An international body representing more than 30 nations, including the U.S., is developing a set of information security principles intended to help in the development of IT security standards, best practices and potential security-related laws.
The merits of that effort by the Organisation for Economic Cooperation and Development (OECD) was examined today at a U.S. Federal Trade Commission (FTC) workshop on information security.
The OECD first issued security guidelines for information systems in 1992 but is now working on a revision that takes into account the dramatic changes in IT since then, as well as the concerns raised by the Sept. 11 terrorist attacks in the U.S.
The principles are similar to those spelled out in a constitution: broad, general and potentially subject to interpretation. Even so, Mark McCarthy, senior vice president of public policy at Visa U.S.A. Inc. in Foster City, Calif., and a participant in the workshop, said the hope is that the OECD document will "focus attention of the business community and others on the importance of information security."
The OECD guidelines, which aren't binding for any nation or company, set out as an example an "awareness principle" that calls for owners and users of IT to understand security. The "ethics principle" says IT should be handled in a way that respects the rights and legitimate interests of others.
The main message of the OECD's work, said FTC Commissioner Orson Swindle, is that "security is important, that we're all players whether want to be or not ... and what we do has the capacity to hurt ourselves but even more important, [to] hurt other people." Swindle heads the U.S. delegation involved in the effort.
The OECD's intent is to create a document that's accessible to all participants, "but the technologist would look at this at a very high principle level only," said Joseph H. Alhadeff, Oracle Corp.'s vice president for global public policy and someone who has been involved in the OECD guideline drafting process. "These are the formative issues that you need to think about that set the framework" from which you develop best practices, he noted.
Regardless of whether the OECD has any impact, companies are being pushed to consider security by other forces.
For instance, in May 2001, Visa issued its own security rules to merchants covering the storage, encryption and access of credit card data. As part of that plan, the top 100 e-commerce merchants, who account for about 70 percent of Internet commerce in the Visa system, are required to have their online security systems validated by a third party -- an accounting or security firm. Other companies are checked randomly, said McCarthy.
Companies that don't participate -- and none have refused so far -- could risk fines from Visa or even the loss of its business, said McCarthy.
Another looming threat is litigation.
Kimberly Kiefer, a Washington-based attorney who is co-chairwoman of the American Bar Association's Information Security Committee, said companies face legal peril when information security breaches compromise customer data.
So far, there have been few lawsuits stemming from releases of customer data, which Kiefer attributes to everything from lack of awareness to the difficulty of proving damages. But it might take only one case to prompt many lawsuits, she said.
"It's just a matter of time," said Kiefer. "This is one of these risks that is either on or it's off. It's going to be off until it's on."