development department kowloon, hong kong · 2017-09-26 · security risk assessment & auditing...



CEDD TC No. 19/2004 Page 1 of 2

興土木 利民生 齊拓展 創明天 We bring the best engineering to life

土木工程拓展署 Civil Engineering and Development Department

Civil Engineering and Development Building, 101 Princess Margaret Road, Kowloon, Hong Kong

File Ref.: CEDD T 4/36/1 July 2004

Civil Engineering and Development Department Technical Circular No. 19/2004

Information Technology Security Policy

Introduction

1. This circular promulgates the Information Technology (IT) Security Policy.

Effective Date

2. This circular shall take immediate effect.

Background

3. Both CED and TDD formulated their departmental IT security policies in 2002 based on the Baseline IT Security Policy issued by the Information Technology Services Department (ITSD) in 2001.

4. In 2003, ITSD promulgated a revised Baseline IT Security Policy (version 2.0). The IT Security Policy of CEDD, which is based on that revised baseline policy and the IT security policies of CED and TDD, is set out at Appendix A.

Policy

5. All staff shall comply with the IT Security Policy and any updates issued by the CEDD IT Management Committee established in accordance with CEDD TC No. 16/2004.

6. Senior Engineer/Computer Services will issue procedures and guidelines to elaborate the IT Security Policy as necessary.

Re-circulation

7. This circular shall be re-circulated to all staff every six months.

Enquiries

8. Enquiries on this circular should be addressed to Senior Engineer/Computer Services.

( T K TSAO )
Director of Civil Engineering and Development

CEDD TC No. 19/2004 - Appendix A Page 1 of 30
(Version 4.0)

Appendix A

Civil Engineering and Development Department
IT Security Policy
Version: 4.0
March 2013

Amendment History

Version 1 (July 2004): First issue.

Version 2.0 (July 2006): Revised to incorporate the latest government IT security policies promulgated in OGCIO's Baseline IT Security Policy version 3.0. Appointment of ISIRT Commander updated.

Version 3.0 (June 2012): Revised to incorporate the government IT security policies promulgated in OGCIO's Baseline IT Security Policy versions 3.1 and 4.0. Clerical mistakes corrected.

Version 4.0 (March 2013): Revised to incorporate the government IT security policies promulgated in OGCIO's Baseline IT Security Policy version 5.0 and recommendations in OGCIO's audit in 2012, and some general updates.

TABLE OF CONTENTS

1. PURPOSE ..... 5
2. SCOPE ..... 6
2.1. APPLICABILITY ..... 6
2.2. TARGET AUDIENCE ..... 6
3. REFERENCE ..... 7
4. DEFINITIONS AND CONVENTIONS ..... 8
4.1. DEFINITIONS ..... 8
4.2. CONVENTIONS ..... 9
5. ORGANISATION ..... 10
5.1. DEPARTMENTAL IT SECURITY OFFICER (DITSO) ..... 10
5.2. IT MANAGEMENT COMMITTEE ..... 11
5.3. DEPARTMENTAL INFORMATION SECURITY INCIDENT RESPONSE TEAM (ISIRT) COMMANDER ..... 11
5.4. IT SECURITY ADMINISTRATORS (ITSA) ..... 11
5.5. INFORMATION/SYSTEM OWNERS ..... 12
5.6. LOCAL AREA NETWORK (LAN)/SYSTEM ADMINISTRATORS ..... 12
5.7. APPLICATION DEVELOPMENT & MAINTENANCE TEAM ..... 12
5.8. USERS ..... 12
6. CORE SECURITY PRINCIPLES ..... 13
7. MANAGEMENT RESPONSIBILITIES ..... 15
7.1. GENERAL MANAGEMENT ..... 15
7.2. OUTSOURCING SECURITY ..... 15
7.3. CONTINGENCY MANAGEMENT ..... 16
7.4. HUMAN RESOURCES SECURITY ..... 16
8. PHYSICAL SECURITY ..... 18
8.1. ENVIRONMENT ..... 18
8.2. EQUIPMENT SECURITY ..... 18
8.3. PHYSICAL ACCESS CONTROL ..... 18
9. ACCESS CONTROL SECURITY ..... 20
9.1. DATA ACCESS CONTROL ..... 20
9.2. AUTHENTICATION ..... 20
9.3. PRIVACY ..... 20
9.4. USER IDENTIFICATION ..... 20
9.5. USER PRIVILEGES MANAGEMENT ..... 20
9.6. PASSWORD MANAGEMENT ..... 21
9.7. NETWORK ACCESS CONTROL ..... 21
9.8. MOBILE COMPUTING AND REMOTE ACCESS ..... 21
10. DATA SECURITY ..... 23
10.1. OVERALL DATA CONFIDENTIALITY ..... 23
10.2. INFORMATION BACKUP ..... 23
11. APPLICATION SECURITY ..... 24
11.1. APPLICATION DEVELOPMENT & MAINTENANCE ..... 24
11.2. CONFIGURATION MANAGEMENT & CONTROL ..... 24
12. COMMUNICATIONS & OPERATIONS SECURITY ..... 25
12.1. OPERATIONS MANAGEMENT ..... 25
12.2. GENERAL NETWORK PROTECTION ..... 25
12.3. INTERNET SECURITY ..... 26
12.4. ELECTRONIC MESSAGING SECURITY ..... 26
12.5. PROTECTION AGAINST COMPUTER VIRUS AND MALICIOUS CODE ..... 26
12.6. SOFTWARE AND PATCH MANAGEMENT ..... 27
12.7. WIRELESS SECURITY ..... 27
12.8. MONITORING ..... 27
13. SECURITY RISK ASSESSMENT & AUDITING ..... 29
13.1. SECURITY RISK ASSESSMENT ..... 29
13.2. SECURITY AUDITING ..... 29
14. SECURITY INCIDENT MANAGEMENT ..... 30
14.1. SECURITY INCIDENT MONITORING ..... 30
14.2. SECURITY INCIDENT RESPONSE ..... 30

