SearchLanguageMobile menu

OGCIO

Information and Cyber Security Within the Government

Information security is about the protection of information regardless of whether it is in digital form, being stored on computers, or in transit over a network. With the rapid advancement of information and communications technologies (ICT), Hong Kong is increasingly reliant on the Internet, telecommunications infrastructure, and smart devices for economic development, entrepreneurship, business operations and daily life. Information security issues and the risks in the cyber environment could have various impacts on businesses and individuals.

The OGCIO attaches great importance to improving information and cyber security in the Government as well as to promoting awareness and preparedness in the wider community.

Information Security Management Framework

The Government places great emphasis on information security and the protection of its information and computer assets. Information systems and communication networks have become essential, if not critical, components in the course of electronic service delivery. The security of these components has profound impact on their reliability, availability and serviceability. Since year 2000, a central organisation, the Information Security Management Committee and IT Security Working Group were established to oversee information security within the whole government.

At the departmental level, a senior officer would be appointed to be the Departmental IT Security Officer who would lead the overall information security management of that department. The Information Security Incident Response Teams (ISIRTs) comprising management and technical staff would be established to deal with all matters on a day-to-day basis to prepare for, detect and respond to information security events and incidents.

Government IT Security Policy and Guidelines

The OGCIO has developed and maintained a comprehensive set of information technology (IT) security policies, standards, guidelines, procedures and relevant practice guides for use by government bureaux, departments, and agencies (B/Ds). These include a Baseline IT Security Policy, IT Security Guidelines, Practice Guide for Security Risk Assessment & Audit, and Practice Guide for Information Security Incident Handling. These procedures and guidelines were developed with reference to international standards, industry best practices, and professional resources. They would be reviewed from time to time to meet the challenges of evolving security threats posed by emerging technologies. These documents cover in considerable details the organisational, management, technical and procedural aspects to enable B/Ds to build up their information security framework and practice. Through various training and promotion activities and via different channels, B/Ds are furnished with best practices and information about changes in information security.

Incident Management

We adopt the principle of “prevent, detect, respond and recover” and implement appropriate security controls and measures in ensuring the integrity of business transactions and information by guarding against various types of cyber attacks such as computer worms and viruses, malware, spamming, phishing, distributed denial-of-service (DDoS), hacking and computer crimes. We conduct regular security risk assessment and audit of the technical and procedural controls to ensure that such preventive measures can keep up with technology advancements and industry best practices, and changes in the system, network, or organisational environment.

The OGCIO has taken proactive steps in combating threats related to IT security and cyber attacks by continuously monitoring IT security related vulnerabilities and threats, providing alerts and technical assistance to B/Ds in handling information security events and incidents. With the advent of the Internet and increasing trend of cyber attacks, closer collaboration locally with relevant stakeholders and globally with computer emergency response teams (CERTs) and international information security organisations become necessary and frequent.

In 2015, we established the Government Computer Emergency Response Team Hong Kong (GovCERT.HK, www.govcert.gov.hk) to centrally coordinate information and cyber security incidents as well as to collaborate with other CERT organisations. The GovCERT.HK is the coordination centre for government IT administrators and users on computer emergency response and incident handling. Locally, it would work closely with the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT, www.hkcert.org) on threats and incidents that would affect the private sectors and the community. Globally, GovCERT.HK would collaborate with other governmental and regional CERTs and international organisations with a view to facilitating exchange of information and knowledge needed to reduce vulnerabilities, mitigate risks, and react upon threats and attacks.

GovCERT.HK Annual Report:
www.govcert.gov.hk/en/annualreport.html