Government attaches great importance to information security
************************************************************

    The Government took information security and the need to protect personal data extremely seriously as any leakage of personal data was of grave concern and inconvenience to the individuals affected, the Government Chief Information Officer, Mr Jeremy Godfrey, told the Information Technology and Broadcasting Panel of the Legislative Council today (May 13).

    Mr Godfrey said that full investigations into the recent data leakage incidents were continuing but in general, it appeared that a significant contributing factor to many of the incidents had been lack of awareness of the established security regulations and procedures, and a consequent failure to comply with them.

    "The Government has therefore taken immediate measures to minimise the risks and consequences of future non-compliance, and we plan to take further steps in the coming months," Mr Godfrey said.
 
    The Director of Administration last week issued guidelines to all civil servants reminding them of the relevant regulations and advising them of practical means to comply. These guidelines remind officers of existing requirements and introduce some new requirements in relation to the storage of personal or classified data on portable electronic storage devices:

- Officers have been reminded to consider alternative ways of storing and accessing personal or classified data, such as working on it in its original location, or transferring it using a secure network

- Officers are now required to seek authorisation from their superiors on each occasion that they consider it necessary to store data on a portable storage device

- Officers have been reminded to encrypt any personal or classified data before storage and have been provided with advice about convenient software that they can use for this purpose

- Officers have been reminded to limit the amount of personal data they store, for example by deleting items such as names and ID card numbers unless absolutely necessary for operational reasons, and by limiting the number of records and/or fields they download from a database

- Officers are reminded that portable storage devices should be used only for occasional or one-off purposes. They are now required to inform their department IT Security Officer if they have a regular requirement, so that alternative, more secure, arrangements can be made

- Officers have been reminded that they should never store personal or confidential data on a personally-owned storage device or PC, because of the greater risk that a non-government PC might be infected with malicious software or be exposed to other risks, such as theft

    "We consider that issuing this interim guidance will help raise awareness of the need to safeguard personal and classified data, will provide officers with practical guidance on how to do so, and will reduce both the risk of future breaches and the exposure in the event that any such breach does occur," Mr Godfrey said.

    Looking ahead, Mr Godfrey said that the Government was taking a number of steps to build on the interim guidance.

    "First, the Government will increase the communication to all public servants with the aim of building and sustaining a high level of awareness of the security regulations, a high level of commitment to compliance with the regulations, and a high degree of awareness of how to comply in practice," he said.

    The Office of the Government Chief Information Officer, Security Bureau and Civil Service Bureau would work with departmental IT Security Officers and Heads of Bureaus and Departments to design and implement this programme over the coming months, he said.

    "Second, we are enhancing the programme of independent security audits to place additional emphasis on compliance with the regulations on use of portable storage devices. We will also ask bureaus and departments who have already been audited to provide supplementary information to confirm their compliance with these regulations.

    "And third, between now and the end of September, we will review IT security policies, regulations and practices in the light of the findings of investigations into the recent incidents," he said.

    He revealed that the review would address, among other things:

- Whether any changes are needed to the policies and regulations

- Whether any changes are needed to the mechanisms used to ensure that the policies and regulations are being fully implemented

- What else needs to be done to ensure a high level of compliance, including further communications, additional training and investment in departmental IT systems and networks

    Mr Godfrey emphasised the Government's determination to educate and assist officials to secure the greatest possible degree of compliance with information security regulations and hence the greatest level of security for the personal data of Hong Kong citizens.

Ends/Tuesday, May 13, 2008
Issued at HKT 17:59
