![Baseline IT Security Policy [S17] - GovCERT](/img/42/s17-v7-en.jpg)
Transcription
Office of the Government Chief Information OfficerINFORMATIONSECURITYBaseline IT Security Policy[S17]Version 7.0March 2021 Office of the Government Chief Information OfficerThe Government of the Hong Kong Special Administrative RegionThe contents of this document remain the property of and maynot be reproduced in whole or in part without the expresspermission of the Office of the Government Chief Information Officer
COPYRIGHT NOTICE 2021 by the Government of the Hong Kong Special Administrative RegionUnless otherwise indicated, the copyright in the works contained in this publication is ownedby the Government of the Hong Kong Special Administrative Region. You may generallycopy and distribute these materials in any format or medium provided the followingconditions are met –(a)(b)(c)(d)the particular item has not been specifically indicated to be excluded and is thereforenot to be copied or distributed;the copying is not done for the purpose of creating copies for sale;the materials must be reproduced accurately and must not be used in a misleadingcontext; andthe copies shall be accompanied by the words “copied/distributed with the permissionof the Government of the Hong Kong Special Administrative Region. All rightsreserved.”If you wish to make copies for purposes other than that permitted above, you should seekpermission by contacting the Office of the Government Chief Information Officer.
BASELINE IT SECURITY POLICYAMENDMENT HISTORYAmendment HistoryChangeNumberRevision Description1RevisionNumberDateThe Revision Report is available at thegovernment intranet portal ITG InfoStation2.0April 20032Change “Information Technology ServicesDepartment” (or “ITSD”) to “Office of theGovernment Chief Information Officer”(or “OGCIO”)2.1July 20043Change “HKCERT/CC” to “HKCERT” asthe revised acronym for Hong KongComputer Emergency Response TeamCoordination Centre2-2,2-32.2September20044Updates were made accordingly to complywith the revised government securityrequirements.11-1,11-22.3November20045The Revision Report is available at thegovernment intranet portal ITG InfoStation3.0May 20066Updated section 8.3.1 and 9.1.6 forobservance of Personal Data (Privacy)Ordinance.3.1November20087The Revision Report is available at thegovernment intranet portal ITG InfoStation4.0December20098The Revision Report is available at thegovernment intranet portal ITG InfoStation5.0September20129The Revision Report is available at thegovernment intranet portal ITG InfoStation6.0December201610The Revision Report is available at thegovernment intranet portal Ref. No. : S17PagesAffected8-1,9-1ii-1
BASELINE IT SECURITY POLICYCONTENTSTABLE OF CONTENTS1.PURPOSE. 12.SCOPE. 22.1.2.2.2.3.APPLICABILITY. 2TARGET AUDIENCE. 2GOVERNMENT IT SECURITY DOCUMENTS. 33.NORMATIVE REFERENCES. 54.DEFINITIONS AND CONVENTIONS. 64.1.4.2.DEFINITIONS. 6CONVENTIONS75. GOVERNMENT ORGANISATION STRUCTURE ON INFORMATIONSECURITY. 85.1.5.2.5.3.GOVERNMENT INFORMATION SECURITY MANAGEMENT FRAMEWORK. 8DEPARTMENTAL IT SECURITY ORGANISATION. 11OTHER ROLES. 136.CORE SECURITY PRINCIPLES. 157.MANAGEMENT RESPONSIBILITIES. 177.1.8.GENERAL MANAGEMENT. 17IT SECURITY POLICIES. 188.1.9.MANAGEMENT DIRECTION FOR IT SECURITY. 18HUMAN RESOURCE SECURITY. 199.1.10.NEW, DURING OR TERMINATION OF EMPLOYMENT. 19ASSET MANAGEMENT. 2010.1.10.2.10.3.11.ACCESS CONTROL. 2211.1.11.2.11.3.11.4.11.5.11.6.12.BUSINESS REQUIREMENTS OF ACCESS CONTROL. 22USER ACCESS MANAGEMENT. 22USER RESPONSIBILITIES. 22SYSTEM AND APPLICATION ACCESS CONTROL. 23MOBILE COMPUTING AND REMOTE ACCESS. 23IOT DEVICES. 23CRYPTOGRAPHY. 2412.1.13.RESPONSIBILITY FOR ASSETS. 20INFORMATION CLASSIFICATION. 20STORAGE MEDIA HANDLING. 21CRYPTOGRAPHIC CONTROLS. 24PHYSICAL AND ENVIRONMENTAL SECURITY. 25Ref. No. : S17iii-1