1. PURPOSE

This document sets out the Information Technology (IT) Security Policy of the Civil Engineering and Development Department (CEDD).

This document shall be re-circulated to all staff every six months.

2. SCOPE

2.1. Applicability

This document addresses mandatory security considerations in the following areas:

- Management responsibilities
- Physical security
- Access control security
- Data security
- Application security
- Communications & operations security
- Security risk assessment & auditing
- Security incident management

It sets the minimum security requirements. Staff may need to apply enhanced security measures, appropriate to their circumstances and commensurate with the determined risks.

2.2. Target Audience

The policy statements are developed for all levels of staff acting in different roles within the Department, including management staff, IT administrators, and general IT end users.

It is the responsibility of ALL staff to read through the entire document to understand and follow the IT security policies accordingly.

3. REFERENCE

a) Government of Hong Kong Special Administrative Region, "Security Regulations" (http://itginfo.ccgo.hksarg/content/itsecure/docs/guidelines/Current/SR/SB/SR.html)

b) Civil Service Bureau, "Civil Service Regulations"

c) Baseline IT Security Policy, OGCIO(S17)

d) IT Security Guidelines, OGCIO(G3)

e) Internet Gateway Security Guidelines, OGCIO(G50)

f) Security Risk Assessment & Audit Guidelines, OGCIO(G51)

g) Information Security Incident Handling Guidelines, OGCIO(G54)

h) OGCIO Circular No. 7/2008

4. DEFINITIONS AND CONVENTIONS

4.1. Definitions

a) Information System: a related set of hardware and software organised for the collection, processing, storage, communication, or disposition of information.

b) Confidentiality: only authorised persons are allowed to know or gain access to the information stored or processed by Information Systems in any aspect.

c) Integrity: only authorised persons are allowed to make changes to the information stored or processed by Information Systems in any aspect.

d) Availability: Information Systems should be accessible and usable upon demand by authorised persons.

e) IT Security Policy: a documented list of management instructions that describe in detail the proper use and management of computer and network resources, with the objective of protecting these resources, as well as the information stored or processed by Information Systems, from any unauthorised disclosure, modification or destruction.

f) Classified Information: refers to the categories of information classified in accordance with the Security Regulations.

g) Staff: persons employed by the Government irrespective of the employment period and terms.

h) Data Centre: a centralized data processing facility that houses Information Systems and related equipment. A control section is usually provided that accepts work from and releases output to users.

i) Computer Room: a dedicated room for housing computer equipment.

j) Malicious Codes: programs intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity, or availability of an Information System. Examples of malicious codes include computer viruses, worms, trojan horses and spyware.

k) Mobile Devices: portable computing and communication devices with information storage and processing capability. Examples include portable computers, mobile phones, tablets, digital cameras, and audio or video recording devices.

l) Removable Media: portable electronic storage media such as magnetic, optical, and flash memory devices, which can be inserted into and removed from a computing device. Examples include external hard disks or solid-state drives, floppy disks, zip disks, optical disks, tapes, memory cards, flash drives, and similar USB storage devices.

