Guidelines & Standards

To facilitate your planning on information security management for your company, we have highlighted some useful guidelines that are recommended as effective security practices and internationally recognised standards related to information security.

• Government IT Security Policy and Guidelines
• Standards for Information Security
• IT Security References
• Selected Guidelines and References for Online Business
• Seals of Approval for Establishing Online Business

( To view and print the downloaded document, you need to use an Adobe Acrobat Reader. Please click here to download if necessary. )

Government IT Security Policy and Guidelines

The Government of HKSAR has issued a Baseline IT Security Policy and a series of guidelines related to IT security to provide references and guidance to Government bureaux and departments in respect of the protection of Government information systems. The related documents are obtainable through the hyperlinks provided below. Users should note that the documents are for general reference only and users are responsible to make their own assessment on the information provided and to obtain independent advice before acting on it.

• Baseline IT Security Policy - This document sets the baseline standards of IT security policy for Government bureaux/departments. It states what aspects are of paramount importance.

• IT Security Guidelines - This document introduces concepts relating to IT security and elaborates further on the Baseline IT Security Policy.

• Internet gateway Security Guidelines - This document acts as a supplementary document to IT Security Guidelines to provide guidelines on Internet gateway security.

• Security Risk Assessment & Audit Guidelines - This document acts as a supplementary document to IT Security Guidelines to give an introduction to a generic reference model for IT security risk assessment and security audit.

• Information Security Incident Handling Guidelines - This document acts as a supplementary document to IT Security Guidelines to provide reference for the planning and preparation for, the detection of, and the response to information security incidents.

There is increasing public concern about the security of information passing through public Wi-Fi networks. To address such a concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines are developed jointly with the industry and the relevant professional bodies.

• Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service - A set of guidelines on security for public Wi-Fi service.

Standards for Information Security

• ISO 27001 - Requirements for information security management systems.

• ISO 27002 - A code of practice for information security management.

• British Standard 7799 Part 3 - Guidelines for information security risk management.

• COBIT - The Control Objectives for Information and related Technology (COBIT) is a control framework first released by the IT Governance Institute (ITGI) in 1995. The latest update was version 4.1 which was published in 2007. COBIT links IT initiatives to business requirements, organises IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.
  URL: http://www.itgi.org
  

• ITIL (or ISO/IEC 20000 series) - The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard within ITSM.
  URL: http://ogc.gov.uk

• Trusted Computer System Evaluation Criteria (TCSEC) or called the Orange Book - Classification on security requirements based on evaluation of functionality, effectiveness and assurance of mostly operating systems for mainly government and military sectors. TCSEC was introduced in 1985 and retired in 2000.

• Information Technology Security Evaluation Criteria (ITSEC) - the first single standard for evaluating security attributes of computer systems by European countries and used only in Europe.
  URL: http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1

• Common Criteria (also known as ISO/IEC 15408) - combine and align existing and emerging evaluation criteria with a collaborative effort among national security standards organisations of Canada, France, Germany, Japan, Netherlands, Spain, UK and US.
  URL: www.commoncriteriaportal.org

• Common Criteria Evaluation and Validation Scheme (CCEVS) - This scheme establishes a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.

• ISO/IEC 13335 (IT Security Management) - ISO/IEC 13335 was initially a Technical Report (TR) before becoming a full ISO/IEC standard. It consists of a series of guidelines for technical security control measures

• Payment Card Industry Data Security Standard - The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
  URL: https://www.pcisecuritystandards.org/security_standards/

• ISO 7498, Open System Interconnection Model - The ISO 7498, Open System Interconnection Model standard is currently available in 4 parts: Part 1 The Basic Model, Part 2 Security Architecture, Part 3 Naming and Addressing, and Part 4 Management Framework.
  

IT Security References

• Computer Security Incident Handling Guide (SP 800-61) NIST (National Institute of Standards and Technology).

• The SANS Security Policy Project

• RFC 2196 Site Security Handbook, from IETF (The Internet Engineering Task Force).

• RFC 2350 Expectations for Computer Security Incident Response, from IETF (The Internet Engineering Task Force).

• SANS Top-20 Security Risks - The list includes 20 vulnerabilities organised into different categories according to their affected areas such as vulnerabilities that affect operating systems and those that affect network devices.

• ISACA's Standards, Guidelines and Procedures - The Standards Board of Information Systems Audit and Control Association issues a series of information systems auditing standards, guidelines and procedures.

• Health Insurance Portability and Accountability Act (HIPAA) - The US government has enforced the HIPPA act in order to enact their national Standards for Privacy of Individuals Identifiable Health Information.

Selected Guidelines and References for Online Business

There are some basic guidelines that you need to pay attention and adhere to when running an online business.

Seals of Approval for Establishing Online Business

The Internet provides the most convenient platform for border-less and round-the-clock business activities. However, most Internet users still lack confidence in using the medium for business transaction. One of the most effective ways to gain trust from customers and build up recognition for your online business is to obtain a Seal of Approval from an independent verification organisation. There are some international Seals of Approval programs available in the market providing such verification and here are some examples:

• WebTrust
  
• TRUSTe

WebTrust

WebTrust in Hong Kong

The WebTrust program is:

• A set of e-Commerce standards comprised of prevailing best practices and requirements from around the world;
  
• Independent verification that a site meets the standards;
  
• An internationally recognised WebTrust Seal means that an online business meets the stringent standards

An online site that has a WebTrust seal means that the company has passed the WebTrust examination by a licensed Certified Public Accountant (CPA), Chartered Accountant, or equivalent. Hong Kong Institute of Certified Public Accountants is one of international affiliates of the program.

Under the WebTrust program, the online company is periodically examined by a WebTrust licensed CPA to ensure compliance with the current WebTrust principles including:

• On-line privacy
  
• Security
  
• Business practices and transaction integrity
  
• Availability
  
• WebTrust for Certification Authorities

TRUSTe 

TRUSTe is a privacy seal, or called a "trustmark", is an online branded seal that takes users directly to the privacy statement of an approved website. The trustmark is awarded to websites that adhere to the privacy principles and comply with the oversight and consumer resolution process. By displaying the trustmark, a website is telling consumers up front that it has made a commitment to communicating its privacy practices openly. A displayed trustmark signifies to users that the website will openly share, at least, the following:

• What personal information is being gathered
  
• How it will be used
  
• With whom it will be shared
  
• Who is gathering the information
  
• What options the user has
  
• What security procedures are in place to prevent misuse or loss
  
• How users can correct information to control its dissemination