Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/12

  vulnerabilities in a timely manner, information systems containing personal data would become easy targets of hacker attacks.

'''The Commissioner opines that organisations, large or small, should learn a lesson from HKIB's data breach, keep abreast of the latest update on information system security, and put in place patch management procedures to ensure timely deployment of security patches issued by software suppliers. The Commissioner appeals to organisations to comply with the data security requirements under the Ordinance by taking all the practicable steps to safeguard the personal data held by them, such as conducting regular scans on internet-facing servers to check for vulnerabilities, and paying attention to potential data security risks posed by vulnerabilities on information systems containing personal data so as to take appropriate remedial actions as early as possible.'''

Through this report, the Commissioner wishes to point out that a robust data security system is an essential element of good data governance. The Commissioner is mindful that as the steps required of a data user to protect personal data may vary from case to case, data users should consult their own data security experts and legal advisers on whether the relevant requirements under the Ordinance are met. Reference may also be made to the "Guidance Note on Data Security Measures for Information and Communications Technology" published by the PCPD, so as to understand the proposed ICT-related data security measures and good practices in enhancing data security systems.