Opening Address by Mr. Stephen Mak, JP Acting Government Chief Information Officer at the Information Security Awareness Seminar at the University of Hong Kong
3 March 2008


Professor Lee, Dr. Ho, Distinguished Speakers and Participants, Ladies and Gentlemen,

Good Afternoon! I am honoured to have the opportunity to address you at this Information Security Awareness Seminar.

Introduction

Last Wednesday, our Financial Secretary delivered his 2008 Budget Speech. He forecast a surplus of $115.6 billion in the Consolidated Account for 2007-08. He said he would focus on how to use the happily favourable outturn this year to address our present needs and to put us on a more secure footing to meet tomorrow's challenges.

Indeed, Hong Kong is a progressive, stable and free society. We are ranked 3rd in the World Competitiveness in 2007 by the International Institute for Management Development and 4th in Ease of Doing Business by the World Bank. One of the contributing factors to our achievements is the efficient and reliable business environment that we have built up over the years. Supporting this, we have an ICT-savvy population.

According to Hong Kong Domain Name Registration Company Limited (香港域名注册有限公司), there are over 152400 ".hk" domain names registered today. We are ranked 4th in e-readiness by the Economist Intelligence Unit (经济学人信息部) in 2007.

Nowadays, we are connected in one way or the other by means of various networks and communication channels. Yet they also arouse concerns over information security. For example, it is estimated that in 2007 about 90 billion spam emails and messages have been sent every day globally and some of them are used in connection with phishing or malicious software spreading.

IT Security in the University Environment

The university is a place for academic freedom and open exchange of information and ideas. With the use of the Internet and through various delivery channels, it provides a wide range of services for activities concerning administration, lecturing, collaboration, information dissemination, knowledge-sharing, publishing, innovation and research.

Security weaknesses may cause productivity loss, service disruption, sensitive information leakage, damage to the image of the university and various kinds of cyber crime. The "Educational Security Incidents - Year in Review" that examines all of the information security incidents occurring at colleges and universities around the world shows that in 2007, more than 1.2 million records containing sensitive and/or personal information had been exposed in 139 security incidents reported by 112 institutions around the world. Both the number of reported incidents and the number of institutions reporting a security incident had also increased in 2007.

The French bank - Societe Generale (法国兴业银行) had reportedly suffered losses of US$7.2 billion because of insufficient IT security. The potential financial and practical damage that can be brought about by security breaches in a campus environment would be no less than a typical, major corporation with international connections. Our ability to protect against security threats to the busy campus activities depends on our conscious efforts to put in place the necessary IT security governance and measures.

A secure electronic business environment needs the concerted efforts of all the stakeholders who can each play a useful role. Because of the new Internet culture, the responsibilities in information security range from security controls administration for a large system to the protection of one's own access password. A particular individual often has more than one role. Typically, the functions, roles and responsibilities can be grouped into administrator, service provider and user categories to oversee the university's IT security policy and governance framework; implement and support the operational facilities and incident handling activities.

Nowadays, our younger generation has developed a habit of searching the Web for just about everything. They are also experienced in using tools such as email, blogs, chat rooms and instant messaging. In strengthening information security, it is necessary to think beyond the traditional campus environment to consider access made from home and Internet cafe.

Below, I would like to highlight four key aspects to help provide a secure environment and raise the awareness of IT users on campus.

First, define the IT risk assessment and management strategy to discover and prioritize information security risks with an action plan to address all these risks by either containing or accepting them.

Second, establish a comprehensive security policy for implementation by senior officers and include regular security audits to ensure their compliance by all stakeholders.

Third, set up and drill on the security incident response procedures in order to develop and maintain the capability to manage incidents, minimize exposure and achieve timely recovery.

Last but not least, plan and launch a comprehensive training, education and awareness programme because this is the most cost-effective improvement in the overall security exercise. Kevin Mitnick, a computer hacker and convicted criminal in the United States, has said:

"The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education… my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully."

Ending Remarks

The Government is committed to building Hong Kong into a digital economy and world city. The University of Hong Kong, home to some of the most advanced computing facilities and a world class education environment, can leverage her capability to help achieve this target. Let me stop here and thank you for your attention. I am sure you will enjoy the rich programme lined up for today's seminar.

Thank you.

- END -

Last review date: 31 August 2008