Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 2 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report (31 January 2000 - 31 December 2000)

The Postmaster General started his services as a recognized certification authority ("CA") under the Ordinance on 31 January 2000. In accordance with section 43(1) of the Ordinance, the Postmaster General must furnish to the then Director of Information Technology Services (the "then Director") an assessment report in respect of his CA services on or before 30 January 2001.

On 3 February 2001, the Postmaster General furnished an assessment report to the then Director as required under section 43(1), which covers the period between 31 January 2000 and 31 December 2000 in respect of the CA services of the Postmaster General. The Postmaster General explained that when preparing the assessment report, the assessor had to follow the Practice Note 870 (The Assessments of Certification Authorities under the Electronic Transactions Ordinance) published by the Hong Kong Society of Accountants. The Postmaster General further explained that since the Practice Note was published in December 2000, the assessor did not have sufficient time to complete the assessment report before 30 January 2001.

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General the date of and the material information in the assessment report on the CA services of the Postmaster General. Only those parts of the report containing material information are herewith published. The CA services of the Postmaster General are hereinafter referred to as "the Hongkong Post CA".

A. Date of the Report

• The date of the report is 2 February 2001.

B. Material Information

1. The assessment report is prepared by the assessor for the period between 31 January 2000 and 31 December 2000.
2. Except for the exceptions or deficiencies identified in the assessment report as set out in paragraph 5 below, the assessor has concluded that :
   1. the management assertions by Hongkong Post CA in respect of Hongkong Post CA's compliance with those sections of the Code of Practice for Recognized Certification Authorities ("Code of Practice") in respect of which a positive assurance is provided (as set out in Part 3A of Appendix 3 of Practice Note 870 published by the Hong Kong Society of Accountants) are reasonable;
   2. no information came to the attention of the assessor during the course of the assessment indicating that the management assertions in respect of Hongkong Post CA's compliance with those sections of the Code of Practice in respect of which a negative assurance may be provided (as set out in Part 3B of Appendix 3 of Practice Note 870) are not reasonable; and
   3. in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a recognized CA :
      1. the management assertions in respect of (a) above are reasonable; and
      2. no information came to the attention of the assessor during the course of the assessment indicating that those management assertions in respect of (b) above are not reasonable.
3. In the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's financial projections in respect of the CA's operations relevant under the Ordinance for the six month period intervals from 1st October 2000 to 31st March 2002 are based are consistent with those normally adopted by the Electronic Services Division of Hongkong Post and conform with generally accepted accounting principles adopted in Hong Kong, and the projections have been properly compiled on the basis of the assumptions made by management.
4. Because of the difficulties and uncertainty in determining Hongkong Post CA's potential liabilities and the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature), the assessor is unable to form an opinion as to whether management's assertion, that Hongkong Post CA has implemented and maintained effective procedures to determine and manage its potential liabilities in relation to the issuance of certificates, are reasonable.
5. The material exceptions or deficiencies identified by the assessor in the report are set out in the following table. It is the opinion of the then Director that the exceptions or deficiencies identified in the report have no immediate and no significant impact on the trustworthiness in respect of the operation of the Hongkong Post CA. Nevertheless, the then Director will follow up with the Hongkong Post CA to ensure that such exceptions or deficiencies are rectified as soon as possible.

