International group eyeing IT security principles, standards
The principles are broad, general and subject to interpretation.
Computerworld - WASHINGTON -- An international body representing more than 30 nations, including the U.S., is developing a set of information security principles intended to help in the development of IT security standards, best practices and potential security-related laws.
The merits of that effort by the Organisation for Economic Cooperation and Development (OECD) was examined today at a U.S. Federal Trade Commission (FTC) workshop on information security.
The OECD first issued security guidelines for information systems in 1992 but is now working on a revision that takes into account the dramatic changes in IT since then, as well as the concerns raised by the Sept. 11 terrorist attacks in the U.S.
The principles are similar to those spelled out in a constitution: broad, general and potentially subject to interpretation. Even so, Mark McCarthy, senior vice president of public policy at Visa U.S.A. Inc. in Foster City, Calif., and a participant in the workshop, said the hope is that the OECD document will "focus attention of the business community and others on the importance of information security."
The OECD guidelines, which aren't binding for any nation or company, set out as an example an "awareness principle" that calls for owners and users of IT to understand security. The "ethics principle" says IT should be handled in a way that respects the rights and legitimate interests of others.
The main message of the OECD's work, said FTC Commissioner Orson Swindle, is that "security is important, that we're all players whether want to be or not ... and what we do has the capacity to hurt ourselves but even more important, [to] hurt other people." Swindle heads the U.S. delegation involved in the effort.
The OECD's intent is to create a document that's accessible to all participants, "but the technologist would look at this at a very high principle level only," said Joseph H. Alhadeff, Oracle Corp.'s vice president for global public policy and someone who has been involved in the OECD guideline drafting process. "These are the formative issues that you need to think about that set the framework" from which you develop best practices, he noted.
Regardless of whether the OECD has any impact, companies are being pushed to consider security by other forces.
For instance, in May 2001, Visa issued its own security rules to merchants covering the storage, encryption and access of credit card data. As part of that plan, the top 100 e-commerce merchants, who account for about 70% of Internet commerce in the Visa system, are required to have their online security systems validated by a third
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- Capabilities You Need in an IP Address Management Solution A mismanaged IP space can cripple an otherwise healthy network. Take a moment to understand what you need in an enterprise-ready IPAM solution.
- IPv6 Fundamentals IPv6 is needed to sustain the growth of the Internet. The transition from IPv4 will require planning and likely some degree of support...
- Optimize IT Performance & Availability: Four Steps to Establish Effective IT Management Baselines More than ever before, your company's ability to grow hinges on IT performance and availability. Download this how-to report on establishing IT baselines,...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All Topic Center White Papers | Webcasts