IT Security Standards and Best Practices
Home > 
Useful Resources > 
IT Security Standards and Best Practices
< back
IT Security Standards and Best Practices
Security Certifications
Security Associations and Groups
Related Ordinances
Multimedia Centre
Quiz
Glossary
CERT Community
Miscellaneous

IT Security Standards and Best Practices

To facilitate your planning on information security management for your company, we have highlighted some internationally recognised information security standards, guidelines and effective security practices for reference.

Government IT Security Policy and Guidelines

The Government of HKSAR has issued a set of "Government IT Security Policy and Guidelines" to provide references and guidance to Government bureaux and departments in respect of the protection of Government information systems and data assets. The related documents are obtainable through the hyperlinks provided below. Users should note that the documents are for general reference only and users are responsible to make their own assessment on the information provided and to obtain independent advice before acting on it.

Baseline IT Security Policy - This document sets the baseline standards of IT security policy for Government bureaux/departments. It states what aspects are of paramount importance.
IT Security Guidelines - This document elaborates on the policy requirements and sets the implementation standard on the security requirements specified in the Baseline IT Security Policy.
Practice Guide for Information Security Incident Handling - This document provides the practical guidance and reference for handling information security incidents in the Government.
Practice Guide for IT Security Risk Management - This document provides the practical guidance and reference for IT security risk management in the Government.
Practice Guide for IT Security Risk Management - This document provides the practical guidance and reference for IT security risk management in the Government.
Practice Guide for IT Security Threat Management - This document provides the practical guidance and reference for IT security threat management in the Government.
Practice Guide for Security by Design - This document provides the practical guidance and reference for the adoption of Security by Design in the Government.
Practice Guide for Security Risk Assessment & Audit - This document provides the practical guidance and reference for security risk assessment & audit in the Government.
Practice Guide for Penetration Testing - This document provides the practical guidance and reference for the secure adoption of penetration testing in the Government.
Practice Guide for Internet Gateway Security - This document provides the practical guidance and reference for the secure adoption of internet gateway in the Government.
Practice Guide for Mobile Security - This document provides the practical guidance and reference for the secure use of mobile devices and development of mobile apps in the Government.
Practice Guide for Cloud Computing Security - This document provides the practical guidance and reference for the secure adoption of cloud computing technology in the Government.
Practice Guide for Internet of Things Security - This document provides the practical guidance and reference for secure adoption of Internet of Things (“IoT”) technology in the Government.
Practice Guide for Social Media Security - This document provides the practical guidance and reference for secure management and use of social media in the Government.
Practice Guide for Wi-Fi Security - This document provides the practical guidance and reference for secure design, management and operation of Wi-Fi network in the Government.

There is increasing public concern about the security of information passing through public Wi-Fi networks. To address such a concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines are developed jointly with the industry and the relevant professional bodies.

Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service - A set of guidelines on security for public Wi-Fi service.
IT Governance Standards and Best Practices
ISO/IEC 27001 - This document provides the ISO standards of the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
ISO/IEC 27002 - This document introduces the code of practice for information security controls.
ISO/IEC 27017 - This document provides guidelines supporting the implementation of information security controls for cloud service consumers and providers. The selection of appropriate controls and the application of the implementation guidance are based on risk assessment and other requirements for the use of cloud services.
British Standard 7799 Part 3 - This set of guidelines is published by BSI Group for the information security risk management.
COBIT - The Control Objectives for Information and related Technology (COBIT) is published by the Standards Board of Information Systems Audit and Control Association (ISACA) providing a control framework for the governance and management of enterprise IT.
Common Criteria (also known as ISO/IEC 15408) - This set of evaluation criterias is developed by and aligned with national security standards organisations of Australia, Canada, France, Germany, Japan, Netherlands, New Zealand, Spain, UK and US.
ITIL (or ISO/IEC 20000 series) - This document introduces a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user.
National Information Security Technology Standard Specification - This webpage introduces a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards include information security management, information security evaluation, authentication and authorisation, etc.
The Center for Internet Security (CIS) Controls (formerly known as Critical Security Controls) – These are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.
Guidelines on Conducting Online Businesses and Activities
Electronic Transactions Ordinance - This Ordinance concerns the legal status of electronic records and digital signatures used in electronic transactions as that of their paper-based counterparts.
Consumer Protection in E-commerce - OECD Recommendation– This guideline is published by the Organisation for Economic Co-operation and Development (OECD) listing the principles and good practices on e-commerce
OWASP Top Ten Project – This document for web application security is published by The Open Web Application Security Project (OWASP) representing a broad consensus about what the most critical web application security flaws are.
Payment Card Industry Data Security Standard - This standard is developed by a number of major credit card companies (including American Express, MasterCard Worldwide and Visa International) for enhancing payment account data security.
RFC 2196 Site Security Handbook, from IETF (The Internet Engineering Task Force) – This handbook is prepared by IETF for developing computer security policies and procedures for sites that have systems on the Internet.
Technical Standards Relevant to Cloud Computing - This webpage introduces a collection of technical standards relevant to Cloud Computing released by various international organisations. These standards include management, web services, security of cloud computing, etc.
TRUSTe – Under this program, a privacy seal, or called a "trustmark", is awarded to websites that adhere to the privacy principles and comply with the oversight and consumer resolution process.
WebTrust program – Under this program, a WebTrust seal at the website means the company is complied to WebTrust principles including, on-line privacy, security, business practices and transaction integrity, availability and WebTrust for Certification Authorities.
Guidelines on Safeguarding Data Privacy
A Series Guidance Notes on Data Privacy – The guidance notes are provided by the Office of the Privacy Commissioner for Personal Data to specific industires, organisation and users for general reference.
A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance – This guide was compiled by Hong Kong Computer Society (HKCS) for the enterprises, especially IT Managers and Professionals, to protect personal data privacy.
Health Insurance Portability and Accountability Act (HIPAA) - This Act was enforced by the US government in order to enact their national Standards for Privacy of Individuals Identifiable Health Information.
Other References
ISACA's Frameworks, Standards and Models - This is a series of information systems auditing frameworks, standards and models issued by the Standards Board of Information Systems Audit and Control Association (ISACA).
RFC 2350 Expectations for Computer Security Incident Response, from IETF (The Internet Engineering Task Force) – This document is prepared by IETF listing the general set of topics and issues which are of concern and interest to Computer Security Incident Response Teams.