4.2. Conventions

4.2.1 The following is a list of conventions used in this document:

Shall: the use of the word 'shall' indicates a mandatory requirement.

Should: the use of the word 'should' indicates a requirement for good practice, which should be implemented whenever possible.

May: the use of the word 'may' indicates a desirable requirement.

5. ORGANISATION

This section explains the individual roles and responsibilities of the departmental IT Security organisation. Multiple roles can be assigned to a single staff member depending on resource availability.

The following diagram describes the Departmental IT Security organisation:

[Organisation chart: IT Management Committee; Departmental Security Officer; Departmental IT Security Officer; Departmental Information Security Incident Response Team (ISIRT); IT Security Administrators; Information/System Owners; LAN/System Administrators; Application Development & Maintenance Team; Users]

The Computer Services Unit in the Headquarters carries out the duties assigned by the ITMC and provides necessary technical support to the Committee. The Head of Development Offices and the Head of Divisions in other Offices shall appoint a Computer Representative and/or a suitable number of Assistant Computer Representative(s) who shall be responsible for the day-to-day computer related matters in the Office/Division.

5.1. Departmental IT Security Officer (DITSO)

Senior Engineer/Computer Services shall take on the role of DITSO. The DITSO shall collaborate with the Departmental Security Officer (DSO) designated in accordance with the Security Regulations to oversee the IT Security of the Department. The roles and responsibilities of DITSO include but are not limited to the following:

- Establish and maintain an information protection program to assist all staff in the protection of the information they use;
- Lead in the establishment, maintenance and implementation of IT security policies, standards, guidelines and procedures;
- Coordinate with other bureaux and departments on IT security issues;
- Disseminate security alerts on impending and actual threats from the GIRO to responsible parties within the department;
- Ensure information security risk assessments and audits are performed as necessary; and
- Initiate investigations and rectification in case of breach of security.

5.2. IT Management Committee

The CEDD IT Management Committee has an appreciation of IT security, its problems and resolutions. The committee members shall direct and enforce the development of security measures and provide the necessary resources required for the measures to be implemented. They shall ensure participation at the management, administrative, technical and operational staff levels, and provide full support to them.

5.3. Departmental Information Security Incident Response Team (ISIRT) Commander

The ISIRT is the central focal point for coordinating all IT security incidents occurring within CEDD. Senior Engineer/Computer Services shall take on the role of the Commander of ISIRT, who has the authority to appoint core team members for the ISIRT. The responsibilities of the ISIRT Commander include:

- Provide overall supervision and co-ordination of information security incident handling for all Information Systems within CEDD;
- Make decisions on critical matters such as damage containment, system recovery, the engagement of external parties and the extent of their involvement, and service resumption logistics after recovery;
- Trigger the departmental disaster recovery procedure where appropriate, depending on the impact of the incident on the business operation of CEDD;
- Provide management endorsement on the provision of resources for the incident handling process;
- Provide management endorsement in respect of the line-to-take for publicity on the incident;
- Collaborate with the Government Information Security Incident Response Office (GIRO) on incident reporting and necessary follow-up actions; and
- Facilitate experience and information sharing within CEDD on information security incident handling and related matters.

5.4. IT Security Administrators (ITSA)

IT Security Administrators are system level personnel responsible for providing security and risk management related support services. They assist in identifying system vulnerabilities and performing security administrative work of the system. They are also responsible for maintaining control and access rules to the data and system, checking and managing audit logs and promoting security awareness.

The IT Security Administrator may or may not be a technical person, but he/she should not be the same person as the System Administrator. There should be segregation of duties between the IT Security Administrator and the System Administrator if possible.

5.5. Information/System Owners

Information/System Owners are the collators and the owners of information stored in information systems. Their primary responsibility is to determine the data classifications, the authorised data usage, and the corresponding security requirements for protection of the information.

5.6. Local Area Network (LAN)/System Administrators

LAN/System Administrators are responsible for the day-to-day administration, operation and configuration of the computer systems and network in the Department, whereas Internet System Administrators are responsible for the related tasks for their Internet-facing Information Systems. They are responsible for implementing the security mechanisms in accordance with procedures/guidelines established by the DITSO.

5.7. Application Development & Maintenance Team

The Application Development & Maintenance Team is responsible for producing quality systems with the use of quality procedures, techniques and tools. They are responsible for agreeing with the Information/System Owner on system security requirements and defining the solutions to implement these security requirements.

