IT Security Standards and Best Practices
To facilitate your planning on information security management for your company, we have highlighted some internationally recognised information security standards, guidelines and effective security practices for reference.
Government IT Security Policy and Guidelines
The Government of HKSAR has issued a Baseline IT Security Policy and a series of guidelines related to IT security to provide references and guidance to Government bureaux and departments in respect of the protection of Government information systems. The related documents are obtainable through the hyperlinks provided below. Users should note that the documents are for general reference only; users are responsible for making their own assessment of the information provided and for obtaining independent advice before acting on it.
Baseline IT Security Policy - This document sets the baseline standards of IT security policy for Government bureaux/departments. It states which aspects are of paramount importance.
IT Security Guidelines - This document introduces concepts relating to IT security and elaborates further on the Baseline IT
Internet Gateway Security Guidelines - This document supplements the IT Security Guidelines by providing guidelines on Internet gateway security.
Security Risk Assessment & Audit Guidelines - This document supplements the IT Security Guidelines by introducing a generic reference model for IT security risk assessment and security audit.
Information Security Incident Handling Guidelines - This document supplements the IT Security Guidelines by providing a reference for the planning and preparation for, the detection of, and the response to information security
There is increasing public concern about the security of information passing through public Wi-Fi networks. To address this concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines were developed jointly with the industry and the relevant professional bodies.
IT Governance Standards and Best Practices
ISO 27001 - This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
ISO 27002 - This document is the code of practice for information security controls.
British Standard 7799 Part 3 - Guidelines for information security risk management published by BSI Group.
COBIT - The Control Objectives for Information and related Technology (COBIT) is a control framework for the governance and management of enterprise IT published by ISACA.
Common Criteria (also known as ISO/IEC 15408) - Combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Australia, Canada, France, Germany, Japan, the Netherlands, New Zealand, Spain, the UK and the US.
ITIL (or ISO/IEC 20000 series) - A collection of best practices in IT service management (ITSM); it focuses on the service processes of IT and considers the central role of the user.
National Information Security Technology Standard Specification - A collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards cover information security management, information security evaluation, authentication and authorisation, etc.
SANS Security Policy Resource - A set of resources for rapid development and implementation of information security policies.
Guidelines on Conducting Online Businesses and Activities
A Guide to Personal Data Privacy and Consumer Protection on the Internet - The guide is published by the Hong Kong Productivity Council on the protection of data privacy.
Electronic Transactions Ordinance - It gives electronic records and digital signatures used in electronic transactions the same legal status as their paper-based counterparts.
Guidance for Data Users on the Collection and Use of Personal Data through the Internet - The guidance is prepared by the Privacy Commissioner for Personal Data to assist organisations in complying with the Hong Kong Personal Data (Privacy) Ordinance.
Major Principles in OECD Guidelines for Consumer Protection in the Context of Electronic Commerce - The guideline lists the principles and good practices for e-commerce.
OWASP Top Ten Project - A document on web application security representing a broad consensus about the most critical web application security flaws.
Payment Card Industry Data Security Standard - A standard developed by a number of major credit card companies (including American Express, MasterCard Worldwide and Visa International) to enhance payment account data security.
RFC 2196 Site Security Handbook, from the IETF (Internet Engineering Task Force) - The handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet.
Technical Standards Relevant to Cloud Computing - A collection of technical standards relevant to cloud computing released by various international organisations. These standards cover management, web services, security of cloud computing, etc.
TRUSTe - Under the program, a privacy seal (a "trustmark") is awarded to websites that adhere to the privacy principles and comply with the oversight and consumer resolution process.
WebTrust program - Under the program, a WebTrust seal on a website means the company complies with the WebTrust principles, including online privacy, security, business practices and transaction integrity, availability, and WebTrust for Certification Authorities.
Guidelines on Safeguarding Data Privacy