Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security

Citation

Organization for Economic Cooperation and Development, Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (Nov. 26, 2002) (full-text).

Overview

These Guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a "culture of security" — that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.

{{Quote|A key concept of the Security Guidelines is the recognition that static security measures are not effective in an open networked environment where the threats and the vulnerabilities are constantly evolving. Instead, the Guidelines promote a risk-based approach to security where risk is defined as the result of threats exploiting vulnerabilities and generating impact on business. To enhance security in an ever changing environment, security should result from a cycle including risk assessment, risk management and reassessment. In addition, security should be incorporated as an essential element of information systems and networks. According to this approach, cloud computing risks are highly contextual as the three components of risk vary as a function of many factors, such as the cloud service and deployment model in use, the nature of the cloud user (e.g. whether the user is a consumer, a SME or a multinational enterprise), and of the degree of criticality of the activity carried out in the cloud. Accordingly, it is important to identify and evaluate all key threats, vulnerabilities and their impact for the cloud service in use and the data involved. In addition, when assessing the risks of cloud computing services, it is always important to evaluate these risks against the risks carried by alternative scenarios.

Whereas the potential impact of the threats is highly contextual, vulnerabilities might, to a certain degree, be more characteristic of cloud computing. An Annex provides an illustrative overview of main vulnerabilities involved in cloud computing that have been reported in several studies (e.g. related to the availability of service). In addition, it presents the other side of the coin: the potential for cloud computing to diminish vulnerabilities — an aspect that is sometimes neglected.^[1]

Principles

The Guidelines set forth nine principles to be followed by participants:

1. Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
2. Responsibility. All participants are responsible for the security of information systems and networks.
3. Response. Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
4. Ethics. Participants should respect the legitimate interests of others.
5. Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.
6. Risk assessment. Participants should conduct risk assessments.
7. Security design and implementation. Participants should incorporate security as an essential element of information systems and networks.
8. Security management. Participants should adopt a comprehensive approach to security management.
9. Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

References

1. Cloud Computing: The Concept, Impacts and the Role of Government Policy, at 19.