A Strategic Approach
A Culture of Security and Safety
13. A strategic approach to ICT security and confidence issues is important to ensure that there is a clear overall vision to underpin and guide planning and to harmonise actions by government and other participants.
14. The Organisation for Economic Cooperation and Development (OECD) sets out a global vision for ICT of developing and promoting a culture of security amongst all participants, namely government, business, other organisations and individual users. This means that security is factored into the development of information and communication systems and networks and that the actions and behaviours of all participants in the ICT area take account of security issues.
15. This paper focuses on safety and security issues because threats to safe use of information and communications technologies undermine confidence in their use.
16. It is proposed that the development and promotion of a culture of security and safety amongst all participants be a key strategy for building and maintaining confidence in ICT in New Zealand consistent with the objectives of the Digital Strategy.
Principles
17. To support the development of a culture of security, the OECD established nine principles to guide the actions and behaviour of participants in the ICT sector. It is proposed that the principles to guide the actions and behaviours of participants in the ICT sector in New Zealand include the nine OECD principles (with some additions and modifications).
18. The following principles are proposed:
- Currency in that public policy and legislation impacting on ICT safety and security is up-to-date with current and emerging ICT technologies;
- Awareness by participants of the need for security of information and communication systems and networks and what they can do to enhance security;
- Responsibility being taken by all participants for the security of information and communication systems and networks;
- Responsiveness in that all participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents;
- Ethics in that participants should respect the legitimate interests of others;
- Constitutionally and legally sound in that the security of information and communication systems and networks should be compatible with New Zealand's constitutional and legal protections and freedoms;
- Risk assessments should be conducted by all participants and factored into risk and security management practices;
- Security design and implementation in that participants should incorporate security as an essential element of information and communication systems and networks;
- Security management in that participants should adopt a comprehensive approach to security management, including the adoption of security practices as part of the governance framework of organisations;
- Reassessment in that participants should regularly review and reassess the security of information and communication systems and networks, and make appropriate modifications to security policies, practices, measures and procedures;
- Education and expertise in that government and business should promote education of good ICT practices and ensure that there is sufficient technical and professional expertise in ICT security available to support the required actions;
- Co-operation in that the security of information and communication systems and networks should be supported by international co-operation and co-operation within government, between government and business, and between businesses and specialist ICT organisations.
Roles of Various Participants in the ICT Sector
Roles of Government
19. Government has the task of providing for the development of a culture of ICT security and safety. It can provide for this in each of its roles, including the development of public policy, the administration and enforcement of legislation, as owner and operator of systems and networks, as the provider of services, and as a user of such systems and networks.
20. The objective for government in developing public policy is the promotion of the security of information and communication systems and networks to engender confidence in their use and better ensure economic growth and overall security. In its public policy role government should respond to the need for a comprehensive policy and institutional infrastructure to ensure public safety, security and economic well-being in response to the threats and vulnerabilities associated with globally interconnected information and communication systems and networks. In addition government should assist with education and awareness-raising, the development of guidelines, and support and facilitate efforts by all participants to address ICT security and confidence issues.
21. As the administrator and enforcer of legislation, it is important that government sufficiently resource and support these tasks to ensure good decision-making in support of security and effective enforcement action against cyber-crime and ICT security threats generally. As owner and operator of information and communication systems and networks, government shares a role with businesses and other organisations and should lead by example by effectively applying the principles of risk assessment, security design and implementation, security management, and reassessment. As a user of information and communication systems and networks, government shares the responsibility with businesses, other organisations, and individuals for ensuring that its use of those systems and networks is consistent with a culture of security and safety.
Roles of Business and Industry Associations
22. Most information and communication systems and networks are owned or operated by private sector businesses. In addition, businesses are users of these networks and systems.
23. In their role as owner and operator of information and communication systems and networks businesses have an important role in ensuring the security of ICT infrastructure through the adoption of best practices, the meeting of industry standards, and applying the principles of risk assessment, security design and implementation, security management and reassessment.
24. As a user of information and communication systems and networks, business has a responsibility to ensure that its use is consistent with security management principles and good security practice. Industry associations can often have a role in educating and encouraging their industries to adopt good practice.
Role of the General Public, Communities and User Groups
25. Individual and organisational users of information and communication systems and networks have a responsibility to ensure that their use is consistent with good safety and security practice. User groups such as InternetNZ and the Internet Safety Group have important roles in educating users about these good safety and security practices and promoting them.
Questions for Discussion
1. What is the best strategy for promoting confidence in the use of ICT in New Zealand?
2. Are the proposed guiding principles right and, if not, what changes should be made?
3. Are the suggested roles of government, business, specialist ICT organisations, and the general public and communities right and, if not, what should they be?