5.8. Users

Users of Information Systems are the staff who actually use the information and shall be accountable for all their activities. They should know, understand, follow and apply all the possible and available security mechanisms to the greatest extent, and should endeavour to prevent leakage of and unauthorised access to information under their custody. They should also safekeep computing and storage devices, and protect them from unauthorised access or malicious attack to the best of their ability.

6. CORE SECURITY PRINCIPLES

This section introduces some generally accepted principles that address information security from a very high-level viewpoint. These principles are fundamental in nature and rarely change. They are NOT stated here as security requirements but are provided as useful guiding references for developing, implementing and understanding security policies. The principles listed below are by no means exhaustive.

Information system security objectives

Information system security objectives or goals are described in terms of three overall objectives: Confidentiality, Integrity and Availability. Security policies and measures are developed and implemented according to these objectives.

Prevent, Detect, Respond and Recover

Information security is a combination of preventive, detective, response and recovery measures. Preventive measures are for avoiding or deterring the occurrence of an undesirable event. Detective measures are for identifying the occurrence of an undesirable event. Response measures refer to the coordinated response to contain damage when an undesirable event (or incident) occurs. Recovery measures are for restoring the confidentiality, integrity and availability of information systems to their expected state.

Protection of information while being processed, in transit, and in storage

Security measures should be considered and implemented as appropriate to preserve the confidentiality, integrity, and availability of information while it is being processed, in transit, and in storage. An unprotected wireless network is vulnerable to attack, so security measures must be adopted when transmitting classified information.

External systems are assumed to be insecure

In general, an external system or entity that is not under your direct control should be considered insecure. Additional security measures are required when your information assets or information systems are located in or interfacing with external systems. Information systems infrastructure could be partitioned using either physical or logical means to segregate environments with different risk levels.

Resilience for critical information systems

All critical information systems need to be resilient to stand against major disruptive events, with measures in place to detect disruption, minimise damage and rapidly respond and recover.

Auditability and Accountability

Security requires auditability and accountability. Auditability refers to the ability to verify the activities in an information system. Evidence used for verification can take the form of audit trails, system logs, alarms, or other notifications. Accountability refers to the ability to audit the actions of all parties and processes which interact with information systems. Roles and responsibilities should be clearly defined, identified, and authorised at a level commensurate with the sensitivity of information.

7. MANAGEMENT RESPONSIBILITIES

7.1. General Management

7.1.1. All Staff shall ensure the confidentiality, integrity and availability of

information and all other security aspects of Information Systems under their

control including outsourced systems.

7.1.2. The CEDD IT Management Committee shall conduct periodic review of

information security policies, standards, guidelines and procedures.

7.1.3. Information/System Owners shall ensure that security protection is responsive

and adaptive to changing environment and technology.

7.1.4. Information/System Owners shall ensure that the provision for necessary

security safeguards and resources are covered in the annual budget.

7.1.5. Inventory of hardware assets, software assets, valid warranties and service

agreements shall be properly kept and maintained.

7.1.6. Least privilege principle shall be enforced when assigning resources and

privileges of Information Systems to users.

7.1.7. Staff shall note the policy in relation to acceptable use of IT services and

facilities promulgated through other departmental and OGCIO circulars.

7.2. Outsourcing Security

7.2.1. Outsourcing or external service providers shall observe and comply with this IT

security policy and other information security requirements issued by the

Government.

7.2.2. Information/System Owners shall monitor and review with the outsourcing or

external service providers to ensure that security operations are managed

properly. Confidentiality and non-disclosure agreements shall be properly

managed, and reviewed when changes occur that affect the security

requirement.

7.2.3. Information/System Owners utilising external services or facilities shall identify

and assess the risks to the government data and business operations. Security

measures commensurate with the data classification and business requirements

shall be documented and implemented. Security responsibilities of external

service providers shall be defined.

7.2.4. Information/System Owners shall reserve audit and compliance monitoring

rights to ensure external service providers have implemented sufficient controls

on government information systems, facilities and data. Alternatively, the

external service providers shall provide security audit report periodically to

prove the measures put in place are satisfactory.

IT SECURITY POLICY MANAGEMENT RESPONSIBILITES

CEDD TC No. 19/2004 - Appendix A Page 16 of 30

(Version 4.0)

7.3. Contingency Management

7.3.1. Plans for emergency response and disaster recovery of mission critical

Information Systems shall be fully documented and regularly tested and tie in with

the Business Continuity Plan.

7.4. Human Resources Security

7.4.1. Information security is the responsibility of every member of the staff in the

Government. Staff shall receive appropriate awareness training and regular

updates on IT Security Policy.

