LCQ17: Information Security
***************************

    Following is a question by the Hon Sin Chung-kai and a written reply by the Secretary for Commerce, Industry and Technology, Mr Joseph WP Wong, in the Legislative Council today (December 6):

Question:

     In view of the recent cases in which the personal data of members of the public have been leaked by government departments and public bodies, will the Government inform this Council:

(a) of the measures currently adopted by the Information Security Management Committee and the Information Technology Security Working Group, so as to ensure that various policy bureaux and government departments comply with the information technology (IT) security policies and guidelines formulated by the Government Chief Information Officer;

(b) whether it has assessed if the above measures can effectively enhance the information protection capabilities within the Government; if it has, of the assessment results; if not, the reasons for that;

(c) whether it has assessed the overall information protection capabilities of policy bureaux, government departments and public bodies; if it has, of the results; if not, whether it plans to make such assessment; if so, of the relevant details;

(d) whether it will consider extending the scope of application of the IT security guidelines to all public bodies to protect the personal data of members of the public; and

(e) whether it plans to allocate additional resources, including funding for information security projects and investment in hardware to improve the information protection capabilities of policy bureaux, government departments and public bodies?

Reply:

Madam President:

(a) The Information Security Management Committee (ISMC) and the IT Security Working Group were established to oversee information security within the Government. The ISMC has formulated and promulgated comprehensive IT security policies, procedures and guidelines that all bureaux and departments (B/Ds) are required to comply with. In ensuring their compliance with information security requirements, B/Ds are required to conduct information security risk assessment and review their information systems regularly. On the handling of information security incidents, the Government Information Security Incident Response Office (GIRO) provides central advice and co-ordination to B/Ds whereas individual B/Ds are required to appoint a senior officer to be the Departmental Information Security Officer (DITSO) to take charge of the overall information security management and operation of the department. In addition, each department has to set up an Information Security Incident Response Team (ISIRT) to deal with security incident reporting and response matters.  

(b) The OGCIO works closely with relevant B/Ds on information security matters, and regularly reviews the Government's related regulations, policies and guidelines to keep them in step with the advancement of technology and the development of international and industry best practices. Besides, an annual information security survey is conducted on B/Ds, which has enabled us to keep in view the implementation of IT security measures by the departments and has provided necessary input for us to continuously enhance the information security management framework and the technical measures being deployed. These procedures and measures have proven to be effective in enhancing the overall security status of B/Ds.

(c) An annual information security survey is conducted on B/Ds to enable us to keep in view the implementation of IT security measures by the B/Ds, and the most recent one was completed in July 2006. In March 2006, the OGCIO also conducted a survey through B/Ds regarding the information security protection measures implemented by major public organisations under their purview. B/Ds have reported that the organisations have adopted various measures to protect themselves against information security threats.

     In August 2006, the OGCIO solicited the assistance of B/Ds to conduct another survey on the information security status of public organisations which B/Ds have purview over. A report on information security covering the overall security status of the B/Ds and public organisations has been produced and will be tabled at the LegCo IT and Broadcasting Panel Meeting to be held on December 11, 2006 for discussion.

(d) The OGCIO has advised B/Ds to encourage public organisations under their purview to adopt the information security guidelines where applicable. These guidelines are publicly available for access on the information security website (www.infosec.gov.hk). Moreover, we will cooperate with the Privacy Commissioner's Office and relevant industry bodies in promoting the importance of personal data privacy protection.

(e) B/Ds are responsible for implementing and enhancing their information security and may apply for funding for information security projects through the existing funding procedures. The capital expenditures for projects to review and enhance information security are chargeable to CWRF Head 710 Computerisation. Regarding the public organisations, they are responsible for their own investment, resources and funding on information security matters.

Ends/Wednesday, December 6, 2006
Issued at HKT 12:40