Online security: for the new trust-e
Despite the headlines, electronic commerce is far from finished. It is just starting. It remains central
to the OECD’s vision of a networked world and the potential it holds for economic growth, job
creation, increased world trade and improved social conditions. And improving trust is central to
developing e-commerce. Consumers and businesses need to know that their use of network
services is secure and reliable, whether a company is tendering for an overseas contract by e-mail
or an individual is ordering an organic free-range turkey for Sunday lunch.
The OECD has been working in this area of trust since the information economy was in its infancy
and produced its first Security Guidelines for Information Systems a decade ago. But information
and communications technology (ICT) has changed substantially since then. That is why the 1992
Security Guidelines were updated in 2002 to take account of the latest developments in the online
world. A review every five years has been recommended by the OECD.
A key element of the new Guidelines is the fact that everyone connected with a network system,
whether the designer, the builder or the casual Internet user in his living-room, is part of an
increasingly interconnected, interdependent environment, and that all share responsibility for
keeping it safe. The Guidelines are designed to develop a “Culture of Security” among
governments, businesses and users and are organised around nine basic principles:
1. Awareness: participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
2. Responsibility: all participants are responsible for the security of information systems and networks.
3. Response: participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
4. Ethics: participants should respect the legitimate interests of others.
5. Democracy: the security of information systems and networks should be compatible with the essential values of a democratic society.
6. Risk assessment: participants should conduct risk assessments.
7. Security design and implementation: participants should incorporate security as an essential element of information systems and networks.
8. Security management: participants should adopt a comprehensive approach to security management.
9. Reassessment: participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
Although the Guidelines are non-binding, they are the product of a consensus between OECD
governments, resulting from discussions that also involved representatives of the information
technology industry, business users and civil society. The issues addressed are also of concern
beyond OECD countries, wherever there is access to networked information systems. For that
reason, governments in non-OECD countries are invited to adopt a similar approach.