7.4.2. Staff shall be educated and trained periodically in order to enable them to

discharge their responsibilities and perform their duties relating to IT security.

7.4.3. Staff who contravene provision of this Policy may be subjected to disciplinary

action as stipulated in the Civil Service Regulations and that different levels of

disciplinary action may be instigated depending on the severity of the breach.

7.4.4. If a non-Civil Service contract employee contravene any provision of the Policy,

their employment contracts may be terminated depending on the severity of the

breach.

7.4.5. Staff who use or have unescorted access to Information Systems and resources

shall be carefully selected and shall be made aware of their own responsibilities

and duties. They shall be formally notified of their authorisation to access

Information Systems.

7.4.6. Staff shall be advised of their IT security responsibilities upon being assigned a

new post, and periodically throughout their term of employment.

7.4.7. Civil servants authorised to access CONFIDENTIAL and above information

shall undergo an integrity check as stipulated by the Secretary for the Civil

Service. For non-civil servants, appropriate background verification checks

should be carried out commensurate with the business requirements, the

classification of the information that the staff will handle, and the perceived

risks.

7.4.8. External consultants, contractors, outsourced staff, and temporary staff who are

engaged in Government work shall be subject to equivalent information security

requirements, and have the same information security responsibilities, as

Government staff. They should receive appropriate awareness training and

relevant information on the IT Security Policy.

7.4.9. At the time that a member of the staff is transferred or ceases to provide services

to the CEDD, all related Information Systems privileges shall be promptly

terminated. The outgoing officer or staff of external parties shall handover and

return computer resources and information to the Government.

IT SECURITY POLICY MANAGEMENT RESPONSIBILITES

CEDD TC No. 19/2004 - Appendix A Page 17 of 30

(Version 4.0)

7.4.10. To protect classified information from unauthorised access or unauthorised disclosure, relevant clauses in the Security Regulations shall be observed. No officer may publish, make private copies of or communicate to unauthorised persons any classified document or information obtained in his official capacity, unless he is required to do so in the interest of the Government. The "need to know" principle should be applied to all classified information, which should be provided only to persons who require it for the efficient discharge of their work and who have authorised access. If in any doubt as to whether an officer has authorised access to a particular document, classification or information, the Departmental Security Officer should be consulted.


8. PHYSICAL SECURITY

8.1. Environment

8.1.1. Careful site selection and accommodation planning of a purpose-built computer installation shall be conducted. The security specifications for the construction of special installations or offices should be referred to as the standard.

8.1.2. Data centres and computer rooms shall have good physical security and strong protection from disaster and security threats, whether natural or caused by other reasons, in order to minimize the extent of loss and disruption.

8.1.3. Backup media containing business essential and/or mission critical information shall be sited at a safe distance from the main site in order to avoid damage arising from a disaster at the main site.

8.1.4. Data centres and computer rooms shall conform to Level II¹ security if the Information System housed involves handling of CONFIDENTIAL information, and conform to Level III¹ security for handling of TOP SECRET / SECRET information.

¹ For detailed security specifications on Level I/II/III security, please refer to the document "Guidelines for Security Provisions in Government Office Buildings" published by the Security Bureau.

8.2. Equipment Security

8.2.1. All Information Systems shall be placed in a secure environment or attended by staff to prevent unauthorised access. Regular inspection of equipment and communication facilities shall be performed to ensure continuous availability and failure detection.

8.2.2. Staff in possession of mobile devices or removable media for business purposes shall safeguard the equipment in their possession, and shall not leave the equipment unattended without proper security measures.

8.2.3. IT equipment shall not be taken away from sites without proper control.

8.3. Physical Access Control

8.3.1. A list of persons who are authorised to gain access to data centres, computer rooms or other areas supporting critical activities, where computer equipment and data are located or stored, shall be kept up-to-date and be reviewed periodically.

8.3.2. All access keys, cards, passwords, etc. for entry to any of the information systems and networks shall be physically secured or subject to well-defined and strictly enforced security procedures.


8.3.3. All visitors to data centres or computer rooms shall be monitored at all times by an authorised member of staff. A visitor access record shall be kept and properly maintained for audit purposes.

8.3.4. To prevent illegal system access attempts, re-authentication should be activated, or the logon session and connection should be terminated, if there has been no activity for a predefined period of time. Also, user workstations should be switched off, if appropriate, before leaving work for the day or before a prolonged period of inactivity.

8.3.5. All staff shall ensure the security of their offices. Offices that can be directly accessed from public areas and contain Information Systems or information assets should be locked up when not in use.

