Mr. Victor Lam, JP
Deputy Government Chief Information Officer
Office of the Government Chief Information Officer
The Government of the Hong Kong Special Administrative Region

24 July 2013

Information Security Seminar 2013

1 Office of the Government Chief Information Officer (OGCIO)

Agenda

1. Introduction

2. Information Security Posture & Programmes

3. Hong Kong SAR Government Cloud Adoption

4. Cloud Challenges & Risk Mitigation

5. Closing


Who’s Peeking At You?

• Security & Privacy
• Data Protection
• Data Location
• Outsourcing


Local ICT Environment

• 2.26M broadband accounts
• 86% of households with broadband access
• 19,004 public Wi-Fi access points
• 5 mobile network operators
• 19 local fixed network operators
• 193 Internet Service Providers (ISPs)


Local ICT Environment

Strong foundation for Cloud Computing
• Well established legal system with good protection of intellectual property rights and personal data
• World-class infrastructure and ideal location in Asia for data centres
• Pro-business culture
• Proximity to the Mainland of China
• Talented ICT professionals


Office of the Government Chief Information Officer (OGCIO)

• Set up on 1 July 2004
• Provides a streamlined government structure and leadership for delivering the ICT functions within Government
• Enables the Government to take a proactive, leading role in championing ICT development in the community
• Headed by the Government Chief Information Officer (GCIO), deputised by two Deputy Government Chief Information Officers (DGCIOs)


ICT Facts and Figures in the Government

• 1300 Government IT Professionals
• 2500 Contract IT Professionals
• 400+ Government web sites
• 50+ e-Government mobile apps
• 29 Government data centres


Information Security – Major Stakeholders

OGCIO
• Provide policy steer, advice and support on Government information security requirements and matters
• Coordinate and facilitate the handling of IT security incidents within Government
• Protect Government’s central IT infrastructure and information
• Ensure compliance with information security policy and requirements
• Conduct IT security awareness promotion and training for government staff and the public

Hong Kong Police Force
• Prevent and detect technology crime
• Establish the Cyber Security Centre to strengthen resilience against cyber attacks
• Collaborate with OGCIO & HKCERT to conduct awareness promotion and training for the public

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
• Coordinate computer security incident response
• Disseminate security alerts to the public
• Collaborate with OGCIO & Police to conduct awareness promotion and training for the public
• Conduct security drills

Security Bureau
• Provide policy steer, advice and support on Government’s security requirements and security incidents


Review of Information Security Requirements

Review, Revise and Promulgate: Security Regulations, Policies and Guidelines for Government Bureaux and Departments (B/Ds), covering recent topics such as:
• Cloud Computing Security
• Social Networking Security
• Mobile Device Security

To ensure that government information security requirements keep pace with the advancement of technology, security trends and the latest developments in international/industry practices.


Security Risk Assessment and Audit

To ensure that information security risks of government information systems are properly managed and appropriate mitigation measures are effectively implemented.

Information Security Risk Assessment and Third-party Audit of Information Systems:
• Identify security threats, vulnerabilities and corresponding impacts
• Ensure compliance with information security policies
• Adopt effective information security measures


Security Governance

To better monitor the security status of B/Ds and help them achieve compliance with government security requirements.

Government Bureaux and Departments (B/Ds):
• Security Survey
• Security Risk Assessment Result
• Visit & Review


Awareness Promotion to the Public

To empower citizens to withstand new and ever-changing security threats.

• Public Seminars
• Thematic website www.infosec.gov.hk
• Multimedia materials
• Leaflets
• Posters
• Radio clips


Government Cloud Computing Strategy

Three deployment tiers, matched to data classification:
• Public Cloud (Outsourced): E-Government Public Services without Classified data
• Private Cloud – Government Cloud (GovCloud): E-Government Infrastructure Services
• Private Cloud (In-house) – Central Computer Centre Virtualised Infrastructure: E-Government Services with Classified data

Hosting locations shown on the slide: at contractor data centres; at government data centres.


Government Cloud Adoption

A step-by-step approach to take full advantage of this new IT model while at the same time minimising the associated risks.

• Mar 2011 – Government Cloud Computing Strategy
• 2011 – Pilot and Testing: Portal for Public Sector Information (PSI); Central Computer Centre Virtualization
• 2012 – Funding and Contracting: GovCloud; Cloud-enabled Platform (EGIS); Government Public Cloud services
• 2013 – Provision of Shared Services: Electronic Information Mgt; Human Resource Mgt; e-Procurement, etc.
• 2014 and beyond – Rollout and Review


Cloud Challenges

• Data Location
• Data Ownership
• Security & Privacy
• Service Continuity
• Data Protection
• Multi-tenancy
• Outsourcing
• Off-Premises
• Changes to Infrastructure
• Changes to Processes
• Changes to User Behaviour


Cloud Security Trends

Source of Information: Cloud end-user survey conducted by the SME Global Alliance and Hong Kong Productivity Council in 2012.


Security Challenge & Risk Mitigation in Cloud Adoption

Challenge: Lack of corporate directions and relevant policies and guidelines
Risk Mitigation: Cloud adoption strategy; Review of policies and guidelines

Challenge: Control on user authentication
Risk Mitigation: Access control security; User education and training

Challenge: Assurance of information security and privacy in cloud
Risk Mitigation: Cloud security certifications and standards; Conduct of risk assessments and audits; Contractual agreement

Challenge: Protection of data out of organisational control boundary
Risk Mitigation: Data protection best practices; Incident response mechanism


Promotion of Best Practices in Cloud Adoption

雲資訊網 www.infocloud.gov.hk

Published by OGCIO and the Expert Group on Cloud Computing Services and Standards:

Security Checklists for Cloud Service Consumers
• Checklist for SMEs on selecting Cloud Service Provider
• Checklist for SMEs on using Cloud Services
• Checklist for Individuals on protecting their data in the Cloud Environment

Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms
• Policy Management
• Data Protection Principles
• Subcontractors’ Management
• Staff Management

Practice Guide for Procuring Cloud Services
• Service Cost
• Service Level
• On Boarding & Off Boarding
• Service Operation
• Security and Privacy Protections
• Service Commitments/Warranties
• Data Ownership & Location and IP Ownership
• Service Default
• Contracting (Terms of Service)


Summary

• Government: Extensive Information Security Programmes
• Cloud: Adoption through Risk Mitigation
• Hong Kong: Strong Foundation for Cloud Computing