   	Exceptions or Deficiencies Reported by the Assessor	Response of Hongkong Post CA
   i.	A fully independent compliance monitoring function over the CA operations was not in place during the assessment period.	Hongkong Post CA engaged an outside organisation in October 1999 to conduct an independent review on the CA operations covering the period from 21 October 1999 to 31 March 2000 and to perform an independent compliance monitoring and assurance function of the Hongkong Post CA prior to and after the live run of the Hongkong Post CA. To comply with Section 12 of Code of Practice, Hongkong Post CA engaged the assessor in November 2000 to conduct an independent assessment of the Hongkong Post CA covering the period from 31 January 2000 to 31 December 2000. As such, Hongkong Post CA considered that a form of independent compliance monitoring function did exist during the assessment period. Hongkong Post CA however noted the assessor's comments and will review the monitoring and assurance function of the Hongkong Post CA operations. Hongkong Post CA planned to have an independent compliance monitoring function within the Hongkong Post CA by end-September 2001. (Progress reported by Hongkong Post CA on 4 October 2001) An independent compliance monitoring function was established.
   ii.	A few sections of the e-Cert Certification Practice Statement ("CPS") were noted to be insufficient and did not fully comply with the business disclosure requirements as set out in the Appendix of the Code of Practice.	A number of updates have been applied to the e-Cert CPS since its first release on 31 January 2000 in an effort to make it in line with the requirements set out in the Appendix of the Code of Practice as far as possible. Along with the on-going enhancements of the CA services, the CPS itself will continue to be reviewed and updated. Hongkong Post CA noted the assessor's comments in this respect and will continue to review the CPS(s) according to the requirements set out in the Appendix of the Code of Practice. Hongkong Post CA planned to revise the CPS by end-April 2001. Hongkong Post CA published a revised CPS on 8 May 2001 taking into account comments made by the assessor regarding the CPS.
   iii.	System capacity monitoring procedures through the preparation of the monthly "System Activity Report" had not been formalized until October 2000. Formal and documented system capacity planning procedures were not in place.	Since the Hongkong Post CA commenced operations on 31 January 2000, Hongkong Post CA has been closely monitoring the capacity of the CA system. According to the projected number of certificates to be issued, it is estimated that the existing capacity of the CA system should be able to meet the demand of certificate issuance up to 31 March 2002, at least. As part of the capacity planning process, Hongkong Post CA is compiling an upgrade plan of the CA system to cater for the possible increase in demand of certificates beyond 2002. Hongkong Post CA noted the assessor's comments and will consider the formulation of the formal system capacity planning procedures. Hongkong Post CA planned to produce a formal system capacity planning procedure document by end-June 2001. (Progress reported by Hongkong Post CA on 6 July 2001) The system capacity planning procedures are in place. Hongkong Post CA plans to finalize the system capacity planning procedures document by end-July 2001. (Progress reported by Hongkong Post CA on 1 August 2001) Documentation on system capacity planning was finalized.
   iv.	The Risk Management Plan has not been tested since it was first developed. The IT systems disaster recovery plan (DRP) has not been tested during the period of assessment. Certain sections of the documented DRP were noted to be inadequate and will require updating.	Both the Risk Management Plan and the Disaster Recovery Plan are being reviewed and updated due to the implementation of new services including new types of certificates (e.g. Bank-Cert, m-Cert) and the Validation Service which may lead to changes to the configuration of the existing CA system. It is considered more practical and reasonable that the updates to the Risk Management Plan and Disaster Recovery Plan would be finalised after the completion of the implementation of the additional services by April 2001. The business continuity arrangements set out in the Risk Management Plan and Disaster Recovery Plan will be tested thereafter. Hongkong Post CA planned to have the Risk Management Plan and the Disaster Recovery Plan updated and tested by end-June 2001. (Progress reported by Hongkong Post CA on 6 July 2001) Hongkong Post CA updated and tested the Risk Management Plan in June 2001. Hongkong Post CA tested the Disaster Recovery Plan in June 2001, and plans to finalize the Disaster Recovery Plan document by end July 2001. (Progress reported by Hongkong Post CA on 1 August 2001) The Disaster Recovery Plan document was finalized.
   v.	Formal procedures for ensuring safe destruction of CA key pairs and any related devices have not been established.	At present, all CA keys are stored in Hardware Cryptographic Devices and the access to such Hardware Cryptographic Devices and the CA keys are currently under stringent procedural controls. On the other hand, the technical procedures of the destruction of CA keys stored in such Hardware Cryptographic Devices have been in place and documented in the respective system documents. Although the urgency of a formalised document for the destruction procedures of the CA keys is not considered high at present, Hongkong Post CA noted the assessor's comments and will proceed to compile a formal document for such procedures. Hongkong Post CA planned to produce a formal key destruction procedure document by end-June 2001. (Progress reported by Hongkong Post CA on 6 July 2001) Hongkong Post CA produced a formal key destruction procedure document in June 2001.
   vi.	A complete set of security policies and standards has not been fully customised for and strictly enforced on Hongkong Post's CA environment and operations.	The security policy document is a live document which is currently under on-going review and updates. The security policies currently adopted by Hongkong Post CA have been adequately and reasonably enforced in order to maintain the trustworthiness of the Hongkong Post CA operations. We noted the Assessor's comments in this respect. Taking into account our experiences in the CA operations, the security policy document is being reviewed and further customised with a view to compiling a fully customised security policy document. Hongkong Post CA planned to revise the security policy document by end-June 2001. (Progress reported by Hongkong Post CA on 27 June 2001) Revision to the security policy document was completed in June 2001.
   vii.	Monitoring of network access logs is not performed on a real-time basis, and logs are not reviewed during non-office hours. The Intrusion Detection System's attack signature file has not been updated since the CA system was launched.	We have noted the need of updating the Intrusion Detection System (IDS) attack signature file and have taken immediate actions to update the IDS attack signature file for the existing IDS. Since the IDS vendor does not release such attack signature file updates on a regular basis, we will maintain continuous monitoring of the release of such updates from the vendor and updating of the IDS signature file where necessary. To address the real-time monitoring system function, we have been in the process of implementing a real-time pager alert system for the IDS and the alert system is scheduled for a full implementation by March 2001. (Progress reported by Hongkong Post CA on 27 June 2001) The alert system for the IDS has been in place.

   Note :

   1. The response to the exceptions and deficiencies, the planned actions and dates for rectifying the exceptions and deficiencies as reported by the Hongkong Post CA in the above table are disclosed in accordance with section 31(2) of the Ordinance.