BASELINE IT SECURITY POLICY13.1.13.2.14.SECURE AREAS. 25EQUIPMENT. 25OPERATIONS SECURITY. ONAL PROCEDURES AND RESPONSIBILITIES. 27PROTECTION FROM MALWARE. 27BACKUP. 28LOGGING AND MONITORING. 28CONTROL OF OPERATIONAL ENVIRONMENT. 28TECHNICAL VULNERABILITY MANAGEMENT. 29COMMUNICATIONS SECURITY. 3015.1.NETWORK SECURITY MANAGEMENT. 3015.2 INFORMATION TRANSFER. 3116.SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE. 3216.1.16.2.16.3.17.OUTSOURCING SECURITY. 3317.1.17.2.17.3.18.IT SECURITY CONTINUITY. 35RESILIENCE. 35COMPLIANCE. 3620.1.20.2.21.MANAGEMENT OF SECURITY INCIDENTS AND IMPROVEMENTS. 34IT SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT. 3519.1.19.2.20.IT SECURITY IN OUTSOURCING SERVICE. 33OUTSOURCING SERVICE DELIVERY MANAGEMENT. 33PUBLIC CLOUD SERVICES. 33SECURITY INCIDENT MANAGEMENT. 3418.1.19.SECURITY REQUIREMENTS OF INFORMATION SYSTEMS. 32SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES. 32TEST DATA. 32COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS. 36SECURITY REVIEWS. 36CONTACT. 37Ref. No. : S17iii-2
BASELINE IT SECURITY POLICY1.PURPOSEPURPOSEWith the effective use of Internet services and general adoption of cloud and mobilecomputing, the security and survivability of information systems are essential to theeconomy and the society. Our increasing dependence on IT for office works andpublic services delivery has brought new business focus that the key informationsystems and data we rely on have to be secure and actively protected for the smoothoperations of all government bureaux and departments (B/Ds), underpinning publicconfidence, security and privacy are fundamental to the effective, efficient and safeconduct of government business.This document outlines the mandatory minimum security requirements for theprotection of all HKSAR Government's information systems and data assets. B/Dsshall develop, document, implement, maintain and review appropriate securitymeasures to protect their information systems and data assets by: Establishing appropriate IT security policy, planning and governance within theB/D in line with this document, including adopting all frameworks andrequirements;Ensuring appropriate security measures are implemented as detailed in thisdocument;Ensuring regular review on continuing suitability, adequacy and effectiveness ofthe security measures; andImproving the suitability, adequacy and effectiveness of the security measures.The security requirements in this document are designed to be technology neutral.The policy requirements focus on the fundamental objectives and controls to protectinformation during processing, while in storage, and during transmission.Ref. No. : S171
BASELINE IT SECURITY POLICY2.SCOPE2.1.ApplicabilitySCOPEThis document adopts and adapts the security areas and controls specified in theInternational Organization for Standardization (ISO) and the InternationalElectrotechnical Commission (IEC) standards on information security managementsystems (ISO/IEC 27001:2013) and code of practice for information securitycontrols (ISO/IEC 27002:2013). This document addresses mandatory securityconsiderations in the following 14 areas: Management responsibilities (see section 7);IT security policies (see section 8);Human resource security (see section 9);Asset management (see section 10);Access control (see section 11);Cryptography (see section 12);Physical and environmental security (see section 13);Operations security (see section 14);Communications security (see section 15);System acquisition, development and maintenance (see section 16);Outsourcing security (see section 17);Security incident management (see section 18);IT security aspects of business continuity management (see section 19); andCompliance (see section 20)This document sets the minimum security requirements. B/Ds need to applyenhanced security measures, appropriate to their circumstances and commensuratewith the determined risks.2.2.Target AudienceThe policy statements are developed for all levels of staff acting in different roleswithin B/Ds, including management staff, IT administrators, and general IT endusers. It is the responsibility for ALL staff to read through the entire document tounderstand and follow IT security policies accordingly.In addition, the document is intended for reference by the vendors, contractors andconsultants who provide IT services to the Government.Ref. No. : S172
