Many privacy guidelines and security standards are advocated today, and they often confuse, rather than help, network administrators who are trying to employ best practices, particularly with respect to commercial Web sites.
In response, the Organization of Economic Cooperation and Development plans to release in September a set of security principles that might move the guidelines and standards toward common ground.
The Paris-based OECD is revising principles written in 1992, well before the Internet became the ubiquitous business tool it is today. While many of the original points will be reiterated in the new release, there will also be more tangible recommendations that enterprises can apply to reduce liabilities, particularly in regard to online commerce.
The new guidelines will reflect the widespread use of the Internet, and they will emphasize that all users, even the least technologically savvy, must play a role in protecting its security.
“Before, people were really just focused on the periphery [of the network] and they forgot to focus on the people on the inside [of an organization],” said Joe Alhadeff, chief privacy officer and vice president of global public policy at Oracle Corp., in Redwood Shores, Calif. “The biggest vulnerability can be a person who is just trying to be helpful to a customer.”
Alhadeff, who participates in the OECD security review, said network security no longer fits solely under the rubric of IT policies. “Some are called personnel policies; some are called privacy policies,” he said at a workshop on consumer information security sponsored by the Federal Trade Commission last week in Washington. “It’s not just your IT department that has to worry about this issue anymore.”
The OECD guidelines will offer more operational concepts than the earlier, more theoretical version, according to Alhadeff. “There will be recognizable steps, common-sense approaches to what you do with security,” he said.
Advocates from a spectrum of industries are seeking ways to simplify the varying approaches to network privacy and security, and the OECD guidelines are expected to point in that direction.
“We’re looking for a blending of a lot of the different principles ultimately,” Peggy Lipps, senior director for security and risk assessment at the Washington-based Financial Services Roundtable, said at the workshop. “If there is an umbrella set of principles under which all other initiatives could fall, that would be a good thing.”
Other security experts in Washington said they expect the insurance industry to play a growing role in shaping standards both for consumers and for the businesses that serve them.