Opening Address by Mr. John Wong, Assistant Government Chief Information Officer At the IT Management Showcase
4 September 2007
Mr. Fung, Distinguished Guests, Ladies and Gentlemen,
Good morning! It is my pleasure to deliver the opening address for the IT Management Showcase. This gives me the opportunity to share with you my experience on information security that is one of the key themes of the event today.
The fast pace of Information and Communications Technology (ICT) development and adoption has transformed our work and lifestyle. The traditional single-direction flow of information access or electronic transactions is changing to multiple dimensions, multiple channels and multiple players. We can find many examples in e-auctions or blog sharing. Whether we choose to or not, we have become citizens of the Information Society, where we share bountiful knowledge resources, ubiquitous accessibility, and innovative re-use and production of information-based output.
ICT plays a central role in the creation, distribution, diffusion, use, and manipulation of information. In Hong Kong, most citizens have experience in using electronic services in their personal and business activities, e.g. paying with the Octopus card on public transportation or for supermarket purchases, going through immigration clearance checks or booking public tennis courts with the Smart Hong Kong Identity Card, transferring money or buying shares with banks on the Internet, etc. The list practically gets longer and longer.
In any society, be it the real world or the Internet, we need to be cautious and take measures to stay away from traps set by people of malicious intent. The Internet, being a free platform, is full of cyber security threats. Common tricks used by crooks include virus spreading, hacking, email spoofing, phishing, spyware seeding, keyboard logging, network hijacking, etc., with the ultimate objective of stealing something from or via the victims.
To guard against cyber attacks such as identity theft or credential leakage, we require protection measures and good practices that are effective and commensurate with the security assurance level of the information and financial assets concerned. Both management and staff are responsible for implementing and upholding the information security of the organization. Unless cyber threats are properly addressed and effective protection measures implemented, any security incident could result in loss of customer confidence, damage to image and loss of revenue, which may lead to a crisis for the organization. According to research by the Gartner Group, the cost of a data breach can be as much as 15 times the cost of securing the data by encryption.
Like managing our time, finances, or contracts, we also have to manage the risks to our information assets. As security attacks frequently come unexpectedly, we need the capability to protect against and detect them at any time. If hit by a security incident, we also need the capability to handle it in order to control the situation, remove the problem, continue the business and recover from any damage. All these call for proper information security management. I would like to share with you the Government's experience in this important work area.
In order to manage, the first step is to devise a plan to identify what the risk areas are, as well as the impact and the protection required. As a minimum, critical assets must be covered by a corresponding business continuity and error recovery plan. In the Government, we have established our Baseline Security Policy, Guidelines and Best Practices for Bureaux and Departments to follow.
Action follows planning. The Government has set up a management framework to steer and oversee the overall implementation of all the information security requirements, as well as their implementation within individual Bureaux and Departments. The people factor is a common cause of security incidents such as information leakage, data corruption or even fraudulent transactions. It is important that everyone in the organization understands well his or her role and responsibility in the corporate programme of information asset protection.
The Government regularly monitors and conducts checks to ensure that the security framework works properly, through self-assessment, security assurance, crisis management drills and compliance auditing. Moreover, the Government has launched a centrally managed security audit programme for all bureaux and departments to confirm that they have conducted their regular security risk assessments and security reviews of information systems, as well as the timely implementation and testing of recommended improvements. Periodic checking not only ensures that things work as planned; it also raises people's readiness and preparedness for security incident handling and contingency plan activation.
Information security can only be effective if people pay attention to it and fulfil their roles in strengthening the overall security status of the organization. Sufficient awareness promotion, job training, updating of guidelines and procedures, and security alerts should be provided to staff.
OGCIO has launched a series of radio programmes to promote security awareness among the public. Topics covered include online shopping, wireless networks, information security management, cyber crimes, etc. Moreover, we produce pamphlets and posters on information protection, information security management, Internet surfing and data protection for distribution to the public. To share our experience with the public, the Government has posted reference information on security policy, management guidelines and good practices on the Web (at http://www.infosec.gov.hk). We will also publish a guide on electronic authentication for public reference later this year.
Finally, in an information society, information security protection is simply not an option. Information security requires the involvement of the whole community. Customers will look at your security protection and reliability posture to decide whether they want to be your business partners.
Building awareness requires all stakeholders, citizens and ICT professionals to cooperate and devote time and effort to learning about the subject matter and keeping up to date with developments. I wish you all a most fruitful experience at this event. Thank you.
- END -