Mr. Victor Lam, JP
Deputy Government Chief Information Officer
Office of the Government Chief Information Officer
The Government of the Hong Kong Special Administrative Region
24 July 2013
Information Security Seminar 2013
1 Office of the Government Chief Information Officer (OGCIO)
Agenda
1. Introduction
2. Information Security Posture & Programmes
3. Hong Kong SAR Government Cloud Adoption
4. Cloud Challenges & Risk Mitigation
5. Closing
Who’s Peeking At You?
Security & Privacy Data Protection
Data Location
Outsourcing
Local ICT Environment
• 2.26M broadband accounts
• 86% household with broadband access
• 19 004 public Wi-Fi access points
• 5 mobile network operators
• 19 local fixed network operators
• 193 Internet Service Providers (ISP)
Local ICT Environment
Strong foundation for Cloud Computing
• Well established legal system with good protection of intellectual property rights and personal data
• World-class infrastructure and ideal location in Asia for data centres
• Pro-business culture
• Proximity to the Mainland of China
• Talented ICT professionals
Office of the Government Chief Information Officer (OGCIO)
• Set up on 1 July 2004
• Provides a streamlined government structure and leadership for delivering the ICT functions within Government
• Enables the Government to take a proactive, leading role in championing ICT development in the community
• Headed by Government Chief Information Officer (GCIO), deputised by two Deputy Government Chief Information Officers (DGCIOs)
ICT Facts and Figures in the Government
• 1300 Government IT Professionals
• 2500 Contract IT Professionals
• 400+ Government web sites
• 50+ e-Government mobile apps
• 29 Government data centres
Information Security – Major Stakeholders
OGCIO
• Provide policy steer, advice and support on Government information security requirements and matters
• Coordinate and facilitate the handling of IT security incidents within Government
• Protect Government’s central IT infrastructure and information
• Ensure compliance with information security policy and requirements
• Conduct IT security awareness promotion and training for government staff and the public
Hong Kong Police Force
• Prevent and detect technology crime
• Establish the Cyber Security Centre to strengthen resilience against cyber attacks
• Collaborate with OGCIO & HKCERT to conduct awareness promotion and training for the public
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
• Coordinate computer security incident response
• Disseminate security alerts to the public
• Collaborate with OGCIO & Police to conduct awareness promotion and training for the public
• Conduct security drill
Security Bureau
• Provide policy steer, advice and support on Government’s security requirements and security incidents
Information Security
Review of Information Security Requirements
Security Regulations, Policies and Guidelines
Government Bureaux and Departments (B/Ds)
Review, Revise and Promulgate
Cloud Computing Security
Social Networking Security
Mobile Device Security
To ensure that government information security requirements keep pace with the advancement of technology, security trends and the latest developments in international/industry practices.
Security Risk Assessment and Audit
To ensure information security risks of government information systems are properly managed and appropriate mitigation measures are effectively implemented.
Information Security Risk Assessment and Third-party Audit
Information Systems
Identify security threats, vulnerabilities and corresponding impacts
Ensure compliance of information security policies
Adopt effective information security measures
Security Governance
To better monitor the security status of B/Ds and help them achieve compliance with government security requirements.
Government Bureaux and Departments (B/Ds)
Security Survey
Security Risk Assessment Result
Visit & Review
Awareness Promotion to the Public
To empower citizens to withstand new and ever-changing security threats.
Public Seminars
Thematic website www.infosec.gov.hk
Multimedia materials
Leaflets
Posters
Radio clips
Government Cloud Computing Strategy
Public Cloud
Outsourced Private Cloud
In-house Private Cloud
Government Cloud (GovCloud)
E-Government Public Services without Classified data
(at contractor data centres)
(at government data centres)
E-Government Infrastructure Services
Central Computer Centre Virtualised Infrastructure
E-Government Services with Classified data
Government Cloud Adoption
A step by step approach to take full advantage of this new IT model while at the same time minimise the associated risks.
Mar 2011: Government Cloud Computing Strategy
2011: Pilot and Testing
• Portal for Public Sector Information (PSI)
• Central Computer Centre Virtualization
2012: Funding and Contracting
• GovCloud
• Cloud-enabled Platform (EGIS)
• Government Public Cloud services
2013: Provision of Shared Services
• Electronic Information Mgt,
• Human Resource Mgt,
• e-Procurement, etc.
2014 and beyond: Rollout and Review
Cloud Challenges
Data location
Data Ownership
Security & Privacy
Service Continuity
Data Protection
Multi-tenancy
Outsourcing
Off-Premises
Changes to Infrastructure
Changes to Processes
Changes to User Behaviour
Cloud Security Trends
Source of Information: Cloud end-user survey conducted by the SME Global Alliance and Hong Kong Productivity Council in 2012.
Security Challenge & Risk Mitigation in Cloud Adoption
Challenge: Lack of corporate directions and relevant policies and guidelines
Risk Mitigation:
• Cloud adoption strategy
• Review of policies and guidelines
Challenge: Control on user authentication
Risk Mitigation:
• Access control security
• User education and training
Challenge: Assurance of information security and privacy in cloud
Risk Mitigation:
• Cloud security certifications and standards
• Conduct of risk assessments and audits
• Contractual agreement
Challenge: Protection of data out of organisational control boundary
Risk Mitigation:
• Data protection best practices
• Incident response mechanism
Promotion of Best Practices in Cloud Adoption
雲資訊網 www.infocloud.gov.hk
OGCIO
Expert Group on Cloud Computing Services and Standards
• Checklist for SMEs on selecting Cloud Service Provider
• Checklist for SMEs on using Cloud Services
• Checklist for Individuals on protecting their data in the Cloud Environment
• Policy Management
• Data Protection Principles
• Subcontractors’ Management
• Staff Management
• Service Cost
• Service Level
• On Boarding & Off Boarding
• Service Operation
• Security and Privacy Protections
• Service Commitments/Warranties
• Data Ownership & Location and IP Ownership
• Service Default
• Contracting (Terms of Service)
Practice Guide for Procuring Cloud Services
Security Checklists for Cloud Service Consumers
Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms
Summary
Government: Extensive Information Security Programmes
Cloud: Adoption through Risk Mitigation
Hong Kong: Strong Foundation for Cloud Computing