The OECD Council published on 17 September 2015 the Recommendation on Digital Security Risk Management for Economic and Social Prosperity and its Companion Document (the OECD Recommendation on DSRM) .
The OECD Recommendation on DSRM was the result of a multi-stakeholder process initiated in 2012 developed by the OECD Working Party on Security and Privacy in the Digital Economy (WPSPDE) to review the 2002 Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security.
As it is mentioned in the OECD Recommendation on DSRM, the implementation of this recommendation will promote a more holistic public policy approach to digital security and establish new coordination mechanisms both within government and with non-governmental stakeholders as well as foster enhanced public-private cooperation at the domestic, regional and international levels.
General and Operational Principles
The OECD Recommendation on DSRM contains a set of general and operational principles, which are designed for all stakeholders to approach the use of the digital environment for economic and social prosperity. Section 1 contains four general principles:
1. Awareness, skills and empowerment stipulate that all stakeholders should understand digital security risks and its management implications and empowerment with the necessary skills and education to help manage security risks in the digital environment;
2. Responsibility provides that all stakeholders should be responsibly and be accountable for the management of digital security risk;
3. Human rights and fundamental values provides that all stakeholders should manage digital security risks in a transparent manner and consistent with human rights and fundamental values recognized by democratic societies, including the freedom of expression, the free flow of information, the confidentiality of information and communication, the protection of privacy and personal data, openness and fair process;
4. Co-operation should take place within governments, public and private organisations, as well as amongst them and individuals and it should be extended across borders at regional and international levels.
Section 2 of the OECD Recommendation on DSRM contains four operational principles:
5. Risk assessment and treatment cycle calls upon leaders and decision makers to ensure that digital security risk assessment should be carried out as an ongoing systematic and cyclical process and inform the decision making process for treating the risk;
6. Security measures call upon leaders and decision makers to ensure that security measures are appropriate to and commensurate with the risk;
7. Innovation call upon leaders and decision makers to ensure that Innovation is considered as integral to reducing digital security risk to the acceptable level determined in the risk assessment and treatment;
8. Preparedness and continuity call upon leaders and decision makers to ensure, that a preparedness and continuity plan are adopted in order to reduce the adverse effects of security incidents, and support the continuity and resilience of economic and social activities.
Likewise, the OECD Recommendation on DSRM contains twenty-four recommendations for the development of national cyber security strategies at the highest level of government. The strategies shall: (i) be tailored as appropriate to small and medium enterprises and to individuals, and articulate stakeholders’ responsibility and accountability according to their roles, ability to act and the context in which they operate; and (ii) result from a coordinated intra-governmental approach and an open and transparent process involving all stakeholders, be regularly reviewed and improved based on experience and best practices, using internationally comparable metrics where available.
Among the measures that governments should include in national strategies are inter alia:
(i) Adopting a comprehensive framework to manage digital security risk to the government’s own activities;
(ii) Establishing co-ordination mechanisms among all relevant governmental actors;
(iii) Establishing one or more Computer Security Incident Response Teams (CSIRT) at national level;
(iv) Encouraging the use of international standards and best practices on digital security risk management;
(v) Adopting innovative security techniques to manage digital security risk;
(vi) Coordinating and promoting public research and development on digital security risk management with a view to fostering innovation;
(vii) Supporting the development of a skilled workforce that can manage digital security risk;
(viii) Adopting and implementing a comprehensive framework to help mitigate cybercrime, drawing on existing international instruments;
(ix) Allocating sufficient resources to effectively implement the strategy;
(x) Strengthening international cooperation and mutual assistance;
(xi) Engaging with all the stakeholders; and
(xii) Creating the conditions for all stakeholders to collaborate in the management of digital security risk.
The OECD Recommendation on DSRM includes a Companion Document, which discusses the key concepts enshrined in the Recommendation, comments on the applicability of the principles to different stakeholders and provides an explanation for each principle outlined in the Recommendation.
The OECD is currently promoting the principles and recommendations contained in its Recommendation on DSRM among member and non-member countries and said organization will likely provide a preliminary report of the countries that have adopted the principles and best practices in the field of DSRM during the OECD Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity to be held in Cancun, Mexico on 21-23 June 2016.
For further information on the OECD Recommendation on DSRM, see:
Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity of 17 September 2015 C(2015)115.
Press release of the Internet Technical Advisory Committee (ITAC) of October 1, 2015.