THE PROMOTION OF A CULTURE OF SECURITY FOR INFORMATION

DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY

COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY

FOREWORD

This report includes a detailed inventory of effective national initiatives to implement the 2002 OECD “Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security”. It was prepared by the Secretariat based on responses from 18 OECD member countries to a survey questionnaire circulated in November 2004. The analysis, synthesis and summary of responses contained in the report are current as of September 2005, and are all to be read as an interpretation of the information provided. The report follows up on a previous report released in 2003[1] to which all respondents had already contributed.

At its 18th meeting on 19-20 May 2005 in Paris, the Working Party on Information Security and Privacy (WPISP) discussed a first draft of the report and agreed to finalise it by written procedure. The Committee for Information, Computer and Communications Policy (ICCP) discussed the report at its 49th meeting on 6-7 October 2005 and declassified it by written procedure in November 2005.

The report is published under the responsibility of the Secretary-General of the OECD.

EXECUTIVE SUMMARY

This report is a major information resource on governments’ effective efforts to date (September 2005) to foster a shift in culture as called for in the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. It includes a detailed inventory of initiatives to implement the Guidelines in the following 18 OECD member countries: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Japan, Korea, Netherlands, Norway, Portugal, Slovak Republic, Spain, Sweden, United Kingdom, and the United States. It also highlights main findings based on an analysis of common current trends in those countries and progress made since 2003.

The report is intended to:

  • Foster the sharing and dissemination of practical information and best practices among OECD member countries and with non-member economies.
  • Help monitor progress in national approaches to information security.
  • Be a resource for identifying key issues and best practices to further explore and address.
  • Provide new online resources to supplement the OECD “culture of security” Web site.[2]

The report is structured in two parts: 1) the main policy messages based on an analysis of the responses; and 2) a synthesis of the responses, question by question. More detailed country summaries and the questionnaire are to be found in Annexes 1 and 2.

Main findings

A first main finding is that e-government and the protection of national critical information infrastructures appear to be two main drivers for developing a culture of security at the national level.

A second finding is the importance of international co-operation for fostering a culture of security and, in particular, the role of regional fora in facilitating interactions and exchanges. International co-operation is consolidated in the area of cybercrime and Computer Emergency Response Teams (CERTs).

The report also highlights that member countries are adopting a multidisciplinary and multistakeholder approach and establishing a high-level governance structure for the implementation of national policies. They have made significant progress in both the development of a national policy framework and the implementation of the Awareness and Response Principles. Almost all countries have adapted their legal frameworks for combating cybercrime. All except two countries report one or more Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs), or are in the process of setting up such a function. Awareness raising and education initiatives still receive a high degree of attention. The sharing of best practices, development of partnerships among participants, and use of international standards are increasingly taken into consideration.

The report shows that responding countries seem to have devoted less attention to developing research and development for information security, metrics and benchmarks for measuring the effectiveness of their national policies, and initiatives for co-ordinated frameworks to address the specific needs of small and medium-sized enterprises (SMEs).

Structure of the synthesis

Part II of the report presents the main characteristics of national policies and strategies for the security of information systems and networks in the responding countries. It depicts national legal, regulatory, and institutional arrangements, highlighting specific areas such as cybercrime, computer incident watch and warning/response, critical infrastructure, risk assessment, government’s outreach to business, civil society, State and local government, education and training, science and technology, research and development, and international co-operation.

The synthesis also includes initiatives for voluntary, publicly available recommendations, and focuses on actions taken by governments as owners and operators of systems and networks to develop a culture of security. The most effective information security programmes and initiatives for users of government systems are also highlighted, as well as successful governmental initiatives with regard to co-operation with and outreach to business, in particular small and medium-sized enterprises (SMEs), and civil society. Finally, government efforts related to science and technology, research and development, and initiatives for measuring the impact and/or success of government initiatives are described.


PART I: MAIN FINDINGS

This chapter offers an analysis of the survey findings broken down into a few main themes. It includes the main policy messages derived from member countries’ responses. As many references as possible are made to the results of the 2003 survey.[3] When interpreting the information contained in the report, and especially when comparing results from the 2003 and 2005 surveys, it needs to be kept in mind that the 2005 survey asked respondents to provide information about their most successful activities in an area, and not about all activities in each area.

