To facilitate your planning on information security management for your company, we have highlighted some useful guidelines that are recommended as effective security practices and internationally recognised standards related to information security.
The Government of HKSAR has issued a Baseline IT Security Policy and a series of guidelines related to IT security to provide references and guidance to Government bureaux and departments in respect of the protection of Government information systems. The related documents are obtainable through the hyperlinks provided below. Users should note that the documents are for general reference only; users are responsible for making their own assessment of the information provided and for obtaining independent advice before acting on it.
Baseline IT Security Policy - This document sets the baseline standards of IT security policy for Government bureaux/departments. It states what aspects are of paramount importance.
IT Security Guidelines - This document introduces concepts relating to IT security and elaborates further on the Baseline IT Security Policy.
Internet gateway Security Guidelines - This document acts as a supplementary document to IT Security Guidelines to provide guidelines on Internet gateway security.
Security Risk Assessment & Audit Guidelines - This document acts as a supplementary document to IT Security Guidelines to give an introduction to a generic reference model for IT security risk assessment and security audit.
There is increasing public concern about the security of information passing through public Wi-Fi networks. To address such a concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines are developed jointly with the industry and the relevant professional bodies.
ISO 27001 - Requirements for information security management systems.
ISO 27002 - A code of practice for information security management.
British Standard 7799 Part 3 - Guidelines for information security risk management.
COBIT - The Control Objectives for Information and related Technology (COBIT) is a control framework first released by the IT Governance Institute (ITGI) in 1995. The latest update was version 4.1, which was published in 2007. COBIT links IT initiatives to business requirements, organises IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.
ITIL (or ISO/IEC 20000 series) - The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM). It focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard within ITSM.
Trusted Computer System Evaluation Criteria (TCSEC), also called the Orange Book - Classification of security requirements based on evaluation of the functionality, effectiveness and assurance of mostly operating systems, mainly for the government and military sectors. TCSEC was introduced in 1985 and retired in 2000.
Information Technology Security Evaluation Criteria (ITSEC) - The first single standard for evaluating security attributes of computer systems by European countries, used only in Europe.
Common Criteria (also known as ISO/IEC 15408) - Combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Canada, France, Germany, Japan, the Netherlands, Spain, the UK and the US.
Common Criteria Evaluation and Validation Scheme (CCEVS) - This scheme establishes a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.
ISO/IEC 13335 (IT Security Management) - ISO/IEC 13335 was initially a Technical Report (TR) before becoming a full ISO/IEC standard. It consists of a series of guidelines for technical security control measures.
Payment Card Industry Data Security Standard - The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
ISO 7498, Open System Interconnection Model - The ISO 7498 Open System Interconnection Model standard is currently available in 4 parts: Part 1 The Basic Model, Part 2 Security Architecture, Part 3 Naming and Addressing, and Part 4 Management Framework.
National Information Security Technology Standard Specification - Consists of a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards include information security management, information security evaluation, authentication and authorisation, etc.
Technical Standards Relevant to Cloud Computing - Consists of a collection of technical standards relevant to Cloud Computing released by various international organisations. These standards include management, web services, security of cloud computing, etc.
Computer Security Incident Handling Guide (SP 800-61), from NIST (National Institute of Standards and Technology).
RFC 2196 Site Security Handbook, from IETF (The Internet Engineering Task Force).
RFC 2350 Expectations for Computer Security Incident Response, from IETF (The Internet Engineering Task Force).
SANS Top-20 Security Risks - The list includes 20 vulnerabilities organised into different categories according to their affected areas such as vulnerabilities that affect operating systems and those that affect network devices.
ISACA's Standards, Guidelines and Procedures - The Standards Board of Information Systems Audit and Control Association issues a series of information systems auditing standards, guidelines and procedures.
There are some basic guidelines that you need to pay attention to and adhere to when running an online business.
| Useful Guidelines & References | Details |
| --- | --- |
| Major Principles in OECD Guidelines for Consumer Protection in the Context of Electronic Commerce | Principles and good practices on e-commerce. |
| Electronic Transactions Ordinance | Concerns the legal status of electronic records and digital signatures used in electronic transactions, giving them the same status as their paper-based counterparts. |
| A Guide to Personal Data Privacy and Consumer Protection on the Internet | Published by the Hong Kong Productivity Council and supported by the Consumer Council and the Office of the Privacy Commissioner for Personal Data, on the protection of data privacy. |
| A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance (English only) | Compiled by the Hong Kong Computer Society (HKCS) with the support of the Office of the Privacy Commissioner for Personal Data (PCPD). It aims to help enterprises, especially IT Managers and Professionals, to protect personal data privacy. |
The Internet provides the most convenient platform for borderless and round-the-clock business activities. However, most Internet users still lack confidence in using the medium for business transactions. One of the most effective ways to gain trust from customers and build up recognition for your online business is to obtain a Seal of Approval from an independent verification organisation. There are some international Seal of Approval programs available in the market providing such verification; here are some examples:
The WebTrust program - An online site that displays a WebTrust seal has passed the WebTrust examination by a licensed Certified Public Accountant (CPA), Chartered Accountant, or equivalent. The Hong Kong Institute of Certified Public Accountants is one of the international affiliates of the program.
Under the WebTrust program, the online company is periodically examined by a WebTrust licensed CPA to ensure compliance with the current WebTrust principles including:
TRUSTe is a privacy seal, also called a "trustmark": an online branded seal that takes users directly to the privacy statement of an approved website. The trustmark is awarded to websites that adhere to the privacy principles and comply with the oversight and consumer resolution process. By displaying the trustmark, a website is telling consumers up front that it has made a commitment to communicating its privacy practices openly. A displayed trustmark signifies to users that the website will openly share, at least, the following:
Copyright 2002. The Government of the Hong Kong Special Administrative Region.