8.3.6. The display screen of an Information System on which classified information can be viewed shall be carefully positioned so that unauthorised persons cannot readily view it.


9. ACCESS CONTROL SECURITY

9.1. Data Access Control

9.1.1. Access to information shall not be allowed unless authorised by the relevant information owners.

9.1.2. Data access rights shall be granted to users on a need-to-know basis.

9.1.3. Data access rights shall be clearly defined and reviewed periodically. Records of access rights approval and review shall be maintained.

9.1.4. Access to Information Systems containing information classified CONFIDENTIAL or above shall be restricted by means of logical access control.

9.2. Authentication

9.2.1. Access to classified information without appropriate authentication shall not be allowed.

9.2.2. Authentication shall be performed in a manner commensurate with the sensitivity of the information to be accessed.

9.2.3. The number of consecutive unsuccessful log-in trials shall be controlled.

9.3. Privacy

9.3.1. CEDD's management reserves the right to examine all information stored in or transmitted by Government Information Systems in accordance with the Personal Data (Privacy) Ordinance.

9.4. User Identification

9.4.1. Each user identity (user-ID) shall uniquely identify only one user. Shared or group user-IDs are not permitted unless explicitly approved by the DITSO.

9.4.2. Users are responsible for all activities performed with their user-IDs.

9.5. User Privileges Management

9.5.1. Procedures for approving, granting and managing user access, including user registration/de-registration, password delivery and password reset, shall be documented.

9.5.2. All accounts shall be revoked after a pre-defined period of inactivity.


9.5.3. User privileges shall be reviewed periodically.

9.5.4. The use of special privileges shall be restricted and controlled.

9.6. Password Management

9.6.1. The DITSO shall define a strict password policy that details at least minimum password length, initial assignment, restricted words and format, and password life cycle, and includes guidelines on suitable system and user password selection.

9.6.2. Passwords shall not be shared or divulged unless necessary (e.g., helpdesk assistance, shared PC and shared files). The risk of sharing passwords is that it increases the probability of security being compromised. If passwords must be shared, explicit approval from the DITSO shall be obtained. Besides, shared passwords should be changed promptly when the need no longer exists and should be changed frequently if sharing is required on a regular basis.

9.6.3. Passwords shall always be well protected when held in storage. Passwords shall be encrypted when transmitted over an un-trusted communication network. Compensating controls shall be applied to reduce the risk exposure to an acceptable level if encryption is not implementable.

9.6.4. Staff are prohibited from capturing or otherwise obtaining passwords, decryption keys, or any other access control mechanism, which could permit unauthorised access.

9.6.5. All vendor-supplied default passwords shall be changed before any Information System is put into operation.

9.6.6. All passwords shall be promptly changed if they are suspected of being or are being compromised, or have been disclosed to vendors for maintenance and support.

9.7. Network Access Control

9.7.1. Prior approval from the DITSO is required to connect a departmental Information System with another Information System under the control of another bureau, department or organisation. The security level of the Information Systems being connected shall not be downgraded. [A]

9.8. Mobile Computing and Remote Access

9.8.1. Staff shall note the usage policies and procedures specifying the security requirements when using mobile computing and remote access. Appropriate security measures shall be adopted to avoid unauthorised access to or disclosure of the information stored and processed by these facilities. Authorised users should be briefed on the security threats, and accept their security responsibilities with explicit acknowledgement.


9.8.2. Staff are prohibited from connecting workstations and mobile devices to an external network by means of a communication device, such as a dial-up modem, wireless interface, or broadband link, if the workstations or mobile devices are simultaneously connected to a Government internal network, unless with the approval of the DITSO.

9.8.3. Security measures shall be in place to prevent unauthorised remote access to Government information systems and data.

9.8.4. Unauthorised computer resources, including those privately-owned, shall not be connected to a Government internal network. If there is an operational necessity, approval from the Director of Civil Engineering and Development should be sought. Such usage of computer resources shall conform to the same IT security requirements.


10. DATA SECURITY

10.1. Overall Data Confidentiality

10.1.1. Information about Information Systems that may compromise the security of those systems shall not be disclosed to users, or any parties, except on a need-to-know basis and only if authorised by the DITSO or the ITSA for the system.

10.1.2. Staff shall not disclose information about the individuals, department or specific systems that have suffered from damages caused by computer crimes and computer abuses, or the specific methods used to exploit certain system vulnerabilities, to any people other than those who are handling the incident and responsible for the security of such systems, or authorised investigators involved in the investigation of the crime or abuse.

