Protection of Critical Infrastructures (Computer Systems) Ordinance Workshop

Comprehensive 2-Day Implementation Workshop Outline (8-16 hours)

2 Days

Physical Classes

Limited Seats Remain!

Nov 12, 2025

2PM HKT

EXECUTIVE SUMMARY

This workshop provides critical infrastructure operators in Hong Kong with a detailed roadmap for understanding and implementing compliance obligations under the Protection of Critical Infrastructures (Computer Systems) Ordinance, which comes into effect on January 1, 2026. The 2-day intensive format is designed to equip senior leadership, compliance officers, and technical teams with actionable knowledge to establish governance frameworks, security management systems, and incident response protocols.

DAY 1: FOUNDATIONAL UNDERSTANDING & STRATEGIC PLANNING

Theme: “Understanding Your Obligations and Building Your Governance Framework”

SESSION 1: Opening Keynote & Strategic Overview (08:00 – 09:30)

Duration: 90 minutes
Format: Keynote presentation + Q&A

Content:
1.1 Welcome & Workshop Objectives

Setting the tone for the 2-day intensive
Overview of what participants will achieve
Importance of leadership commitment to compliance
Key statistics on cybersecurity incidents in Hong Kong’s critical infrastructure

1.2 The Regulatory Landscape: Hong Kong’s CIO Ordinance

Background: Why Hong Kong enacted this legislation
Timeline: March 2025 passage, January 1, 2026 implementation
The establishment of the Office of the Commissioner of Critical Infrastructure (CCI)
Phased designation process for critical infrastructure operators
Enforcement mechanisms and penalties for non-compliance

1.3 Understanding the Scope: What is Critical Infrastructure?

Eight designated sectors:
- Energy
- Information Technology
- Banking and Financial Services
- Air Transport
- Land Transport
- Maritime Transport
- Healthcare Services
- Telecommunications and Broadcasting Services
Definition of critical computer systems (CCS)
Determination factors for CCS designation
Implications for your organization

1.4 Consequences of Non-Compliance

Summary conviction penalties: up to HK$3,000,000 + HK$60,000 per day for continuing offences
Indictment penalties: up to HK$5,000,000 + HK$100,000 per day
Regulatory direction and enforcement
Reputational and operational risks

Speaker Notes:

Emphasize that compliance is not optional but a statutory requirement
Highlight Hong Kong’s position as an international financial hub requiring robust critical infrastructure protection
Present real-world examples of cybersecurity incidents that could have been mitigated through proper governance

SESSION 2: The Three Categories of Obligations (09:45 – 11:15)

Duration: 90 minutes
Format: Structured presentation + Interactive discussion

Content:
2.1 Category 1 Obligations: Organizational Requirements

Maintaining an office in Hong Kong
- Definition: A location for receiving notices and conducting business operations
- Requirements for daily operations, management, and maintenance
Notification of operator changes
- Changes in daily operation, management, or maintenance
- Mergers, acquisitions, and organizational restructuring
- Timing and reporting procedures
Establishing a computer-system security management unit
- Organizational structure requirements
- Appointment of an employee supervising the unit
- Professional qualifications required (CISP, CISA, CISM, CISSP)
- Notification procedures to the regulating authority

2.2 Category 2 Obligations: Prevention and Risk Mitigation

Notification of material changes to critical computer systems
- Platform migrations
- Server virtualization
- Major version upgrades
- Application redesign
- System integration changes
- Cloud deployment changes
Submission and implementation of computer-system security management plans
Conducting regular computer-system security risk assessments
Arranging independent computer-system security audits

2.3 Category 3 Obligations: Incident Response

Participation in computer-system security drills (no more than once every 2 years)
Submission and implementation of emergency response plans
Notification of computer-system security incidents
- Serious incidents: within 12 hours
- Other incidents: within 48 hours
- Written reports: within 14 days

2.4 Designated Authorities

Commissioner of Critical Infrastructure Computer-system Security
Monetary Authority (Banking and Financial Services sector)
Communications Authority (Telecommunications and Broadcasting sector)
Relationships between regulating authorities and operators

Interactive Discussion Question:

Which category of obligations will be most challenging for your organization to implement? Why?

BREAK (11:15 – 11:30) (15 minutes)

SESSION 3: Building Your Computer-System Security Management Plan (11:30 – 13:00)

Duration: 90 minutes
Format: Workshop-style presentation with real-world templates

Content:
3.1 Requirements for the Management Plan

Board-level endorsement and senior management oversight
Biennial review requirement and material change triggers
Integration of multiple policies, standards, and guidelines
Alternative controls and comparable security measures

3.2 Core Components of an Effective Management Plan

3.2.1 Organizational Structure & Governance

Computer-system security management unit organization
Roles, responsibilities, and reporting lines
Clear accountability for security decisions
Documentation requirements

3.2.2 Policies, Standards, and Guidelines

Security policies aligned with business needs
Reference to national and international standards
Accessibility and communication mechanisms
Regular review and update processes

3.2.3 Risk Management Framework

Risk identification, assessment, mitigation, and monitoring approach
Reference to recognized methodologies:
- GBT 31722
- ISO/IEC 27005
- IEC 62443-3-2
- NIST 800-30
DPO’s Practice Guide for IT Security Risk Management

3.2.4 Security by Design

Principles integration throughout system lifecycle
Adoption in new systems and major upgrades
Legacy system considerations

3.2.5 Asset Management

Identification approach and selection criteria
Comprehensive inventory requirements:
- Hardware: name, manufacturer, model, firmware version
- Software: name, publisher, version
- Applications and valid warranties
- Service agreements and legal documentation
Regular review and automatic update mechanisms
Access restrictions on need-to-know basis

3.2.6 Access Control & Account Management

Prevention of unauthorized access
Least privilege principle enforcement
User approval, registration, and de-registration procedures
Password delivery and reset policies
Annual review of privileges and data access rights
Multi-factor authentication adoption
System use notification requirements

3.2.7 Privileged Access Management

Separate privileged access user-IDs
Just-in-time privilege elevation options
Least privilege for administrative accounts
Authorized device requirements for privileged access

3.2.8 Cryptography

Proper use of cryptographic protections
Key lifecycle management (generation, storage, distribution, retirement)
Separation of keys from encrypted information
Reference to national and international standards

3.2.9 Password Management

Minimum password length and complexity requirements
Maximum password lifetime
Maximum failed login attempts
Prohibition on password reuse
Default password changes before operation
Prompt changes for compromised passwords

3.2.10 Physical Security

Prevention of unauthorized physical access
Data center and computer room protection
Power and communication cable protection
Cable labeling and identification
Surveillance systems (CCTV, detectors, alarms, security guards)
Authorization lists for data center access
Visitor access monitoring and recording

3.2.11 Configuration Management & System Hardening

Prevention of unauthorized configuration
Baseline configuration development and maintenance
Least functionality and least privilege principles
Regular review processes

3.2.12 Change Management

Strict change control requirements
Change planning, impact assessment, authorization, testing
Non-production environment for development and testing
Change records and fall-back procedures
Communication to relevant stakeholders

3.2.13 Patch Management

Timely application of security patches
Risk-based patch management strategy
Vulnerability exposure assessment
Robust patch management lifecycle
Testing and risk evaluation before deployment

3.2.14 Remote Connection Security

Usage policies and procedures
Encryption of remote access sessions
Multi-factor authentication for remote access
Logging and monitoring of remote activities
Dedicated equipment requirements
Bring-your-own-device (BYOD) considerations

3.2.15 Storage Media Management

Authorization procedures for sensitive data disclosure
USB port disabling where operationally unnecessary
Malware scanning of portable devices
Encryption of sensitive data on storage media
Complete data destruction before disposal or reuse

3.2.16 Backup & Recovery

Regular backup intervals
Backup and recovery policies
Local and off-site backup maintenance
Backup media storage procedures
Immutable or physically disconnected copies
Regular restoration testing
Resilience to meet availability requirements

3.2.17 Network Security

Network security controls to prevent malicious traffic
Network intrusion detection/prevention systems
Network segmentation based on trust levels
Internet access controls (traffic filtering, routing, intrusion detection)
Wireless communication risk assessment and mitigation

3.2.18 Application Security

Security throughout development lifecycle
Authorized application software only
Secure coding principles
Structured testing before release
Source code protection
Test data controls