1. Key drivers for a culture of security

The survey has identified two main drivers which support the development of a culture of security at the national level:

  • E-government applications and services.
  • Protection of national critical information infrastructures.

E-government applications and services

As indicated in most responses, national administrations are implementing e-government applications and services both to improve their internal operations and to provide better services to the private sector and to citizens. These initiatives have a common policy characteristic: they do not address the security of information systems and networks solely from the technological perspective. They encompass elements such as risk prevention, risk management and users’ awareness. Public officials are increasingly aware of the importance of information security for the overall success of government online activities.

Interestingly, by comparison with the 2003 survey, the beneficial impact of e-government activities is moving beyond the public administration towards the private sector and individuals. E-government initiatives appear to act as a multiplier fostering the diffusion of a culture of security. For example, two countries request the private sector and citizens to implement information security controls and approaches within their own information and network systems as a prerequisite to securely accessing government services or to exchanging data with public administrations. As a result, companies and citizens are provided with guidance, best practices and documentation about information security. They are also invited to participate in events such as conferences and workshops where they are made aware of issues associated with information and network security.

The protection of national critical information infrastructures

The survey also shows that the protection of critical information infrastructures is another core area for the development and implementation of national policies for the security of information systems and networks. Government, industry, citizens and society at large rely on a number of critical information infrastructures (e.g. energy, water supply, transport, financial sector, telecommunications, health-care services), and the need to avoid any disruption in the operation of these infrastructures has led governments to develop and implement policies aimed at reaching out to industry, as the primary owner and operator of these infrastructures. In some countries, the dialogue between industry and government has been facilitated through the establishment of public-private partnerships and the sharing of best practices and information about the technical, management and human complexities of information systems and networks security.

Privacy as an indirect driver

Several responses also indicate that national privacy legislation is an additional, indirect driver for the development of a culture of security. In particular, the need to protect personal data is important for the success of e-government activities targeting citizens, and has led both public and private organisations to consider information security as a means to satisfy privacy requirements. In several countries, security awareness-raising activities have been organised to help organisations satisfy privacy needs and legal requirements. These initiatives seem to have acted as a multiplier for the development of both security and privacy policies.

2. Commonalities in approaches to developing and implementing national policies for a culture of security

Almost all countries have finalised their national strategy for fostering a culture of security.

Interestingly, the survey highlights two main commonalities in member countries’ approach to developing and implementing national policies for a culture of security. Governments adopt:

  • A multidisciplinary and multi-stakeholder approach.
  • A high-level governance structure.

Multidisciplinary and multi-stakeholder approach

National policies for the security of information systems and networks share a common characteristic: they are the result of a multidisciplinary and multi-stakeholder approach. Responses emphasise that a culture of information security cannot just arise from technical solutions. A comprehensive approach is needed that addresses socio-economic and legal considerations, hence the multidisciplinary dimension of national policies. Further, governments alone cannot address the whole range of issues associated with fostering a culture of security, hence the involvement of the private sector and civil society. However, differences appear in the way this multi-stakeholder approach is implemented. As illustrated in three countries, the private sector and civil society can be directly involved through public-private partnerships, the development of best practices and other common initiatives. In other countries, they provide advice and overall policy support by taking part in working groups or advisory councils.

Responses also show that governments frequently resort to industry for advice on technological developments and overall implementation issues. As indicated by two countries, they may contract with academics and independent experts who are tasked with providing policy advice and/or evidence to justify the need to develop certain policies. Finally, the survey indicates the limited direct involvement of civil society representatives in preparing national or sector-based information security policies. Their role is foreseen, instead, in the implementation phase.


[1] DSTI/ICCP/REG(2003)8/FINAL; www.olis.oecd.org/olis/2003doc.nsf/LinkTo/dsti-iccp-reg(2003)8-final

[2] Cf. www.oecd.org/sti/cultureofsecurity

[3] DSTI/ICCP/REG(2003)8/FINAL; www.olis.oecd.org/olis/2003doc.nsf/LinkTo/dsti-iccp-reg(2003)8-final
