Information Security Seminar 2013
Mr. Victor Lam, JP, Deputy Government Chief Information Officer
Office of the Government Chief Information Officer
The Government of the Hong Kong Special Administrative Region
24 July 2013
Agenda
1. Introduction
2. Information Security Posture & Programmes
3. Hong Kong SAR Government Cloud Adoption
4. Cloud Challenges & Risk Mitigation
5. Closing
Who's Peeking At You?
- Security & Privacy
- Data Protection
- Outsourcing
- Data Location
Local ICT Environment
- 2.26M broadband accounts
- 86% of households with broadband access
- 19,004 public Wi-Fi access points
- 5 mobile network operators
- 19 local fixed network operators
- 193 Internet Service Providers (ISPs)
Local ICT Environment: Strong Foundation for Cloud Computing
- Well-established legal system with good protection of intellectual property rights and personal data
- World-class infrastructure and an ideal location in Asia for data centres
- Pro-business culture
- Proximity to the Mainland of China
- Talented ICT professionals
- Set up on 1 July 2004
- Provides a streamlined government structure and leadership for delivering the ICT functions within Government
- Enables the Government to take a proactive, leading role in championing ICT development in the community
- Headed by the Government Chief Information Officer (GCIO), deputised by two Deputy Government Chief Information Officers (DGCIOs)
ICT Facts and Figures in the Government
- 400+ Government websites
- 50+ e-government mobile apps
- 29 Government data centres
- 1,300 Government IT professionals
- 2,500 contract IT professionals
Information Security: Major Stakeholders

Security Bureau
- Provide policy steer, advice and support on the Government's security requirements and security incidents

OGCIO
- Provide policy steer, advice and support on Government information security requirements and matters
- Coordinate and facilitate the handling of IT security incidents within Government
- Protect the Government's central IT infrastructure and information
- Ensure compliance with information security policy and requirements
- Conduct IT security awareness promotion and training for government staff and the public

Hong Kong Police Force
- Prevent and detect technology crime
- Establish the Cyber Security Centre to strengthen resilience against cyber attacks
- Collaborate with OGCIO & HKCERT to conduct awareness promotion and training for the public

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
- Coordinate computer security incident response
- Disseminate security alerts to the public
- Collaborate with OGCIO & Police to conduct awareness promotion and training for the public
- Conduct security drills
Review of Information Security Requirements
To ensure that government information security requirements keep pace with the advancement of technology, security trends and the latest international/industry practices.
- Drivers: Cloud Computing Security, Social Networking Security, Mobile Device Security
- Scope: Security Regulations, Policies and Guidelines
- Cycle: Review, Revise and Promulgate to Government Bureaux and Departments (B/Ds)
Security Risk Assessment and Audit
To ensure that information security risks of government information systems are properly managed and appropriate mitigation measures are effectively implemented.
- Information Security Risk Assessment and Third-party Audit of information systems
- Identify security threats, vulnerabilities and corresponding impacts
- Ensure compliance with information security policies
- Adopt effective information security measures
Security Governance
To better monitor the security status of B/Ds and help them achieve compliance with government security requirements.
- Security Survey of Government Bureaux and Departments (B/Ds)
- Security Risk Assessment Result
- Visit & Review
Awareness Promotion to the Public
To empower citizens to withstand new and ever-changing security threats.
- Thematic website: www.infosec.gov.hk
- Public seminars
- Radio clips
- Leaflets
- Multimedia materials
- Posters
Government Cloud Computing Strategy
Deployment models:
- Outsourced Private Cloud (at contractor data centres)
- In-house Private Cloud (at government data centres)
- Public Cloud
Service mapping:
- E-Government Services with classified data: Government Cloud (GovCloud), E-Government Infrastructure Services, Central Computer Centre Virtualised Infrastructure
- E-Government Public Services without classified data: Public Cloud
Government Cloud Adoption
A step-by-step approach to take full advantage of this new IT model while at the same time minimising the associated risks.
- Mar 2011: Government Cloud Computing Strategy
- 2011: Pilot and Testing (Portal for Public Sector Information (PSI); Central Computer Centre Virtualization)
- 2012: Funding and Contracting
- 2013: Provision of Shared Services (Electronic Information Mgt, Human Resource Mgt, e-procurement, etc.)
- 2014 and beyond: Rollout and Review
- Platforms: GovCloud, Cloud-enabled Platform (EGIS), Government Public Cloud services
Cloud Challenges
- Data Protection
- Data Location
- Multi-tenancy
- Outsourcing
- Data Ownership
- Service Continuity
- Off-Premises
- Security & Privacy
- Changes to Infrastructure
- Changes to Processes
- Changes to User Behaviour
Cloud Security Trends (chart)
Source of information: Cloud end-user survey conducted by the SME Global Alliance and the Hong Kong Productivity Council in 2012.
Security Challenge & Risk Mitigation in Cloud Adoption

Challenge: Lack of corporate directions and relevant policies and guidelines
Risk mitigation:
- Cloud adoption strategy
- Review of policies and guidelines

Challenge: Control on user authentication
Risk mitigation:
- Access control security
- User education and training

Challenge: Assurance of information security and privacy in the cloud
Risk mitigation:
- Cloud security certifications and standards
- Conduct of risk assessments and audits
- Contractual agreement

Challenge: Protection of data outside the organisational control boundary
Risk mitigation:
- Data protection best practices
- Incident response mechanism
Promotion of Best Practices in Cloud Adoption
- 雲資訊網 (InfoCloud): www.infocloud.gov.hk
- Practice Guide for Procuring Cloud Services, covering: Service Cost; Service Level; On-boarding & Off-boarding; Service Operation; Security and Privacy Protections; Service Commitments/Warranties; Data Ownership & Location and IP Ownership; Service Default; Contracting (Terms of Service)
- Expert Group on Cloud Computing Services and Standards
- OGCIO Security Checklists for Cloud Service Consumers:
  - Checklist for SMEs on selecting a Cloud Service Provider
  - Checklist for SMEs on using Cloud Services
  - Checklist for Individuals on protecting their data in the Cloud Environment
- Security & Privacy Checklist for Cloud Service Providers in Handling Personally Identifiable Information in Cloud Platforms, covering: Policy Management; Data Protection Principles; Subcontractors Management; Staff Management
Summary
- Hong Kong: Strong foundation for cloud computing
- Cloud: Adoption through risk mitigation
- Government: Extensive information security programmes