Before the workshop, we took a photo with Mr. Kesson Lee (Secretary-General, HKCTC) and guest speakers. (Left: I, Mr. Ronald Pong, Mr. Kesson Lee (HKCTC), Mr. Ronald Tse, Dr. Kwok Moon-keung (HKAS))
In the beginning, Mr. Kesson Lee (Secretary-General, HKCTC) give an opening remarks and he said ICT was one of focus areas in Testing & Certification Industry.
And then Mr. Vincent Chan (Convenor of the Working Group on Cloud Security and Privacy under Office of the Government Chief Information Officer) gave a welcoming remark. He said public concerned the cloud computing security and introduced InfoCloud website which was established as a one-stop portal for the general public and enterprises (especially the small and medium-sized enterprises) to effectively access information and resources on cloud computing technologies.
All guest speakers took a group photo.
The first speaker was Mr. Ronald Pong (CEO, Nexusguard Consulting Limited) and his topic entitled “Practical Implementation of ISO/IEC 27001 in Your Environment”. Mr. Pong briefed the agenda of his talk included ISO 27001, Different various documents in ISO 27001:2014 series, Vulnerability and Threat, as well as, ISO 27005:2011 risk assessment requirement.
Firstly, Mr. Pong briefed different standards under ISO 27001:2014 series and classified those standards to be “Must”, “Major”, “Reference” and “Supportive”. He explained to us the different between Vulnerability and Thread. Vulnerability was technical problem which could be fixed by updating patch and installation the advance equipment. However, Thread was come from management and human error such as configuration problem and bad practices.
Then he introduced ISO 27005:2011 risk management and its scope included “Constraints related to Methods and Know-How”, “Time Constraints”, “Organization Constraints”, “Environmental Constraints” and “Financial Constraints”. In Organization Constraints, it involved “Development Management”, “HR Management”, “Operation”, “Administrative Management” and “Maintenance”. The standard risk matrix was also mentioned.
Finally, Mr. Ronald Pong briefed ISO 27003:2010 for ISMS implementation guidance and the first thing to do was your information inventory classification. ISO 27006 & ISO 27007 was related to certification body such as auditor manday criteria for Large/Small and Simple/Complex companies.
During the break, I took a photo with Dr. Kwok Moon-keung (Senior Accreditation Officer, HKAS) who was one of assessor to audit our laboratories before.
I was honor to represent HKSTP to be the second speaker and my presentation named “QMS based Information Security Management System – Case Study”. Our Technology Support Centre (TSC) achieved ISO 27001 since 2008 and I reviewed many security incident happened in Hong Kong at that time. We had upgraded the standard to ISO 27001:2013 for whole TSC at the end of 2014.
Then I introduced the development of InfoSec FMEA Circle as our key risk assessment tools (where FMEA stands for Failure Mode and Effect Analysis). Then its implementation philosophy was mentioned. It was based on ISO 27001 Control Objectives & Controls as fundamental level and then evaluation risk level on each operation information flow accordingly.
After that 24-steps QISM Implementation Roadmap was introduced and its development was based on TQM Roadmap. We focused on 7 phase including “Awareness”, “Preparation”, “Plan”, “Do”, “Check”, “Act” and “Validation”. I also discussed how to establish our risk assessment criteria. The details was published in the Journal (See reference).
At the end, I used the term “SECURE” to conclude our ISMS implementation and it indicated “Standardization”, “Effectiveness”, “Clearance”, “Unique Identification”, “Recovery” and “Efficiency”.
Then Mr. Ronald Tse briefed his ISO 27001 journey and shared some tips to achieve it. He briefed ISO 27001 was suitable for SME. He added “Big names say: We are ACME therefore your data is secure. SMEs can say: We are independently certified for ISO/IEC 27001!” Then he showed different security management maturity level which ISO 27001 could help to improve it.
Mr. Tse said leadership commitment was crucial to a successful ISMS implementation. He shared to list each specific duty unit and subunit to perform risk management and set appropriate IS objectives. Finally, Mr. Tse told us the fastest way to implement ISMS successfully was to lead by yourself but not shortcut!
Dr. Kwok Moon-keung (Senior Accreditation Officer, HKAS) was the last speaker and his topic named “Hong Kong Accreditation Service (HKAS) – How its Services Help You”. Dr. Kwok introduced that Accreditation which was issuance of conformance statement by a third party (i.e. accreditation body) to a conformity assessment body (i.e. laboratory, inspection body or certification body, validation and verification body) and conveying formal demonstration of its competence to carry our specific conformity assessment tasks. (ISO/IEC 17024)
Accreditation helps managing the risk. The relationship among accreditation body, certification body/laboratory and users was showed in the following diagram. Dr. Kwok described how to monitor accredited organization including “Reassessment”, “Surveillance visit”, “Monitoring organization change”, “Complaints” and “Proficiency Testing / Inter-laboratory Comparison Study”, etc.
Finally, Dr. Kwok introduced HKCAS services which extended to ISO 27001.
Reference:
HKCTC - http://www.hkctc.gov.hk/en/home.html
HKCTC Seminar presentation file - http://www.hkctc.gov.hk/en/work_seminars.html#b44
HKAS - http://www.itc.gov.hk/en/quality/hkas/about.htm
OGCIO - Working Group on Cloud Security and Privacy (WGCSP) - http://www.ogcio.gov.hk/en/about_us/committees/egccss/previous_term/wgcsp_tor_membership_2013.htm
InfoCloud website - http://www.infocloud.gov.hk/home/20
20150424: PMI Seminar on QMS based Information Security Management - http://qualityalchemist.blogspot.hk/2015/04/pmi-seminar-on-qms-based-information.html
Lai, Lotto K.H. and K.S. Chin (2014) “Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security”, Industrial Engineering & Management Systems, Vol 13, No. 1, pp.88-101.
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2010) “Risk Management of Information Security – Information Security FMEA Circle” The eighth ANQ Congress, paper HK01. (Reprinted in SQI Yearbook 2011, pp.66-72)
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2009) “Integration of Quality Management System and Information Security Management System – HKSTP implementation case” Proceedings CD-ROM of The seventh ANQ Congress, paper HK02.
20150424: PMI Seminar on QMS based Information Security Management - http://qualityalchemist.blogspot.hk/2015/04/pmi-seminar-on-qms-based-information.html
Lai, Lotto K.H. and K.S. Chin (2014) “Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security”, Industrial Engineering & Management Systems, Vol 13, No. 1, pp.88-101.
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2010) “Risk Management of Information Security – Information Security FMEA Circle” The eighth ANQ Congress, paper HK01. (Reprinted in SQI Yearbook 2011, pp.66-72)
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2009) “Integration of Quality Management System and Information Security Management System – HKSTP implementation case” Proceedings CD-ROM of The seventh ANQ Congress, paper HK02.
沒有留言:
發佈留言