Guidelines & Standards
To facilitate your planning on information security
management for your company, we have highlighted
some useful guidelines that are recommended as
effective security practices and internationally
recognised standards related to information security.
( To view and print the downloaded document,
you need to use an Adobe Acrobat Reader. Please
to download if necessary.
Government IT Security
Policy and Guidelines
The Government of HKSAR has issued a Baseline
IT Security Policy and a series of guidelines
related to IT security to provide references and
guidance to Government bureaux and departments
in respect of the protection of Government information
systems. The related documents are obtainable
through the hyperlinks provided below. Users should
note that the documents are for general reference
only and users are responsible to make their own
assessment on the information provided and to
obtain independent advice before acting on it.
Baseline IT Security Policy - This document
sets the baseline standards of IT security
policy for Government bureaux/departments.
It states what aspects are of paramount importance.
IT Security Guidelines - This document
introduces concepts relating to IT security
and elaborates further on the Baseline IT
Internet gateway Security Guidelines -
This document acts as a supplementary document
to IT Security Guidelines to provide guidelines
on Internet gateway security.
Security Risk Assessment & Audit Guidelines
- This document acts as a supplementary document
to IT Security Guidelines to give an introduction
to a generic reference model for IT security
risk assessment and security audit.
Information Security Incident Handling Guidelines
- This document acts as a supplementary document
to IT Security Guidelines to provide reference
for the planning and preparation for, the detection
of, and the response to information security
There is increasing public concern about the
security of information passing through public
Wi-Fi networks. To address such a concern, the Communications Authority (CA)
has published a set of security guidelines for
public Wi-Fi service operators to follow. The
guidelines are developed jointly with the industry
and the relevant professional bodies.
for Information Security
27001 - Requirements for information security
27002 - A code of practice for information
British Standard 7799 Part 3 - Guidelines
for information security risk management.
COBIT - The Control Objectives for
Information and related Technology (COBIT)
is a control framework first released by the
IT Governance Institute (ITGI) in 1995. The
latest update was version 4.1 which was published
in 2007. COBIT links IT initiatives to business
requirements, organises IT activities into
a generally accepted process model, identifies
the major IT resources to be leveraged and
defines the management control objectives
to be considered.
ITIL (or ISO/IEC 20000 series) -
The Information Technology Infrastructure
Library (ITIL) is a collection of best practices
in IT service management (ITSM), and focuses
on the service processes of IT and considers
the central role of the user. It was developed
by the United Kingdom's Office of Government
Commerce (OGC). Since 2005, ITIL has evolved
into ISO/IEC 20000, which is an international
standard within ITSM.
Computer System Evaluation Criteria (TCSEC)
or called the Orange Book - Classification
on security requirements based on evaluation
of functionality, effectiveness and assurance
of mostly operating systems for mainly government
and military sectors. TCSEC was introduced
in 1985 and retired in 2000.
Technology Security Evaluation Criteria (ITSEC)
- the first single standard for evaluating
security attributes of computer systems by
European countries and used only in Europe.
Common Criteria (also known as ISO/IEC
15408) - combine and align existing and
emerging evaluation criteria with a collaborative
effort among national security standards organisations
of Canada, France, Germany, Japan, Netherlands,
Spain, UK and US.
Criteria Evaluation and Validation Scheme
(CCEVS) - This scheme establishes
a national program for the evaluation of information
technology products for conformance to the
International Common Criteria for Information
Technology Security Evaluation.
(IT Security Management) - ISO/IEC
13335 was initially a Technical Report (TR)
before becoming a full ISO/IEC standard. It
consists of a series of guidelines for technical
security control measures
Payment Card Industry Data Security Standard
- The Payment Card Industry (PCI) Data Security
Standard (DSS) was developed by a number of
major credit card companies (including American
Express, Discover Financial Services, JCB,
MasterCard Worldwide and Visa International)
as members of the PCI Standards Council to
enhance payment account data security. The
standard consists of 12 core requirements,
which include security management, policies,
procedures, network architecture, software
design and other critical measures.
7498, Open System Interconnection Model
- The ISO 7498, Open System Interconnection
Model standard is currently available in 4
parts: Part 1 The Basic Model, Part 2 Security
Architecture, Part 3 Naming and Addressing,
and Part 4 Management Framework.
National Information Security Technology Standard Specification
- Consists of a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards include information security management, information security evaluation, authentication and authorisation, etc.
Technical Standards Relevant to Cloud Computing
- Consists of a collection of technical standards relevant to Cloud Computing released by various international organisations. These standards include management, web services, security of cloud computing, etc.
Selected Guidelines and References for Online Business
There are some basic guidelines that you need
to pay attention and adhere to when running an
Seals of Approval for Establishing Online Business
The Internet provides the most convenient platform
for border-less and round-the-clock business activities.
However, most Internet users still lack confidence
in using the medium for business transaction.
One of the most effective ways to gain trust from
customers and build up recognition for your online
business is to obtain a Seal of Approval from an independent verification organisation.
There are some international Seals of Approval
programs available in the market providing such
verification and here are some examples:
in Hong Kong
The WebTrust program is:
- A set of e-Commerce standards comprised of
prevailing best practices and requirements from
around the world;
- Independent verification that a site meets
- An internationally recognised WebTrust Seal
means that an online business meets the stringent
An online site that has a WebTrust seal means
that the company has passed the WebTrust examination
by a licensed Certified Public Accountant (CPA),
Chartered Accountant, or equivalent. Hong Kong
Institute of Certified
Public Accountants is one of international
affiliates of the program.
Under the WebTrust program, the online company
is periodically examined by a WebTrust licensed
CPA to ensure compliance with the current WebTrust
- On-line privacy
- Business practices and transaction integrity
- WebTrust for Certification Authorities
TRUSTe is a privacy seal, or called a "trustmark",
is an online branded seal that takes users directly
to the privacy statement of an approved website.
The trustmark is awarded to websites that adhere
to the privacy principles and comply with the
oversight and consumer resolution process. By
displaying the trustmark, a website is telling
consumers up front that it has made a commitment
to communicating its privacy practices openly.
A displayed trustmark signifies to users that
the website will openly share, at least, the
- What personal information is being gathered
- How it will be used
- With whom it will be shared
- Who is gathering the information
- What options the user has
- What security procedures are in place to prevent
misuse or loss
- How users can correct information to control