3.2.19 Log Management

Recording of security-relevant events
Logging policies for event retention (minimum 6 months)
Secured logs (non-deletable, read-only by authorized persons)
Comprehensive audit trail capabilities
Automated log analysis and exception identification
Internal clock synchronization for log correlation

3.2.20 Cloud Computing Security

Protection of cloud-based critical computer systems
Policies for cloud security risk identification and assessment
Shared responsibility definition with cloud service providers
Data isolation and protection throughout cloud lifecycle
External cloud services treated as supply chain risk

3.2.21 Supply Chain Management

Agreed security levels within supplier relationships
Processes for supply chain risk management
Diverse sourcing considerations
Geopolitical risk assessment
Security measures and service-level expectations documentation
Audit and compliance monitoring rights
Data deletion at service termination
Confidentiality and non-disclosure agreements

3.2.22 Monitoring & Detection

Continuous operation monitoring mechanism
Baseline behavior definition and deviation detection
Endpoint security solutions
- Personal firewalls
- Anti-malware software
- Endpoint Detection and Response (EDR)
Mobile code authorization and control
24×7 monitoring and rapid response procedures
Threat intelligence collection and analysis
Regular mechanism review

3.2.23 Computer-System Security Training

Structured, periodic training program
Program objectives aligned with security strategy
Target audience identification
Tailored training approaches (presentations, videos, interactive modules)
Effectiveness evaluation (quizzes, surveys, simulations)
Regular review and updates
External trainer engagement options

3.3 Special Considerations for Operational Technology (OT) Systems

Alternative measures for OT systems
Network/physical segregation
Cryptography adaptations
Password management flexibility
Change management in non-production environments
Endpoint protection considerations
Vulnerability assessment offline evaluation

Interactive Exercise:
“Management Plan Gap Assessment” – participants identify which components are already in place in their organizations and which require development.

LUNCH BREAK (13:00 – 14:00) (60 minutes)

SESSION 4: Computer-System Security Risk Assessment & Audits (14:00 – 15:30)

Duration: 90 minutes
Format: Technical presentation + Case study analysis

Content:

4.1 Mandatory Risk Assessment Requirements

Annual conduct requirement
Reference to recognized methodologies:
- GBT 22080, GBT 31722
- ISO/IEC 27001, ISO/IEC 27005
- IEC 62443-3-2
- NIST 800-30
- ISO/IEC 42001
DPO’s Practice Guide for IT Security Risk Management
DPO’s Practice Guide for Security Risk Assessment Audit

4.2 Scope of Risk Assessment

All applications, hosts, and network devices of critical computer systems
Documentation of identified risks with likelihood and severity
Risk tolerance levels determination
Required mitigation measures and monitoring

4.3 Vulnerability Assessment Component

Vulnerability scanning
Source code reviews
Configuration reviews
Qualified security professional supervision requirements
- CISP, CISA, CISM, CISSP certifications
- Appropriate professional experience
Identification of potential security loopholes

4.4 Penetration Testing Component

Simulated attacker perspective
Threat intelligence-based testing
Active exploitation of potential vulnerabilities
Test areas:
- Network security
- System software security
- Client-side application security
- Server-side application security
Qualified penetration tester requirements
- Recognized certifications (CESP, CISP-PTE, CREST, GIAC, Offensive Security, etc.)
- Appropriate professional qualifications and experience

4.5 Risk Assessment Report Components

Introduction (background information)
Executive summary
Assessment scope, objectives, methodology, timeframe, assumptions
Current environment/system description with network diagrams
Security requirements
Personnel involved in assessment
Summary of findings and recommendations
Risk analysis results (assets, threats, vulnerabilities, impact, likelihood)
Recommended safeguards with cost-benefit analysis
Conclusions
Annexes (completed reports, asset inventories, asset valuation)

4.6 Independent Computer-System Security Audit Requirements

Mandatory independent auditor engagement
Auditor qualifications:
- Suitable knowledge
- Relevant experience
- Appropriate certifications (CISP, CISA, CISM, CISSP)
Auditor objectivity and impartiality
No self-audit of own work
Reference to recognized audit methodologies:
- GBT 19011, GBT 28450
- ISO 19011, ISO/IEC 27007
- DPO’s Practice Guide for Security Risk Assessment Audit

4.7 Audit Scope and Objectives

Verification of management plan implementation
Assessment of security control effectiveness
Verification of code of practice compliance
Overall cybersecurity condition evaluation

Case Study Analysis:
“Real-World Risk Assessment: A Case Study from Banking Sector” – examining how a major financial institution identified and mitigated critical vulnerabilities through structured risk assessment and penetration testing.

