Review of the OECD Security Guidelines: An Update

June 19, 2014

By Jane Hamilton, Senior Policy Advisor, Industry Canada, Chair, OECD Working Party on Security and Privacy in the Digital Economy


In 2013, the Working Party on Security and Privacy in the Digital Economy[1] launched its review of the 2002 OECD Guidelines for the Security of Information Systems and Networks by organizing an informal multistakeholder consultation of experts from its membership and beyond, to facilitate a discussion of the need for revisions to the Guidelines. The scope of the discussion was broad and ambitious. We explored how the core security principles should be modernized, identified what recommendations the OECD should make to governments, and shared ideas on how international co-operation should be addressed.

Over the course of 12 months, more than 100 experts with a diverse range of perspectives discussed six working papers through physical meetings, electronic discussions and written contributions. The participation of non-governmental stakeholders representing the Internet technical community, civil society and business proved instrumental in the collection of key input to feed the reflection on this complex subject matter. As Chair of the Working Party, I am extremely grateful for the commitment of all to this work. Under the active leadership of ITAC, the debates spilled over into other fora such as the February WSIS+10 meeting hosted at UNESCO in Paris and the October 2013 Internet Governance Forum (IGF) held in Indonesia, with fruitful discussions under the thought-provoking theme “Cybersecurity: Throwing out pre-conceptions”.

These vibrant discussions led to agreement in December 2013 that the Guidelines should be revised.  A new and more formal process has now begun, with the aim of reaching a consensus among all Working Party delegations, including those representing non-governmental stakeholders, on the extent and specific nature of the revisions.

Awareness raising about “security of information systems and networks” was the primary objective of the OECD in 2002. However, as security incidents are making the headlines more and more, today’s OECD priority is to help government public policy makers and decision makers in public and private organizations to understand cybersecurity as the management of economic and social risks associated with the use of ICTs and the Internet to realize economic and social benefits. The participation of all stakeholders in contributing to the thinking and shaping of the consensus, as well as promoting the OECD’s final messages after the adoption of the revised Guidelines, is essential.

As Chair of the Working Party, I look forward to the continued active participation of ITAC in this very important work and the expertise and informed perspectives its members bring to the discussions.  I am particularly appreciative of the contributions made by Christine Runnegar and her team during our very lively meeting debates.

[1] Formerly known as the Working Party on Information Security and Privacy (WPISP).

_________________________________________________

Jane Hamilton has been working with the Canadian federal government since 1998.  In her current capacity as Senior Policy Advisor with Industry Canada’s Digital Policy Branch, Jane’s focus is on policy development related to building trust and confidence in the digital economy.  This work involves both security and privacy aspects.

Prior to working with the federal government, Jane worked for over 12 years in the financial services industry. As a member of the senior management team of the Canadian Payments Association, Jane was responsible for the development of policies and standards for new forms of electronic payment. Jane assumed the role of Chair of the OECD’s Working Party on Security and Privacy in the Digital Economy in 2011.