CEDD TC No. 19/2004 Page 1 of 2
興土木 利民生 齊拓展 創明天 (Build through civil engineering, benefit the people, develop together, create tomorrow) We bring the best engineering to life
土木工程拓展署 Civil Engineering and Development Department
Civil Engineering and Development Building, 101 Princess Margaret Road, Kowloon, Hong Kong
File Ref.: CEDD T 4/36/1 July 2004
Civil Engineering and Development Department Technical Circular No. 19/2004
Information Technology Security Policy

Introduction

1. This circular promulgates the Information Technology (IT) Security Policy.

Effective Date

2. This circular shall take immediate effect.

Background

3. Both CED and TDD formulated their departmental IT security policies in 2002 based on the Baseline IT Security Policy issued by the Information Technology Services Department (ITSD) in 2001.

4. In 2003, ITSD promulgated a revised Baseline IT Security Policy (version 2.0). The IT Security Policy of CEDD, which is based on that revised baseline policy and the IT security policies of CED and TDD, is set out at Appendix A.

Policy

5. All staff shall comply with the IT Security Policy and any updates issued by the CEDD IT Management Committee established in accordance with CEDD TC No. 16/2004.

6. Senior Engineer/Computer Services will issue procedures and guidelines to elaborate the IT Security Policy as necessary.

Re-circulation

7. This circular shall be re-circulated to all staff every six months.
Enquiries

8. Enquiries on this circular should be addressed to Senior Engineer/Computer Services.
( T K TSAO ) Director of Civil Engineering and Development
CEDD TC No. 19/2004 - Appendix A Page 1 of 30
(Version 4.0)
Appendix A
Civil Engineering and Development Department
IT Security Policy
Version: 4.0
March 2013
Amendment History

Version 1 (July 2004): First issue.

Version 2.0 (July 2006): Revised to incorporate the latest government IT security policies promulgated in OGCIO's Baseline IT Security Policy version 3.0. Appointment of ISIRT Commander updated.

Version 3.0 (June 2012): Revised to incorporate the government IT security policies promulgated in OGCIO's Baseline IT Security Policy versions 3.1 and 4.0. Clerical mistakes corrected.

Version 4.0 (March 2013): Revised to incorporate the government IT security policies promulgated in OGCIO's Baseline IT Security Policy version 5.0 and recommendations in OGCIO's audit in 2012, and some general updates.
TABLE OF CONTENTS

1. PURPOSE
2. SCOPE
   2.1. APPLICABILITY
   2.2. TARGET AUDIENCE
3. REFERENCE
4. DEFINITIONS AND CONVENTIONS
   4.1. DEFINITIONS
   4.2. CONVENTIONS
5. ORGANISATION
   5.1. DEPARTMENTAL IT SECURITY OFFICER (DITSO)
   5.2. IT MANAGEMENT COMMITTEE
   5.3. DEPARTMENTAL INFORMATION SECURITY INCIDENT RESPONSE TEAM (ISIRT) COMMANDER
   5.4. IT SECURITY ADMINISTRATORS (ITSA)
   5.5. INFORMATION/SYSTEM OWNERS
   5.6. LOCAL AREA NETWORK (LAN)/SYSTEM ADMINISTRATORS
   5.7. APPLICATION DEVELOPMENT & MAINTENANCE TEAM
   5.8. USERS
6. CORE SECURITY PRINCIPLES
7. MANAGEMENT RESPONSIBILITIES
   7.1. GENERAL MANAGEMENT
   7.2. OUTSOURCING SECURITY
   7.3. CONTINGENCY MANAGEMENT
   7.4. HUMAN RESOURCES SECURITY
8. PHYSICAL SECURITY
   8.1. ENVIRONMENT
   8.2. EQUIPMENT SECURITY
   8.3. PHYSICAL ACCESS CONTROL
9. ACCESS CONTROL SECURITY
   9.1. DATA ACCESS CONTROL
   9.2. AUTHENTICATION
   9.3. PRIVACY
   9.4. USER IDENTIFICATION
   9.5. USER PRIVILEGES MANAGEMENT
   9.6. PASSWORD MANAGEMENT
   9.7. NETWORK ACCESS CONTROL
   9.8. MOBILE COMPUTING AND REMOTE ACCESS
10. DATA SECURITY
   10.1. OVERALL DATA CONFIDENTIALITY
   10.2. INFORMATION BACKUP
11. APPLICATION SECURITY
   11.1. APPLICATION DEVELOPMENT & MAINTENANCE
   11.2. CONFIGURATION MANAGEMENT & CONTROL
12. COMMUNICATIONS & OPERATIONS SECURITY
   12.1. OPERATIONS MANAGEMENT
   12.2. GENERAL NETWORK PROTECTION
   12.3. INTERNET SECURITY
   12.4. ELECTRONIC MESSAGING SECURITY
   12.5. PROTECTION AGAINST COMPUTER VIRUS AND MALICIOUS CODE
   12.6. SOFTWARE AND PATCH MANAGEMENT
   12.7. WIRELESS SECURITY
   12.8. MONITORING
13. SECURITY RISK ASSESSMENT & AUDITING
   13.1. SECURITY RISK ASSESSMENT
   13.2. SECURITY AUDITING
14. SECURITY INCIDENT MANAGEMENT
   14.1. SECURITY INCIDENT MONITORING
   14.2. SECURITY INCIDENT RESPONSE
1. PURPOSE
This document sets out the Information Technology (IT) Security Policy of the Civil
Engineering and Development Department (CEDD).
This document shall be re-circulated to all staff every six months.
2. SCOPE
2.1. Applicability
This document addresses mandatory security considerations in the following areas:
- Management responsibilities
- Physical security
- Access control security
- Data security
- Application security
- Communications & operations security
- Security risk assessment & auditing
- Security incident management
It sets the minimum security requirements. Staff may need to apply enhanced security
measures, appropriate to their circumstances and commensurate with the determined
risks.
2.2. Target Audience
The policy statements are developed for all levels of staff acting in different roles within the Department, including management staff, IT administrators, and general IT end users.

It is the responsibility of ALL staff to read through the entire document to understand and follow the IT security policies accordingly.
3. REFERENCE
a) Government of Hong Kong Special Administrative Region, "Security Regulations" (http://itginfo.ccgo.hksarg/content/itsecure/docs/guidelines/Current/SR/SB/SR.html)
b) Civil Service Bureau, "Civil Service Regulations"
c) Baseline IT Security Policy, OGCIO(S17)
d) IT Security Guidelines, OGCIO(G3)
e) Internet Gateway Security Guidelines, OGCIO(G50)
f) Security Risk Assessment & Audit Guidelines, OGCIO(G51)
g) Information Security Incident Handling Guidelines, OGCIO(G54)
h) OGCIO Circular No. 7/2008
4. DEFINITIONS AND CONVENTIONS
4.1. Definitions
a) Information System a related set of hardware and software organised for the
collection, processing, storage, communication, or
disposition of information.
b) Confidentiality only authorised persons are allowed to know or gain
access to the information stored or processed by
Information Systems in any aspects.
c) Integrity only authorised persons are allowed to make changes to
the information stored or processed by Information
Systems in any aspects.
d) Availability Information Systems should be accessible and usable upon demand by authorised persons.
e) IT Security Policy a documented list of management instructions that
describe in detail the proper use and management of
computer and network resources with the objective to
protect these resources as well as the information
stored or processed by Information Systems from any
unauthorised disclosure, modifications or destruction.
f) Classified Information refers to the categories of information classified in
accordance with the Security Regulations.
g) Staff persons employed by the Government irrespective of
the employment period and terms.
h) Data Centre a centralized data processing facility that houses
Information Systems and related equipment. A control
section is usually provided that accepts work from and
releases output to users.
i) Computer Room a dedicated room for housing computer equipment.
j) Malicious Codes programs intended to perform an unauthorised process
that will have adverse impact on the confidentiality,
integrity, or availability of an Information System.
Examples of malicious codes include computer
viruses, worms, trojan horses and spyware etc.
k) Mobile Devices portable computing and communication devices with
information storage and processing capability.
Examples include portable computers, mobile phones,
tablets, digital cameras, and audio or video recording
devices.
l) Removable Media portable electronic storage media such as magnetic,
optical, and flash memory devices, which can be inserted
into and removed from a computing device. Examples
include external hard disks or solid-state drives, floppy
disks, zip disks, optical disks, tapes, memory cards, flash
drives, and similar USB storage devices.
4.2. Conventions
4.2.1 The following is a list of conventions used in this document:

Shall    the use of the word 'shall' indicates a mandatory requirement.
Should   the use of the word 'should' indicates a requirement for good practice, which should be implemented whenever possible.
May      the use of the word 'may' indicates a desirable requirement.
5. ORGANISATION
This section explains the individual role and responsibility of the departmental IT
Security organisation. Multiple roles can be assigned to a single staff depending on
resource availability.
The following diagram (reproduced here as a list of its boxes) describes the Departmental IT Security organisation:
- IT Management Committee
- Departmental Security Officer
- Departmental IT Security Officer
- Departmental Information Security Incident Response Team (ISIRT)
- IT Security Administrators
- Information/System Owners
- LAN/System Administrators
- Application Development & Maintenance Team
- Users
The Computer Services Unit in the Headquarters carries out the duties assigned by the IT Management Committee (ITMC) and provides the necessary technical support to the Committee. The Head of
Development Offices and the Head of Divisions in other Offices shall appoint a
Computer Representative and/or a suitable number of Assistant Computer
Representative(s) who shall be responsible for the day-to-day computer related
matters in the Office/Division.
5.1. Departmental IT Security Officer (DITSO)
Senior Engineer/Computer Services shall take on the role of DITSO. The DITSO
shall collaborate with the Departmental Security Officer (DSO) designated in
accordance with the Security Regulations to oversee the IT Security of the
Department. The roles and responsibilities of DITSO include but are not limited to
the following:
- Establish and maintain an information protection program to assist all staff in the protection of the information they use;
- Lead in the establishment, maintenance and implementation of IT security policies, standards, guidelines and procedures;
- Coordinate with other bureaux and departments on IT security issues;
- Disseminate security alerts on impending and actual threats from the Government Information Security Incident Response Office (GIRO) to responsible parties within the department;
- Ensure information security risk assessments and audits are performed as necessary; and
- Initiate investigations and rectification in case of breach of security.
5.2. IT Management Committee
The CEDD IT Management Committee has an appreciation of IT security, its problems and their resolutions. The committee members shall direct and enforce the development of security measures and provide the resources required for the measures to be implemented. They shall ensure the participation of management, administrative, technical and operational staff, and provide full support to them.
5.3. Departmental Information Security Incident Response Team (ISIRT)
Commander
The ISIRT is the central focal point for coordinating all IT security incidents occurring within CEDD. Senior Engineer/Computer Services shall take on the role of Commander of the ISIRT, who has the authority to appoint core team members for the ISIRT. The responsibilities of the ISIRT Commander include:
- Provide overall supervision and co-ordination of information security incident handling for all Information Systems within CEDD;
- Make decisions on critical matters such as damage containment, system recovery, the engagement of external parties and the extent of their involvement, and service resumption logistics after recovery;
- Trigger the departmental disaster recovery procedure where appropriate, depending on the impact of the incident on the business operation of CEDD;
- Provide management endorsement on the provision of resources for the incident handling process;
- Provide management endorsement in respect of the line-to-take for publicity on the incident;
- Collaborate with the Government Information Security Incident Response Office (GIRO) on incident reporting and necessary follow-up actions; and
- Facilitate experience and information sharing within CEDD on information security incident handling and related matters.
5.4. IT Security Administrators (ITSA)
IT Security Administrators are system level personnel responsible for providing
security and risk management related support services. They assist in identifying
system vulnerabilities and performing security administrative work of the system.
They are also responsible for maintaining control and access rules to the data and
system, checking and managing audit logs and promoting security awareness.
The IT Security Administrator may or may not be a technical person, but he/she
should not be the same person as the System Administrator. There should be
segregation of duties between the IT Security Administrator and the System
Administrator if possible.
5.5. Information/System Owners
Information/System Owners are the collators and the owners of information stored in
information systems. Their primary responsibility is to determine the data
classifications, the authorised data usage, and the corresponding security
requirements for protection of the information.
5.6. Local Area Network (LAN)/System Administrators
LAN/System Administrators are responsible for the day-to-day administration,
operation and configuration of the computer systems and network in the Department
whereas Internet System Administrators are responsible for the related tasks for their
Internet-facing Information Systems. They are responsible for implementing the
security mechanisms in accordance with procedures/guidelines established by the
DITSO.
5.7. Application Development & Maintenance Team
The Application Development & Maintenance Team is responsible for producing quality systems through the use of quality procedures, techniques and tools. They are responsible for agreeing with the Information/System Owner on system security requirements and for defining the solutions that implement those security requirements.
5.8. Users

Users of Information Systems are the staff who actually use the information and shall be accountable for all their activities. They should know, understand, follow and apply all the possible and available security mechanisms to the greatest extent, and should endeavour to prevent leakage of, and unauthorised access to, information under their custody. They should also safekeep computing and storage devices, and protect them from unauthorised access or malicious attack to the best of their ability.
6. CORE SECURITY PRINCIPLES
This section introduces some generally accepted principles that address information
security from a very high-level viewpoint. These principles are fundamental in
nature, and rarely changing. They are NOT stated here as security requirements but
are provided as useful guiding references for developing, implementing and
understanding security policies. The principles listed below are by no means
exhaustive.
Information system security objectives
Information system security objectives or goals are described in terms of three
overall objectives: Confidentiality, Integrity and Availability. Security policies
and measures are developed and implemented according to these objectives.
Prevent, Detect, Respond and Recover
Information security is a combination of preventive, detective, response and
recovery measures. Preventive measures are for avoiding or deterring the
occurrence of an undesirable event. Detective measures are for identifying the
occurrence of an undesirable event. Response measures refer to coordinated
response to contain damage when an undesirable event (or incident) occurs.
Recovery measures are for restoring the confidentiality, integrity and
availability of information systems to their expected state.
Protection of information while being processed, in transit, and in storage
Security measures should be considered and implemented as appropriate to
preserve the confidentiality, integrity, and availability of information while it is
being processed, in transit, and in storage. An unprotected wireless network is vulnerable to attack; security measures must be adopted when transmitting classified information over such a network.
External systems are assumed to be insecure
In general, an external system or entity that is not under your direct control
should be considered insecure. Additional security measures are required when
your information assets or information systems are located in or interfacing with
external systems. Information systems infrastructure could be partitioned using
either physical or logical means to segregate environments with different risk
level.
Resilience for critical information systems
All critical information systems need to be resilient to stand against major
disruptive events, with measures in place to detect disruption, minimise damage
and rapidly respond and recover.
Auditability and Accountability
Security requires auditability and accountability. Auditability refers to the ability to verify the activities in an information system. Evidence used for verification can take the form of audit trails, system logs, alarms, or other notifications. Accountability refers to the ability to audit the actions of all parties and processes which interact with information systems. Roles and responsibilities should be clearly defined, identified, and authorised at a level commensurate with the sensitivity of information.
7. MANAGEMENT RESPONSIBILITIES
7.1. General Management
7.1.1. All staff shall ensure the confidentiality, integrity and availability of information and all other security aspects of Information Systems under their control, including outsourced systems.
7.1.2. The CEDD IT Management Committee shall conduct periodic review of
information security policies, standards, guidelines and procedures.
7.1.3. Information/System Owners shall ensure that security protection is responsive
and adaptive to changing environment and technology.
7.1.4. Information/System Owners shall ensure that provision for the necessary security safeguards and resources is covered in the annual budget.
7.1.5. Inventory of hardware assets, software assets, valid warranties and service
agreements shall be properly kept and maintained.
7.1.6. The least privilege principle shall be enforced when assigning Information System resources and privileges to users.
7.1.7. Staff shall note the policy in relation to acceptable use of IT services and
facilities promulgated through other departmental and OGCIO circulars.
7.2. Outsourcing Security
7.2.1. Outsourcing or external service providers shall observe and comply with this IT
security policy and other information security requirements issued by the
Government.
7.2.2. Information/System Owners shall monitor and review with the outsourcing or
external service providers to ensure that security operations are managed
properly. Confidentiality and non-disclosure agreements shall be properly
managed, and reviewed when changes occur that affect the security
requirement.
7.2.3. Information/System Owners utilising external services or facilities shall identify
and assess the risks to the government data and business operations. Security
measures commensurate with the data classification and business requirements
shall be documented and implemented. Security responsibilities of external
service providers shall be defined.
7.2.4. Information/System Owners shall reserve audit and compliance monitoring
rights to ensure external service providers have implemented sufficient controls
on government information systems, facilities and data. Alternatively, the
external service providers shall provide security audit report periodically to
prove the measures put in place are satisfactory.
7.3. Contingency Management
7.3.1. Plans for emergency response and disaster recovery of mission critical Information Systems shall be fully documented, regularly tested and tied in with the Business Continuity Plan.
7.4. Human Resources Security
7.4.1. Information security is the responsibility of every member of the staff in the
Government. Staff shall receive appropriate awareness training and regular
updates on IT Security Policy.
7.4.2. Staff shall be educated and trained periodically in order to enable them to
discharge their responsibilities and perform their duties relating to IT security.
7.4.3. Staff who contravene any provision of this Policy may be subject to disciplinary action as stipulated in the Civil Service Regulations; different levels of disciplinary action may be instigated depending on the severity of the breach.
7.4.4. If a non-Civil Service contract employee contravenes any provision of the Policy, the employment contract may be terminated depending on the severity of the breach.
7.4.5. Staff who use or have unescorted access to Information Systems and resources
shall be carefully selected and shall be made aware of their own responsibilities
and duties. They shall be formally notified of their authorisation to access
Information Systems.
7.4.6. Staff shall be advised of their IT security responsibilities upon being assigned a
new post, and periodically throughout their term of employment.
7.4.7. Civil servants authorised to access CONFIDENTIAL and above information
shall undergo an integrity check as stipulated by the Secretary for the Civil
Service. For non-civil servants, appropriate background verification checks
should be carried out commensurate with the business requirements, the
classification of the information that the staff will handle, and the perceived
risks.
7.4.8. External consultants, contractors, outsourced staff, and temporary staff who are
engaged in Government work shall be subject to equivalent information security
requirements, and have the same information security responsibilities, as
Government staff. They should receive appropriate awareness training and
relevant information on the IT Security Policy.
7.4.9. At the time that a member of the staff is transferred or ceases to provide services
to the CEDD, all related Information Systems privileges shall be promptly
terminated. The outgoing officer or staff of external parties shall handover and
return computer resources and information to the Government.
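As an added example (not part of the CEDD policy or of any departmental tool), the following Python program shows one way an IT Security Administrator could check that the requirement in 7.4.9 is being met: it reconciles a staff movement list from HR against the account and group list of a system and reports (a) accounts of officers who have ceased service but remain enabled, (b) group memberships a transferred officer has retained from a former office, and (c) accounts with no matching staff record at all. The staff records, office codes, account names and the "<OFFICE>-<role>" group naming convention are constructed assumptions for the example; a real check would read the HR list and the account export of the system concerned.

```python
"""Reconcile HR staff movements against system accounts (policy 7.4.9 check).

Added example; not part of the CEDD IT Security Policy. All records below
are constructed sample data, and the "<OFFICE>-<role>" group naming
convention is an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Group prefix treated as department-wide rather than office-specific (assumed).
SHARED_PREFIXES = {"CEDD"}


@dataclass
class StaffRecord:
    staff_id: str
    office: str                      # office/division the officer currently belongs to
    left_on: Optional[date] = None   # date the officer ceased service, if any
    moved_on: Optional[date] = None  # date of the last transfer, if any


@dataclass
class Account:
    user_id: str
    staff_id: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


def group_office(group: str) -> str:
    """Office code of a group named "<OFFICE>-<role>" (assumed convention)."""
    return group.split("-", 1)[0]


def reconcile(staff: List[StaffRecord], accounts: List[Account],
              today: date, grace_days: int = 1) -> List[Tuple[str, str, str]]:
    """Return (user_id, finding, detail) for every account that needs action.

    grace_days allows for normal same-day or next-day processing of a
    departure before an enabled account is reported as overdue.
    """
    by_staff_id: Dict[str, StaffRecord] = {s.staff_id: s for s in staff}
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        rec = by_staff_id.get(acct.staff_id)
        if rec is None:
            # No HR record: nobody is accountable for this account.
            findings.append((acct.user_id, "orphan", "no staff record for account"))
            continue
        if rec.left_on is not None:
            if acct.enabled and today - rec.left_on > timedelta(days=grace_days):
                findings.append((acct.user_id, "leaver",
                                 f"left on {rec.left_on.isoformat()}, account still enabled"))
            continue  # a disabled leaver account needs no further checks
        # Serving officer: every office-specific group must belong to the current office.
        stale = sorted(g for g in acct.groups
                       if group_office(g) not in SHARED_PREFIXES
                       and group_office(g) != rec.office)
        if stale:
            when = rec.moved_on.isoformat() if rec.moved_on else "unknown date"
            findings.append((acct.user_id, "transfer",
                             f"moved on {when}; groups from another office: {', '.join(stale)}"))
    return findings


# Constructed sample data (hypothetical staff, offices and accounts).
STAFF = [
    StaffRecord("S001", "HKO"),                                # serving, no movement
    StaffRecord("S002", "KLO", moved_on=date(2013, 2, 1)),    # transferred HKO -> KLO
    StaffRecord("S003", "HKO", left_on=date(2013, 1, 15)),    # ceased service
]
ACCOUNTS = [
    Account("alice", "S001", True, {"HKO-staff", "CEDD-all"}),
    Account("bob", "S002", True, {"HKO-lan-admin", "KLO-staff", "CEDD-all"}),
    Account("carol", "S003", True, {"HKO-staff"}),
    Account("svc-legacy", "S999", True, set()),               # no HR record at all
]
TODAY = date(2013, 3, 1)


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(STAFF, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user_id, finding, detail in sample_findings():
        print(f"{finding:9s} {user_id:12s} {detail}")
```

On the sample data the report lists bob (a retained LAN administrator group from his former office), carol (left in January, account still enabled) and svc-legacy (no staff record), while alice's office group and the department-wide group produce no finding. Orphan accounts are reported separately because they are the usual way a leaver's privileges survive: the HR record is closed but nothing links the account to it.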
7.4.10. To protect classified information from unauthorised access or unauthorised disclosure, the relevant clauses in the Security Regulations shall be observed. No officer may publish, make private copies of, or communicate to unauthorised persons any classified document or information obtained in his official capacity, unless he is required to do so in the interest of the Government. The "need to know" principle should be applied to all classified information, which should be provided only to persons who require it for the efficient discharge of their work and who have authorised access. If in any doubt as to whether an officer has authorised access to a particular document or classification of information, the Departmental Security Officer should be consulted.
8. PHYSICAL SECURITY
8.1. Environment
8.1.1. Careful site selection and accommodation planning of a purpose-built computer installation shall be conducted. Reference should be made to the standard security specifications for the construction of special installations or offices.
8.1.2. Data centres and computer rooms shall have good physical security and strong
protection from disaster and security threats, whether natural or caused by other
reasons, in order to minimize the extent of loss and disruption.
8.1.3. Backup media containing business essential and/or mission critical information
shall be sited at a safe distance from the main site in order to avoid damage
arising from a disaster at the main site.
8.1.4. Data centres and computer rooms shall conform to Level II¹ security if the Information System housed involves handling of CONFIDENTIAL information, and to Level III¹ security for handling of TOP SECRET / SECRET information.
8.2. Equipment Security
8.2.1. All Information Systems shall be placed in a secure environment or attended by
staff to prevent unauthorised access. Regular inspection of equipment and
communication facilities shall be performed to ensure continuous availability
and failure detection.
8.2.2. Staff in possession of mobile devices or removable media for business purposes
shall safeguard the equipment in their possession, and shall not leave the
equipment unattended without proper security measures.
8.2.3. IT equipment shall not be taken away from sites without proper control.
8.3. Physical Access Control
8.3.1. A list of persons who are authorised to gain access to data centres, computer
rooms or other areas supporting critical activities, where computer equipment
and data are located or stored, shall be kept up-to-date and be reviewed
periodically.
8.3.2. All access keys, cards, passwords, etc. for entry to any of the information
systems and networks shall be physically secured or subject to well-defined and
strictly enforced security procedures.
[1] For detailed security specifications on Level I/II/III security, please refer to the document “Guidelines
for Security Provisions in Government Office Buildings” published by the Security Bureau.
8.3.3. All visitors to data centres or computer rooms shall be monitored at all times by
authorised staff. A visitor access record shall be kept and properly maintained
for audit purposes.
8.3.4. To prevent illegal system access attempts, re-authentication should be activated,
or the logon session and connection should be terminated, after there has been
no activity for a predefined period of time. Also, user workstations should be
switched off, if appropriate, before leaving work for the day or before a
prolonged period of inactivity.
8.3.5. All staff shall ensure the security of their offices. Offices that can be directly
accessed from public area and contain Information Systems or information
assets should be locked up when not in use.
8.3.6. The display screen of an Information System on which classified information
can be viewed shall be carefully positioned so that unauthorised persons cannot
readily view it.
9. ACCESS CONTROL SECURITY
9.1. Data Access Control
9.1.1. Access to information shall not be allowed unless authorised by the relevant
information owners.
9.1.2. Data access rights shall be granted to users based on a need-to-know basis.
9.1.3. Data access rights shall be clearly defined and reviewed periodically. Records
for access rights approval and review shall be maintained.
9.1.4. Access to Information Systems containing information classified
CONFIDENTIAL or above shall be restricted by means of logical access
control.
9.2. Authentication
9.2.1. Access to classified information without appropriate authentication shall not be
allowed.
9.2.2. Authentication shall be performed in a manner commensurate with the
sensitivity of the information to be accessed.
9.2.3. The number of consecutive unsuccessful log-in attempts shall be controlled.
9.3. Privacy
9.3.1. CEDD's management reserves the right to examine all information stored in or
transmitted by Government Information Systems in accordance with the
Personal Data (Privacy) Ordinance.
9.4. User Identification
9.4.1. Each user identity (user-ID) shall uniquely identify only one user. Shared or
group user-IDs are not permitted unless explicitly approved by the DITSO.
9.4.2. Users are responsible for all activities performed with their user-IDs.
9.5. User Privileges Management
9.5.1. Procedures for approving, granting and managing user access including user
registration/de-registration, password delivery and password reset shall be
documented.
9.5.2. All accounts shall be revoked after a pre-defined period of inactivity.
9.5.3. User privileges shall be reviewed periodically.
9.5.4. The use of special privileges shall be restricted and controlled.
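The following is an added illustration (it is not part of the CEDD circular and not departmental code) of how clauses 9.2.3 and 9.5.2 are typically enforced in an authentication service: a counter of consecutive failed log-ins that locks the account at a threshold, and an inactivity clock that revokes accounts idle beyond a pre-defined period. The thresholds (5 attempts, 30-minute lock-out, 90 days of inactivity), the user-IDs and the secrets are assumptions chosen for the example; the actual values would come from the password policy the DITSO defines under 9.6.1.

```python
"""Account access controls for clauses 9.2.3 (limit on consecutive
unsuccessful log-ins) and 9.5.2 (revocation after inactivity).

Added example, not CEDD code. Thresholds below are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5                   # assumed: lock after 5 consecutive failures
LOCKOUT_PERIOD = timedelta(minutes=30)    # assumed: lock-out duration
INACTIVITY_LIMIT = timedelta(days=90)     # assumed: pre-defined inactivity period (9.5.2)


def _fingerprint(secret: str) -> bytes:
    # Stand-in so the example never keeps the plaintext; a production system
    # stores a salted, slow password hash as required by 9.6.3.
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class Account:
    user_id: str
    fingerprint: bytes
    last_activity: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    revoked: bool = False


class AccessController:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user_id: str, secret: str, now: datetime) -> None:
        # One user-ID identifies exactly one user (9.4.1).
        if user_id in self.accounts:
            raise ValueError(f"user-ID {user_id!r} already exists")
        self.accounts[user_id] = Account(user_id, _fingerprint(secret), now)

    def login(self, user_id: str, secret: str, now: datetime) -> str:
        """Return 'ok', 'denied', 'locked' or 'revoked'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Same answer as a wrong password, so the response does not
            # reveal which user-IDs exist.
            return "denied"
        if acct.revoked:
            return "revoked"
        if now - acct.last_activity > INACTIVITY_LIMIT:
            acct.revoked = True               # 9.5.2: revoke after inactivity
            return "revoked"
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(_fingerprint(secret), acct.fingerprint):
            acct.failed_attempts += 1         # 9.2.3: count consecutive failures
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_PERIOD
                acct.failed_attempts = 0
                return "locked"
            return "denied"
        # Successful log-in: counters reset and the inactivity clock restarts.
        acct.failed_attempts = 0
        acct.locked_until = None
        acct.last_activity = now
        return "ok"

    def revoke_inactive(self, now: datetime) -> List[str]:
        """Periodic review (9.5.3): revoke every account idle beyond the limit."""
        revoked = []
        for acct in self.accounts.values():
            if not acct.revoked and now - acct.last_activity > INACTIVITY_LIMIT:
                acct.revoked = True
                revoked.append(acct.user_id)
        return sorted(revoked)
```

Two points are worth noting in the design: a successful log-in after the lock-out resets the failure counter, so a legitimate user is not penalised for an old burst of failures, and the inactivity check runs both on each log-in attempt and in a scheduled review, so an account that is never used again is still caught by the periodic review required by 9.5.3.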
9.6. Password Management
9.6.1. The DITSO shall define a strict password policy that details at least, minimum
password length, initial assignment, restricted words and format, password life
cycle, and include guidelines on suitable system and user password selection.
9.6.2. Passwords shall not be shared or divulged unless necessary (e.g., helpdesk
assistance, shared PC and shared files). The risk of sharing passwords is that it
increases the probability of security being compromised. If passwords must be
shared, explicit approval from the DITSO shall be obtained. Besides, the shared
passwords should be changed promptly when the need no longer exists and
should be changed frequently if sharing is required on a regular basis.
9.6.3. Passwords shall always be well protected when held in storage. Passwords shall
be encrypted when transmitted over an un-trusted communication network.
Compensating controls shall be applied to reduce the risk exposure to an
acceptable level if encryption is not implementable.
9.6.4. Staff are prohibited from capturing or otherwise obtaining passwords,
decryption keys, or any other access control mechanism, which could permit
unauthorised access.
9.6.5. All vendor-supplied default passwords shall be changed before any Information
System is put into operation.
9.6.6. All passwords shall be promptly changed if they are, or are suspected of being,
compromised, or if they have been disclosed to vendors for maintenance and support.
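As an added example (not part of the circular and not CEDD's own implementation), the checks below show the shape of the password policy that 9.6.1 asks the DITSO to define, together with the protected storage of 9.6.3 and the vendor-default check of 9.6.5. The minimum length, maximum age, character-class rule, restricted-word list and the list of vendor defaults are all assumptions chosen for illustration; the PBKDF2 work factor is likewise an assumed value.

```python
"""Password policy checks for clause 9.6.1 (length, restricted words,
format, life cycle), protected storage for 9.6.3 and the vendor-default
check for 9.6.5. Added example, not CEDD code; every threshold and word
list below is an assumption standing in for the DITSO's actual policy.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                              # assumed minimum length
MAX_AGE = timedelta(days=90)                # assumed maximum password age
MIN_CHARACTER_CLASSES = 3                   # assumed format rule: 3 of 4 classes
RESTRICTED_WORDS = {"password", "cedd", "admin", "welcome"}                  # assumed list
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default", "12345678"}  # constructed sample
PBKDF2_ITERATIONS = 100_000                 # assumed work factor


def check_password_policy(candidate: str, user_id: str) -> List[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in lowered for word in RESTRICTED_WORDS):
        problems.append("contains a restricted word")
    if user_id.lower() in lowered:
        problems.append("contains the user-ID")
    classes = sum([
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password (9.6.3)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_expired(set_at: datetime, now: datetime) -> bool:
    """Life-cycle rule: a password older than MAX_AGE must be changed."""
    return now - set_at > MAX_AGE


def is_vendor_default(password: str) -> bool:
    """9.6.5: a default that shipped with the product must be changed before go-live."""
    return password.lower() in VENDOR_DEFAULTS
```

The stored string carries the algorithm name, the iteration count and the salt alongside the digest, so the work factor can be raised later and old entries re-hashed on the user's next successful log-in without a separate migration.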
9.7. Network Access Control
9.7.1. Prior approval from the DITSO is required to connect a departmental
Information System with another Information System under the control of
another bureau, department or organisation. The security level of the
Information Systems being connected shall not be downgraded. [A]
9.8. Mobile Computing and Remote Access
9.8.1. Staff shall note the usage policies and procedures specifying the security
requirements when using mobile computing and remote access. Appropriate
security measures shall be adopted to avoid unauthorised access to or disclosure
of the information stored and processed by these facilities. Authorised users
should be briefed on the security threats, and accept their security
responsibilities with explicit acknowledgement.
9.8.2. Staff are prohibited from connecting workstations and mobile devices to an
external network by means of a communication device, such as a dial-up modem,
wireless interface, or broadband link, if the workstations or mobile devices are
simultaneously connected to a Government internal network, unless with the
approval of the DITSO.
9.8.3. Security measures shall be in place to prevent unauthorised remote access to
Government information systems and data.
9.8.4. Unauthorised computer resources including those privately-owned shall not be
connected to Government internal network. If there is an operational necessity,
approval from the Director of Civil Engineering and Development should be
sought. Such usage of computer resources shall conform to the same IT security
requirements.
10. DATA SECURITY
10.1. Overall Data Confidentiality
10.1.1. Information about Information Systems that may compromise the security of
those systems shall not be disclosed to users, or any parties, except on a
need-to-know basis and only if authorised by the DITSO or the ITSA for the
system.
10.1.2. Staff shall not disclose information about the individuals, department or specific
systems that have suffered from damages caused by computer crimes and
computer abuses, or the specific methods used to exploit certain system
vulnerabilities, to any people other than those who are handling the incident and
responsible for the security of such systems, or authorised investigators
involved in the investigation of the crime or abuse.
10.1.3. Staff shall not disclose to any unauthorised persons the nature and location of
the Information Systems, and the information system controls that are in use or
the way in which they are implemented.
10.1.4. All stored information classified as CONFIDENTIAL or above shall be
encrypted. RESTRICTED information shall be encrypted when stored in
mobile devices or removable media assigned to individuals.
10.1.5. Staff shall comply with the Security Regulations in relation to Information
Systems including, but not limited to, storage, transmission, processing, and
destruction of classified information. Information without any security
classification should also be protected from unintentional disclosure.
10.1.6. The Personal Data (Privacy) Ordinance (Cap.486) shall be observed when handling
personal data. In accordance with Security Regulations 161(d)(iii), all personal
data should be classified RESTRICTED at least; depending on the nature and
sensitivity of the personal data concerned and the harm that could result from
unauthorised or accidental access, processing, erasure or other use of the
personal data, a higher classification and appropriate security measures may be
required.
10.2. Information Backup
10.2.1. Backups shall be carried out at regular intervals.
10.2.2. Backup activities shall be reviewed regularly.
10.2.3. Integrity copies of backups shall be stored at a remote distance from the system
and be protected. Backup media should also be protected against unauthorised
access, misuse or corruption during transportation.
11. APPLICATION SECURITY
11.1. Application Development & Maintenance
11.1.1. Application development staff shall include security planning and implement
the appropriate security measures and controls for system under development
according to the systems' security requirements.
11.1.2. Documentation and listings of applications shall be properly maintained and
restricted on a need-to-know basis.
11.1.3. Formal testing and review on the security measures shall be performed prior to
implementation.
11.1.4. The integrity of an application shall be maintained with appropriate security
measures such as version control mechanism and separation of environments for
development, system testing, acceptance testing, and live operation.
11.1.5. Application development staff shall not be permitted to access production
information unless necessary.
11.1.6. Test data shall be carefully selected, protected and controlled commensurate
with its classification. Use of test data extracted from production shall be
avoided. If genuinely required, the process should be reviewed, documented and
approved by Information/System Owner.
11.2. Configuration Management & Control
11.2.1. Change control procedures for requesting and approving program/system
changes shall be documented.
11.2.2. Installation of all computer equipment and software shall be done under control
and audit.
11.2.3. Staff shall be advised of the impact of security changes and usage on
Information Systems.
12. COMMUNICATIONS & OPERATIONS SECURITY
12.1. Operations Management
12.1.1. There shall be sufficient segregation of duties where practicable to avoid
execution of all security functions of an Information System by a single
individual.
12.1.2. Information systems shall be managed using the principle of least functionality
with all unnecessary services or components removed or restricted.
12.1.3. Changes affecting existing security protection mechanisms shall be carefully
considered.
12.1.4. Operational and administrative procedures for information systems shall be
properly documented, followed, and reviewed periodically.
12.2. General Network Protection
12.2.1. Internal network addresses, configurations and related system or network
information shall be properly maintained and shall not be publicly released
without the approval of the DITSO.
12.2.2. All internal networks with connections to other Government networks or
publicly accessible computer networks shall be properly protected.
12.2.3. Proper configuration and administration of information / communication
systems is required and shall be reviewed regularly.
12.2.4. Connections and links made to other networks shall not compromise the security
of CEDD's Information Systems or of those on the connected/linked network.
12.2.5. CONFIDENTIAL / RESTRICTED information shall be encrypted when
transmitted over an un-trusted communication network.
12.2.6. TOP SECRET / SECRET information shall be transmitted only under
encryption and inside an isolated LAN approved by Government Security
Officer subject to the technical endorsement of OGCIO.
12.3. Internet Security
12.3.1. Staff shall access the Internet through the centrally arranged Internet gateways,
the Central Internet Gateway (CIG) or CEDD's Internet gateway conforming to
OGCIO security standards. In circumstances where this is not feasible, or having
regard to the mode of use [1], the DITSO may consider allowing Internet access
through stand-alone machines, if appropriate security control mechanisms are
implemented.
12.3.2. The DITSO may consider the value versus the inconvenience of implementing
technologies to block non-business web sites where necessary. The ability to
connect to a specific web site does not in itself imply that users of systems are
permitted to visit that site.
12.3.3. All software and files downloaded from the Internet shall be screened and
verified with anti-virus software.
12.3.4. Staff should not execute mobile code or software downloaded from the Internet
unless the code is from a known and trusted source.
12.4. Electronic Messaging Security
12.4.1. LAN/Systems administrators shall establish and maintain a systematic process
for the recording, retention, and destruction of electronic mail messages and
accompanying logs. [A]
12.4.2. Internal email address lists containing entries for authorised users or
Government sites shall be properly maintained and protected from unauthorised
access and modification.
12.4.3. Email transmission of classified information shall be transmitted only on an
Information System approved by the Government Security Officer subject to the
technical endorsement of OGCIO. Email transmission of TOP SECRET /
SECRET information shall also follow the condition as stipulated in 12.2.6.
12.4.4. Electronic messages from suspicious sources should not be opened or
forwarded.
12.5. Protection Against Computer Virus and Malicious Code
12.5.1. Anti-virus protection shall be enabled on all local area network servers, personal
computers, mobile devices, and computers connecting to the Government
internal network via remote access channel.
12.5.2. LAN/System Administrators shall protect their Information Systems from
computer viruses and malicious codes. Virus signatures, malicious code
definitions as well as their detection and repair engines shall be updated
regularly and whenever necessary.
[1] Such modes of use may include, for example, Internet surfing, e-mail exchange, and the use of official,
portable computers while on business. The relevant standalone machines must still be protected by any
applicable security mechanisms.
12.5.3. Storage media and files from unknown source or origin shall not be used unless
the storage media and files have been checked and cleaned for computer viruses
and malicious codes.
12.5.4. Users shall not intentionally write, generate, copy, propagate or execute
computer viruses or malicious codes, or be involved in introducing them.
12.6. Software and Patch Management
12.6.1. LAN/System Administrators shall protect their Information Systems from
known vulnerabilities by applying the latest security patches recommended by
the product vendors or implementing other compensating security measures.
12.6.2. Computers and networks shall only run software that comes from trustworthy
sources.
12.6.3. No unauthorised application software shall be loaded onto a Government
Information System without prior approval from officer as designated by the
department.
12.6.4. Before security patches are applied, proper risk evaluation and testing should be
conducted to minimize the undesirable effects to the Information Systems.
12.7. Wireless Security
12.7.1. LAN/System Administrators shall document, monitor, and control wireless
network with connection to Government internal network.
12.7.2. Users of wireless or mobile computing devices shall protect their devices
against loss and theft.
12.7.3. Proper authentication and encryption security controls shall be employed to
protect data communication over wireless with connection to the Government
internal network.
12.7.4. Users of wireless or mobile computing devices shall ensure that their devices do
not contain computer viruses and malicious codes.
12.8. Monitoring
12.8.1. LAN/System Administrators shall log activities of production Information
Systems under their control according to the business needs and data
classification.
12.8.2. Any log kept shall provide sufficient information to support comprehensive
audits of the effectiveness of, and compliance with, security measures.
12.8.3. Logs shall be retained for a period commensurate with their usefulness as an
audit tool. During this period, such logs shall be secured such that they cannot
be modified, and can only be read by authorised persons.
12.8.4. Logs shall not be used to profile the activity of a particular user unless it relates
to a necessary audit activity supported by a Directorate officer.
12.8.5. Regular checking on log records, especially on system/application where
classified information is processed/stored, shall be performed, not only on the
completeness but also the integrity of the log records. All system and
application errors which are suspected to be triggered as a result of security
breaches shall be reported and logged.
12.8.6. Clock synchronisation should be configured to keep clocks of Information
Systems in sync.
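Clauses 12.8.3 and 12.8.5 require that retained logs cannot be modified and that their completeness and integrity are checked. One common way to make a log tamper-evident is a hash chain: each record carries the hash of the record before it, and the current chain head is copied to a separate write-once store. The example below is added here for illustration and is not part of the circular or of any CEDD system; the record layout, the sample events and the user-ID are constructed for the example.

```python
"""Tamper-evident audit log for clauses 12.8.3 (logs cannot be modified),
12.8.5 (checks on completeness and integrity) and 14.1.2 (retention for
proof and tracing). Added example, not CEDD code; record format and
sample events are constructed.

Each record hashes over its own fields plus the previous record's hash,
so altering, removing or reordering any record breaks the chain there.
Anchoring the head hash outside the log (write-once media, a separate
host) defeats an attacker who rewrites the whole chain consistently.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64          # hash "before" the first record
_FIELDS = ("seq", "ts", "event", "prev")


def _digest(body: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


class HashChainedLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: Dict, timestamp: Optional[datetime] = None) -> Dict:
        # 12.8.6: timestamps come from a synchronised clock and are kept in UTC.
        ts = (timestamp or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "ts": ts, "event": event, "prev": prev}
        record = dict(body, hash=_digest(body))
        self.entries.append(record)
        return record

    def head(self) -> str:
        """Value to anchor externally, e.g. written to write-once media."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every hash; report the first record where the chain breaks."""
    prev = GENESIS_HASH
    for position, record in enumerate(entries):
        if record.get("seq") != position:
            return False, f"gap or reordering at position {position}"
        if record.get("prev") != prev:
            return False, f"record {position} does not chain to its predecessor"
        body = {key: record[key] for key in _FIELDS}
        if _digest(body) != record.get("hash"):
            return False, f"record {position} has been modified"
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "chain head differs from the anchored head"
    return True, "ok"
```

The verification distinguishes the failure modes an auditor cares about: an edited record fails its own digest, a missing or reordered record fails the sequence check, and records silently dropped from the end (or a whole chain rebuilt by someone with write access) are caught only by comparing against the externally anchored head, which is why the anchor must live somewhere the log writer cannot modify.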
13. SECURITY RISK ASSESSMENT & AUDITING
13.1. Security Risk Assessment
13.1.1. Security risk assessments for information systems and production applications
shall be performed at least once every two years. A security risk assessment
shall also be performed before production, and prior to major enhancements and
changes associated with these systems or applications.
13.1.2. Use of software and programs for performing security risk assessment shall be
restricted and controlled.
13.2. Security Auditing
13.2.1. Information/System Owners shall identify and document all relevant statutory,
regulatory and contractual requirements applicable to the operations of their
information systems.
13.2.2. Audits on Information Systems shall be performed periodically to ensure
compliance with IT security policies and effective implementation of security
measures. The selection of auditors and conduct of audits shall ensure
objectivity and impartiality of the audit process. Auditors shall not audit their
own work.
13.2.3. Use of software and programs for performing security audit shall be restricted
and controlled.
14. SECURITY INCIDENT MANAGEMENT
14.1. Security Incident Monitoring
14.1.1. LAN/System Administrators shall establish an incident detection and monitoring
mechanism to detect, contain and ultimately prevent security incidents.
14.1.2. LAN/System Administrators shall ensure that system logs and other supporting
information are retained for the proof and tracing of security incidents.
14.2. Security Incident Response
14.2.1. DITSO shall establish, document and maintain a security incident
handling/reporting procedure.
14.2.2. Staff shall be made aware of the security incident handling/reporting procedure
that is in place and shall observe and follow it accordingly.
14.2.3. Any observed or suspected security incidents or security problems in
information systems or services shall be reported immediately only to the
responsible party according to the incident handling procedure.
***End***