10.1.3. Staff shall not disclose to any unauthorised persons the nature and location of the Information Systems, and the information system controls that are in use or the way in which they are implemented.

10.1.4. All stored information classified as CONFIDENTIAL or above shall be encrypted. RESTRICTED information shall be encrypted when stored in mobile devices or removable media assigned to individuals.

10.1.5. Staff shall comply with the Security Regulations in relation to Information Systems including, but not limited to, storage, transmission, processing, and destruction of classified information. Information without any security classification should also be protected from unintentional disclosure.

10.1.6. The Personal Data (Privacy) Ordinance (Cap.486) shall be observed when handling personal data. In accordance with Security Regulations 161(d)(iii), all personal data should be classified RESTRICTED at least; depending on the nature and sensitivity of the personal data concerned and the harm that could result from unauthorised or accidental access, processing, erasure or other use of the personal data, a higher classification and appropriate security measures may be required.

10.2. Information Backup

10.2.1. Backups shall be carried out at regular intervals.

10.2.2. Backup activities shall be reviewed regularly.

10.2.3. Integrity copies of backups shall be stored at a remote distance from the system and be protected. Backup media should also be protected against unauthorised access, misuse or corruption during transportation.


11. APPLICATION SECURITY

11.1. Application Development & Maintenance

11.1.1. Application development staff shall include security planning and implement the appropriate security measures and controls for systems under development according to the systems' security requirements.

11.1.2. Documentation and listings of applications shall be properly maintained and restricted on a need-to-know basis.

11.1.3. Formal testing and review of the security measures shall be performed prior to implementation.

11.1.4. The integrity of an application shall be maintained with appropriate security measures such as a version control mechanism and separation of environments for development, system testing, acceptance testing, and live operation.

11.1.5. Application development staff shall not be permitted to access production information unless necessary.

11.1.6. Test data shall be carefully selected, protected and controlled commensurate with its classification. Use of test data extracted from production shall be avoided. If genuinely required, the process should be reviewed, documented and approved by the Information/System Owner.

11.2. Configuration Management & Control

11.2.1. Change control procedures for requesting and approving program/system changes shall be documented.

11.2.2. Installation of all computer equipment and software shall be done under control and audit.

11.2.3. Staff shall be advised of the impact of security changes and usage on Information Systems.


12. COMMUNICATIONS & OPERATIONS SECURITY

12.1. Operations Management

12.1.1. There shall be sufficient segregation of duties where practicable to avoid execution of all security functions of an Information System by a single individual.

12.1.2. Information systems shall be managed using the principle of least functionality, with all unnecessary services or components removed or restricted.

12.1.3. Changes affecting existing security protection mechanisms shall be carefully considered.

12.1.4. Operational and administrative procedures for information systems shall be properly documented, followed, and reviewed periodically.

12.2. General Network Protection

12.2.1. Internal network addresses, configurations and related system or network information shall be properly maintained and shall not be publicly released without the approval of the DITSO.

12.2.2. All internal networks with connections to other Government networks or publicly accessible computer networks shall be properly protected.

12.2.3. Proper configuration and administration of information / communication systems is required and shall be reviewed regularly.

12.2.4. Connections and links made to other networks shall not compromise the security of CEDD's Information Systems and those on the connected/linked network.

12.2.5. CONFIDENTIAL / RESTRICTED information shall be encrypted when transmitted over an un-trusted communication network.

12.2.6. TOP SECRET / SECRET information shall be transmitted only under encryption and inside an isolated LAN approved by the Government Security Officer subject to the technical endorsement of OGCIO.


12.3. Internet Security

12.3.1. Staff shall access the Internet through the centrally arranged Internet gateways, the Central Internet Gateway (CIG) or CEDD's Internet gateway conforming to OGCIO security standards. In circumstances where this is not feasible or having regard to the mode of use¹, the DITSO may consider allowing Internet access through stand-alone machines, if appropriate security control mechanisms are implemented.

¹ Such modes of use may include, for example, Internet surfing, e-mail exchange, and the use of official, portable computers while on business. The relevant standalone machines must still be protected by any applicable security mechanisms.

12.3.2. The DITSO may consider the value versus inconvenience of implementing technologies to block non-business web sites where necessary. The ability to connect with a specific web site does not in itself imply that users of systems are permitted to visit that site.

12.3.3. All software and files downloaded from the Internet shall be screened and verified with anti-virus software.

12.3.4. Staff should not execute mobile code or software downloaded from the Internet unless the code is from a known and trusted source.