BASELINE IT SECURITY POLICY2.3.SCOPEGovernment IT Security DocumentsThe Government has promulgated a set of security regulations and government ITsecurity policy and guidelines to assist B/Ds in formulating and implementing theirIT security policies and control measures to safeguard government’s informationsecurity. B/Ds shall comply with the policy requirements in both the SecurityRegulations (SR) and the Baseline IT Security Policy (S17), and follow theimplementation guidance in the IT Security Guidelines (G3) and the relevantpractice guides. These security documents are indispensable references forinformation security management.The following diagram describes the relationship of various IT security documentswithin the Government:Security RegulationsGovernment IT Security Policy and GuidelinesSecurityRegulations(SR)BaselineIT SecurityPolicy(S17)IT SecurityGuidelines(G3)Practice ySecurity RiskAssessment& AuditData obileSecurityWebsite andWebApplicationSecurityPenetrationTestingSecure Useof USBStorageDevices Departmental IT Security Policies, Procedures and GuidelinesDepartmentalIT gProcedureStandardOperatingProceduresGuidelines 2.3.1. Security RegulationsSecurity Regulations, authorised by Security Bureau, provides directives on whatdocuments, material and information need to be classified and to ensure that they aregiven an adequate level of protection in relation to the conduct of governmentbusiness.Ref. No. : S173
BASELINE IT SECURITY POLICYSCOPE2.3.2. Government IT Security Policy and GuidelinesThe Government IT Security Policy and Guidelines, established by the Office of theGovernment Chief Information Officer, aim at providing a reference to facilitate theimplementation of information security measures to safeguard information assets.They are made heavy reference to the recognised International standards oninformation security management systems (ISO/IEC 27001:2013) and code ofpractice for information security controls (ISO/IEC 27002:2013).The Government IT Security Policy and Guidelines set out the minimum standardsof security requirements and provide guidance on implementing appropriate securitymeasures to protect the information assets and information systems.Baseline IT Security Policy(S17)A top-level directive statement that sets theminimum standards of a security specificationfor all B/Ds. It states what aspects are ofparamount importance to a B/D. Thus, theBaseline IT Security Policy can be treated asbasic rules which shall be observed asmandatory while there can still be otherdesirable measures to enhance the security.IT Security Guidelines(G3)Elaborates on the policy requirements and setsthe implementation standard on the securityrequirements specified in the Baseline ITSecurity Policy. B/Ds shall follow the ITSecurity Guidelines for effectiveimplementation of the security requirements.For topical issues and specific technical requirements, a series of practice guides aredeveloped to support the IT Security Guidelines. Supplementary documentsprovides guidance notes on specific security areas to assist B/Ds to address andmitigate risks brought by emerging technologies and security threats.All practice guides are available at the ITG InfoStation under the IT Security ThemePage corner/practices.shtml).2.3.3. Departmental IT Security Policies, Procedures and GuidelinesB/Ds shall formulate their own departmental IT policies, procedures and guidelinesbased on all the government security requirements and implementation guidancespecified in the Security Regulations and the Government IT Security Policy andGuidelines mentioned in Sections 2.3.1 and 2.3.2 above.Ref. No. : S174
BASELINE IT SECURITY POLICY3.NORMATIVE REFERENCESNORMATIVE REFERENCESa)Government of Hong Kong Special Administrative Region, “SecurityRegulations”b) Civil Service Bureau, “Civil Service Regulations”c)Information technology – Security techniques – Information securitymanagement systems – Requirements, ISO/IEC 27001: 2013, dated 1 October2013d) Information technology – Security techniques – Code of practice forinformation security controls, ISO/IEC 27002: 2013, dated 1 October 2013Ref. No. : S175
