CSA HKM to hold Annual General Meeting on June 16, 2020

The Cloud Security Alliance Hong Kong & Macau Chapter will hold its Annual General Meeting on June 16, 2020:

Date:   16 June 2020

Time:   7:00 (p.m.)

Place:  Unit 1605, Hang Shing Building, 363 Nathan Road, Kowloon


  • To receive and consider the Directors’ Report and Audited Financial Statements for the year ended 30 June 2019.
  • To elect directors.
  • To re-appoint auditors and to fix their remuneration.
  • To consider any other business.

The meeting is open to all members.  Due to the social distancing policies introduced by the Hong Kong Government, it is advised to attend the meeting online rather than in person.  Please contact membership@csahkm.org for the meeting link.




Cloud Security Alliance Announces Industry’s First Credential for Cloud Auditing

The Cloud Security Alliance (CSA) has announced the Certificate of Cloud Auditing Knowledge (CCAK), the only credential for industry professionals that demonstrates expertise in the essential principles of auditing cloud computing systems. Set to be released in the second half of 2020, the CCAK aims to solve the current industry knowledge gap for IT audit and security professionals trained and certified for traditional on-premise IT auditing and assurance.

Designed to provide CISOs, security and compliance managers, internal and external auditors, and practitioners of tomorrow with the proven skillset to address the specific concerns that arise from the use of various forms of cloud services, the CCAK will provide a common baseline of expertise and shared nomenclature to ensure that IT auditors and other related stakeholders are communicating appropriately and accurately regarding the effectiveness of cloud security controls.

With its focus on cloud computing, the CCAK differs from traditional IT audit certification programs, which have many excellent elements, but were not developed with an understanding of cloud computing and its many nuances. An audited organization using cloud computing, for instance, will have a very different approach to satisfying control objectives, and a cloud tenant will certainly not have the same administrative access as in a legacy IT system and will employ a wide range of security controls that will be foreign to an audit and assurance professional grounded in traditional IT audit practices.

“Cloud computing represents a radical departure from legacy IT in virtually every respect. The new technology architecture, the nature of how cloud is provisioned, and the new shared responsibility model means that IT audits must be significantly altered to provide assurance to stakeholders that their cloud adoption is secure,” said Jim Reavis, co-founder and CEO, Cloud Security Alliance. “Because CSA already has developed the most widely adopted cloud security audit criteria and organizational certification, we are uniquely positioned to lead efforts to ensure industry professionals have the requisite skill set for auditing cloud environments.”

The CCAK’s holistic body of knowledge will be composed of the CSA’s Cloud Controls Matrix (CCM), the fundamental framework of cloud control objectives; its companion Consensus Assessments Initiative Questionnaire (CAIQ), the primary means for assessing a cloud provider’s adherence to CCM; and the Security, Trust, Assurance & Risk (STAR) program, the global leader in cloud security audits and self-assessments, in addition to new material.

For more than 10 years, CSA has led the development of the trusted cloud ecosystem, which notably includes the STAR program and the Certificate of Cloud Security Knowledge (CCSK), the gold standard for measuring professional competency in cloud security. The CCAK and the CCSK will complement one another in that the CCSK provides the knowledge that enables an expert to secure cloud systems that will, in turn, be successfully scrutinized by an expert holding the CCAK. In many cases, an industry professional will be well served by obtaining both certificates.

Because the CCAK is intended to create a common cloud audit understanding, it’s expected to become a mandatory requirement for IT auditors and highly recommended for IT managers and professionals, especially governance, risk management, compliance, and vendor/supply chain management.

Several opportunities exist for those looking to participate in the CCAK’s development. Individuals can volunteer to provide subject matter expertise or peer review, while organizations with a vested interest in cloud security can become a founding sponsor. Learn more about the Certificate for Cloud Auditing Knowledge and how to get involved.

CSA HKM Education Director Talks at Cloud Asia Expo 2018

Cloud Expo Asia is an unrivalled, multi-award-winning event platform. For technology professionals it is a place to learn from world-leading experts and source best-of-breed cloud technology and services. For technology vendors it offers 2 unmissable days of networking, lead and business generation. It is held on 16 – 17 May 2018 at HKCEC, Hong Kong.

Cloud Security Alliance is a supporting organisation of this event.

This year, our newly elected Education Director, Kelvin Wong, will be giving a speech during the expo. https://www.cloudexpoasiahk.com/2018-conference-programme/get-ready-for-your-cloud-security-certificates

Please feel free to come and discuss the “hot” Cloud Security certificate.


CSA HKM supports PISA Security Jam 2018

PISA JAM 2018 is a full-day information security conference that provides a platform for InfoSec practitioners and students to chat and exchange their ideas.

CSA (HK & Macau Chapter) jointly organises and supports PISA JAM 2018. The CSA Professional Development team worked with the PISA JAM 2018 OC to arrange for a Cloud Application Security Broker (CASB) company, Symantec, and a Docker security company, Aqua, to send their representatives to conduct a half-day demo workshop on 26 May 2018 (Sat) afternoon.

During the workshop, audience members and participants will be able to take part in the lab and demo exercise in the afternoon for 3 hours. Please feel free to join. CSA (HK & Macau Chapter) members can join as members of a supporting organization without charge.

Please feel free to go to this link to get more details and register. https://www.pisa.org.hk/upcoming-events/531-pisa-security-jam-2018-pisajam2018-26-may-2018

Date:  26 May 2018 (Sat)
Target Audience:  PISA members, members of supporting organizations, full-time students in InfoSec relevant course
Venue:  HK PolyU, Hung Hom
Language:  Cantonese, with English terminology
Registration: https://bit.ly/2wuv4kO
Admission Fee:  FREE

CSA HKM Announces 2018/2019 Management Team

Cloud Security Alliance Hong Kong & Macau Chapter announced a new management team for 2018/2019 after their elections on March 22, 2018.

Position:  Name
Chairman:  Claudius Lam
Deputy Chairman (Hong Kong):  Fred Sheu
Deputy Chairman (Macau):  Terry Cheung
Vice Chairman – Secretarial & Treasurer:  Otto Lee
Vice Chairman – Membership & External Affairs:  SC Leung
–      Government Relationship Development Director:  Vince Wan
–      Membership (Events & Activities) Director:  Henry Ng
Vice Chairman – Programs & Research:  Joe Chan
–      Research Director:  Frank Chow
Vice Chairman – Professional Development:  Ricci Ieong
–      Education Director (Hong Kong):  Kelvin Wong
–      Education Director (Macau):  Victor Cheong
–      Certification Coordination Director:  Vincent Ip

The team will work together to further the development of CSA HKM in the years to come.

CSA HKM Councilors 2018

Hong Kong ICT Awards 2018

The Hong Kong ICT Awards aims at recognising and promoting outstanding information and communications technology (ICT) inventions and applications, thereby encouraging innovation and excellence among Hong Kong’s ICT talents and enterprises in their constant pursuit of creative and better solutions to meet business and social needs.

As a supporting organization of the Hong Kong ICT Awards 2018, Cloud Security Alliance Hong Kong & Macau Chapter encourages the active participation of our members and the general public in the eight categories under the Award.

Details of the Awards can be found at http://hkcs.org.hk/ictawards/


Cloud Security Alliance Announces Launch of CCSK v4

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the general availability of its latest industry leading Certificate of Cloud Security Knowledge exam, version 4 (CCSK v4). The new exam has been significantly updated to reflect changes in the cloud and security landscape and features new content that aligns with this year’s earlier release of Guidance for Critical Areas of Focus in Cloud Computing 4.0.

“Since its launch, the CCSK has been recognized and widely accepted as the gold standard by a broad coalition of experts and organizations for demonstrating cloud security competency,” said Jim Reavis, CEO, CSA. “With this update, the CCSK is again proving to be the definitive resource for anyone in IT and information security who is looking to declare their understanding of key cloud security issues.”

Version four content represents more clarity, accuracy and better alignment with the recently published Guidance for Critical Areas of Focus in Cloud Computing 4.0 document, to better reflect current operational realities in cloud. Some key updates to note in the new version are reflected in the rebuilding of the introductory, infrastructure, and governance/legal/risk sections. Additionally, the materials covering data security include expanded coverage of Cloud Access Security Broker (CASB) technologies and business continuity/disaster recovery. Also, the Related Technologies section now covers how IoT, mobile, serverless computing, and Big Data technologies are connected to cloud computing. A detailed list of changes between the CCSK v3 and v4 can be found at https://ccsk.cloudsecurityalliance.org/en/faq#changes.

Launched in 2010, the CCSK emerged as the industry’s first benchmark for measuring cloud security skillsets. The body of knowledge is constituted by Guidance for Critical Areas of Focus in Cloud Computing 4.0, the CSA Cloud Control Matrix (CCM) and the European Cyber Security Agency (ENISA) Cloud Computing Risk Assessment report. Information technology and security professionals interested in studying for the CCSK v4 exam can prepare through CSA’s self-study preparation kit or through their network of training partners offering instructor-led and online classes.

Approximately 86 percent of the exam questions will be related to the content of the Guidance for Critical Areas of Focus in Cloud Computing 4.0.  The CCSK v4 exam is now available for $395.  For more information or to take the exam visit https://cloudsecurityalliance.org/education/ccsk.

China Cloud Security Alliance Officially Established (C-CSA formed in China)

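(November 1, 2017, China) At the China Internet of Things and Cloud Computing Application Technology Expo held in Huizhou, Guangdong, the China Cloud Security and Emerging Technology Security Innovation Alliance (hereafter the “China Cloud Security Alliance” or “C-CSA”), together with the China Cloud System Industry Innovation Strategic Alliance (hereafter the “China Cloud System Alliance”), co-hosted the 2017 China Cloud Security and Emerging Technology Security Innovation Forum and held the inauguration and plaque-unveiling ceremony for the China Cloud Security and Emerging Technology Security Innovation Alliance. Leaders attending the forum included Academician Zhang Qin, former Deputy Secretary of the Party Leadership Group and Vice President of the China Association for Science and Technology; Wang Jianhua, Executive Vice President and Secretary-General of the China Industry-University-Research Institute Collaboration Association; Liu Xiaojun, Vice Mayor of Huizhou; Li Yuhang, Executive Vice Chairman of the China Cloud Security Alliance; and representatives of cloud security from government, industry, academia and research. Shen Yushi, Secretary-General of the China Cloud System Alliance and the China Cloud Security Alliance, chaired the forum, at which experts shared emerging-technology security innovations of the cloud computing 2.0 era across cyberspace, cloud computing, the Internet of Things and other fields.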

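Wang Jianhua, Executive Vice President and Secretary-General of the China Industry-University-Research Institute Collaboration Association, opened the forum by reading out the letter approving the establishment of the China Cloud Security and Emerging Technology Security Innovation Alliance. Wang stressed that the China Cloud Security Alliance was established to strengthen the deep integration of industry, academia, research and application; to bring together the resource strengths of all parties in the industry; to build an innovation platform and introduce international best practices such as those of the international Cloud Security Alliance (CSA); to break through bottlenecks in cloud computing and emerging technologies; to guide the establishment of common security standards; and to cultivate more industrial clusters and outstanding talent with core competitiveness, providing strong support for building China into a cyber power.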

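Liu Xiaojun, Vice Mayor of Huizhou, said that Huizhou has long been committed to becoming the world’s mobile phone capital, integrating horizontally and upgrading vertically to drive the development of the smart terminal industry. Information security, network security and cloud security are indispensable. In recent years Huizhou has given priority support to information industries such as the Internet of Things and cloud computing, and the city of Huizhou highly recognizes the professionalism and authority of the China Cloud Security Alliance.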

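Academician Zhang Qin, former Deputy Secretary of the Party Leadership Group and Vice President of the China Association for Science and Technology, pointed out that in November of last year the state promulgated the Cybersecurity Law, which established important elements such as the national cyberspace security development strategy, set out the rules for cyberspace governance and international participation, and raised network security to the level of national security. The Ministry of Science and Technology and other national ministries have also issued corresponding policies to vigorously promote the development of cloud security and emerging technology security, and the Ministry of Science and Technology has for two consecutive years organized and implemented the “Cyberspace Security” key special project under the National Key R&D Program. Comrade Xi Jinping stated in his report to the 19th National Congress that innovation is the primary driving force for development. This China Cloud Security and Emerging Technology Security Innovation Forum shares emerging technologies such as the Internet of Things, cloud computing and big data together with outstanding application practices, and jointly discusses new security solutions in cloud computing and emerging technologies; it is of great practical significance for accelerating the conversion of scientific and technological achievements into productivity, implementing the innovation-driven development strategy, building a technological innovation system, and promoting social and economic development. At the meeting, special congratulations were offered on the formal establishment of the China Cloud Security Alliance and on the success of the conference.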

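Entrusted by Chairman Fang Binxing, who was in Beijing attending the academicians’ conference, Executive Vice Chairman Li Yuhang delivered the opening keynote speech, titled “CSA2.0”. He stressed that security has become the lifeblood of a cyber power, and that the security of emerging technologies such as big data, the Internet of Things and artificial intelligence is an extension of cloud security. The China Cloud Security Alliance will operate in a regulated manner with the recognition of the Chinese government, implement the national policy of cyber sovereignty, independence and controllability, give full play to the sense of ownership of its members, and connect closely with international organizations such as the international Cloud Security Alliance (CSA) to bring advanced security practices to China and complete their localization. CSA began volunteer work in China as early as 2010. In 2014, with the support of seven Chinese strategic partners from government, industry, academia and research, CSA Greater China was established in China and became semi-professional. The establishment of the China Cloud Security Alliance is the launch of the CSA2.0 era, marking CSA’s professionalization in China and its move into a new stage there.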

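The forum was chaired by Secretary-General Shen Yushi. Nine industry practitioners shared insights from their respective areas of expertise: Shao Guoan, Director of the Security Management Division of the State Information Center; Chen Jing, Professor at Wuhan University; Li Rui, Partner in Risk and Control Services at PwC; Liu Zhile, Vice President of Anheng Information; Sun Aobing, Director of the E-Government Division of the Cloud Computing Center of the Chinese Academy of Sciences; Wang Xiaozhen, Director of the Network Security Research Institute at Ping An Technology; Zhang Shaohua, General Manager of Chuangyuan Network Technology Co., Ltd.; Chen Lin, General Manager of Anxin Technology; and Li Yan, Director at Beijing Yi'an Online Technology Co., Ltd.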

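The China Industry-University-Research Institute Collaboration Association has already supported the establishment of more than a hundred alliances in various fields, including the China Cloud System Alliance and the China Cloud Security Alliance, and has received great care and support from Party and state leaders including Xi Jinping, Li Keqiang, Li Zhanshu, Wang Yang, Wang Huning, Zhao Leji, Han Zheng, Liu Yandong and Lu Yongxiang. The newly established China Cloud Security Alliance will, under the guidance of the Association, strive to become the management and operating body in China for the international Cloud Security Alliance and other international security organizations.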


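Photo shows: (From left) Shen Yushi, Secretary-General of C-CSA; Zou Pingsheng, Deputy Secretary-General of the Huizhou Municipal Government; Li Yuhang, Executive Vice Chairman of C-CSA; Wang Jianhua, Executive Secretary-General of the Association; Zhang Qin, former Vice President of the China Association for Science and Technology; Liu Xiaojun, Vice Mayor of Huizhou; Li Wei, Director of Cloud Security at the China Academy of Information and Communications Technology, Ministry of Industry and Information Technology; and Liu Zhile, C-CSA chapter president.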


Hong Kong SMEs Cloud Adoption, Security & Privacy Readiness Survey Results Announced

October 25, 2017 – HONG KONG – Internet Society Hong Kong and Cloud Security Alliance – Hong Kong and Macau Chapter jointly announced the third annual report on “Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey” today. This survey is sponsored by Microsoft Hong Kong.

In the survey, 95% of the SMEs have already established policies towards data security after the launch of the Personal Data (Privacy) Ordinance (the “Ordinance”), which is a leap of 40% as compared to that of two years ago. More than 50% of the SMEs believed that cloud security services provided by the Cloud Service Providers (“CSPs”) are reliable; meanwhile, 45% of the SMEs claimed their CSPs are lacking transparency while handling customers’ data and information. It is not clear if the data kept on cloud could be deleted or returned after terminating the service contract with the providers. In terms of data privacy standards, 70% of the SMEs are not familiar with cloud security standards, such as ISO/IEC 27017 and ISO/IEC 27018, which reflects that SMEs are not able to distinguish which CSPs follow the Ordinance or similar international legislation to protect their personal data.

The survey aims to understand Hong Kong SMEs’ readiness and application of cloud technologies. With the previous survey revealing that SMEs have already adopted cloud services to varying degrees, this year’s focus is on analyzing SMEs’ understanding of CSPs’ handling of data and personal information.

Recommendations were made for SMEs to choose their CSPs. The survey was conducted in March 2017; the Hong Kong Productivity Council was commissioned to carry out telephone interviews with SMEs in Hong Kong (corporate size < 100 employees) over the course of three weeks and to review data from the Census and Statistics Bureau. The Council successfully collected 103 survey responses. The research covered major industry sectors in Hong Kong. The survey questionnaire was developed based on the Cloud Security Alliance Cloud Control Matrix international standard with questions adapted to local conditions.

SMEs Have A Higher Level Of Security Readiness In Overall Data Management And Information Security Systems

The survey shows an increase in SMEs’ overall acknowledgment of data management and information security systems, particularly in physical security management, data privacy management, and incident management. Nearly 70% of the SMEs manage their IT systems with proper access rights and password control, representing a 15% increase when compared to that of 2015.

In addition, over 70% of the SMEs have a good understanding of or have implemented data encryption, and over 60% of the SMEs have established their data disposal policy, which is a big jump when compared to none in 2015. Moreover, over 70% of the SMEs have established an Incident Response Plan and Disaster Recovery Plan, with a distinctive growth of 39% and 25% respectively. On the contrary, there is little progress on SMEs’ system management, with only 30% of SMEs having implemented a security patch policy, a slight increase of 7.5%; meanwhile, a 4% decrease was recorded in SMEs’ installation of firewall devices to further improve security.

Mr. Sang YOUNG, Convener, Internet Security and Privacy Working Group, Internet Society Hong Kong, commented, “Comparing the data against that of the past 2 surveys, we are happy to witness more and more SMEs formulate their data privacy policy, hence demonstrate higher readiness to data security on cloud and are more prepared to handle incidents. However, we see an increasing dependence on third party service providers’ cloud security systems, while a vast amount of SMEs are poor in implementing their security patch policies. We believe the number of SMEs relying on third party service providers’ cloud security service will remain huge, therefore we suggest that SMEs choose cloud service providers based on their transparency, and companies should review their vendor’s security solutions to ensure they are updated from time to time.”

SMEs Could Not Determine Whether CSPs Are Up To International Standard

Compared with last year, the survey revealed that SMEs are showing more concern about personal data protection, with most of the companies (95%) claiming they follow the Ordinance from PCPD. However, SMEs are still lacking awareness of how CSPs process their data: nearly half of the companies (45%) use CSPs which are not transparent to their users about if and when their data would be deleted and returned, and one-fifth of them (20%) do not know if their CSPs will use their data for marketing purposes. In the meantime, 25% of the surveyed SMEs reflected that their CSPs do not follow the Ordinance, which raises a significant concern as CSPs are also data processors of the companies.

“SMEs should be clear on the CSP’s policies for data retention and deletion, including when the SMEs unsubscribe from the Cloud services in question. The survey revealed that up to 70% of SMEs are unclear on the international standard of cloud security & privacy. It is recommended that SMEs should look for CSPs which comply with international standards like ISO/IEC 27017 and ISO/IEC 27018 that provide guidelines to CSPs for the protection of Personally Identifiable Information,” commented Mr. Claudius LAM, Chairman of Cloud Security Alliance Hong Kong and Macau Chapter.

“As SMEs may not have the manpower and professional technology knowledge to deal with information security & privacy. With the use of reliable enterprise level CSP which is in line with international standard, not only can overcome the deficiency, SMEs can also enjoy an enterprise level data privacy protection which ensures compliance with all relevant regulations at an affordable price,” said Mr. Fred SHEU, National Technology Officer of Microsoft Hong Kong Limited. “Microsoft is dedicated to helping SMEs to leverage IT and enhance their competitiveness. The survey showed that more than 40% of Hong Kong SMEs will give priority to Microsoft Azure as their CSP. We will continue to invest and provide more flexible and comprehensive cloud services to help local enterprises protect their data and assets effectively.”

For the full report, click HERE


Photo shows: (From left) Claudius LAM, Chairman of Cloud Security Alliance Hong Kong & Macau Chapter, Sang YOUNG, Convener, Internet Security and Privacy Working Group, Internet Society Hong Kong, and Fred SHEU, National Technology Officer of Microsoft Hong Kong Limited, announce the results of the Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey.