In July 2002, the OECD published a new set of guidelines in relation to information security, called 'Guidelines for the Security of Information Systems and Networks'. They replace the OECD's existing guidelines on the security of information systems, which were published in 1992.
The new guidelines are a recognition that today's global information economy presents new challenges to developed economies that were not present in the early 90s. These include the widespread use of technology like the internet, which now supports so much critical infrastructure such as energy, finance and government information systems, as well as the important private businesses that make up a country's economy. This, coupled with the 'interconnectivity' of modern IT and telecommunication systems and the fact that IT security threats are no longer country or industry sector specific, means a coordinated response to the problem from industrialised nations is needed. Viruses such as Bug Bear, Love Bug and Melissa have demonstrated how rapidly threats can spread and damage economies on a global scale.
One of the key principles articulated in the guidelines is the recognition that a modern economy is made up of 'participants', both private and public, who are transacting at an ever increasing rate. Due to the rapid expansion in the use of technology, these transactions will become increasingly difficult for regulatory authorities to police. Recent empirical evidence suggests that regulatory authorities are currently far from coping adequately with the problem, let alone equipped to deal with future contingencies. A joint survey of US business by the American Society for Industrial Security, PricewaterhouseCoopers and the US Chamber of Commerce found that US corporations lost US$59 billion in proprietary information and intellectual property in 2001.
Key recommendations in the guidelines include:
Principle 2 – Responsibility
The 'interconnectivity' of all participants means each participant needs to be responsible for the security of its own information systems and networks. This includes participants reviewing their own policies and procedures in relation to security.
Principle 3 – Response
Given the potential for rapid and widespread damage by information systems and network breaches, participants need to act in a timely and cooperative manner when responding to security incidents to minimise potential harm.
Principle 4 – Risk assessment
Each participant should conduct risk assessments of potential threats and vulnerabilities to determine what systems they need to implement to adequately deal with the threats. This includes regular review and reassessment to catch new and emerging threats.
Although the guidelines are non-binding, they are the product of extensive consultation with private business groups and of consensus between OECD governments. The main aim of the guidelines is to develop a 'culture of security' among governments and businesses.
Already much of the language surrounding the guidelines has found its way into domestic laws and policies being formulated in different OECD countries. For instance, the draft 'US National Strategy to Secure Cyberspace', released by President Bush on 18 September 2002, adopts much of the same emphasis and language. Briefing papers by the Australian Attorney-General's Department also contain similar rhetoric. All this material has an underlying current to it: if organisations are unable to get their houses in order concerning IT security, the government will force them to. As the UK E-Commerce Minister, Stephen Timms, recently said:
'If you are connected, you are responsible for conducting yourself in a way which ensures you do not damage the interests of others. This will require companies to give security of their network and systems serious thought in the years ahead.'
This newsletter provides a summary only of the subject matter covered, without the assumption of a duty of care by Freehills. The summary is not intended to be nor should it be relied upon as a substitute for legal or other professional advice. Copyright in this newsletter is owned by Freehills.