Welcome Remarks by Mr. John Wong, Assistant Government Chief Information Officer, at the 7th Info-Security Conference 2006
09 - 05 - 2006
Distinguished Guests, Ladies and Gentlemen,
Good morning! I have great pleasure to be here to deliver the welcome speech for the 7th Info-Security Conference 2006, and to share some of my thoughts with you.
Introduction
The Internet has become a utility after years of development and widespread adoption. In Hong Kong, 65% of households and 55% of the business sector have Internet connections. The population of Internet users, and the use of the Internet as the electronic channel for communication and transactions, are increasing at great speed. Perhaps, very soon, the electronic mode of service delivery will dominate the traditional way. Information and Communication Technology (ICT) makes life easy and efficient for users.
Security Threats
Like human society, the cyber world is susceptible to malicious attacks and fraudulent tricks. Last year, a data security breach, possibly the largest to date, happened in the US, resulting in the exposure of more than 40 million credit card accounts to fraud. I hope that none of you was affected by this incident and had to replace your credit cards or bank accounts. Recently, a similar incident happened again. It was reported that some fraudsters stole the details of 2,000 credit card holders in a major security breach last month. Luckily, the theft was detected and the necessary action taken to stop the fraudsters from exploiting the card information.
Security Management Issues
Business executives are now very concerned about the rising trend of cyber security threats attacking personal and corporate users through various means. Implementation of security devices, measures and other mechanisms to monitor, detect and block suspected and potential attacks on computer networks is essential. According to the Information Security Survey conducted by the HKCERT, although the awareness and implementation of protective measures for information security among Hong Kong companies has increased significantly, the percentage of interviewed companies that had information security risk assessment and audit, an information security policy and incident response procedures in place was still low. In order to protect personal and business information, it is crucial to establish an effective information security management framework and implement the necessary governance structure to ensure compliance with the security requirements.
Information Security Management Framework in Government
Government places great importance on information security governance to oversee and enforce information security within Government. We have established a security management framework that comprises a management committee, a working group and standing offices to provide central services and support to Government departments. Individual departments are required to appoint their own Departmental IT Security Officer (DITSO) and Departmental Information Security Incident Response Team (ISIRT), responsible for the information security issues in that department.
The OGCIO has recently carried out a survey on the security arrangements implemented by public organizations. According to their feedback, they have implemented various protective measures and incident response procedures for handling security threats. In addition, the Government has taken appropriate measures to ensure that the IT security of these organizations is maintained at a satisfactory level. These include participating in their management boards/committees, promulgating related guidelines on information security, relying on their obligations under the applicable legislative frameworks, etc.
Enforcement of Information Security Requirements
Policies and Regulations
Government has led by example, and has developed comprehensive IT security policies and guidelines to be adopted by all departments. These include a Baseline IT Security Policy, IT Security Guidelines, Security Risk Assessment and Audit Guidelines, and Information Security Incident Handling Guidelines. These procedures and guidelines were developed with reference to international best practices and professional sources, and are reviewed from time to time to reflect changes in technology and security threats.
All Government departments are required to comply with the security policies and with the Government's Security Regulations (SR), which have a dedicated section covering information systems and related topics on the storage, processing and transmission of information, including classified information, cryptographic key management, physical security, and the proper destruction of classified information. Ad hoc and periodic surveys on information security are conducted to monitor the compliance status of the departments.
Security Audit and Review
Information security is not a static feature. To continuously maintain a high level of security protection, organisations should conduct regular assessments and reviews of their information systems to confirm the health of the information systems, data and networks, as well as to evaluate potential risks. Any identified loopholes should be plugged without delay. Government departments are also required to conduct security risk assessments at least once every two years to keep abreast of changes in technology and security threats.
Strengthening in Outsourcing Projects
Outsourcing is one of our major initiatives under the Digital 21 Strategy for IT development and service delivery. Applicable measures have been put in place to ensure the contractor's compliance with our information security requirements in respect of centrally administered procurement contracts. There are also contract provisions under which the Contractor is required to treat all information and data as confidential, to use such confidential information solely for the purpose of the contract, and to comply with the relevant Government policies, procedures and guidelines, data protection procedures, etc.
Internal Education
Government pays great attention to the management practices and culture of information security in departments. We continue to educate government staff about information security and how to safeguard information. Relevant training courses, seminars and meetings are conducted for staff at various levels. Reminders on security policies and regulations are also issued to departments periodically. In addition, up-to-date material is posted on the intranet website to ensure that departments are aware of the latest technology, developments in information security, and security news and alerts.
Public Education and Awareness
No doubt, information security has to be taken seriously. Public education plays an important role in raising security awareness and promoting ethics in the community. Government is keen to share its knowledge and experience of information security with the community through various communication and information dissemination channels such as the INFOSEC website (www.infosec.gov.hk), radio/TV broadcasts, seminars and conferences.
In closing, this Conference provides an excellent opportunity to share experience and exchange views on information security. I wish it every success.
Thank you.
- END -