International review of criminal policy - Nos. 43 and 44/International security of information systems
- G. International security of information systems
234. Lack of international coordination and cooperation can have detrimental effects on national and international economies, on trade and on participation in social, cultural and politic life. International understanding of, and domestic implementation of measures that are required to enhance the security of information systems and facilitate the international exchange of data and commerce are important. Confidence that countries are abiding by security principles promotes confidence in international trade and commerce.
235. It has been noted throughout this Manual that the present measures, practices, procedures and institutions may not adequately meet the challenges posed. There is a need for clarity, predictability, certainly and uniformity of rights and obligations, of enforcement of rights, and of recourse and redress for the violation of rights relating to information systems and their security.
236. The OECD guidelines for the security of information systems were developed to provide a foundation on which countries and the private sector acting singly and in concert may construct a framework for the security of information systems. The framework includes laws code s of conduct, technical measures, management and user practices and public education and awareness activities. The guidelines are intended to serve as a benchmark against which Governments, the public sector, the private sector and society may measure their progress.
237. The guidelines are addressed to the information systems. They are intended to accomplish the following:
- Promote cooperation between the public and private sectors in the development and implementation of such measures, practices and procedures;
- Foster confidence in information systems and the manner in which they are provided and used;
- Facilitate development and use of information systems, nationally and internationally;
- Promote international cooperation in achieving security of information systems."
238. guidelines are based on nine principles:
- Accountability principle
The responsibilities and accountability of owners, providers and users of information systems and other parties concerned with the security of information systems should be explicit.
- Awareness principle
In order to foster confidence in information systems, owners, providers and users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extant of measures, practices and procedures for the security of information systems.
- Ethics principle
Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
- Multidisciplinary principles
Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal considerations and viewpoints.
- Proportionality principle
Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information system and to be severity, probability and extent of potential harm, as the requirements for security vary depending on the information system.
- Integration principle
Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practice and procedures of the organization so as to create a coherent system of security.
- Timelines principle
Public and private parties, at both the national and international levels, should act in a timely and coordinated manner to prevent and to respond to branches of security of information systems.
- Reassessment principle
The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
- Democracy principle
The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society."