
Opening Address by Mr. Alan Wong, Director of Information Technology Services at the Information Security Summit 2003
17 - 11 - 2003


Mr. Yeung, Distinguished Guests, Ladies and Gentlemen,

Good morning! I am honoured to be here to join you at the opening ceremony of the Information Security Summit 2003.

Today, experts from Australia, China, France, Germany, Japan, New Zealand, Singapore, UK, USA and Hong Kong gather here to share their knowledge and experience in information security. The high level of international participation at this Summit signifies the importance of information security in our globally connected world, in which cyber terrorism is no longer a figment of imagination but a real threat.

I would like to take this opportunity to share our experience with you by describing in detail the work done by the Hong Kong Special Administrative Region (in short, HKSAR) Government on information security in Hong Kong.

The HKSAR Government published its first Digital 21 Strategy in 1998 which laid down a blueprint for the adoption and development of information and communication technologies (or ICT) in Hong Kong. Since then, we have made great strides in the building of our information infrastructure as well as application systems to facilitate e-government and e-commerce. Recently, following an interim review a couple of years ago, we have reviewed the strategy again and published last month a consultation document seeking comments from the general public on the way forward with a view to publishing the next version of the Strategy in 2004.

It is pleasing to note that the bursting of the "dotcom bubble" has not hindered the healthy development of e-commerce and e-government in Hong Kong. Both Government and business enterprises are keen to offer their goods or services over the Internet, and the community is accepting the e-options gradually. Indeed the use of ICT is penetrating into every facet of our daily lives. It changes the way we conduct business and interact with Government. To minimise the risk of disruption to the delivery of services which will arise from the increasing digitisation of daily life, Hong Kong has implemented a range of measures to ensure the security and reliability of electronic transactions. These measures are very important because without them it would be very difficult to inspire public confidence in using the e-options.

The ICT infrastructure we have built in recent years includes the enactment of legislation for e-business, that is, the Electronic Transactions Ordinance which provides a clear and conducive legal framework for e-business to prosper; an architectural framework for secure transactions through the establishment of the public key infrastructure (PKI) and the voluntary certification authority recognition scheme; the setting up of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT/CC) to enhance Hong Kong's information security incident response capability; and recently the issuing of Multi-Application Smart ID Cards (MASC) to all Hong Kong citizens, which may accommodate e-certificates for secure transactions.

The HKSAR Government has done a lot to strengthen the information security infrastructure of Hong Kong. Our aim is to ensure the integrity of business transactions and information by guarding against various types of cyber attacks such as worms and viruses, hacking, spamming and computer crimes. Deploying state-of-the-art technology, we use firewalls, anti-virus software, intrusion detection systems and other defensive mechanisms to monitor, detect and block suspected and potential attacks on our computer networks and systems. We keep these systems up-to-date by applying the necessary patches and fixes regularly.

Now, I would like to describe in detail what we are doing in the HKSAR Government, mainly by or through my department, the ITSD, to ensure the security of information systems. I hope you will accept this account as our modest contribution to the Summit. Our practice may not be the best, but it works pretty well, and I believe it should provide useful reference to many of you.

We closely monitor, and disseminate, the information on computer security published by international and local organizations, in order to keep ourselves up-to-date on the trends of computer security attacks and the solutions available against such attacks. This will enable all government departments to take effective and prompt actions to protect government information assets. All government computer systems are subject to periodic security reviews and audits to ensure that they can keep up with technology advancement, development of international and industry best practices, and changes in the systems as well as organizational environment.

With the increasing number and complexity of computer systems and networks in the Government, ITSD has developed comprehensive IT security policies, procedures and relevant guidelines in addition to technical measures. These provisions are adopted by all departments which are required to comply with the Government's Security Regulations. A Baseline IT Security Policy was first published in February 2000, under which an Information Security Management Committee (ISMC) and an IT Security Working Group (ITSWG) have been established to oversee the information security management and operation within Government departments, and help enforce the IT security policy in each and every department. The Baseline IT Security Policy and related guidelines are regularly reviewed and updated in keeping with technology advancement and changes in the government IT environment. We have published the Baseline Policy and guidelines on the ITSD web site for public reference.

The Baseline Policy also requires all departments to appoint a senior officer to be the Departmental IT Security Officer (DITSO) who is charged with the responsibility for the overall information security management and operation of his or her department. In addition, an Information Security Incident Response Team (ISIRT) must be set up in every department to deal with all matters on a day-to-day basis relating to security incident reporting and response.

Centrally, the HKSAR Government has established a Government Information Security Incident Response Office (GIRO) which co-ordinates and supports all departments in the handling of Government information security incidents. A Standing Office has been formed in ITSD to act as the central contact point for ISIRTs. The GIRO Standing Office monitors round the clock computer virus and information security incidents, outbreaks or alarms from all sources globally, and reports to the relevant units in the security framework as and when necessary. Virus alerts and security reminders are issued to departments as soon as a security problem is identified and assessed to be serious. On checks and balances, we require the administrators of major government infrastructure systems to submit a weekly information report (WIR) to the ITSD on the security status of their systems and other issues relating to IT security for management monitoring and control purposes.

Of course, having the security frameworks and practices in place is not sufficient. We need good people as well, I mean, IT security personnel that are technically competent, self-motivated, alert, responsive and reliable. We encourage our IT professionals to acquire IT security knowledge actively and seek professional qualifications such as CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor). We are also developing a community of practice within our knowledge management framework to facilitate the sharing of ideas, intelligence and experience among security professionals, system developers and managers as well as IT users.

Finally, I would like to mention briefly our engagement with the public. We actively collaborate with various agencies in organising exhibitions, seminars and conferences, etc. to promote public awareness of IT security. An InfoSec web site was set up last year, which is a one-stop portal, to facilitate public access to information security related resources and updates on the web. This web site "www.infosec.gov.hk" is designed in such a way to address the needs of different groups of users so that they can obtain the information they want precisely and speedily. It has proved to be very popular. Apart from information dissemination, it also provides a channel for comments and contributions of content by the users. Besides, we also publish information leaflets and promotional materials, and produce radio episodes and TV features, to educate the public on information security.

The Information Security Summit 2003 provides an excellent opportunity for all of us to exchange ideas and share insights with each other on a broad range of issues, and to hear the words of wisdom from the many 'heavy weight' experts on information security coming from different parts of the world. I am sure your participation in this event will be a rewarding experience. I wish the Summit a great success.

Thank you.

- END -

Last review date: 31 August 2008