THE COUNCIL,
HAVING REGARD to Article 5 b) of the Convention on the Organisation for Economic Co-operation and Development of 14 December 1960;
CONSIDERING that the OECD has worked on digital security since the adoption in 1992 of the first international standard on digital security, the Recommendation of the Council concerning Guidelines for the Security of Information Systems [OECD/LEGAL/0271], and that it has been at the cutting edge in this area updating its standard in 2002 with the Recommendation of the Council Concerning Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security [OECD/LEGAL/0312] and in 2015 with the Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity [OECD/LEGAL/0415], which this Recommendation partially replaces;
HAVING REGARD to the Recommendation of the Council on National Digital Security Strategies [OECD/LEGAL/0480]; the Recommendation of the Council on Digital Security of Critical Activities [OECD/LEGAL/0456]; the Recommendation of the Council on Digital Security of Products [OECD/LEGAL/0481], the Recommendation on the Treatment of Digital Security Vulnerabilities [OECD/LEGAL/0482], the Recommendation of the Council concerning Guidelines for Cryptography Policy [OECD/LEGAL/0289], and the Recommendation on Electronic Authentication [OECD/LEGAL/0353], which form with the present Recommendation a comprehensive set of international standards on digital security featured in the OECD Policy Framework on Digital Security [C(2022)145/ADD1];
HAVING REGARD to the standards developed by the OECD in the area of privacy and transborder flows of personal data; Internet policy making; digital economy, innovation, growth and social prosperity; artificial intelligence; digital government strategies; and responsible business conduct;
RECOGNISING that the digital environment is essential to the functioning of our economies and societies, underpins digital transformation, and is a source of growth, innovation, improved well-being and inclusiveness;
RECOGNISING that the benefits from the digital environment and digital transformation span across all sectors of the economy and all aspects of social progress; that these benefits stem from the open, secure, stable, accessible, interoperable and peaceful nature of information and communication technologies and infrastructure, and in particular the Internet;
RECOGNISING that digital security incidents create uncertainties which are dynamic in nature and can affect the digital and physical environments, damaging stakeholders’ objectives, reputation, human rights and fundamental values such as freedom of expression and privacy, protection of data, trust, economic interests, business operations, physical assets and safety, and affecting competitiveness, well-being, and public welfare;
RECOGNISING that digital security risk management is a flexible, adaptable, agile, and cost-effective approach to address these uncertainties, to establish resilience, and to achieve the expected social and economic benefits while innovating and creating trust, to deliver critical activities, to preserve human rights and fundamental values, to protect individuals from digital security threats, and to increase their safety;
RECOGNISING that some stakeholders such as individuals, small and medium enterprises, and civil society organisations have limited ability and capacity to manage digital security risk;
RECOGNISING that stakeholders implementing digital security risk management need to mitigate the digital security risk related to potential supply-chain attacks;
EMPHASISING that digital security risk management provides a robust foundation to implement the “Security Safeguards Principle” in the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data [OECD/LEGAL/0188] (OECD Privacy Guidelines) and, more generally, that this Recommendation and the OECD Privacy Guidelines mutually reinforce each other;
MINDFUL that governments, public and private organisations, as well as individuals share responsibility, based on their roles and the context, for managing digital security risk and for protecting the digital environment; and that co-operation is essential at domestic, regional and international levels.
On the proposal of the Committee on Digital Economy Policy:
I. AGREES that, for the purposes of this Recommendation:
● Digital security risk refers to a category of risk (i.e. the effect of uncertainty on objectives) related to the use, development and management of the digital environment in the course of any activity, which:
o can result from the combination of threats and vulnerabilities in the digital environment;
o can undermine the achievement of economic and social objectives including physical safety by disrupting the availability, integrity, and confidentiality of the data, information systems and networks;
o is dynamic in nature;
o includes aspects related to the digital and physical environments, the people involved in the activity and the organisational processes supporting it.
