October 5, 2015
The Organisation for Economic Cooperation and Development (OECD) has released the Digital Risk Management Recommendation, the latest revision of the well-established Digital Security Guidelines. The Civil Society Information Society Advisory Council (CSISAC) has actively contributed to this revision, focusing on preserving human rights and fundamental values, and working to ensure that responsibility is not placed on the end user alone. A multi-stakeholder approach should be followed by governments for the development of national security strategies.
CSISAC fosters Human Rights, Responsibility and Multi-Stakeholder Design
The CSISAC has worked together with the OECD, member states and other stakeholders as an interface to facilitate the contribution of acknowledged experts and academics from Civil Society.
Among the improvements of the guidelines, CSISAC is proud to see reflected Human Rights and Fundamental Values as one of the four General Principles. We believe that this improves the role of transparency in the management of digital security risk by all stakeholders.
The inclusion of the Responsibility Principle is also a welcome outcome, as it helps ensure that all involved stakeholders assume their share of responsibility for managing risk in the digital realm. In the case of disruptions to infrastructures and services, responsibility cannot be delegated only to the final user. This principle helps keep the chain of responsibility unbroken.
Another prominent signal is the explicit recommendation of a multi-stakeholder approach for the development of national security strategies. As the recent revelations about pervasive governmental surveillance programs show, including civil society in the development of those strategies is necessary to help prevent similar dysfunctions in the future. CSISAC will be happy to continue contributing to a productive dialogue with the member states through the work of the OECD Committee for the Digital Economy Policy.
The OECD Digital Risk Management Recommendation
The OECD Digital Risk Management Recommendation is one of the fundamental references for leaders and CEOs of public and private sectors in global policy making.
Disruption of operations, financial loss, reputational damage, loss of competitiveness, lawsuits, as well as loss of trust among customers, employees, shareholders and partners: recent high-profile examples illustrate the far-reaching economic consequences that digital security incidents can have for organisations. Security incidents also affect individuals through a multitude of less widely known privacy breaches and incidents with potentially harmful consequences.
The OECD, whose last Recommendation on digital security dates from 2002, offers eight principles to guide digital security risk management, including on the responsibility of different actors, co-operation between stakeholders and the role of innovation. It recommends that countries adopt national plans to ensure that measures are identified and implemented to prevent, detect, respond to and recover from digital security incidents. The emphasis of the Recommendation on the notion of 'risk' is one of the main characteristics of this new version, one strongly supported by CSISAC because the previous focus on security did not adequately acknowledge the value of preserving and fostering fundamental issues such as human rights and privacy.
The OECD Recommendation on Digital Security Risk Management was prepared under the guidance of the OECD Committee on Digital Economy (CDEP) with the input of the Working Parties on Communication Infrastructure and Services Policy (CISP), Measurement and Analysis in the Digital Economy (MADE), Security and Privacy in the Digital Economy (SPDE), together with expert groups and advisory panels. Thanks to the support of its funders and the voluntary contribution of its membership, the CSISAC has managed to extend civil society participation to the full set of policy assessment environments at the OECD CDEP.
The final version of the Recommendation can be found at the OECD Library (http://oe.cd/dsrm).