SESSION 5: Emergency Response & Incident Notification Framework (15:45 – 17:15)

Duration: 90 minutes
Format: Interactive presentation + Role-play scenario

Content:

5.1 Emergency Response Plan Requirement

Board-level endorsement requirement
Biennial review and material change updates
Scope covering both incident management and business continuity

5.2 Incident Management Plan Components

Emergency response team structure
- Clear roles and responsibilities
- Contact details for non-working hour emergencies (minimum 2 contact points)
- Multiple communication channels
Incident reporting requirements per Schedule 6
Incident response thresholds
Incident communication plan
- Internal stakeholder communication
- External stakeholder communication
- Customer and public communication
- Communication timing and methods

5.3 Incident Response Playbooks

Incident containment procedures
- System/network isolation
- Compromised account remediation
- Malicious IP/domain blocking
Digital evidence handling
- Identification procedures
- Collection procedures
- Preservation procedures
- Forensic examination standards
Incident investigation procedures
Recovery and remediation procedures
Post-incident review and lessons learned

5.4 Business Continuity & Disaster Recovery

Business continuity management objectives
Business impact analysis
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objectives (RTO)
- Recovery Point Objectives (RPO)
- Minimum Service Levels (MSL)
Disaster recovery strategy and procedures
Regular testing of backup and telecommunication services
Alternative site recovery procedures
Primary site restoration plan

5.5 Computer-System Security Incident Definition

Legal requirement: “access or any other act performed without lawful authority”
Actual adverse effect requirement
Distinguished from:
- Pure technical failure
- Natural disaster
- Mass power outage
- Detected and timely removed threats
- Personal data leakage from human error

5.6 Serious vs. Non-Serious Incidents
Serious Incident criteria (must notify within 12 hours):

Downtime exceeds defined maximum tolerable downtime
Service performance drops below minimum service level
Triggers business continuity or disaster recovery procedures
Causes leakage of material customer data
Leaks sensitive digital data hampering CCS function
Causes material customer complaints or inquiries
Threat actors have threatened attack at specified time

Non-Serious Incident notification: within 48 hours

5.7 Incident Notification Procedures

Initial notification form (Annex E) submission
- Through designated telephone number
- Through secured channel to regulating authority
Written report (Annex F) submission within 14 days
Information required in forms:
- Incident nature and classification
- Brief description and initial attack vector
- Root cause analysis summary
- Response actions taken
- Current operational status
- Financial and customer impact
- Duration of disruption

5.8 Computer-System Security Drill Requirements

Conducted upon written Commissioner notification
No more than once every 2 years
Not involving production environment disruption
Possible formats:
- Tabletop exercise
- Functional exercise
- Simulated attack
Multi-sector and multi-agency participation possible
Participant requirements:
- Management personnel with emergency response roles
- Security management unit members
- Emergency response team
- Public relations/corporate communications
- Other personnel as required by scenarios

5.9 Activation Thresholds & Mobilization

Clear thresholds triggering emergency response plan activation
Notification procedures to senior management
Emergency response team mobilization protocols
Communication protocols with the Commissioner
Stakeholder communication activation

Role-Play Scenario:
Scenario: “Ransomware Attack on Banking System” – Participants work in teams to respond to a simulated ransomware incident, including containment, evidence preservation, stakeholder communication, and recovery procedures.