● Digital security risk management refers to the set of coordinated actions taken within an organisation and/or among organisations, to address digital security risk while maximising opportunities, which:
o is an integral part of decision making and of an overall framework to manage risk to economic and social activities;
o relies on a holistic, systematic and flexible set of cyclical processes that is as transparent and as explicit as possible;
o helps to ensure that digital security risk management measures (“security measures”) are appropriate to and commensurate with the risk and economic and social objectives at stake.
● Digital security refers to the set of measures taken to manage digital security risk. Digital security can be viewed as the economic and social dimension of cybersecurity.
● Stakeholders refers to the governments, public and private organisations and the individuals, who rely on the digital environment for all or part of their economic and social activities. They can take on different roles. For example, organisations may be part of a supply chain.
● Leaders and decision makers refers to those stakeholders at the highest level of leadership in governments and in public and private organisations.
II. RECOMMENDS that Members and non-Members adhering to this Recommendation (hereafter the “Adherents”) adopt a digital security risk management approach to build trust and take advantage of the open digital environment for economic and social prosperity, applicable at all levels of government and in public organisations; based on the following principles, which are complementary, should be taken as a whole, and are meant to be consistent with risk management processes, best practices, methodologies, and technical standards; and CALLS on private organisations to promote and implement the following principles;
GENERAL PRINCIPLES
1. Digital security culture: awareness, skills and empowerment
All stakeholders should create a culture of digital security based on the understanding of digital security risk and how to manage it.
To that effect, the stakeholders should be:
a) aware that digital security risk can affect the achievement of their economic and social objectives and that their management of digital security risk can affect others, including the delivery of critical activities;
b) empowered with the education and skills necessary to understand this risk, to help manage it, and to evaluate the potential impact of their digital security risk management decisions on their activities and the overall digital environment;
c) aware of the role of security researchers in improving digital security by reporting vulnerabilities according to good practice.
2. Responsibility and liability
All stakeholders should take responsibility for the management of digital security risk based on their roles, the context and their ability to act.
To that effect, the stakeholders should:
a) act responsibly, be accountable for the management of digital security risk and for taking into account the potential impact of their decisions on others.
b) recognise that, because there is no absolute security, they are responsible for determining the level of residual risk that is acceptable in order to achieve economic and social objectives, and to treat the risk accordingly.
c) appoint responsible owners of this risk, and be aware of potential liabilities.
3. Human rights and fundamental values
All stakeholders should manage digital security risk in a transparent manner and consistently with human rights and fundamental values.
To that effect, the stakeholders should:
a) implement digital security in a manner that is consistent with and supports human rights obligations and fundamental values recognised by democratic societies, including the freedom of expression, the free flow of information, the confidentiality of information and communication, the protection of privacy and personal data, freedom of association, non-discrimination, openness and fair process.
b) base their digital security on ethical conduct which respects and recognises the legitimate interests of others and of the society as a whole.
Public and private organisations should have a general policy of transparency about their practices and procedures to manage digital security risk.
4. Co-operation
All stakeholders should co-operate, including across borders.
All stakeholders should co-operate on digital security risk management as global interconnectedness creates interdependencies between stakeholders. To that effect, all stakeholders should co-operate:
a) in an inclusive manner so that all stakeholders, including across supply chains, participate in digital security.
b) within governments, public and private organisations, as well as amongst them and with individuals, civil society, the technical community and academia, as appropriate.
c) across borders at regional and international levels.
Governments and public and private organisations should work together to empower individuals and small and medium enterprises to collaboratively manage digital security risk.
OPERATIONAL PRINCIPLES
5. Strategy and Governance
Leaders and decision makers should ensure that digital security risk is integrated in their overall risk management strategy, and managed as a strategic risk requiring operational implementation.
