Opening Keynote by Mr Stephen HS Mak, Deputy Government Chief Information Officer, at the IT Support Convention, Polytechnic University
22 May 2007
Director Woo, Distinguished Speakers, Ladies and Gentlemen,
Good morning!
It's a great honour for me to be speaking with you this morning to kick off the IT Support Convention. Before I came, I said to myself - speaking on Information Security twice in 7 days is a great challenge. I run the risk of repeating myself. But then I looked at the programme for the Convention with awe and admiration: you are going to spend four days in a row with information security prominently ingrained in every agenda item, from asset management, e-campus transactions and on-line credit card payment systems to web conferencing, e-learning, etc. It only goes to show that security is indeed rightly receiving your attention.
The fast development and wide adoption of information technology today has both enabled business activities to prosper and enriched our modern lifestyle.
The university is a place for academic freedom and open exchange of information and ideas. With the use of the Internet, it is arguably one of the largest service providers as well as users of IT, offering various tools and delivery channels for information dissemination, knowledge-sharing, innovation and research. Nowadays, e-learning allows teaching staff and students of registered study groups, on campus or remotely, to gain access to lectures, course materials, project work and interactive discussion forums. Through high-speed broadband links, research partners from different parts of the world can collaborate in joint projects such as tele-medicine, astronomy and multi-cultural studies. The Web also serves as an important platform for the university to publish papers, reference materials, periodicals and information for various purposes. The university plays a unique role as the manager of a large collection of computers of different brands, running on various networks and accessing a virtually unlimited number of databases.
While IT has become part of the university's operation and services, cyber intruders are constantly finding ways to compromise its information systems, networks or databases through malicious activities including botnets, hacking, phishing, spyware, software vulnerability exploits, network access hijacking and information contamination. Exposure to these security threats may cause productivity loss, service disruption, sensitive information leakage, damage to the image of the university and various kinds of cyber crime.
Our ability to prevent these cyber attacks, which may wreak havoc on our already busy campus activities, depends on our conscious efforts to put in place the necessary IT security governance and measures. It would not be an exaggeration if I assert that the potential financial and practical damage that can be brought about by security breaches in a campus environment would be no less than that in a typical major corporation. In fact, there is so much intellectual property and knowledge at stake that the sheer thought of the potential for losses is mind-boggling. In this regard, I see at least four important angles from which we have to look at the issue of IT security governance. Let me spend a few moments on each of these.
First, at the university-wide, council level, it calls for an Information Security Management Framework covering the corporate security mandate and oversight mechanism. This is important because, without proper recognition at this level, any further work or bids for resources to enhance information security will be out of step with the corporate development direction and resource allocation priorities. This is also an appropriate level for the baseline security policies to be set.
Second, at the Facilities Management and Service Provision level, as in the case of Information Technology Services of this university, it calls for a robust set of facilitation measures, which may range from explicit and comprehensive security specifications in service levels and written policies and practice guidelines on authentication, access control and information asset management, to security requirements in outsourcing or contracting situations. This is the level where it is important to keep abreast of industry developments at both the local and international levels, and to strike a balance between the user-friendliness of the security requirements on the one hand and the risk profiles of the services or assets to be secured on the other.
Third, at the Professional Practitioner or IT Service Delivery level, it calls for continuous surveillance and learning on what could conceivably become information security loopholes, and for finding cost-effective solutions and introducing them in an unobtrusive way. Admittedly, most challenges occur at this level because security checks and balances are often seen as standing in the way of user convenience. One typical example at this level is the filtering of spam mail by the IT service provider. While the user may lament the fact that some spam mails are able to penetrate the network, it would be comforting to note that the service provider might have successfully turned away 10 million other spam mails during the month. The rapport that the IT Service has to garner from both the university governors and the end users indeed requires a fine balance.
Fourth, as you might have guessed, it calls for self-discipline and adherence to standards and good practices at the User level. I'm sure you will agree with me that in the highly dynamic and intellectual environment of a university this is much easier said than done. However, it is perhaps the most rewarding area of IT security governance, if it is done well. It is also why events such as the one we are starting today are so important in giving security the needed visibility, awareness, resonance and eventually compliance from the different angles I mentioned.
I think I had better stop here because I know I'm speaking to the converted. I'm sure the convention will offer a lot of useful and up-to-date information for participants to take away. In fact, I would imagine it may spark off some new ideas for research, innovation and case studies to the betterment of all of us. I thank you for your attention and wish you a most enjoyable convention.
Thank you.
- END -