BASELINE IT SECURITY POLICYDEFINITIONS AND CONVENTIONS4.DEFINITIONS AND CONVENTIONS4.1.Definitionsa)Information SystemA related set of hardware and software organised forthe collection, processing, storage, communication, ordisposition of information.b) ConfidentialityOnly authorised persons are allowed to know or gainaccess to the information stored or processed byinformation systems in any aspects.c)Only authorised persons are allowed to make changesto the information stored or processed by informationsystems in any aspects.Integrityd) AvailabilityInformation System is accessible and usable upondemand by authorised persons.e)IT Security PolicyA documented list of management instructions thatdescribes in detail the proper use and management ofcomputer and network resources with the objective toprotect these resources as well as the informationstored or processed by information systems from anyunauthorised disclosure, modifications or destruction.f)Classified InformationRefers to the categories of information classified inaccordance with the Security Regulations.g) StaffA collective term used to describe all personnelemployed or whose service is acquired to work forthe Government, including all public officersirrespective of the employment period and terms,non-government secondees engaged throughemployment agencies, and other term contractservices personnel, etc., who may have differentaccessibility to classified information and are subjectto different security vetting requirements. Specificrequirements governing human resource security arefound in Section 9 of S17.h) Data CentreA centralised data processing facility that housesInformation Systems and related equipment. Acontrol section is usually provided that accepts workfrom and releases output to users.i)A dedicated room for housing computer equipment.Ref. No. : S17Computer Room6
BASELINE IT SECURITY POLICYj)MalwarePrograms intended to perform an unauthorisedprocess that will have an adverse impact on theconfidentiality, integrity, or availability of aninformation system. Examples of malware includecomputer viruses, worms, Trojan horses, and spywareetc.k) Mobile DevicesPortable computing and communication devices withinformation storage and processing capability.Examples include portable computers, mobilephones, tablets, digital cameras, and audio or videorecording devices.l)Portable electronic storage media such as magnetic,optical, and flash memory devices, which can beinserted into and removed from a computing device.Examples include external hard disks or solid-statedrives, floppy disks, zip disks, optical disks, tapes,memory cards, flash drives, and similar USB storagedevices.Removable Mediam) Internet of Things (IoT)Devices4.2.DEFINITIONS AND CONVENTIONSDevices that have network connectivity andcomputing capabilities, which functionautonomously to interact with the physicalenvironment by ways of sensing or actuation.ConventionsThe following is a list of conventions used in this documentShallShouldMayRef. No. : S17The use of the word ‘shall’ indicates a mandatory requirement.The use of the word ‘should’ indicates a best practice, which should beimplemented whenever possible.The use of the word ‘may’ indicates a desirable best practice.7
BASELINE IT SECURITY POLICYGOVERNMENT ORGANISATION STRUCTURE5.GOVERNMENT ORGANISATION STRUCTURE ONINFORMATION SECURITY5.1.Government Information Security Management FrameworkTo coordinate and promote IT security in the Government, an Information SecurityManagement Framework comprising the following four parties has been established: Information Security Management Committee (ISMC)IT Security Working Group (ITSWG)Government Information Security Incident Response Office (GIRO)Bureaux/DepartmentsGovernment Information Security Management FrameworkThe roles and responsibilities of each party are explained in details in the followingsections.Ref. No. : S178
