The world business organization

Information security assurance for executives

An international business companion to the 2002 OECD Guidelines for the security of networks and information systems: Towards a culture of security

Published in November 2003 by
INTERNATIONAL CHAMBER OF COMMERCE
The world business organization
38 cours Albert 1er, 75008 Paris, France

Copyright © 2003 Business and Industry Advisory Committee to the OECD (BIAC) and International Chamber of Commerce. All rights reserved. No part of this work may be reproduced or copied in any form, recording, taping or information retrieval systems, without the written permission of ICC.

TABLE OF CONTENTS

PART I: EXECUTIVE SUMMARY
Introduction
Meeting the requirements of information assurance 5
Foundation principles
Social principles
Security lifecycle principles

PART II: BACKGROUND AND OBJECTIVES
Why develop this paper?

PART III: TOWARDS A CULTURE OF SECURITY
OECD Guidelines for the security of information systems and networks
Foundation principles 11
Social principles 12
Security lifecycle principles 12
The role of business in a culture of security 12
How can business benefit from the Guidelines? 13
Appropriate to role, sector and size 16
Global interdependencies - Cooperation with other stakeholders

PART IV: SECURITY ASSURANCE CHECKLIST 19
Structure and checklist
Foundation principles 19
Social principles
Security lifecycle principles
Foundation principles 21
Awareness 21
Responsibility 24
Response 27
Social principles
Ethics 29
Democracy 30
Security lifecycle principles 31
Risk and risk assessment 31
Security management 35
Reassessment 37

CONCLUSION 40

PART I: EXECUTIVE SUMMARY

Introduction

All business is a matter of trust. Trust can only develop where the participants in a transaction feel secure. Security from a business perspective must therefore be seen as a business enabler, not as a cost.
This document considers how the OECD Guidelines for the Security of Information Systems and Networks can be used by businesses to develop a culture of security within their own organization, with partners and with customers.

Information Security Assurance for Executives has been developed by the Business and Industry Advisory Committee to the OECD (BIAC) and the International Chamber of Commerce. It is part of the effort of international business to create a truly global "culture of security".¹

Meeting the requirements of information assurance

This document presents an information assurance checklist, based around the nine principles of the OECD Information Security Guidelines. With the use of selected examples it sets out to demonstrate to businesses how the requirements of this checklist might be met.

Information assurance checklist

The nine OECD principles are arranged into three categories, as follows:

Foundation principles
1. Awareness
2. Responsibility
3. Response

Social principles
4&5 Ethics and democracy

Security lifecycle principles
6. Risk assessment
7. Security design and implementation
8. Security management
9. Reassessment

¹ Available at http://www.oecd.org/dataoecd/59/0/1946946.pdf

The business checklist is as follows:

1. Awareness
1.1 Do you have written information security policies that everyone knows and understands?
1.2 Are your personnel security aware and security educated?
1.3 What do you do to raise security awareness across your partners, suppliers and users?²

2. Responsibility
2.1 Do you have an information security function (either a person or a group) that reports to senior management such as the Board or executive committee?
2.2 Does your security function have sufficient power and resources to take appropriate steps to manage security?
2.3 Are your employees aware of their responsibilities to help maintain security?

3. Response
3.1 Do you have procedures for responding to and dealing with incidents?
3.2 Do you have a clear business continuity plan that is widely understood and regularly tested?
4&5 Ethics and democracy
4.1 Are you aware of the legislation, regulation and customer expectations that may impact your corporate information security practices?

² The term "users" incl
This document was uploaded and shared by 人生无常 on 2025-09-21 18:08:44.