Challenges on Information Security

I was invited to be one of the speakers, giving a talk on the implementation of an information security management system, at the seminar entitled “Embracing the Challenges of Emerging Information Security Threats”, organized by the Hong Kong Quality Assurance Agency (HKQAA) and supported by the Hong Kong Society for Quality (HKSQ) on 27th August 2009. Summaries of the different speeches are shared below.

The first speaker was Mr. You Cheng Hwee (Managing Director, Maximus Consulting Pte Ltd.) and his topic was “2009 Information Security Trend and Protect Yourself using ISO/IEC 27001 ISMS”.

Mr. You shared independent information security reports and presented the trend of different threats (such as Virus, Insider Abuse, Laptop Theft, Unauthorized Access, Bots, Financial Fraud and DNS) from 1999 to 2008. He said new threats like Bots* and DNS** are emerging.

{* A bot (short for "robot") is a program that operates as an agent for a user or another program to simulate human activity. In the security context the term refers to a compromised machine under an attacker's remote control; a collection of such machines is a botnet.
** The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. "DNS" as a threat category refers to attacks against this name-resolution infrastructure, which can redirect users without touching their own machines.}

He emphasized the importance of internal audits for compliance verification, which indicates that the “human” factor in managing security is one of the critical success factors.
Information security management is more than just technology; proper protection through formalized mechanisms is required. He pointed out that risk management lets you find out the things you need to know. Then he summarized four critical success factors to consider for an ISMS as follows:
i) Understand the ISO 27001 standard
ii) Understand your business objectives
iii) Choose your ISMS framework and risk management methodology
iv) Select your ISMS implementation scope

I, Lotto Lai, was the second speaker (Quality Manager in HKSTP and Chairman of HKSQ) and my topic was entitled “A Case Study of ISO/IEC 27001 implementation in IC Design & IP Servicing Centre of HKSTP”. After introducing the background of ISMS, five groups of control objectives were discussed: Policy, Process & Procedure, Organization Structure, Software Systems, and Hardware Systems. The objectives of the IC Design Centre and IP Servicing Centre were then outlined as follows:
i) To support IC development in a protected environment
ii) To facilitate the use of and license of Semiconductor Intellectual Properties through the Centres

Five steps for ISO 27001 implementation were listed as:
1st Step – Perform Information Asset Evaluation (based on Confidentiality, Integrity & Availability)
2nd Step – Perform Risk Priority Assessment (based on Severity, Occurrence and Detectability)
3rd Step – Perform Risk Treatment Plan (based on the result of risk assessment)
4th Step – Develop Supplementary ISMS Manual (based on PDCA)
5th Step – Record Statement of Applicability (SOA)
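The five steps above can be exercised end to end on a small risk register. The following Python script is an added example written for this page, not code from the HKSTP case study or from the standard; the assets, threats, rating scales, control catalogue, the effect each control is assumed to have on occurrence and detectability, and the treatment threshold are all assumptions chosen for illustration. It links Step 1 to Step 2 by deriving FMEA severity from the asset's C/I/A rating, ranks risks by RPN (Severity × Occurrence × Detectability), decides treatment, re-scores residual risk as the Check of the PDCA cycle, and derives a Statement of Applicability from the controls actually selected.

```python
"""Worked example of the five ISO 27001 implementation steps: asset evaluation
(CIA), FMEA-style risk priority assessment (S x O x D), risk treatment plan,
a PDCA check of residual risk, and a Statement of Applicability.
All assets, threats, scales, control effects and thresholds are assumed
for illustration; none come from the HKSTP case study."""
from dataclasses import dataclass

# Assumed scales: C/I/A rated 1 (low) .. 3 (high); S/O/D rated 1 .. 10 as in FMEA.
CIA_TO_SEVERITY = {1: 3, 2: 6, 3: 9}   # assumed mapping from a CIA rating to severity
RPN_TREAT_THRESHOLD = 100              # assumed: an RPN at or above this must be treated

# Assumed control catalogue. References follow the ISO/IEC 27001:2005 Annex A
# numbering in force at the time of the seminar; the effect each control has on
# occurrence (O) and detectability (D) after implementation is an assumption.
CONTROLS = {
    "A.9.1.1":  ("Physical security perimeter",     {"occurrence": 1, "detectability": 2}),
    "A.10.4.1": ("Controls against malicious code",  {"occurrence": 4, "detectability": 5}),
    "A.10.5.1": ("Information back-up",              {"occurrence": 1, "detectability": 2}),
    "A.11.2.1": ("User registration",                {"occurrence": 2, "detectability": 3}),
}


@dataclass(frozen=True)
class Asset:
    name: str
    c: int   # confidentiality rating
    i: int   # integrity rating
    a: int   # availability rating

    def rating(self, dimension: str) -> int:
        return {"C": self.c, "I": self.i, "A": self.a}[dimension]

    def value(self) -> int:
        # Step 1: the protection need is driven by the highest of the three ratings
        return max(self.c, self.i, self.a)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    affects: str        # which of C / I / A the threat damages
    occurrence: int     # O: how likely the threat is to materialise
    detectability: int  # D: 10 = almost impossible to detect before harm is done
    control: str        # catalogue reference of the control that would treat it

    def severity(self) -> int:
        # Step 2a: severity comes from the asset evaluation, not a per-threat guess
        return CIA_TO_SEVERITY[self.asset.rating(self.affects)]

    def rpn(self, occurrence=None, detectability=None) -> int:
        # Step 2b: FMEA risk priority number, optionally with treated O and D
        o = self.occurrence if occurrence is None else occurrence
        d = self.detectability if detectability is None else detectability
        return self.severity() * o * d


def treatment_plan(risks):
    """Step 3: rank by RPN and decide treatment; returns (risk, rpn, decision)
    tuples with the highest priority first."""
    ranked = sorted(risks, key=lambda r: r.rpn(), reverse=True)
    return [(r, r.rpn(), "mitigate" if r.rpn() >= RPN_TREAT_THRESHOLD else "accept")
            for r in ranked]


def residual_check(plan):
    """Step 4 (the Check of PDCA): re-score each mitigated risk with the control's
    assumed effect. A False flag is the Act: the chosen control is not enough and
    the treatment plan must be revisited."""
    findings = {}
    for risk, before, decision in plan:
        if decision != "mitigate":
            continue
        effect = CONTROLS[risk.control][1]
        after = risk.rpn(effect["occurrence"], effect["detectability"])
        findings[risk.threat] = (before, after, after < RPN_TREAT_THRESHOLD)
    return findings


def statement_of_applicability(plan):
    """Step 5: every catalogue control with its applicability and justification."""
    selected = {}
    for risk, _, decision in plan:
        if decision == "mitigate":
            selected.setdefault(risk.control, []).append(risk.threat)
    return {
        ref: ("applicable", "treats: " + "; ".join(selected[ref])) if ref in selected
        else ("excluded", "no risk above threshold requires it; exclusion must still be justified")
        for ref in CONTROLS
    }


# Constructed sample register (assumed values, not real HKSTP data).
IP_LIBRARY = Asset("licensed IP library", c=3, i=3, a=2)
DESIGN_WORKSTATION = Asset("IC design workstation", c=2, i=2, a=2)
SAMPLE_RISKS = [
    Risk(IP_LIBRARY, "unauthorised copy of IP by a former user", "C", 5, 7, "A.11.2.1"),
    Risk(IP_LIBRARY, "loss of IP archive through storage failure", "A", 3, 2, "A.10.5.1"),
    Risk(DESIGN_WORKSTATION, "malware on design workstation", "I", 8, 8, "A.10.4.1"),
    Risk(DESIGN_WORKSTATION, "tailgating into the design room", "C", 2, 4, "A.9.1.1"),
]

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_RISKS)
    for risk, rpn, decision in plan:
        print(f"{rpn:4d}  {decision:8s}  {risk.asset.name}: {risk.threat}")
    for threat, (before, after, ok) in residual_check(plan).items():
        print(f"residual {before} -> {after}  {'ok' if ok else 'STILL ABOVE THRESHOLD'}: {threat}")
    for ref, (status, why) in statement_of_applicability(plan).items():
        print(f"{ref:9s} {CONTROLS[ref][0]:32s} {status:10s} {why}")
```

Two points the run makes visible: deriving severity from the Step 1 rating keeps a low-value asset from being over-prioritised by an enthusiastic threat score, and the residual check catches the case (malware on the workstation) where the single selected control is not enough, which is exactly what the PDCA loop in the supplementary manual is for.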

In my conclusion, I stated that the ISMS framework created value for our new business model, the “Secure Virtual IP Chamber”, in which the operational model changed from a physical service to a virtual service, and this made world-class IP companies willing to sign agreements with HKSTP.
Lastly, I summarized the execution tactic of the information security management system (ISMS) in one word, “SECURE”. It means:
“S” – Standardization
“E” – Effectiveness
“C” – Clearance
“U” – Unique Identification
“R” – Recovery
“E” – Efficiency

The third speaker was Mr. Ronald Pong (Consultant, Technology & Special Project, CNLINK Networks Limited) and his topic was “ISO 27001 in IDC Environment”.
In the beginning, Mr. Pong introduced the IDC* security adopted nowadays in the business world.

{* Internet data centers (IDCs) provide businesses with a range of solutions for systems deployment and operation. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and security devices, etc.}

Mr. Pong shared problems he encountered, such as mapping security management onto IT operation management, which had to fulfil different compliance criteria. He said the IDC provided co-location services, virtual hosting, facility management, network health & security, as well as a SOC.

Mr. Pong elaborated on the risks they faced as follows:
i) Distributed denial-of-service attack (DDoS attack): it involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
ii) Botnet: it is often associated with malicious code/software, but it can also refer to a network of computers running distributed computing software.
iii) Hacking (breaking into computers, usually by gaining access to administrative controls)
iv) Economic espionage (the theft or misappropriation of a trade secret; in the US this is a federal crime)
v) Crime
(and more; anything can happen in an IDC)

Mr. Pong continued that knowledge/understanding and appropriate documentation are the prerequisites for effective IT operation management. The key word for security management and incident response strategy is “Compliance”. To organize your IT security management, using an ISMS framework (such as ISO 27001) was recommended so that people understand what they should do.

The last speaker was Mr. Philip Chan (Auditor, HKQAA) and his topic was entitled “Security Incident Zero-day Attack”. He explained security incidents and zero-day attacks as follows:
Security Incident – “Any real or suspected adverse event in relation to the security of computer systems or computer networks.”
Zero-day Attack – “The day a new vulnerability is made known. In some cases, a “zero-day” exploit refers to an exploit for which no patch is available yet.”

The following photo briefed the concept.

Then Mr. Chan mentioned three risk management theories.
Theory 1 is Control Type
- Preventive
- Detective
- Corrective
Theory 2 is Defense-in-Depth
- Deter
- Detect
- Delay
- Respond
Theory 3 is a risk management standard such as AS/NZS 4360.

In the next section, Mr. Chan went through the different Six Sigma methodologies employed for information security, especially for zero-day attacks, such as DMAIC, SIPOC, Process Flow, FMEA, Tree Diagram, Force Field Analysis, Critical Path Analysis, Value Stream Mapping, etc.

Lastly, he summarized the most important elements of ISO 27001 (ISMS) as his concluding remarks:
- Process Approach
- Risk Based Approach
- Security Policy
- Asset Management
- Communications & Operations Management
- Access Control
- Information Security Incident Management
- Business Continuity Management
- Compliance


Innovation – From Art to Science

I would like to share the seminar entitled “Innovation – From Art to Science”, which was organized by HKSTP on 22nd August 2009. The speaker was Mr. Darrell Mann (Director, Systematic Innovation Ltd (UK)). He had served at Rolls-Royce in R&D for 15 years as the chief engineer responsible for the company’s long-term future military engine strategy. Before attending the seminar, I expected it would introduce the traditional TRIZ principles. However, Darrell gave us an overview of systematic innovation philosophies with some practical examples.

In the beginning, Mr. Allen Yeung (VP – BDTS in HKSTP) gave the opening speech and introduced the speaker, Mr. Darrell Mann.

Firstly, Darrell presented the overall business model of his company. Systematic Innovation Ltd is not a big company: it has only 40 full-time staff and 150 network partners. Yet it is valuable to learn how the company runs its business as a creative solution provider. There are four elements: “Problem Solving Consulting”, “Research”, “Systematic Innovation Method” and “IP Generation / Licensing”. The most important role of the company is “Coordination”.

Then he showed their service track record. Their services have been provided to many well-known companies, and he quoted some examples to illustrate solutions implemented across industries, such as “PILKINGTON and ILFORD”.

Darrell said the company extracted best practices from all fields of human endeavour, including Business, Science, Patents and Creative Minds, to create its own Breakthrough database.
He showed an accelerating world moving from limited competition to global competition. From my quality point of view, “Stability” is QC and Six Sigma, and “Continuous improvement” is QA/QM and TQM. TRIZ (the Theory of Inventive Problem Solving) could then be the quality aspect of “Continuous Innovation”.

Darrell continued that 97% of patents never pay back their filing cost! This indicates that an invention is not necessarily an innovation with a good return. Then he asked what a “WOW” solution is. Some participants said innovative ideas with a good return would be the iPod, iPhone, etc. He added that an innovative idea is non-obvious at first and does not fit the current ‘common sense’, but it becomes the new common sense.

Another example was the self-timing egg. The idea is simply to print a temperature indicator on the egg shell to show how well cooked it is, so the egg can be marked up by 40%.

Then he introduced the “Ideal Final Result” deployment philosophy. The ideal final result is a theoretical solution in most senses; however, a system can get closer and closer to that destination.

“Evolution is a Convergent Process.”

Darrell emphasized that contradictions can be found in customers’ expectations, but these contradictions can be innovation opportunities once they are resolved.

The photo showed the perfect solution that the speaker likes to use most.

During the Q&A session, some questions are summarized as follows:
i) When we use another industry’s solution, do we need to pay for their patent?
ii) If you sign an NDA with one company, how do you use that company’s idea to help other industries?
The speaker shared that they use fundamental or published knowledge which is not protected by patents, and further develop a new solution or new patent from it.

For more information, please refer to Darrell’s best-selling book entitled “Hands-On Systematic Innovation for Business & Management”, published by IFR Press, Malaysia, in 2004.

This book introduces seven pillars of systematic innovation:
i) Ideality (Ideal Final Result and S-curve)
ii) Contradictions (business conflict/trade-off elimination matrix)
iii) Functionality (Main Useful Function)
iv) Resources (maximizing the use of everything)
v) Space, Time and Interface (jumping out of patterns / thinking outside the box, psychological inertia)
vi) Recursion
vii) Emergence

Another related article of mine: Innovation/Creativity Management


Boating for coral – increasing staff loyalty

I joined a boating-for-coral trip organized by my company on 16 Aug 2009. During the trip, we saw some beautiful natural creations, and then we had a countryside walk on a small island called Tap Mun.

The McKinsey 7S framework includes Structure, Systems, Strategy, Skills, Staff, Style and Shared Values. During the boating trip, staff not only enjoyed a family day, but also communicated better with each other. Company values such as “Nature”, “Environment”, “Family” and “Education” can be shared during such activities.

Our cruiser left the pier.

My wife and I took a photo at the bow of the cruiser.

We left Science Park.

This is Ma On Shan (馬鞍山); the shape of the hill is like a saddle.

We saw a Marine Police boat.

A small glass-bottomed boat we hired for viewing the coral.

We saw the coral through the glass in the bottom of the boat.

See! Lots of coral!

Coral can be found everywhere near the coast.

After that we went to Tap Mun (塔門) for lunch and countryside walk.

Fish and octopus were being sun-dried.

Then, we went to Tin Hau Temple (天后廟).

A front view of Tin Hau Temple (天后廟). (A protector of fishermen and sailors, Tin Hau – the Queen of Heaven – is honoured with the most prayers from coastal peoples such as the Cantonese, Fujianese, Taiwanese and Vietnamese.)

Many very large and colorful spiders were found. They must be poisonous.

My wife and I took another picture.

Then we went to “Balanced Rock” (疊石).

It looks like two square rocks stacked together.

People like to stay there to enjoy sunset.

The cow was clever to rest under the trees. It was a really hot day!

After that we went to Lai Chi Chong (荔枝莊) for a while.

Twenty years ago, I joined a camp at Lai Chi Chong (荔枝莊). The terrace was very beautiful and distinct, but it is not so distinct now.

Do you see the two mudskippers (彈塗魚, Periophthalmus cantonensis) under the rock?

A fighter aircraft (suspended on display) was seen.

When we left, we had to pass the Marine Police cruiser.

Back to Science Park.



I believe the Internet should preserve freedom of speech. As long as there are no personal attacks, everyone lays out their own arguments, and both sides respect each other, the truth becomes clearer the more it is debated. If one cannot convince the other side, then all that remains is a difference of positions.


Leung Man-tao’s articles in am730, “The Wen Huaisha Incident” (17/6/2009) and “The Sunshine Rule of the Public Sphere” (18/06/2009), are well written. He mainly cites Voltaire’s famous line, “I disapprove of what you say, but I will defend to the death your right to say it,” and the idea that truth shows itself through reasoning.

I hope there will be a lasting sunshine rule in the public sphere, rather than a law of darkness.

破惘 – 思之旅(星篇) (Po Wang – A Journey of Thought, Star Edition), 5th edition, 李天命 (Lee Tien-ming), 明報出版社 (Ming Pao Publications), July 1996


IPO process in Hong Kong

I attended a seminar entitled “IPO Process in Hong Kong & Role of Financial Adviser” on 7 Aug 2009 at Hong Kong Science & Technology Parks (HKSTP). The seminar introduced IPO qualifications and the way a financial adviser assists a company in reaching the IPO milestone. The two speakers were Ms. Edwina Lee and Mr. Leo Wong, who serve in the Anglo Chinese Group, which provides advisory services for mergers and acquisitions, raising capital, corporate reorganization and rescue, litigation support and regulatory compliance.

The benefits and drawbacks of an IPO were described as follows:
The benefits are summarized as:
i) Benchmark of value,
ii) Increased profile & global awareness of the company,
iii) Monetization for current shareholders at IPO,
iv) Increased attention from lenders and institutions,
v) Platform for employee retention & incentives, etc.
The drawbacks are:
i) Exposure to public observation,
ii) Leakage of competitive information,
iii) Potential legal liabilities,
iv) Short-term strategy,
v) Demanding continuing obligations (required by the HK Stock Exchange), etc.

IPO qualifications for the Main Board and GEM were also briefed. Some actions taken in pre-IPO preparation are listed below.
Phase 1:
Appoint the right team and get your house in order.
i) Restructuring
ii) Financial statement
iii) Business plan
iv) Target valuation
v) Equity story / positioning
vi) Appointment of adviser
Phase 2: IPO Preparation / Execution
i) Due diligence → Documentation
ii) Structure and logistics → Marketing preparation
Phase 3: Marketing & Pricing
The whole process needs 5 months theoretically, and 9 months typically.

The role of the financial adviser is mainly problem resolution. This includes pricing, capital commitment, valuation disagreements, listing venue, sensitive disclosure, etc.

IPO team members included Bookrunners, Lawyer, Accountants, and others (Financial PR, Junior Syndicate Members, Printers, etc.).

The key element of an equity story is good positioning, which helps promote the merits of the company and the marketing momentum of the IPO process. The cycle may be:

Market share → Management → Track record → Technology → Earning / Profitability → Dividend yield → Growth → Established franchise

After the seminar, I understood that an IPO is a long journey and a key milestone for company success. Many technology companies in HKSTP would work diligently to get through the IPO process.

