Mr Timms introduced the guidelines at the First International 7799 Users Conference, a major new forum for global security issues. They overhaul the original guidelines published by the OECD ten years ago.
The guidelines are based on the following principles:
Speaking at the conference, Stephen Timms said:
"We are faced with a major challenge of making the information age a safe place to do business. Today's launch marks a turning point in how we rise to that challenge. Security systems play an integral part in the development of information systems, giving us a strong and healthy information technology environment.
"The UK has very actively supported and contributed to the revision of the original guidelines laid out by the OECD in 1992. The new guidelines provide a set of principles that will help us create a culture of security."
A recent Information Security Breaches Survey by the DTI showed a number of areas that need to be addressed. For example, less than a third of businesses encrypt files containing confidential customer details and over a third of web sites have no firewall in place, giving hackers easy access. Viruses are the major cause of the most serious security breaches, with four in ten companies admitting to virus infection. Despite this, 17% of businesses still have no software in place to guard against attacks.
Stephen Timms also took the opportunity to praise the updated British standard for information security management published today (see below).
Timms stressed the value of having a tool by which all organisations can manage the security of their information assets as a core business activity. This Standard aims to bring information security into the mainstream of good business practice and is a practical way to demonstrate commitment, at the organisation level, to the OECD guidelines.
The Guidelines were developed at the OECD by representatives of Governments from the OECD's 30 Member Countries and by representatives of industry under the Business Industry Advisory Council. The CBI is the UK representative to BIAC.
The Guidelines are available as a 16-page PDF from:
www.oecd.org/pdf/M00033000/M00033182.pdf
The new edition has been produced to harmonize the standard with other management system standards such as BS EN ISO 9001:2000 and BS EN ISO 14001:1996, so that management systems can be implemented and operated in a consistent and integrated way.
It was also developed in response to the need for continual improvement processes that ensure effective information security management is established and maintained.
The new edition introduces a Plan-Do-Check-Act process model as part of a management system approach to developing, implementing, and improving the effectiveness of an organization's information security management system within the context of the organization's overall business risks:
The revised standard gives a clearer definition of the links between the risk assessment process, the selection of controls, and the contents of the Statement of Applicability. It also includes guidance on how to use the new edition.
The new edition is available from today at £52 from British Standards Online.