BASELINE IT SECURITY POLICYGOVERNMENT ORGANISATION STRUCTURE5.1.1. Information Security Management Committee (ISMC)A central organisation, the Information Security Management Committee (ISMC)was established in April 2000 to oversee IT security within the whole government.The committee meets on a regular basis to: Review and endorse changes to the Government IT security related regulations,policies and guidelines;Define specific roles and responsibilities relating to IT security; andProvide guidance and assistance to B/Ds in the enforcement of IT securityrelated regulations, policies, and guidelines through the IT Security WorkingGroup (ITSWG).The core members of ISMC comprise representatives from: Office of the Government Chief Information Officer (OGCIO)Security Bureau (SB)Representative(s) from other B/Ds will be co-opted into the Committee on a needbasis, in relation to specific subject matters.5.1.2. IT Security Working Group (ITSWG)The IT Security Working Group (ITSWG) serves as the executive arm of the ISMCin the promulgation and compliance monitoring of Government IT security relatedregulations, policies and guidelines. The ITSWG was established in May 2000 andits responsibilities are to: Co-ordinate activities aimed at providing guidance and assistance to B/Ds in theenforcement of IT security related regulations, policies and guidelines;Monitor the compliance with the Baseline IT Security Policy at B/Ds;Define and review the IT security related regulations, policies and guidelines;andPromote IT security awareness within the Government.The core members of ITSWG comprise representatives from: Office of the Government Chief Information Officer (OGCIO)Security Bureau (SB)Hong Kong Police Force (HKPF)Chief Secretary for Administration’s Office (CSO)Representative(s) from other B/Ds will be co-opted into the Working Group on aneed basis, in relation to specific subject matters.Ref. No. : S179
BASELINE IT SECURITY POLICYGOVERNMENT ORGANISATION STRUCTURE5.1.3. Government Information Security Incident Response Office (GIRO)To handle information security incidents occurring in B/Ds, an Information SecurityIncident Response Team (ISIRT) shall be established in each B/D. The GovernmentInformation Security Incident Response Office (GIRO) provides central coordination and support to the operation of individual ISIRTs of B/Ds. The GIROStanding Office serves as the executive arm of GIRO.The Government Computer Emergency Response Team Hong Kong(GovCERT.HK) was established in April 2015. In addition to collaborating withGIRO Standing Office in coordinating information and cyber security incidentswithin the Government, it also collaborates with the computer emergency responseteam community in sharing incident information and threat intelligence, andexchanging best practices with a view to strengthening information and cybersecurity capabilities in the region. GovCERT.HK has the following major functions: Disseminate security alerts on impending and actual threats to B/Ds; andAct as a bridge between the Hong Kong Computer Emergency Response TeamCoordination Centre (HKCERT) and other computer security incident responseteams (CSIRT) in handling cyber security incidents.The GIRO has the following major functions: Maintain a central inventory and oversee the handling of all information securityincidents in the Government;Prepare periodic statistics reports on government information security incidents;Act as a central office to coordinate the handling of multiple-point securityattacks (i.e. simultaneous attacks on different government information systems);andEnable experience sharing and information exchange related to informationsecurity incident handling among ISIRTs of different B/Ds.The core members of GIRO comprise representatives from: Office of the Government Chief Information Officer (OGCIO)Security Bureau (SB)Hong Kong Police Force (HKPF)5.1.4. Bureaux/DepartmentsBureaux and departments shall be responsible for the security protection of theirinformation assets and information systems. The roles and responsibilities of ITsecurity staff within a B/D are detailed in Section 5.2 - Departmental IT SecurityOrganisation.Ref. No. : S1710
BASELINE IT SECURITY POLICY5.2.GOVERNMENT ORGANISATION STRUCTUREDepartmental IT Security OrganisationThis section explains the individual roles and responsibilities of a departmental ITsecurity organisation. In order to have sufficient segregation of duties, multipleroles should not be assigned to an individual unless there is a resource limitation.The following diagram describes a sample departmental IT security managementframework:DepartmentalIT SecurityOfficerSeniorManagementIT alISIRTCommanderApplicationDevelopment &MaintenanceTeamUsersAn Example Organisation Chart for Departmental IT Security Management 15.2.1. Senior ManagementThe senior management of B/Ds shall have an appreciation of IT security, itsproblems and resolutions. His / her responsibilities include: Direct and enforce the development of security measures;Provide the necessary resources required for the measures to be implemented;andEnsure participation at all levels of management, administrative, technical andoperational staff, and provide full support to them.1 The actual IT Security Management structure may vary according to the circumstances of each organisation.Ref. No. : S1711
