
and other OECD statements, as well as laws and policies around the
world,31 have direct implications for the security of data and electronic
communications systems. The requirements that data be protected from
intrusion and from deliberate or accidental release or alteration are both
implicit and explicit. The issue of cryptography is related to this. Effective
implementation of an ICT Strategy will depend, among other matters, on
secure systems and networks. Businesses, governments, consumers,
foreign investors, foreign governments and others will want to be
assured that data is secure and that networks are secure.

5.3.2

The technical side of this issue is being handled by the Infrastructure
Task Force and will be reflected in the observations and
recommendations from that Task Force and the Action Plans being
developed to implement the Infrastructure portions of Maitlamo.
However, the development of proposals to implement protections of
personal information and privacy must be accompanied by policies to
ensure that personal data is secure in a practical sense. Some of these
issues relate to network design, but others relate to organisational design
and records management and data practices found in governments,
parastatal organisations and businesses. Among the actions that should
be considered are the dissemination and implementation of the OECD
Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security.32 Following the publication of the
Guidelines in 2002, OECD Member Countries adopted Implementation
Plans.

5.3.3

A number of countries and businesses have relied on internationally
recognised standards. ISO/IEC 17799 is a standard code of practice that
provides an organisation with default guidelines on the types of security
controls the organisation should implement to safeguard its assets.
BS7799, which is a management standard specification for Information
Security Management Systems, sets up the necessary steps required to
establish a management framework. ISO/IEC 15408 sets out “Evaluation
Criteria for Information Technology Security”. Formal certification and
audit to these standards may be too elaborate and expensive for most
businesses in Botswana, just as the ISO 9000 series of Quality
Management Standards can be expensive to certify and maintain.
Nonetheless, they can provide a structure against which government and

31 See, for example, APEC Cybersecurity Strategy,
www.apecsec.org.sg/content/apec/apec_groups/working_groups/telecommunications_and_information.html.
Australia, E-Security National Agenda, September 2001,
www.noie.gov.au/projects/confidence/Protecting/nat-agenda.htm.

32 www.oecd.org/sti/security-privacy
