news.gov.hk
Speech by DGCIO at Info-Security Conference (English only)
**********************************************************

    Following are the welcoming remarks by the Deputy Government Chief Information Officer, Mr Stephen Mak, at the 9th Info-Security Conference 2008 this (May 21) morning:

Honorable Sin Chung-kai, Jolly, Mr Schneier, distinguished speakers, ladies and gentlemen,

    Good morning! I am honoured to be invited to address you at this 9th Info-Security Conference 2008.

    The advent of technologies and new styles of communication has meant that information is being processed and generated at speeds and in ways that are simply mind-boggling. According to ITU's 2007 Opportunity Index, the average annual growth rates of the medium to high growth economies were in high two-digit figures, with some well in excess of 100%. Nowadays, electronic means are commonly used to communicate, do business, pay bills, transfer money, purchase goods, manage personal finance and many more. A lot of these activities are carried out when people are on the go, using wireless and mobile technologies. They make use of networks and platforms that are easily the subjects of powerful search engines, crawling, data-mining and sharing software, some of which are posing severe risks and threats to the integrity and confidentiality of the data. By extension, the risks and threats to the personal and corporate well-being of the people involved are not difficult to visualise. So, in order to succeed in a world of shifting risk and threat, a challenge we have set as the agenda for today, the bottom line is not to become a victim of the threats, by putting in place proper risk management to protect our information assets.

    In the old days, people wax-sealed documents to protect sensitive information from unauthorised access and to detect tampering. Security threats then were largely due to disclosure of sensitive paper documents, tapped conversations or disposal of computer printouts. Nowadays, the Internet, portable storage devices, mobile equipment and large databases are constantly threatened by new challenges such as the spread of computer viruses, hacking, credential theft, and terrorism. I feel uneasy knowing that online fraudsters can now rent a service that offers an all-in-one hosting server allowing them to create their own botnet. As Mr Bruce Schneier has pointed out in one of his books, "Secrets and Lies", "our passion for technology has a price: increased exposure to security threats." I'm sure he will have more to share with you in his keynote in a moment.

    Governments, financial institutions, hospitals, and private businesses collect, process and maintain large amounts of confidential information about their employees, customers, products, research, and financial status. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. Any breach of security could lead to lost business, lawsuits or even bankruptcy of the business.

    Information security aims to protect information from unauthorised access, use, disclosure, disruption, modification, or destruction. The protection life cycle starts from the initial creation to the final disposal of the information, whether in motion or at rest. Of course, for any given security risk, the choice of counter-measures used must strike a balance among productivity, cost, ease of compliance and effectiveness of the measures on the one hand, and the value of the information asset being protected on the other. To complete the picture, businesses also need to have readily executable business continuity plans in order to deal with the consequences of realised risks should they occur.

    I will use the HKSAR Government's information security risk management framework to illustrate the implementation of security controls to protect our information assets. I say this not to be complacent with what we have put in place, as even the safest roads and vehicles in the world will not be able to guarantee the elimination of accidents, but to make the point that we need to manage information security in a holistic way.

    To enforce administrative control, the Office of the Government Chief Information Officer (OGCIO) has, in consultation with the Security Bureau, developed and maintained comprehensive IT security regulations, policy and guidelines to be adopted by all Government departments (including bureaux). Among others, they include a Baseline IT Security Policy and formal guidelines on IT Security, Security Risk Assessment and Audit, Information Security Incident Handling and Software Asset Management. These policies, procedures and guidelines were developed with reference to international best practices and are reviewed from time to time to reflect changes in technology and security threats. To oversee and enforce these information security requirements, we have established an Information Security Management Committee and an IT Security Working Group to ensure promulgation and compliance monitoring among departments.

    At the departmental level, all departments are required to establish their own information security policy, and implement the necessary security management mechanisms, which include appointing a departmental E-business coordinator, a departmental IT security officer, a network administrator and an information security incident response team to coordinate and administer business applications, IT resources, information security protection and incident response handling. Besides, departments are required to conduct security risk assessments on their information systems, networks and services at least once every two years to keep abreast of changes in technology and security threats. In addition, they are required to report security incidents to the Government Information Security Incident Response Office depending on the severity of the case. A centrally managed security audit is carried out for each department periodically.

    To strengthen access control to information, the OGCIO published the Risk Assessment and e-Authentication Framework in 2004 to ensure that risk assessment and appropriate protection measures are carried out by departments when implementing their e-government services. We also customised a version of this framework for reference by the public in 2007. In December 2007, we promulgated the Unified Identity Management Framework to ensure that citizens will be provided with a unified customer interface and account management process during user registration, service enrolment and user authentication when new e-government services are introduced. The framework also seeks to strike a balance between convenience to the public on the one hand and safeguarding information assets on the other.

    To improve staff awareness, knowledge and skills in information security, the OGCIO periodically issues reminders to departments, drawing their attention to emerging software vulnerabilities and security threats, and providing tips on protecting their information assets. They are also reminded to ensure that these notices and alerts are circulated to their staff, including outsourcing contractors. We also pay great attention to staff training on information security. A comprehensive network is also established to disseminate relevant information on security threats and alerts to the entire government.

    For e-business to prosper, a reliable and secure environment is essential. Hong Kong can pride itself on having made an early start in creating the legal framework for secure electronic transactions, through the Electronic Transactions Ordinance, the Unsolicited Electronic Messages Ordinance and the Personal Data (Privacy) Ordinance, among others. We have also facilitated the establishment of a voluntary certification authority recognition scheme and provided citizens with the option of embedding a recognised digital certificate into their smart ID card should they want one. Whilst the 'user-friendliness' of the digital certificate is often a subject of public debate and feedback, we submit that the 'utility' of the certificate in being able to sign and encrypt digital information is often under-estimated or under-stated. We believe careful analysis of the security risks and prudent choice of the appropriate risk aversion techniques will go a long way in helping us succeed in a world of shifting risk and threat.

    We are glad to see Hong Kong being ranked second in this year's e-readiness survey by the Economist Intelligence Unit. By JiWire's measure, Hong Kong is one of the top five cities in the world in terms of density of Wi-Fi hotspots. This represents the success of Hong Kong in providing businesses with premium conditions for investment and an excellent location to host their e-readiness. The transition to an information society is an unchangeable journey and the development of a secure and reliable e-community requires the concerted effort of all sectors. Communication and sharing of information will be increasingly ubiquitous, timely and contextual. Government is keen to share its knowledge and experience with the community on information security to grow the public support for building a healthy e-community.

    Information security is an ongoing process and the responsibility of everyone. I am glad to see such a major gathering of executives, IT professionals, users and field experts today to share knowledge, opinions and experience on this very important topic. I thank the organisers for giving me the opportunity to address you, and hope you will enjoy the rest of the programme.

    Thank you.

Ends/Wednesday, May 21, 2008
Issued at HKT 14:32