BASELINE IT SECURITY POLICYGOVERNMENT ORGANISATION STRUCTURE5.2.2. Departmental IT Security Officer (DITSO)Head of B/D shall appoint an officer from the senior management to be theDepartmental IT Security Officer (DITSO) and responsible for IT security.Directorate officer responsible for IT management of the B/D is consideredappropriate to take up the DITSO role. Depending on the size of the department,departmental grade officers at directorate grade who understand the B/D’s priorities,the importance of the B/D’s information systems and data assets, and the level ofsecurity that shall be achieved to safeguard B/Ds, are also considered suitable.SB and OGCIO will provide training to DITSOs to facilitate them in carrying outtheir duties. B/Ds should ensure that the designated DITSOs have duly receivedsuch training. The roles and responsibilities of DITSO shall be clearly definedwhich include but are not limited to the following: Establish and maintain an information protection program to assist all staff inthe protection of the information and information system they use;Establish proper security governance process to evaluate, direct, monitor andcommunicate the IT security related activities within the B/D;Lead in the establishment, maintenance and implementation of IT securitypolicies, standards, procedures and guidelines;Monitor, review and improve the effectiveness and efficiency of IT securitymanagement;Coordinate with other B/Ds on IT security issues;Disseminate security alerts on impending and actual threats from the GIRO toresponsible parties within the B/D;Ensure information security risk assessments and audits are performed asnecessary; andInitiate investigations and rectification in case of breach of security.5.2.3. Departmental Security Officer (DSO)The Head of B/D will designate a Departmental Security Officer (DSO) to performthe departmental security related duties. A DSO will take the role as an executiveto: Discharge responsibilities for all aspects of security for the B/D; andAdvise on the set up and review of the security policy.The DSO may take on the role of the DITSO. Alternatively, in those B/Ds wheresomeone else is appointed, the DITSO shall collaborate with the DSO to oversee theIT security of the B/D.Ref. No. : S1712
BASELINE IT SECURITY POLICYGOVERNMENT ORGANISATION STRUCTURE5.2.4. Departmental Information Security Incident Response Team (ISIRT)CommanderThe Departmental Information Security Incident Response Team (ISIRT) is thecentral focal point for coordinating the handling of information security incidentsoccurring within the respective B/D. Head of B/D should designate an officer fromthe senior management to be the ISIRT Commander. The ISIRT Commandershould have the authority to appoint core team members for the ISIRT. Theresponsibilities of an ISIRT Commander include: 5.3.Provide overall supervision and co-ordination of information security incidenthandling for all information systems within the B/D;Make decisions on critical matters such as damage containment, systemrecovery, the engagement of external parties and the extent of involvement, andservice resumption logistics after recovery etc.;Trigger the departmental disaster recovery procedure where appropriate,depending on the impact of the incident on the business operatio
security. B/Ds shall comply with the policy requirements in both the Security Regulations (SR) and the Baseline IT Security Policy (S17), and follow the implementation guidance in the IT Security Guidelines (G3) and the relevant practice guides. These security documents are indispensable references for information security management.
