
(ISC)2 Opening remarks by Mr. John S C Wong, Assistant Government Chief Information Officer, at the (ISC)2 Knowledge Sharing Session on "Building a More Secured Online World".
13 July 2007


Professor Schou, Distinguished Speakers, Ladies and Gentlemen,

Good Afternoon! I am delighted to address you at this Knowledge Sharing Session on "Building a More Secured Online World".

The Internet has moved the world into an information age. Network connectivity has made linking with someone across the globe practically the same as in the neighbourhood. The demand for the electronic mode of communication, service transaction and knowledge sharing will continue to increase rapidly.

However, the Internet also makes it easier for someone with malicious intent to play tricks or conduct illegal business at the expense of other people's rights and assets by compromising systems and networks. For example, a keylogger is a tool intended to protect sensitive information from accidental leakage, but it can also be used by Internet criminals to capture their victims' credentials.

While some information security threats are technology-specific, others are often caused by operational errors, lack of awareness or misconduct. Computer crimes and information exposure are often the result of loopholes in the implementation or operation of security requirements. In order to safeguard business processes, operational procedures and access to valuable information assets, it is necessary to ensure that protection measures are put in place and proven effective.

The effectiveness of security safeguards depends on two crucial requirements being met: setting out the information security requirements comprehensively, and ensuring that such requirements are executed properly. Moreover, the two have to work as one. Therefore, when establishing the information security requirements, which include the necessary policy, standards, rules, procedures, guidelines and resources, provisions must be made to ensure that these requirements are fully implemented and complied with by all the business functions and people in the organization. Simply put, security requirements are made for compliance.

In order to protect their businesses and customers against various kinds of security attacks, more and more industries are specifying common security standards or requirements and enforcing strict compliance by their business users or partners. An example is the Payment Card Industry Data Security Scheme, which specifies a baseline policy for all processors, handlers or collectors of cardholder data of member organizations and requires their compliance in operating their networks, data encryption, policy, vulnerability management, strong access control measures and regular checking/testing procedures. Moreover, there are penalties for non-compliance. Similar developments are also taking place in other industries, such as medical network operations.

Below, I want to share with you our experience in the HKSAR Government of how we design for compliance with our information security requirements and ensure adherence by our Bureaux and Departments (B/Ds).

In the first place, compliance is only as good as what the requirements entail, so compliance requirements must be clearly stated and understood by the B/Ds. This is the first crucial requirement for an effective safeguard.

In the government, security compliance is the responsibility of every staff member. Our information security management organization includes senior management, departmental IT security officers, departmental incident response team commanders, information owners, network and system administrators, application teams, end users of information systems and contractors. They all have their specific roles to play in strengthening the information security posture and ensuring that the necessary requirements are fully met.

The Office of the Government Chief Information Officer (OGCIO) has put in place a core set of information security policies and guidelines for B/Ds to follow, which include a Base IT Security Policy and detailed implementation guidelines for Internet Gateways, Security Risk Assessment & Audit, Electronic Authentication Framework and Information Security Incident Handling. All B/Ds are required to implement the necessary security measures in a timely and efficient manner, e.g. applying patches to address software vulnerabilities or responding to security incidents. B/Ds are also required to ensure that IT services contractors follow the same security requirements. As a standard practice, B/Ds are required to perform periodic risk assessments and security assurance reviews on their mission-critical systems, in addition to defining and testing their business contingency and disaster recovery plans.

The second crucial factor for an effective safeguard is to ensure that security requirements are executed properly. Compliance on paper may not match compliance in practice. There might be blind spots or unintended omissions for various reasons, such as operational changes, staff turnover, etc. Insider access without properly granted or managed privileges, lack of encryption to protect sensitive data or personal diary information, untimely patch application or outdated operating procedures can easily cause unexpected security breach incidents. Therefore, we have incorporated standard procedures to ascertain that compliance is achieved in reality, or otherwise to identify discrepancies and the actions needed to remedy them.

Compliance assurance checking consists of both self-motivated and audited actions. Each year, B/Ds perform a self-assessment of their security compliance status and confirm it to the centre by a report signed by their management. If necessary, random or surprise compliance checks may supplement the annual assessment exercise.

The government has also launched a centrally managed security audit programme for all B/Ds to confirm that they have conducted their regular risk assessments and security reviews on information systems, as well as the timely implementation and testing of any recommended improvements.

In summary, a secure electronic business environment does not come by chance; it needs the concerted efforts of all the stakeholders, each of whom can play a useful role. Indeed, continuous surveillance of, and learning about, what could conceivably become information security loopholes, and finding cost-effective solutions and introducing them in an unobtrusive way, are essential.

Nowadays, the mentality that security is an impediment to operations and career advancement should be rectified. Earlier I mentioned the Payment Card Industry Data Security Standard led by the major credit card companies. Through the assurance process, retailers are forced to prove compliance. That means they have to discipline themselves and adopt a standard and structured approach to gear up their level of knowledge, skill and experience in order to continue to play ball. In fact, similar initiatives can also be adopted in other business sectors to enhance their security profiles and the reliability of their business environments.

Finally, adherence to standards and good practices is crucial to achieving our information security objectives and to realizing the full benefit of business investments in security measures.

Thank you.

- END -


Last revision date: 17 July 2007