Group promotes "culture of security"

In time for the first anniversary of the Sept. 11 attacks, the Organization for Economic Cooperation and Development has issued new guidelines for securing information systems and networks in anticipation of cyberterrorist attacks or intrusions.

The OECD, an international organization composed of governments from around the world and charged with tackling the challenges of a global economy, hopes to develop a "culture of security" among government and businesses that increasingly depend on network connections across national borders.

"Along with the incredible benefits we enjoy through (computer networks), there are inherent vulnerabilities that must be recognized and addressed by all who use computers, modems, the Internet, and networks," Orson Swindle, a member of the U.S. Federal Trade Commission who heads the U.S. delegation to the OECD, said in a statement. "The more we depend upon interconnected information systems and networks, the greater our vulnerability--unless we act prudently."

Since last year's attacks, in which hijacked jet airplanes slammed into the World Trade Center in New York and the Pentagon in Washington, D.C., there has been growing urgency to prepare for possible attacks on the Internet. Governments, businesses and law enforcement agencies around the world are rushing to fortify their systems in preparation for coordinated cyberattacks that they fear could halt economic activity or plunge emergency response networks into disarray.

The OECD's voluntary guidelines urge those depending on information technology to adhere to nine basic principles spanning such areas as security awareness and responsibilities. Those nine principles include the following:

• Risk Assessment: Conduct analyses to identify threats to and vulnerabilities in their information systems.

		Special report E-terrorism Are cyberterror myths diverting attention from true threats?

• Response: Act in a timely and cooperative manner to prevent, detect and respond to security incidents.

• Ethics: Respect the legitimate interests of others and recognize that their action or inaction may harm others.

• Security design and implementation: Incorporate security as an essential element of information systems and networks.

• Security management: Adopt a comprehensive approach to security management.

• Reassessment: Review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures and practices.

The OECD said the suggestions are a product of a consensus among OECD member governments after lengthy discussions with experts in the information technology industry, business users and consumer advocates. These guidelines replace others first issued in 1992 as a basis for improving international coordination and cooperation to meet the evolving challenges and risks posed by threats to information systems and networks.