SESSION 6: Key Implementation Challenges & Q&A (17:15 – 18:00)

Duration: 45 minutes
Format: Panel discussion + Audience Q&A

Content:

6.1 Common Implementation Challenges

Legacy system security hardening
Operational technology (OT) system security adaptations
Supply chain risk management
Multi-sector dependencies and interconnections
Resource constraints and budget allocation
Talent acquisition for security expertise

6.2 Industry Perspectives

Energy sector considerations
Financial services sector considerations
Telecommunications sector considerations
Transportation sector considerations
Healthcare sector considerations

6.3 Regulator Expectations

Commissioner’s Office approach to enforcement
Designated authorities’ sectoral guidance
Compliance monitoring frequency
Remediation timeframes

6.4 Open Discussion & Questions

Participant concerns and challenges
Best practice sharing
Sector-specific guidance

Speaker Notes for Day 1 Closing:

Summarize the three categories of obligations
Emphasize that preparation must begin immediately despite January 2026 implementation date
Preview Day 2’s operational focus
Encourage networking and peer discussion during dinner

DAY 2: IMPLEMENTATION & OPERATIONAL EXCELLENCE

Theme: “From Compliance to Embedded Security Culture”

SESSION 7: Operationalizing Your Security Management Framework (08:00 – 09:30)

Duration: 90 minutes
Format: Practical workshop with template review

Content:

7.1 Project Management Approach to Compliance Implementation

Gap analysis process:
- Current state assessment of management plan components
- Target state definition per ordinance requirements
- Gap identification and prioritization
Implementation roadmap development
- Phase 1: Category 1 obligations (pre-designation)
- Phase 2: Category 2 obligations (first 12 months)
- Phase 3: Category 3 obligations (ongoing)
Resource allocation and accountability
Timeline establishment with milestones
Executive sponsorship and steering committee structure

7.2 Governance Structure Design

Board-level oversight mechanisms
Executive committee responsibilities
Computer-system security management unit roles
Emergency response team structure
Cross-functional collaboration mechanisms
Budget ownership and allocation

7.3 Policy Development & Documentation

Policy template review:
- Access control policies
- Patch management policies
- Change management policies
- Incident response policies
- Data protection policies
- Supplier management policies
Documentation best practices
Version control and approval procedures
Training and communication distribution
Regular review and update schedule

7.4 System Inventory & Asset Management

Hardware inventory requirements
- Name, manufacturer, model, firmware version
- Physical and logical location
- Owner/key personnel
Software inventory requirements
- Name, publisher, version
- License status
- Service agreements
Critical system mapping
- Dependencies and relationships
- System criticality determination
Automated inventory management tools
Regular accuracy verification processes

7.5 Risk Assessment Methodology Selection

NIST 800-30 approach overview
ISO/IEC 27005 methodology
GBT/IEC 62443 framework
Customization to organizational context
Frequency and trigger-based reassessment
Documentation and reporting templates

7.6 Vulnerability Management Program

Scanning tools and technologies
Source code review processes
Configuration baseline reviews
Scanning frequency determination
Remediation prioritization
Compensating control documentation
OT system assessment modifications

7.7 Access Control Implementation

User provisioning/deprovisioning workflows
Privileged access management (PAM) solutions
Multi-factor authentication (MFA) deployment
Password policy enforcement through technical controls
Least privilege principle operationalization
Regular access review and certification process

Practical Exercise:
“Build Your Implementation Timeline” – Participants develop a customized 18-month compliance implementation roadmap for their organization, identifying dependencies, resource requirements, and milestone targets.

BREAK (09:30 – 09:45) (15 minutes)

SESSION 8: Building a Resilient Incident Response & Business Continuity Program (09:45 – 11:45)

Duration: 120 minutes
Format: Workshop + simulation

Content:

8.1 Incident Response Program Components

Incident classification framework
- Severity levels
- Impact assessment criteria
- Escalation triggers
Detection and alerting
- SIEM implementation and tuning
- Intrusion detection/prevention systems
- Endpoint detection and response (EDR)
- Log analysis and alerting
- 24×7 monitoring requirements

8.2 Incident Response Team Roles

Incident commander/response coordinator
Technical investigation lead
Forensics specialist
Communications lead
Executive stakeholder liaison
Legal/compliance representative
Customer service representative

8.3 Incident Response Procedures

Detection and initial response
Evidence preservation and chain of custody
Containment strategies
Investigation procedures
Eradication steps
Recovery and system restoration
Post-incident activities
Lessons learned documentation

8.4 Business Continuity Planning

Business impact analysis (BIA) methodology
- Critical process identification
- Downtime tolerance determination
- Recovery priority sequencing
- Resource requirement assessment
Recovery strategy selection
- Hot standby sites
- Warm standby sites
- Cold standby sites
- Cloud-based recovery
- Manual processing alternatives
Recovery time objectives (RTO) definition
Recovery point objectives (RPO) definition
Maximum tolerable downtime (MTD) determination

