HAVING REGARD to Article 5 b) of the Convention on the Organisation for Economic Co-operation and Development of 14 December 1960;
HAVING REGARD to the Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security [C(2002)131], hereinafter the "Security Guidelines";
HAVING REGARD to the Resolution 58/199 adopted by the General Assembly of the United Nations on the creation of a global culture of cybersecurity and the protection of critical information infrastructures;
RECOGNISING that the functioning of our economies and societies increasingly relies on information systems and networks that are interconnected and interdependent, domestically and across borders; that a number of those systems and networks are of national critical importance; and that their protection is a priority area for national policy and international cooperation;
RECOGNISING that in order to improve the protection of domestic and cross-border critical information infrastructures, Member countries need to share their knowledge and experience in developing policies and practices and co-operate more closely between themselves as well as with non member economies;
RECOGNISING that the protection of critical information infrastructures requires coordination domestically and across borders with the private sector owners and operators of such infrastructures, hereinafter the "private sector";
On the proposal of the Committee for Information, Computer and Communication Policy:
For the purposes of this Recommendation, critical information infrastructures, hereinafter "CII", should be understood as referring to those interconnected information systems and networks, the disruption or destruction of which would have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy;
National CII are identified through a risk assessment process and typically include one or more of the following:
● Information components supporting critical infrastructures; and/or.
● Information infrastructures supporting essential components of government business; and/or
● Information infrastructures essential to the national economy.
Member countries introduce and maintain an effective framework to implement the OECD Security Guidelines in relation to the protection of CII, taking into account the specific policy and operational guidance set out herein;
PART I. Protection of Critical Information Infrastructures at the Domestic Level
Member countries should:
Demonstrate government leadership and commitment to protect CII by:
Manage risks to CII by:
1. The appropriate organisational structure to provide guidelines and promote good security practices at the national level and to manage and monitor progress, as well as a complete set of processes to ensure preparedness, including prevention, protection, response and recovery from natural and malicious threats;
2. A system of measurement to evaluate and appraise measures in place (including exercises and tests as appropriate) and allow for feedback and continuous update;
Work in partnership with the private sector by:
· Establishing trusted public-private partnerships with a focus on risk management, incident response and recovery;
· Enabling mutual and regular exchange of information by establishing information sharing arrangements that acknowledge the sensitivity of certain information;
· Fostering innovation through public-private research and development projects focused on the improvement of the security of CII and as appropriate, sharing these innovations across borders.
PART II. Protecting Critical Information Infrastructures Across Borders
Member countries should co-operate among themselves and with the private sector at the strategy, policy and operational levels to ensure the protection of CII against events and circumstances beyond the capacity of individual countries to address alone.
They should in particular proactively engage in bilateral and multilateral co-operation at regional and global levels with a view to:
1. Risk management applicable to cross-border dependencies and interdependencies;
2. Generic vulnerabilities, threats and impacts on the CII, to facilitate collective action to address those that are widespread, such as security flaws and malicious software, as well as to improve risk management strategies and policies;
Member countries to disseminate this Recommendation throughout the public and private sectors, including governments, businesses and other international organisations to encourage all relevant participants to take the necessary steps for the protection of CII;
Non-member economies to take account of this Recommendation and collaborate with Member countries in its implementation.
INSTRUCTS the OECD Committee for Information, Computer and Communication Policy to promote the implementation of this Recommendation and review it every five years to foster international co-operation on issues relating to the protection of CII.