Secretary for Innovation and Technology, Alfred Sit discusses the Data Security Law of the PRC.
The Hong Kong Government has formulated a comprehensive government information security incident response mechanism and related measures. Established by the Security Bureau, the Security Regulations include dedicated chapters governing information security to ensure the security of government internal information and information systems.
Among other things, the Security Regulations define the security classification of government information and explicitly require government departments to properly classify the information they hold and to take corresponding measures according to that classification, so that the information is fully protected during storage and business operations. Examples include limiting access to classified information, and access to and use of the related information systems and data, to authorised persons only, and encrypting classified information stored in information systems. Details of the information classification and security measures are not suitable for disclosure for security reasons.
In addition, the Office of the Government Chief Information Officer (OGCIO) has formulated a set of detailed Government IT Security Policy and Guidelines (Policy and Guidelines) under the framework of the Security Regulations, with which all departments must comply. The Policy and Guidelines require all departments to explicitly define and regularly review the access rights of relevant information systems and data, set out technical requirements for the use of encryption, and stipulate that departments must establish an information security management framework to handle security matters effectively.
The Policy and Guidelines also stipulate that departments must regularly conduct independent security risk assessments and audits of their information systems and data security in order to strengthen security measures. To raise the Government's awareness of the latest cyber risks and its capability to respond to them, the OGCIO has implemented the Cyber Risk Information Sharing Platform within the Government, which uses big data analytics technology to collect, collate and analyse information on cyber and data security threats from different sources so that threat alerts can be disseminated to all departments in a timely manner.
In accordance with the Policy and Guidelines, all departments have established an information security incident response team to handle their information security incidents. Both the Security Regulations and the Policy and Guidelines are developed with reference to international standards and will be reviewed and updated from time to time to tackle the latest security threats.
All government departments must also abide strictly by the Security Regulations and the Policy and Guidelines mentioned above to ensure the security of government information and information systems. The OGCIO regularly conducts compliance audits for departments to ensure their information systems are compliant with relevant security requirements.
The OGCIO has also established a computer emergency response team within the Government to assist and co-ordinate departments in dealing with computer emergency response and incidents. In addition, the OGCIO organises annual Inter-departmental Cyber Security Drill to strengthen the capability of government departments in defending and responding to cyber security incidents.
In the face of the security risks associated with the critical infrastructures of different industries, the Hong Kong Police Force (HKPF) has established the Critical Infrastructure Security Coordination Centre (CISCC), which seeks to strengthen the self-protection and self-restoration capabilities of these infrastructures through public-private co-operation, risk management, on-site security inspections, and the promotion of restoration plans and security designs.
On cyber security, the Cyber Security Centre (CSC) under the Cyber Security and Technology Crime Bureau of the HKPF provides support to critical infrastructures by conducting timely cyber threat audits and analyses to prevent and detect cyber-attacks against them. The CISCC and the CSC operate round the clock to provide appropriate support to local critical infrastructures.
Meanwhile, the Government has attached great importance to co-operation and information sharing with the mainland and international counterparts in cyber security.
The OGCIO and the Bureau of Cyber Security of Cyberspace Administration of China reached a consensus on co-operation in 2016 to strengthen co-ordination and promote exchanges and co-operation in cyber security between the Mainland and Hong Kong. The OGCIO also works with the National Computer Network Emergency Response Technical Team/Coordination Centre of China to obtain related cyber security vulnerability information in a timely manner through the China National Vulnerability Database and arrange preventive measures. At the international level, the OGCIO maintains close liaison with global leading computer emergency incident response organisations and computer emergency response teams to quickly get hold of cyber security information and prevent cyber-attacks in a timely manner.
The Government will regularly review its prevailing information security incident response and handling arrangements and recommend improvement measures, so as to continuously update and strengthen the Government's capability to respond to and handle information security incidents.
By: Secretary for Innovation and Technology, Alfred Sit