8.5 Disaster Recovery Planning

Alternative site requirements
- Geographic distance considerations
- Infrastructure redundancy
- Failover automation
Backup strategy design
- Backup frequency
- Local backup storage
- Off-site backup location
- Backup media protection
- Immutable backup copies
Disaster recovery testing
- Frequency (minimum annually)
- Test scenarios
- Failover execution
- Data restoration verification
- Performance validation

8.6 Stakeholder Communication Plan

Internal communication
- Executive notification procedures
- Employee communication
- Board notification protocols
External communication
- Customer notification procedures
- Regulatory authority notification
- Media communication
- Third-party notification (suppliers, partners)
Communication templates and checklists
Spokesperson training
Message consistency across channels

8.7 Post-Incident Review Process

Incident documentation
Root cause analysis
Contributing factor identification
Governance and control gaps
Emergency response plan effectiveness evaluation
Personnel performance assessment
Recommendations for improvement
Action item tracking and closure

8.8 Drill & Exercise Program

Tabletop exercise design
- Scenario development
- Participant selection
- Facilitation approach
- Debrief and action items
Functional exercise planning
- Key systems testing
- Procedure validation
- Communication validation
- Recovery capability assessment
Full simulation exercise
- Realistic incident simulation
- All systems and personnel involvement
- No production environment impact
Annual exercise schedule
Lessons learned capture

Simulation Exercise:
“Incident Response Simulation: Data Breach Scenario” – A realistic scenario in which participants must:

Detect and classify the incident
Notify appropriate stakeholders (including regulating authority within required timeframe)
Preserve digital evidence
Contain the incident
Investigate root causes
Communicate with customers and media
Recover systems
Conduct post-incident review

Participants will have 60 minutes to execute their incident response plan, followed by a 30-minute debriefing discussing decision-making, communication effectiveness, and areas for improvement.

SESSION 9: Compliance Monitoring, Auditing & Continuous Improvement (12:00 – 13:30)

Duration: 90 minutes
Format: Practical guidance + metrics dashboard

Content:

9.1 Internal Compliance Monitoring Program

Compliance assessment procedures
Control effectiveness metrics
Self-assessment questionnaires
Management reviews
Audit schedule planning

9.2 Independent Audit Process Management

Auditor selection criteria
Audit scope and objectives definition
Audit protocol and procedures
Finding documentation and remediation
Audit report review and distribution
Remediation tracking

9.3 Regulatory Examination Readiness

Likely examination areas
- Management plan implementation
- Risk assessment and audit evidence
- Incident response plan testing
- Change management procedures
Documentation organization
Stakeholder coordination
Executive interview preparation
Data room setup

9.4 Key Performance Indicators (KPIs)

Security metrics dashboard examples
- Vulnerability detection and remediation time
- Patch management compliance
- Access control compliance
- Training completion rates
- Incident detection and response time
- Business continuity test results
Metric definition and baseline setting
Trend analysis
Board reporting

9.5 Continuous Improvement Process

Lessons learned capture
Management review meetings
Process improvement initiatives
Technology updates
Regulatory updates monitoring
Industry standard updates
Compensation controls evaluation
Plan updates and enhancements

9.6 Cyber Insurance Considerations

Insurance coverage assessment
Policy coverage alignment with ordinance requirements
Cyber insurance program design
Claims notification procedures
Coverage limitations and exclusions
Risk transfer strategy

9.7 Documenting Compliance

Record retention requirements (6 months minimum for logs)
Secure documentation storage
Document version control
Executive sign-offs and approvals
Cross-reference documentation to ordinance sections
Third-party evidence (audit reports, assessment results)

Dashboard Template Exercise:
Participants review and customize a compliance metrics dashboard for their sector, identifying key metrics, target performance levels, and reporting frequency.

