Platform Wiki: InfoSec

Recent incidents relating to leakages of personal data and other security concerns have raised public awareness of and concern about information security, a matter of obvious importance for our public bodies as well as key commercial sectors such as financial services, healthcare and education. I have always maintained that part of the reason for the problems we face is that we have one of the highest penetration rates of broadband Internet, personal computer and mobile phone usage in the world, with superb global connectivity. But it is also true that awareness of information security at the individual and SME level remains unsatisfactory, making Hong Kong vulnerable to botnets and other organized attacks. Yet Hong Kong does not have a CERT (computer emergency response team) with sustained funding, and our Government does not conduct regular proactive network monitoring (on an aggregate basis, of course) to observe trends in attacks and discover points of weakness before problems strike.

The recent cases of leakages of personal data by large public and private organizations have also revealed that organizations need to urgently update and upgrade their technological, policy, procedural and cultural safeguards for protecting privacy. The resources of the Privacy Commissioner's Office (PCO) also need to be beefed up in order to cope with the growing privacy concerns of a more informed public, and with the high technology and media adoption that has enlarged the scale of the problems when they occur.

In order to protect Hong Kong's economy and social stability, we must make information security one of the highest priorities in our ICT policy. Therefore, I will:

* Propose a motion in Legislative Council if elected to urge Government to establish a complete, long-term policy on information security and privacy protection, and define the Government's role, function and responsibilities in the protection of information security;
* Lobby Government to increase funding for the Hong Kong Computer Emergency Response Team/Coordination Center (HKCERT/CC) on a recurrent and sustainable basis, and enlarge its scope of responsibilities to include conducting proactive network monitoring studies on Hong Kong's network infrastructure;
* Consult with ICT stakeholders, law enforcement bodies and the public to explore the establishment of a single, one-stop reporting channel for citizens to report various information security related crimes or incidents, such as phishing, hacking, malware attacks, copyright infringements, and other computer-related crimes;
* Call for all Government bureaus and departments as well as all statutory and publicly funded bodies to conduct annual information security audits and privacy impact studies, and inform the public with summary reports highlighting any progress or risks;
* Review the effectiveness of the Unsolicited Electronic Messages Ordinance (UEMO), especially in the areas of manned phone calls and electronic mails, to find ways to tackle the growing problem of spam;
* Fight for more resources from Government to promote information security to both the public and corporations, including the adoption of the Control Objectives for Information and related Technology (COBIT) and Val IT to standardize and improve corporate IT governance;
* Support the allocation of more resources to the PCO, and a review of the Personal Data (Privacy) Ordinance, which is long overdue and necessary to cope with technology changes and heightened community awareness, and to consider criminalization of certain conduct in using illegally obtained personal data, and imposing statutory requirements for incident reporting;
* Propose the establishment of the post of Chief Security Officer for large public and private organizations and corporations which deal with a large amount of personal data, in order to improve accountability and prevent incidents from occurring.
