Information Security Seminar 2013
Mr. Victor Lam, JP, Deputy Government Chief Information Officer
Office of the Government Chief Information Officer, The Government of the Hong Kong Special Administrative Region
24 July 2013

Agenda
1. Introduction
2. Information Security Posture & Programmes
3. Hong Kong SAR Government Cloud Adoption
4. Cloud Challenges & Risk Mitigation
5. Closing

Who's Peeking At You?
- Security & Privacy
- Data Protection
- Outsourcing
- Data Location
Local ICT Environment
- 2.26M broadband accounts
- 86% of households with broadband access
- Public Wi-Fi access points
- 5 mobile network operators
- 19 local fixed network operators
- 193 Internet Service Providers (ISPs)

Local ICT Environment: Strong Foundation for Cloud Computing
- Well-established legal system with good protection of intellectual property rights and personal data
- World-class infrastructure and an ideal location in Asia for data centres
- Pro-business culture
- Proximity to the Mainland of China
- Talented ICT professionals

Office of the Government Chief Information Officer (OGCIO)
- Set up on 1 July 2004
- Provides a streamlined government structure and leadership for delivering the ICT functions within Government
- Enables the Government to take a proactive, leading role in championing ICT development in the community
- Headed by the Government Chief Information Officer (GCIO), deputised by two Deputy Government Chief Information Officers (DGCIOs)

ICT Facts and Figures in the Government
- 400+ Government websites
- 50+ e-government mobile apps
- 29 Government data centres
- 1,300 Government IT professionals
- 2,500 contract IT professionals
Information Security: Major Stakeholders

Security Bureau
- Provide policy steer, advice and support on the Government's security requirements and security incidents

OGCIO
- Provide policy steer, advice and support on Government information security requirements and matters
- Coordinate and facilitate the handling of IT security incidents within Government
- Protect the Government's central IT infrastructure and information
- Ensure compliance with information security policy and requirements
- Conduct IT security awareness promotion and training for government staff and the public

Hong Kong Police Force
- Prevent and detect technology crime
- Establish the Cyber Security Centre to strengthen resilience against cyber attacks
- Collaborate with OGCIO & HKCERT to conduct awareness promotion and training for the public

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
- Coordinate computer security incident response
- Disseminate security alerts to the public
- Collaborate with OGCIO & Police to conduct awareness promotion and training for the public
- Conduct security drills

Review of Information Security Requirements
To ensure that government information security requirements keep pace with the advancement of technology, security trends and the latest international/industry practices.
- Focus areas: Cloud Computing Security; Social Networking Security; Mobile Device Security
- Process: Review, revise and promulgate the Security Regulations, Policies and Guidelines to Government Bureaux and Departments (B/Ds)

Security Risk Assessment and Audit
To ensure that information security risks of government information systems are properly managed and appropriate mitigation measures are effectively implemented.
- Information Security Risk Assessment: identify security threats, vulnerabilities and corresponding impacts on information systems
- Third-party Audit: ensure compliance with information security policies
- Outcome: information systems adopt effective information security measures

Security Governance
To better monitor the security status of B/Ds and help them achieve compliance with government security requirements.
- Security Survey of Government Bureaux and Departments (B/Ds)
- Review of Security Risk Assessment results
- Visit & Review

Awareness Promotion to the Public
To empower citizens to withstand new and ever-changing security threats.
- Thematic website
- Public seminars
- Radio clips
- Leaflets
- Multimedia materials
- Posters
Government Cloud Computing Strategy
- In-house Private Cloud (at government data centres): Government Cloud (GovCloud); Central Computer Centre virtualised infrastructure
- Outsourced Private Cloud (at contractor data centres): E-Government Infrastructure Services
- Public Cloud: E-Government public services without classified data
- E-Government services with classified data are hosted on the private cloud tiers; only services without classified data go to the public cloud

Government Cloud Adoption
A step-by-step approach to take full advantage of this new IT model while at the same time minimising the associated risks.
- Mar 2011: Government Cloud Computing Strategy
- Pilot and Testing: Portal for Public Sector Information (PSI); Central Computer Centre virtualisation
- 2012: Funding and Contracting
- 2013 and beyond: Rollout and Review; provision of shared services (Electronic Information Management, Human Resource Management, e-procurement, etc.); GovCloud; cloud-enabled platform (EGIS); Government public cloud services

Cloud Challenges
- Data Protection: data location; multi-tenancy
- Outsourcing: data ownership; service continuity; off-premises security & privacy
- Changes to infrastructure, processes and user behaviour

Cloud Security Trends
(Chart omitted. Source of information: cloud end-user survey conducted by the SME Global Alliance and Hong Kong Productivity Council.)

Security Challenge & Risk Mitigation in Cloud Adoption
Challenge: Lack of corporate directions and relevant policies and guidelines
- Risk mitigation: cloud adoption strategy; review of policies and guidelines
Challenge: Control on user authentication
- Risk mitigation: access control security; user education and training
Challenge: Assurance of information security and privacy in the cloud
- Risk mitigation: cloud security certifications and standards; conduct of risk assessments and audits; contractual agreement
Challenge: Protection of data outside the organisational control boundary
- Risk mitigation: data protection best practices; incident response mechanism

Promotion of Best Practices in Cloud Adoption
InfoCloud (雲資訊網) website
Practice Guide for Procuring Cloud Services (Expert Group on Cloud Computing Services and Standards), covering:
- Service cost
- Service level
- On-boarding & off-boarding
- Service operation
- Security and privacy protections
- Service commitments/warranties
- Data ownership & location and IP ownership
- Service default
- Contracting (terms of service)
OGCIO Security Checklists for Cloud Service Consumers:
- Checklist for SMEs on selecting a Cloud Service Provider
- Checklist for SMEs on using Cloud Services
- Checklist for Individuals on protecting their data in the Cloud Environment
Security & Privacy Checklist for Cloud Service Providers in Handling Personally Identifiable Information in Cloud Platforms, covering:
- Policy management
- Data protection principles
- Subcontractor management
- Staff management

Summary
- Hong Kong: strong foundation for cloud computing
- Cloud: adoption through risk mitigation
- Government: extensive information security programmes