OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 4 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report (1 January 2002 - 31 December 2002)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority ("CA") the date of and the material information in the assessment report on the CA services of the Postmaster General. Only those parts of the report containing material information are herewith published. The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

A. Date of the Report

  • The date of the report is 22 January 2003.

B. Material Information

  1. The assessment report is prepared by the assessor for the period between 1 January 2002 and 31 December 2002.

Recognized CA Practices

  2. With the exception noted in paragraph 8 below, the assessor concluded that:
    (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1st January 2002 to 31st December 2002 are reasonable. In particular, Hongkong Post CA has:
      1. disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1st January 2002 to 31st December 2002 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1st January 2002 to 31st December 2002:
      1. the management assertions in respect of (a) above are reasonable; and
      2. no information came to the attention of the assessor during the course of the assessment that would indicate that those assertions in respect of (b) above are not reasonable.

(Note: In respect of (c) above, the assessor subsequently clarified that based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a recognized CA for the period from 1st January 2002 to 31st December 2002 are reasonable.)

Financial projections

  3. Except for items (ii), (iii) and (iv) in paragraph 9 below, in the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cashflow projections and projection of operating costs for the period from 1st November 2002 to 31st January 2003 and financial position forecasts for the six month period intervals from 1st November 2002 to 31st October 2003 in respect of the RCA's operations relevant under the Ordinance are based, are consistent with those normally adopted by the Electronic Services Section of Hongkong Post and conform with generally accepted accounting principles adopted in Hong Kong, and the projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  4. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the period ended 31st October 2002 was in a net liability position.

(Note: Hongkong Post CA has confirmed that the Postmaster General as part of the HKSAR Government will continue to provide sufficient financial support for the Hongkong Post CA services.)

  5. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31st October 2002.

Potential liabilities

  6. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature). Despite this, the assessor noted that Hongkong Post CA purchased insurance policies for the purpose of settling any future potential liabilities in accordance with the requirements stipulated in paragraph B-18B of the Guidance Note (Note 5) with the exception noted in item (i) in paragraph 9 below.
  7. On this basis, and except for item (i) noted in paragraph 9 below, in the assessor's opinion, in all material respects, the management assertion that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates is reasonable.

Exception and issues

  8. As a result of its assessment, the assessor drew attention to the exception below which the assessor considered to be of particular significance.
    i. Exception: A compliance monitoring function, using resources independent of ESS (Note 6), was in place covering the e-Cert and Mobile e-Cert systems and operations located at Hongkong Post CA. However, the Mobile e-Cert systems and operations located at an outside organisation were not covered by this compliance function until 23rd December 2002.
       Response of Hongkong Post CA: Hongkong Post CA has alerted the outside organisation to pay attention to the requirements of compliance function that they have included such in their daily operations since 23rd December 2002. They will also be reminded on regular intervals on such requirements.
  9. In addition to the exception noted in paragraph 8 above, the assessor had identified other issues relating to the requirements stipulated in the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) and all subsequent supplementary notes issued by the Director to date. The assessor drew attention to the following such issues below which the assessor considered to be of particular significance.
    i. Issue identified: In the Hongkong Post CA Mobile e-Cert insurance policy, the limit of indemnity for each and every single claim was set at HK$200,000 during the assessment period. The aforementioned limit of indemnity set for each and every single claim did not comply with the requirements as stipulated in paragraph B-18B of the Second Supplementary Note to the Guidance Note on Compliance Assessment of Certification Authorities (Note 5).
       Response of Hongkong Post CA: The reliance limit of Mobile e-Cert was reduced from HK$200,000 to HK$20,000 with effect from 8 March 2003, thus fulfilling the relevant requirements as stipulated in paragraph B-18B of the Second Supplementary Note to the Guidance Note on Compliance Assessment of Certification Authorities (Note 5).
    ii. Issue identified: Hongkong Post CA depreciated its computer systems and equipment on a straight-line basis over the period of their estimated useful life. The estimated useful life appeared to be longer than general industry practice for similar computer systems and equipment.
       Response of Hongkong Post CA: This (i.e. accounting depreciation) follows the accounting practice of Hongkong Post and is accepted by the Treasury of the HKSAR Government.
    iii. Issue identified: Included in the cashflow forecast are a number of new business initiatives for Hongkong Post CA. The assessor had not been able to satisfy itself as to whether the assumptions underlying the projections for the new revenue streams were reasonable as these revenue streams mainly related to new business initiatives and, as such, there was little or no historical data or other reference information available.
       Response of Hongkong Post CA: The new cashflow projection for the new revenue streams are mainly driven from the new SmartID Card replacement project in which free e-Cert will be issued for embedding into the SmartID Card. Such cashflow projection has no historical data or other reference information to cross-examine. There is no proof to ascertain that the projections are unreasonable.
       The above response of Hongkong Post CA also includes new cashflow projections relating to Mobile e-Certs.
    iv. Issue identified: During the years, the Hong Kong SAR Government had assigned funds for upgrading certain computer systems to support the issuance of free e-Certs by Hongkong Post CA. Under the Statements of Standard Accounting Practice 35 issued by the Hong Kong Society of Accountants, the hardware and software components of these projects that were intended to be beneficially used and maintained by Hongkong Post CA should be included as fixed assets.
       Response of Hongkong Post CA: As the inclusion/exclusion of these expenses and income has no implication on the viability of Hongkong Post CA from accounting point of view, Hongkong Post CA shall maintain status quo. This practice is accepted by the policy bureaux providing the grant.

Notes

  1. Code of Practice for Recognized Certification Authorities (Version 1.0) issued by the then Director of Information Technology Services (the "then Director") under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the then Hong Kong Society of Accountants.
  3. Certification practice statements.
  4. Recognized certification authorities.
  5. "Second Supplementary Note to the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553)" issued by the then Director on 7 February 2001.
  6. Electronic Services Section of Hongkong Post.
  7. The responses to the exception and issues as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.