aim to increase public awareness, education, information sharing, and training that can lead to a better understanding of online security and the adoption of best practices. "A Culture of Security" represents a new way of thinking -- one in which everyone using computers and networks like the Internet has a role to play. The Guidelines represent the consensus views of all 30 OECD member countries and support the OECD's larger goal of promoting economic growth, trade, and development. These Guidelines replace the Guidelines for the Security of Information Systems that the OECD issued in 1992. Under Chairman Timothy J. Muris' leadership, this year, the Federal Trade Commission has undertaken a campaign to encourage a safer and more secure information environment. In December 2001, Commissioner Orson Swindle of the FTC became head of the U.S. government delegation to the OECD Experts Group for review of the 1992 Guidelines. Swindle led the U.S. government delegation, which included the FTC and the Departments of Commerce, State, Justice, and Treasury. The delegation benefitted from public input by consumer groups, academics and U.S. business.

"I compliment the timely efforts of the OECD in releasing these practical and meaningful Security Guidelines," Commissioner Swindle said. "Today, we are all linked together through powerful information systems and networks. We bank, conduct business, communicate with friends and family, pay bills, shop, do schoolwork, and listen to music through the marvels of information technology. Even more important, the critical infrastructures of our society rely upon the same information systems and networks."

"Along with the incredible benefits we enjoy through this technology, there are inherent vulnerabilities that must be recognized and addressed by all who use computers, modems, the Internet, and networks. We are all too familiar with the horror stories about viruses, hackers, and worms."

"These vulnerabilities make it possible for very costly harm to be done to our critical infrastructure, our daily activities, and our home computers by those with mischief or worse on their minds. September 11th obviously tells us that there are those who would do us great harm. The more we depend upon interconnected information systems and networks, the greater our vulnerability - unless we act prudently."

"The OECD's Guidelines provide each of us, young and old, with sound principles that should increase our understanding of the importance of good security practices when using computers and the Internet. We need a new way of thinking about security in which we understand our personal roles and responsibilities as we participate on the Internet from our homes, schools, and offices.

We need to adopt a 'culture of security' in which everyone takes proper precautions instinctively, not unlike looking both ways before crossing the street or locking the doors to our cars and homes."

The nine principles of the newly announced Security Guidelines include:

• Awareness. Participants should be aware of the need for security information system and networks and what they can do to enhance security.
• Responsibility. Participants are responsible for the security of information systems and networks.
• Response. Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents.
• Ethics. Participants should respect the legitimate interests of others and recognize that their action or inaction may harm others.
• Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.
• Risk Assessment. Participants should conduct risk assessments to identify threats and vulnerabilities to their information systems.
• Security Design and Implementation. Participants should incorporate security as an essential element of information systems and networks.
• Security Management. Participants should adopt a comprehensive approach to security management.
• Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures, and practices.

Although the Guidelines are voluntary, they represent a consensus among OECD governments resulting from discussions that also involved representatives of the information technology industry and consumer advocates. OECD members, industry, and other participants will draw on the Guidelines in establishing policies, measures and training programs for online security.

The Guidelines encourage governments in other countries to adopt a similar approach, and ask businesses to factor security into the design and use of their systems and networks and provide security information and updates to users. The Guidelines urge all individual users to be aware and responsible and take preventive measures to lessen the security risks inherent in an interconnected world.

In May, the FTC held a workshop on Consumer Information Security, where participants emphasized the primary need for greater consumer awareness of on-line security risks, vulnerabilities and solutions. In response to the workshop and consistent with the OECD Security Guidelines, the FTC is developing practical advice for safer use of information system technologies, including upcoming tips on the safe use of 'always on' broadband technology.

Accessing the Guidelines

The newly announced OECD Security Guidelines can be found at the following site: www.oecd.org/sti/security-privacy. For more information on the Guidelines and other aspects of OECD work on communications technology, journalists should contact: Hugh Stevenson, Associate Director of the FTC's Division of International Consumer Protection at 202-326-3511 or by e-mail at hstevenson@ftc.gov.

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.