Information and Cyber Security Within the Government
Information security is about the protection of information regardless of whether it is in digital form, being stored on computers, or in transit over a network. With the rapid advancement of information and communications technologies (ICT), Hong Kong is increasingly reliant on the Internet, telecommunications infrastructure, and smart devices for economic development, entrepreneurship, business operations and daily life. Information security issues and the risks in the cyber environment could have various impacts on businesses and individuals.
The DPO attaches great importance to improving information and cyber security in the Government as well as to promoting awareness and preparedness in the wider community.
Information Security Management Framework
The Government places great emphasis on information security and the protection of its information and computer assets. Information systems and communication networks have become essential, if not critical, components of electronic service delivery, and the security of these components has a profound impact on their reliability, availability and serviceability. Since 2000, two central bodies, the Information Security Management Committee and the IT Security Working Group, have been in place to oversee information security across the whole Government.
At the departmental level, a senior officer is appointed as the Departmental IT Security Officer to lead the overall information security management of that department. Information Security Incident Response Teams (ISIRTs), comprising management and technical staff, are established to handle day-to-day matters and to prepare for, detect and respond to information security events and incidents.
Government IT Security Policy and Guidelines
The DPO has developed and maintains a comprehensive set of information technology (IT) security policies, standards, guidelines, procedures and relevant practice guides for use by government bureaux, departments and agencies (B/Ds). These include the Baseline IT Security Policy, the IT Security Guidelines, the Practice Guide for Security Risk Assessment & Audit, and the Practice Guide for Information Security Incident Handling. These procedures and guidelines were developed with reference to international standards, industry best practices and professional resources, and are reviewed from time to time to meet the challenges of evolving security threats posed by emerging technologies. The documents cover in considerable detail the organisational, management, technical and procedural aspects needed for B/Ds to build up their information security framework and practice. Through various training and promotion activities and via different channels, B/Ds are furnished with best practices and information about changes in information security.
Document | Description
--- | ---
Baseline IT Security Policy (S17) | Outlines the mandatory minimum security requirements for the protection of the Government’s information systems and data assets.
IT Security Guidelines (G3) | Elaborates on the policy requirements and sets the implementation standard for the security requirements specified in the Baseline IT Security Policy.
Practice Guide for Information Security Incident Handling (ISPG-SM02) | Provides practical guidance and reference for handling information security incidents in the Government.
Practice Guide for IT Security Risk Management | Provides practical guidance and reference for IT security risk management in the Government.
Practice Guide for IT Security Threat Management | Provides practical guidance and reference for IT security threat management in the Government.
Practice Guide for Security by Design | Provides practical guidance and reference for the adoption of Security by Design in the Government.
Practice Guide for Security Risk Assessment & Audit (ISPG-SM01) | Provides practical guidance and reference for security risk assessment & audit in the Government.
Practice Guide for Penetration Testing | Provides practical guidance and reference for the secure adoption of penetration testing in the Government.
Practice Guide for Internet Gateway Security | Provides practical guidance and reference for the secure adoption of Internet gateways in the Government.
Practice Guide for Mobile Security (ISPG-SM03) | Provides practical guidance and reference for the secure use of mobile devices and development of mobile apps in the Government.
Practice Guide for Cloud Computing Security (ISPG-SM04) | Provides practical guidance and reference for the secure adoption of cloud computing technology in the Government.
Practice Guide for Internet of Things Security | Provides practical guidance and reference for the secure adoption of Internet of Things (“IoT”) technology in the Government.
Practice Guide for Social Media Security | Provides practical guidance and reference for the secure management and use of social media in the Government.
Practice Guide for Wi-Fi Security | Provides practical guidance and reference for the secure design, management and operation of Wi-Fi networks in the Government.
Incident Management
We adopt the principle of “prevent, detect, respond and recover” and implement appropriate security controls and measures to ensure the integrity of business transactions and information by guarding against various types of cyber attack, such as computer worms and viruses, malware, spamming, phishing, distributed denial-of-service (DDoS), hacking and computer crime. We conduct regular security risk assessments and audits of the technical and procedural controls to ensure that these preventive measures keep pace with technology advancements, industry best practices, and changes in the system, network or organisational environment.
The DPO has taken proactive steps to combat IT security threats and cyber attacks by continuously monitoring IT security vulnerabilities and threats, and by providing alerts and technical assistance to B/Ds in handling information security events and incidents. With the advent of the Internet and the rising trend of cyber attacks, closer collaboration locally with relevant stakeholders and globally with computer emergency response teams (CERTs) and international information security organisations has become both necessary and frequent.
In 2015, we established the Government Computer Emergency Response Team Hong Kong (GovCERT.HK, www.govcert.gov.hk) to centrally coordinate information and cyber security incidents and to collaborate with other CERT organisations. GovCERT.HK is the coordination centre for government IT administrators and users on computer emergency response and incident handling. Locally, it works closely with the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT, www.hkcert.org) on threats and incidents that affect the private sector and the community. Globally, GovCERT.HK collaborates with other governmental and regional CERTs and international organisations to facilitate the exchange of information and knowledge needed to reduce vulnerabilities, mitigate risks, and respond to threats and attacks.
GovCERT.HK Annual Report:
www.govcert.gov.hk/en/annualreport.html