Government as developer of public policy, law, and regulation 455

A. Comprehensive statement of strategy

Has your country developed a national policy and/or strategy on the security of information systems and networks and the promotion of a culture of security? Is such a strategy currently being developed or are there any plans for doing this in the future?

If yes, please:

• Describe the process used to develop the strategy, including:

− Assignment of responsibility for developing the policy.

− Assignment for following up on the policy.

− Involvement of relevant participants from government, the private sector and civil society in the development of the policy.

• Describe nature and scope of the strategy, including:

− Objectives.

− Definitions of significant terms.

− Applicability to public/private sectors.

− Action items covered and priorities for their implementation.

− Timeframe and assignment of responsibilities for implementation.

− Assessment/reassessment of the impact of the policy.

− Consistency with the Security Guidelines and/or other international or regional policy instruments.

− How the national policy is communicated to all participants.

• Describe the involvement and roles in policy development and implementation by the private sector, users and others.

• Provide Web citations.

• Provide English and/or French translations of policy documents as available and indicate whether you would like them to be published on the OECD culture of security Web site (www.oecd.org/sti/cultureofsecurity).

455. Questions 1-3 are primarily related to the policy-oriented principles (1-5) of the 2002 OECD Security Guidelines.

B. Legal, regulatory, and institutional arrangements to oversee and implement a culture of security

What legal, regulatory and institutional456 arrangements has your country made to implement a culture of security? Are such arrangements currently being made or are there any plans for doing this in the future?

Please address the nine areas identified in the list below and cover the following, as far as possible:

• Describe and provide detail on the arrangements and implementation, including division of responsibilities, among various government bodies.

• Address international co-operation and information sharing, and provide points of contact for international co-operation and information sharing for items (a), (b) and (c) below.

• Describe how your country incorporates existing and developing international best practices.

• Provide Web citations.

Nine areas to address with regard to legal, regulatory and institutional arrangements

a) Cybercrime, including:

− Substantive and procedural legislation (including pending legislation).

− Enforcement.

− Other (e.g. prevention).

b) Computer incident watch and warning, and response.

c) Critical infrastructure.

d) Risk assessment.

e) Outreach to business, civil society and others.

f) Outreach to state and local government.

g) Education and training.

h) Science and technology (S&T) and research and development (R&D).

i) International outreach and co-operation.

C. Recommendations and other voluntary efforts

Has your country developed voluntary, publicly available recommendations to assist government, business and/or users to address the security of information systems and networks? Are such recommendations currently being developed or are there any plans for doing this in the future?

If yes, please identify significant examples and provide information including:

• The nature of the recommendations.

• How they were developed.

• The involvement of the private sector and others.

• How they are disseminated.

456. For example, creating a specific body in the public administration to co-ordinate information security activities.

Section II: Government as owner and operator of systems and networks

What action has your government taken to develop a culture of security within the government itself?

Is there any distinct government plan for this? What measures have been taken in each of the possible areas of government action related to its role as owner and operator of systems and networks to develop a culture of security identified in the list below? Are such measures currently being developed or are there any plans for doing this in the future? 457

• Provide information on:

− The assignment of responsibility for implementation.

− Institutional arrangements (e.g. creating a specific body in the public administration to co-ordinate information security activities).

− Specific initiatives taken or to be taken.

− Creation or support of measures for self-assessment (e.g. checklists for evaluating the security of existing systems).

• Provide details on implementation, including:

− Priorities for implementation.

− Progress to date on implementation and actions taken.

• Include Web citations.

Possible areas of government action related to its role as owner and operator of systems and networks

a) To secure government systems, including co-ordination among agencies/ministries.

b) To provide watch and warning and incident response for government systems. Please also address:

− The creation of or participation in a computer security incident response team (CSIRT) or CSIRT-like institutions.

− Efforts to co-ordinate among government agencies on watch and warning and incident response (including information about criteria for and co-ordination on issuing alerts).

− Co-ordination with other stakeholders in regard to vulnerability discovery, disclosure and patch management.

c) To co-operate and co-ordinate with non-government owners and operators in your country.

d) To monitor and evaluate security compliance and the effectiveness of agency owners and operators,458 including: the use of risk assessments and/or audits (whether voluntary or mandatory); the methodology used, the entity in charge of the audit, time periods for re-auditing, assignment of budget for auditing activities, etc.; the use of security standards in procurement; and the use of penetration tests.

Do you collect information and/or statistics on the budget for security of information systems and networks in the public sector? Do you set targets for the proportion of information security spending in the public sector in your country? If not, do you plan such or similar measures for the future?459

457. Question 4 is primarily related to the operation-oriented principles (6-9) of the 2002 OECD Security Guidelines.

458. “Agency owners and operators” refers to any government entity that would own and operate information systems and networks, such as government ministries, agencies, departments, etc.

459. This question is primarily related to the policy-oriented principles (1-5) of the 2002 OECD Security Guidelines.