To that effect, leaders and decision makers should:
a) Understand the strategic and systemic economic and social aspects of digital security risk;
b) Adopt and update through a continuous improvement cycle a strategic digital security risk management plan including the allocation of resources, allowing for the progressive implementation of the security baseline and response plans;
c) Set clear roles, responsibilities, and processes as well as appropriate resources to ensure that leaders and decision makers who are responsible for the benefits of an activity are also responsible for its related digital security risk (risk ownership), and for identifying how enhanced digital security can contribute to the value, effectiveness and competitiveness of the organisation and of its products and services, including by increasing its partners’ trust;
d) Regularly receive risk-related reports and be responsible for acting on such reporting by making appropriate risk treatment decisions in a timely manner;
e) Take into account, in their internal digital security strategy, technical and organisational aspects as well as the human factor, for example through training and awareness raising, in order to empower employees and users who are targeted by cyberattackers to protect themselves.
6. Risk assessment and treatment cycle
Leaders and decision makers should ensure that digital security risk is treated on the basis of continuous risk assessment.
To that effect, leaders and decision makers should:
a) Carry out digital security risk assessment as an ongoing, systematic and cyclical process by evaluating and monitoring the threats, the vulnerabilities that they could exploit, and their possible impact on the economic and social activities at stake, including safety.
b) Take into account in their risk assessment the risk affecting the activity’s supply chain, internal and/or external advice as well as contextualised cyber threat intelligence (CTI) that can be shared among stakeholders in order to increase the efficiency of digital security strategies and reduce digital security costs.
c) Treat the risk, on the basis of the risk assessment, in order to reduce it to an acceptable level relative to the economic and social benefits expected from those activities while taking into account the potential impact on the legitimate interests of others, and legal requirements. Risk treatment includes various options: accepting the risk, reducing it, transferring it (for example through insurance), avoiding it or a combination of those.
7. Security measures
Leaders and decision makers should ensure that security measures are appropriate to and commensurate with the risk.
To that effect, leaders and decision makers should:
a) Select, operate and improve security measures based on the digital security risk assessment and with a view to reduce the digital security risk to the level deemed acceptable when treating the risk.
b) Adopt security measures that are appropriate to and commensurate with the risk, and take into account their potential negative and positive impact on the economic and social activities they aim to protect, on human rights and fundamental values, and on the legitimate interests of others.
c) Consider all types of measures, whether they are physical, digital, or related to people, processes or technologies involved in the activities.
Governments as well as public and private organisations should seek out and appropriately address vulnerabilities as soon as possible.
8. Innovation
Leaders and decision makers should ensure that innovation is considered.
To that effect, leaders and decision makers should:
a) Consider innovation as integral to reducing the digital security risk to the acceptable level determined in the risk assessment and treatment.
b) Consider the effects of digital security on innovation and its positive and negative impact on efficiency, competitiveness and human rights, recognising that digital security risk management can boost or undermine innovation depending on how it is implemented.
c) Foster innovation both in the design and operation of the economic and social activities relying on the digital environment as well as in the design and development of security measures.
9. Resilience, preparedness and continuity
Leaders and decision makers should ensure that a preparedness and continuity plan based on digital security risk assessment is adopted, implemented and tested, to ensure resilience.
To that effect, in their preparedness and continuity plan, leaders and decision makers should:
a) Aim at reducing the adverse effects of security incidents, and supporting the continuity and resilience of economic and social activities.
b) Identify measures to protect, detect, respond and recover from digital security incidents.
c) Encompass participants in the supply chain such as suppliers and third-party partners, to the extent possible.
d) Provide mechanisms to ascribe clear levels of escalation based on the magnitude and severity of the effects of digital security incidents, as well as their potential to extend to others in the digital environment.
e) Develop appropriate notification procedures.
***
III. INVITES the Secretary-General to disseminate this Recommendation.
IV. INVITES Adherents to disseminate this Recommendation at all levels of government.
V. INVITES non-Adherents to take due account of, and adhere to, this Recommendation.
VI. INSTRUCTS the Committee on Digital Economy Policy, through the Working Party on Security in the Digital Economy, to:
a) Serve as a forum for:
i. exchanging information on digital security to identify good practice in coordination with other international organisations and fora, and
ii. developing analytical work to support the implementation of this Recommendation;
b) Report to the Council on the implementation, dissemination, and continued relevance of this Recommendation no later than five years following its adoption and at least every ten years thereafter.