Most successful government collaborative initiatives with, and outreach to, small and medium-sized enterprises (SMEs) to promote a culture of security (Q7).
Almost all respondents report initiatives directed at small and medium-sized enterprises (SME). In three countries, an ongoing dialogue with business associations helped design and/or implement the initiatives (Canada, Denmark, Germany) and two countries (Germany and the United States) mention the use of public-private partnerships. Several countries report initiatives targeting home users and micro or small enterprises at the same time (Japan, Netherlands, Spain, Sweden and the United States). Technical information provided to SMEs is delivered in an understandable technical language, or in both non-technical and non-technical languages. The United States reports plans for assessing the effectiveness of its various approaches and material.
Portugal plans to include SMEs in the National Information Security Framework and outlined its strategy to create national awareness about information security. Two countries (Czech Republic and Slovak republic) reported no initiative.
Initiatives include:
• Making information material available (off line and on line), e.g. booklets, manuals, handbooks, model policies and concepts, and SME-specific protection profiles: Australia, Austria, Canada, Germany, Sweden, United Kingdom, United States.
• Setting up Web sites specifically targeted at SMEs: Canada, Germany, Japan and Sweden.
• Providing an alert system on emerging threats specifically tailored to the needs of users with little or no technical knowledge: Germany,12 Netherlands, United States.
• Provision of (online) training (e.g. for system administrators, or users): Korea, United States.
• Seminars, conferences and workshops: Austria, Canada, Finland.
• Setting up a specific unit in a government agency to provide technical advice and assistance to IT security product manufacturers so as to increase the security of their products in the design phase, and to facilitate the certification process: France.
• Conducting online and on-site security check-ups for SMEs: Korea.
• Provision of an online self-assessment tool for SMEs: United Kingdom.
• Developing software tools to facilitate the integration of electronic signature into SMEs’ services and applications: Austria.
• Gathering statistics on the state of IT security in SMEs: Denmark.
• Offering financial assistance and tax support for fostering the production and procurement of secure systems: Japan.
12. The MCert initiative reported by Germany was presented in the « OECD Global Forum on Information Systems and Networks Security: Towards a Culture of Security » held in Oslo on 13-14 October 2003. See the proceedings in DSTI/ICCP/REG(2004)1.
Most successful initiatives and approaches used by governments for outreach to business and industry in order to foster a culture of security among business and industry and to develop public-private co-operation in various areas (Q8)
Almost all respondents report collaborative awareness raising initiatives. This result reinforces the findings of the 2003 survey: governments – as foreseen in the guidelines, and in the corresponding implementation plan –make awareness-raising a starting point for, and a central activity within their efforts to implement a culture of security. Collaborative activities across sectors are reported from some respondents. They are most frequent in the United States.
Many respondents also co-operate with business and industry with regard to education and training.
Institutions tasked with such initiatives range from government agencies specialised in IT security, to law enforcement agencies (one example includes the local police force). Almost all respondents make training material available on the Internet. Other activities include seminars. One country (Spain) has set up a discussion forum on the Internet dedicated to security of information systems and networks.
In the March 2003 report of the US National Cyber Security Partnership Task Force on awareness and outreach, task force members (mostly from the private sector) provided their perspectives on best practices in education and awareness. They made suggestions for how a public/private national outreach awareness campaign could reach 50 million home users and small businesses in the US in the course of one year, through paid media, ISP’s, security vendors, and other channels. The United States also report an initiative to define a job skill profile for security experts in the public and the private sectors. The United Kingdom is creating a new professional body for information security professionals.
Regarding watch and warning and emergency response, most respondents have CERTs or CERT-like institutions in place, some of which are operated by public private partnerships,13 Most of these institutions target more specific audiences (e.g. the public sector, or a specific industry sector), while some are directed at the general public.
On corporate Governance and ethics, a few respondents report collaborative initiatives with the private sector. These include awareness-raising through Web sites and creation of a specific Committee (Japan), or hosting or co-hosting specifically tailored conferences (Germany). In the United States, one of the Task Forces of the National Cyber Security Partnership (NCSP) has published a report, which identifies cyber security roles and responsibilities within the corporate management structure, referencing and combining best practices and metrics that would foster accountability.
Many respondents have undertaken co-operative efforts with the business sector for the creation and implementation of corporate security policies. Some countries have made material (e.g. model policies or handbooks) available and are offering opportunities for voluntary certification (Austria, Germany).
Korea posts criteria for security diagnosis on a portal site to be used by enterprises for self-testing. Norway has mandatory “ICT-regulations” for the financial sector. In Japan, the prefectural police is working with companies in critical infrastructure sectors to create corporate security policies.
No figures have been reported on the percentage of companies in the responding countries that have implemented corporate security policies, nor how having or not having a security policy impacts the frequency of security incidents in companies.
A few other co-operative efforts aim to prevent and combat cybercrime. Australia has formed an Investigations Team for the Banking and Finance sectors comprising staff from law enforcement and from
13. See also question 2.
the banking industry. Canada has a voluntary code of conduct for Internet Providers, and their public and private sectors co-operate in the ITAC Cyber Security Forum. Japan makes reference to preventive measures (tax incentives and a loan programme to foster production and application of secure systems and products, information material and seminars for businesses, analysis of Internet traffic data). Korea has created a national consortium of CERTs to foster co-operation among these institutions. Norway has established a cyber-crime unit in the Norwegian police. Another initiative in this context is the effort of the US Department of Justice to foster the underwriting of insurance policies covering cyber risks with insurance industry groups.
A few initiatives have also been reported regarding co-operative efforts across sectors for the development of secure software. Two countries have conducted or commissioned the development of secure software components related to digital signatures, involving co-operation between the public and the private sectors to different extents (Austria and Germany). Other countries promote research on secure operating systems (Japan – public sector), and on security incident response technologies (Korea). In one country (the United States) the government has promoted secure software development with industry. In addition, an agency of the Department of Homeland Security has developed a software assurance plan.14
A majority of respondents reported initiatives with respect to technical standards and management standards. The activities include the development of national standards in the area of information security, as well as co-operating on and participating in the further development of existing standardisation instruments at the international level. A number of respondents mention the use of national standards or methodologies for security certification of products, information systems and networks (e.g. Austria and Germany). However, no information was provided on whether these standards and methodologies are compatible with internationally recognised instruments.15
With respect to independent certification of the security of information technology, the standards most frequently referred to are the “Common Criteria” (CC or ISO/IEC 15408) and ISO/IEC 17799:
• The Common Criteria are mentioned by eight countries (Austria, Canada, France, Germany, Japan, Norway, Sweden, United States). Some countries mention the Common Criteria mutual recognition agreement.16
• ISO/IEC 17799 or corresponding national implementation is also mentioned by seven countries (Austria, Denmark – public sector, Finland, Norway, Portugal, Spain, United Kingdom).
Finally, certification functions for national standards or quasi-standards have been introduced, such as the German IT Baseline Protection Manual or the Austrian Security Handbook, in Japan, the ISMS scheme, in Korea, telecommunications provider certification and security “check-up”, in Norway, financial sector ICT regulations and in the United States, cryptographic modules, in the United Kingdom, BS 7799 Part 2 – implementation of an information security management system.
No information was provided on how the existing certification approaches are received by users.
14. See also this item under question 4.
15. See also question 4.
16. . This agreement has been signed by 18 OECD countries.