9 August 2002
Source: http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02080702.clt&t=/products/washfile/newsitem.shtml


US Department of State
International Information Programs

Washington File
_________________________________

07 August 2002

U.S. Welcomes Information System Guidelines, Official Says

(OECD guidance offers new ways of thinking about security) (690)

The United States welcomes new information system guidelines adopted
July 25 by the Organization for Cooperation and Development (OECD), a
State Department spokesperson says.

"The guidelines call for new ways of thinking and behaving when using
information systems," Philip Reeker, State Department deputy
spokesman, said in an August 7 statement.

The guidelines replace the original guidelines adopted in 1992. They
were developed in response to a proposal by the United States to
review guidance for online security and were completed ahead of a May
2003 deadline.

OECD countries will use the guidelines to establish policies, measures
and training for security programs, according to an August 7 OECD
press release. The guidelines, which are non-binding, are available on
the Internet at: http://www.oecd.org/pdf/M00033000/M00033182.pdf

The guidelines address awareness, responsibility, response, ethics,
democracy, risk assessment, security design and implementation,
security management and reassessment.

Following is the text of the State Department statement:

(begin text)

Statement by Philip T. Reeker, Deputy Spokesman

OECD Calls for Culture of Security for Information Systems

We welcome the announcement today (August 7) of completion of
"Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security" by the Organization for Economic
Cooperation and Development (OECD).

Responding to the dramatic changes in computing power, use of the
Internet, and development of networked systems, today's announcement
is a milestone marking a new international understanding of the need
to safeguard the information systems on which we increasingly depend
for our way of life. These new OECD guidelines, which replace the
original guidelines published in 1992, provide a set of principles to
help ensure the security of today's interconnected communications
systems and networks. They are applicable to all, from those who
manufacture, own, and operate information systems to those individual
users who connect through home PCs. Importantly, the guidelines call
for new ways of thinking and behaving when using information systems.
They encourage the development of a "Culture of Security" as a mindset
to respond to the threats and vulnerabilities of communications
networks. The nine principles address Awareness, Responsibility,
Response, Ethics, Democracy, Risk Assessment, Security Design and
Implementation, Security Management, and Reassessment. The guidelines
were developed with the full cooperation of the OECD's Business
Industry Advisory Council (BIAC) and representatives of civil society.

In October 2001 the OECD Committee on Information, Computer, and
Communication Policy (ICCP) responded positively to a US proposal for
an expedited review of the security guidelines. The OECD member
countries, businesses, civil society and the OECD Secretariat shared
our sense of urgency and responded with full cooperation and support.
Originally scheduled for completion in May 2003, the adoption of these
guidelines by the OECD Council on July 25 demonstrates the ability of
the OECD to respond to global challenges and shows the continuing
relevance of the OECD to today's important issues.

Completion of the guidelines is only the first step. U.S. Government
agencies are developing plans and materials to use the guidelines in
their outreach activities to the private sector, the public and other
governments. We encourage business, industry and consumer groups to
join us in using the guidelines as they develop their own approaches
to security of information systems and networks, and in the
development of a Culture of Security for information systems and
networks.

(end text)

(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)