Red flag raised over information security
Computer crimes are on the rise and the government should lead the way in guarding against network attacks that could harm the economy
THE RECENT FLURRY of reports concerning security breaches that have led to personal particulars being made freely available on the internet raises questions about information security practices in Hong Kong.
Following shareholder activist David Webb's discovery of a confidential file on 20,000 police complainants, reports have emerged of other information leaks, including data on more than 600 policyholders who had signed up with ING Life between 1984 and 2004.
Information technology sector legislator Sin Chung-kai said these recent events raised a red flag over information security management by both private companies and public bodies at a time when computer crime was growing.
According to the Hong Kong Police, there were 653 cases of computer crimes last year, up from 472 cases in 2004.
'This incident has been the alarm bell for Hong Kong's information infrastructure. It shows that if we fail to follow the latest international security developments, any network attacks could seriously damage our economy,' Mr Sin said.
Many companies were yet to adopt internationally recognised information security standards such as COBIT and ISO 17799, but the government should lead the way in promoting information security, he said.
'If the government was serious about developing information certification, then it should strictly require all government bodies to adopt international standards and also require contractors to follow these requirements when working on government projects,' he said.
Mr Sin said the Japanese and South Korean governments had long used this practice. 'If Hong Kong does so, it could ensure that the government reaches a high standard of information management and also lead the private sector in improving their awareness of security issues.'
Andy Ho, regional security manager of IBM Global Services Asia Pacific, said Hong Kong lagged behind other Asian countries.
'In Hong Kong, less than 20 companies have the ISO 17799 certification, whereas in Japan more than 200 companies have reached the standard. Even Taiwan is much better than Hong Kong.'
Mr Ho, who is also a former chairman of the Professional Information Security Association, said the international standards required the confidentiality, integrity and availability of sensitive data.
'Confidentiality means that information is accessible only to those authorised to have access. Integrity is safeguarding the accuracy and completeness of information and processing methods, and availability ensures authorised users have access to the information and its associated assets when required.'
There was a risk of data loss, regardless of whether the information was being processed or kept in storage systems, which was why it was necessary for companies to have a secure information and data storage system, Mr Ho said. 'Such a system allows a company to maximise the protection of its critical business information.'
Hitachi Data Systems storage solutions consultant Stephen Ko said storage security was becoming increasingly important.
'Nowadays, storage networks contain many non-secure fibre channel switches and IP interfaces,' he said.
With companies and users demanding more avenues to access data, there is a greater need for security.
'Storage security needs are also driven by regulatory compliance and moving data around different regions,' he said.
Eddie Lau, systems engineer manager of Cisco Systems Hong Kong, said companies should bring together both their security and storage experts when addressing storage security issues.
'Only by bringing these two groups of people together can they work in concert towards the mutual goal of providing optimised security for the enterprise's storage networks. There is no advanced technology that can replace their commitment to achieving a shared goal.'
Mr Lau added that data security should be an underlying factor in all of a company's decisions, rather than being dealt with as just one individual problem.
'Security is the baseline architecture for all technologies and networks. When considering purchase decisions or going through the implementation process of any technologies, including storage solutions, companies must also think about security policies and security tools so as to ensure that storage networks can be best-protected at all times.'
Mr Ho said it was important for companies to set up an information life cycle management system. 'Companies should take a high level overall approach. As data is not only accessible to executives but also the frontline staff, we have to consider how data can be protected from how it is created to how it is run, stored, transferred, maintained and discarded. Different kinds of information need different levels of security measurement.'
Conference Fact File
What is it? An IT conference evaluating new technologies and strategies in both the security and storage spheres
Date: March 29-30, 2006
Venue: Level 4, Hong Kong Convention and Exhibition Centre
Target: CIOs, IT directors, IT managers, network architects and senior management
Fees: Expo - free admission; Conference (includes lunch) - $1,200 two days, $800 one day
Organiser: Zenith Events