Select Committee on European Scrutiny First Report


  22. NETWORK AND INFORMATION SECURITY

(23969)

Draft Council Resolution on a European approach towards a culture of network and information security

Legal base:
Department: Trade and Industry
Basis of consideration: EM of 18 November 2002
Previous Committee Report: None
To be discussed in Council: 5/6 December Transport/Telecommunication/Energy Council
Committee's assessment: Politically important
Committee's decision: Cleared


22.1

This Resolution follows a Commission Communication proposing a European policy on network and information security[61] and two Resolutions. One, dated 30 May 2001, noted the Communication, recognised the importance of the issue, and referred back to the emphasis given to it in the eEurope Action Plan.[62] The other, dated 28 January 2002, included an action plan and agreement on a limited number of key issues, together with target dates.[63]

22.2

The present Resolution recalls the earlier documents, acknowledges the importance and wide scope of information security, and points to the OECD Guidelines as a valuable model for developing policies which achieve a culture of security while respecting democratic values and the importance of personal data protection. Its goals are:

—  to define and attribute responsibility for the security of networks and information systems for all stakeholders (specifically consumers, businesses, service providers and governments);

—  to improve responses to security incidents;

—  to encourage the integration of the management of security risks into mainstream management thinking and "business engineering"; and

—  to take a "holistic" view of the risks associated with information systems and include human failings and physical events in threat assessments.

The Government's view

22.3

The Minister for E-Commerce and Competitiveness, Department of Trade and Industry (Mr Stephen Timms) says that the Resolution encourages continued effort by the Member States to create the right policy framework to improve the security of networks and information systems. He says that it does this by taking a more strategic view of the policy objectives. It is less orientated towards actions than the previous Resolution, which was seen to some extent as an immediate response to the events of 11 September 2001.

22.4

The Minister notes that the UK has already taken action on many of the issues addressed in the Resolution, in particular by promoting the use of the OECD guidelines.

Conclusion

22.5

We see the main purpose of this Resolution as securing agreement on a common policy of pursuing the guidelines published recently by the OECD[64], as well as giving fresh momentum to pursuit of the goals it sets out. We understand that some Member States have taken the view that a tight regulatory approach would be appropriate, whereas the UK Government regards the OECD approach as providing a more flexible framework with greater freedom to react to the development over time of new technologies and processes. Differences of approach between the Member States in the Council have slowed progress.

22.6

When we considered the 28 January 2002 Resolution, we urged the Government to press for broader solutions which recognised that the issues were of global concern, and we supported the Commission's suggestion that there should be increased dialogue with international organisations and partners.

22.7

We therefore welcome the Government's approach and the decision of the Danish Presidency to put this Resolution to the 5/6 December Council.

1.8

We now clear the document.


61  (22472) 9727/01; see HC 152-ii (2001-02), paragraph 34 (17 October 2001).

62  (22580) -; see HC 152-ii (2001-02), paragraph 34 (17 October 2001).

63  (23093) -; see HC 152-xiv (2001-02), paragraph 15 (23 January 2002).

64  Information Security Management Systems - Specification with Guidance for Use (BS7799-2:2002).


 

© Parliamentary copyright 2003
Prepared 8 January 2003