Skip the navigation

International group eyeing IT security principles, standards

The principles are broad, general and subject to interpretation.

May 21, 2002 12:00 PM ET

Computerworld - WASHINGTON -- An international body representing more than 30 nations, including the U.S., is developing a set of information security principles intended to help in the development of IT security standards, best practices and potential security-related laws.
The merits of that effort by the Organisation for Economic Cooperation and Development (OECD) was examined today at a U.S. Federal Trade Commission (FTC) workshop on information security.
The OECD first issued security guidelines for information systems in 1992 but is now working on a revision that takes into account the dramatic changes in IT since then, as well as the concerns raised by the Sept. 11 terrorist attacks in the U.S.
The principles are similar to those spelled out in a constitution: broad, general and potentially subject to interpretation. Even so, Mark McCarthy, senior vice president of public policy at Visa U.S.A. Inc. in Foster City, Calif., and a participant in the workshop, said the hope is that the OECD document will "focus attention of the business community and others on the importance of information security."
The OECD guidelines, which aren't binding for any nation or company, set out as an example an "awareness principle" that calls for owners and users of IT to understand security. The "ethics principle" says IT should be handled in a way that respects the rights and legitimate interests of others.
The main message of the OECD's work, said FTC Commissioner Orson Swindle, is that "security is important, that we're all players whether want to be or not ... and what we do has the capacity to hurt ourselves but even more important, [to] hurt other people." Swindle heads the U.S. delegation involved in the effort.
The OECD's intent is to create a document that's accessible to all participants, "but the technologist would look at this at a very high principle level only," said Joseph H. Alhadeff, Oracle Corp.'s vice president for global public policy and someone who has been involved in the OECD guideline drafting process. "These are the formative issues that you need to think about that set the framework" from which you develop best practices, he noted.
Regardless of whether the OECD has any impact, companies are being pushed to consider security by other forces.
For instance, in May 2001, Visa issued its own security rules to merchants covering the storage, encryption and access of credit card data. As part of that plan, the top 100 e-commerce merchants, who account for about 70% of Internet commerce in the Visa system, are required to have their online security systems validated by a third



Our Commenting Policies