12.4. Electronic Messaging Security

12.4.1. LAN/Systems administrators shall establish and maintain a systematic process for the recording, retention, and destruction of electronic mail messages and accompanying logs. [A]

12.4.2. Internal email address lists containing entries for authorised users or Government sites shall be properly maintained and protected from unauthorised access and modification.

12.4.3. Classified information shall be transmitted by email only on an Information System approved by the Government Security Officer subject to the technical endorsement of OGCIO. Email transmission of TOP SECRET / SECRET information shall also follow the condition stipulated in 12.2.6.

12.4.4. Electronic messages from suspicious sources should not be opened or forwarded.

12.5. Protection Against Computer Virus and Malicious Code

12.5.1. Anti-virus protection shall be enabled on all local area network servers, personal computers, mobile devices, and computers connecting to the Government internal network via a remote access channel.

12.5.2. LAN/System Administrators shall protect their Information Systems from computer viruses and malicious codes. Virus signatures and malicious code definitions, as well as their detection and repair engines, shall be updated regularly and whenever necessary.

12.5.3. Storage media and files from an unknown source or origin shall not be used unless the storage media and files have been checked and cleaned for computer viruses and malicious codes.

12.5.4. Users shall not intentionally write, generate, copy, propagate, execute or be involved in introducing computer viruses or malicious codes.

12.6. Software and Patch Management

12.6.1. LAN/System Administrators shall protect their Information Systems from known vulnerabilities by applying the latest security patches recommended by the product vendors or implementing other compensating security measures.

12.6.2. Computers and networks shall only run software that comes from trustworthy sources.

12.6.3. No unauthorised application software shall be loaded onto a Government Information System without prior approval from the officer designated by the department.

12.6.4. Before security patches are applied, proper risk evaluation and testing should be conducted to minimize the undesirable effects on the Information Systems.

12.7. Wireless Security

12.7.1. LAN/System Administrators shall document, monitor, and control wireless networks with connections to the Government internal network.

12.7.2. Users of wireless or mobile computing devices shall protect their devices against loss and theft.

12.7.3. Proper authentication and encryption security controls shall be employed to protect data communication over wireless networks with connections to the Government internal network.

12.7.4. Users of wireless or mobile computing devices shall ensure that their devices do not contain computer viruses and malicious codes.

12.8. Monitoring

12.8.1. LAN/System Administrators shall log activities of production Information Systems under their control according to the business needs and data classification.

12.8.2. Any log kept shall provide sufficient information to support comprehensive audits of the effectiveness of, and compliance with, security measures.


12.8.3. Logs shall be retained for a period commensurate with their usefulness as an audit tool. During this period, such logs shall be secured such that they cannot be modified, and can only be read by authorised persons.

12.8.4. Logs shall not be used to profile the activity of a particular user unless it relates to a necessary audit activity supported by a Directorate officer.

12.8.5. Regular checking of log records, especially on systems/applications where classified information is processed/stored, shall be performed, not only on the completeness but also on the integrity of the log records. All system and application errors which are suspected to be triggered as a result of security breaches shall be reported and logged.

12.8.6. Clock synchronisation should be configured to keep the clocks of Information Systems in sync.


13. SECURITY RISK ASSESSMENT & AUDITING

13.1. Security Risk Assessment

13.1.1. Security risk assessments for information systems and production applications shall be performed at least once every two years. A security risk assessment shall also be performed before production, and prior to major enhancements and changes associated with these systems or applications.

13.1.2. Use of software and programs for performing security risk assessment shall be restricted and controlled.

13.2. Security Auditing

13.2.1. Information/System Owners shall identify and document all relevant statutory, regulatory and contractual requirements applicable to the operations of their information systems.

13.2.2. Audits of Information Systems shall be performed periodically to ensure compliance with IT security policies and effective implementation of security measures. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

13.2.3. Use of software and programs for performing security audits shall be restricted and controlled.


14. SECURITY INCIDENT MANAGEMENT

14.1. Security Incident Monitoring

14.1.1. LAN/System Administrators shall establish an incident detection and monitoring mechanism to detect, contain and ultimately prevent security incidents.

14.1.2. LAN/System Administrators shall ensure that system logs and other supporting information are retained for the proof and tracing of security incidents.

14.2. Security Incident Response

14.2.1. The DITSO shall establish, document and maintain a security incident handling/reporting procedure.

14.2.2. Staff shall be made aware of the security incident handling/reporting procedure that is in place and shall observe and follow it accordingly.

14.2.3. Any observed or suspected security incidents or security problems in information systems or services shall be reported immediately only to the responsible party according to the incident handling procedure.

***End***