Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 22 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("ETO"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the upgrade of Hongkong Post Certification Authority Infrastructure

Postmaster General (hereinafter referred to as Hongkong Post CA) is upgrading the Hongkong Post CA infrastructure which includes in general the upgrade of the Hongkong Post CA system hardware and software.

The GCIO considered that the changes involved in the above infrastructure upgrade as major changes.  In this light, the GCIO had, by notice given to the Hongkong Post CA, required the Hongkong Post CA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO.  In this connection, the Hongkong Post CA arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of the Hongkong Post CA in respect of the Hongkong Post CA infrastructure upgrade.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the Hongkong Post CA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the Hongkong Post CA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

• The date of the report is 21 March 2014.

B. Material Information

1. Apart from the matters noted in paragraph 2 below, in the assessor's opinion, in all material respects,
   1. The management assertions, in respect of Hongkong Post CA’s the capability to comply with the relevant sections of Code of Practice (see Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) as a result of the Hongkong Post CA Infrastructure Upgrade as of the date of assessment 21 March 2014, are reasonable.  In particular, Hongkong Post CA is capable of,
      1. disclosed its business practices in its CPSs (Note 3) in accordance with the ETO applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. reasonably complying with the relevant requirements in respect of the use of a trustworthy system and repositories implemented through such trustworthy system, where they are affected by the Hongkong Post CA Infrastructure Upgrade;
   2. no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions, in respect of HKPCA's capability to comply with the relevant sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 as a result of the Hongkong Post CA Infrastructure Upgrade as of the date of assessment 21 March 2014, are not reasonable; and
   3. based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hong Kong Post CA's capability to comply with the relevant provisions of the ETO applicable to a RCA as a result of the Hongkong Post CA Infrastructure Upgrade as of date of assessment 21 March 2014, the management assertions, in respect of Hongkong Post CA's capability to comply with the relevant provisions of the ETO applicable to a RCA as a result of the Hongkong Post CA Infrastructure Upgrade, are reasonable.

Matters Arising (Note 5)

2. 	Matters Arising	Response of Hongkong Post CA
   a.	Given the fact that certain procedures and controls designed to ensure compliance with the ETO and COP would be implemented either between 21 March 2014 (i.e. the completion date of the assessor’s assessment work) and the scheduled system launch date of 28 April 2014, or after the system launch date, including: Prior to system go-live: Remediation of recommended actions from the Security Risk Assessment; finalisation of the system migration plan and its execution; completion of remaining user training components, finalisation of disaster recovery ("DR") procedures based on results of mock DR drill exercises; completion and sign-off of certain outstanding project documentation (e.g., documented user acceptance test results despite having completed the tests); Post system go-live: "Nursing" services provided by external service contractors after system launch (with details to be fully defined before go-live); production DR drill; secure handling of replaced or obsolete computer servers and other equipment; and Any other tasks carried out or to be carried out after the completion date of the assessment, as a result the assessor was unable to ascertain if such procedures and controls would be effectively implemented or executed. Despite the above, the assessor understood that HKPCA and its Agent had put in place an implementation plan for these procedures and controls which the assessor understood from HKPCA and its Agent will be implemented.	The outstanding tasks and any other tasks prior to system go-live have already been completed by external service contractors, the project team and the operator, Certizen. These deliverables were properly managed, monitored and examined by PSC in April before the system launch and in accordance to the planned schedule. The tasks after post system go-live has been arranged and to be carried out by the external service contractor and the project team according to the project plan and schedule as agreed, monitored and managed by PSC. Thus, the tasks mentioned in section G of the assessment report have already completed or arranged by external service contractor, and would not affect the current assessment result on HKPCA's capability to comply with the relevant provision of the ETO and the Code of Practice as a result of the HKPCA infrastructure upgrade.

Statutory Declaration

A. Date of the Declaration

• The date of the declaration is 17 April 2014.

B. Material Information

• Having regard to the upgrade of Hongkong Post CA infrastructure, a responsible officer of Hongkong Post CA declares that Hongkong Post CA as a RCA is capable of complying with the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

1. Code of Practice for Recognized Certification Authorities issued under section 33 of the ETO.
2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
3. Certification practice statements (CPS).
4. Recognized certification authority.
5. Matters disclosed from the assessment.
6. The responses to the matters arising as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the ETO.