LUNCH BREAK (13:30 – 14:30) (60 minutes)

SESSION 10: Sector-Specific Guidance & Case Studies (14:30 – 15:45)

Duration: 75 minutes
Format: Panel discussion with sector experts

Content:

10.1 Energy Sector

Critical infrastructure focus
SCADA/OT system security challenges
Cyber-physical attack scenarios
Resilience and continuity requirements
Case study: Utility company incident response

10.2 Banking & Financial Services

Payment system security requirements
Customer data protection
Monetary Authority expectations
Ransomware and extortion threats
Case study: Bank incident recovery

10.3 Telecommunications & Broadcasting

Network availability requirements
Customer service continuity
Communications Authority expectations
DDoS mitigation strategies
Case study: Telecom outage management

10.4 Healthcare Services

Patient safety and privacy
Medical device security
Emergency service continuity
Business continuity for life-critical systems
Case study: Hospital ransomware response

10.5 Transportation (Air, Land, Maritime)

Passenger safety considerations
Infrastructure control system security
Real-time operational requirements
Emergency response procedures
Case study: Airport system compromise

10.6 Information Technology Services

Cloud service provider responsibilities
Multi-tenant environment security
Supply chain implications
Audit and compliance visibility
Case study: Cloud provider incident

10.7 Cross-Sector Dependencies

Cascading failure scenarios
Inter-sector communication protocols
Multi-organization incident response
Shared infrastructure considerations

Speaker Notes:

Each sector discussion should include 2-3 specific, real-world examples
Highlight common vulnerabilities within sectors
Share best practices and lessons learned
Address sector-specific regulatory interactions

SESSION 11: Supplier, Third-Party & Cloud Risk Management (15:45 – 17:00)

Duration: 75 minutes
Format: Practical workshop + vendor assessment template

Content:

11.1 Supply Chain Risk Assessment

Vendor and supplier identification
Criticality assessment
Risk evaluation framework
Geopolitical risk assessment
Single-source dependency mitigation

11.2 Vendor Security Requirements

Contractual security obligations
Data protection requirements
Incident notification requirements
Audit and compliance rights
Liability and indemnification clauses
Data handling and deletion procedures
Subcontractor management requirements

11.3 Cloud Computing Security

Cloud service provider evaluation
- Security certifications
- Compliance with ordinance requirements
- Data isolation capabilities
- Encryption standards
- Incident response capabilities
Cloud service agreements
- Shared responsibility definition
- Service level agreements (SLAs)
- Audit rights
- Data location and residency
- Compliance certifications
- Exit and data retrieval procedures
Vulnerability assessment in cloud environments
Cloud-specific OT system considerations

11.4 Managed Security Service Providers (MSSPs)

MSSP evaluation criteria
Security operation center (SOC) requirements
Incident response coordination
Alert triage and escalation
Liability and liability insurance
Service performance metrics

11.5 External Service Provider Oversight

Due diligence processes
Continuous monitoring requirements
Audit and assessment procedures
Performance review process
Termination procedures
Data handling at termination

11.6 Confidentiality & Non-Disclosure Agreements

Critical data classification
NDA requirements
Breach notification procedures
Employee and contractor coverage
Duration and perpetual obligations

Practical Exercise:
“Vendor Risk Assessment Template” – Participants complete a vendor security risk assessment for a critical supplier, evaluating security posture and developing remediation plan.

Sample Vendor Assessment Criteria:

Financial stability
Security certifications (ISO 27001, SOC 2, etc.)
Incident history
Audit rights and frequency
Data handling procedures
Business continuity capabilities
Regulatory compliance
Insurance coverage

SESSION 12: Change Management, Training & Culture (17:00 – 18:15)

Duration: 75 minutes
Format: Presentation + group discussion

Content:

12.1 Organizational Change Management

Stakeholder analysis and engagement
Change communication strategy
Leadership alignment and commitment
Resistance management
Quick wins identification
Progress monitoring

12.2 Computer-System Security Training Program

Training program objectives
- Awareness and knowledge
- Behavioral change
- Role-specific competency
Target audiences
- Executive leadership
- IT and security staff
- System administrators
- End users
- Management
- Third-party personnel
Training content and delivery
- Presentations and workshops
- Online modules
- Hands-on exercises
- Simulations
- Scenario-based training
- Role-specific training
Training effectiveness evaluation
- Post-training assessments
- Knowledge testing
- Behavioral observation
- Incident analysis
- Feedback surveys
- Simulation exercise results

12.3 Security Awareness Program

Phishing awareness training
Social engineering defense
Data protection and confidentiality
Incident reporting procedures
Policy compliance reinforcement
Ongoing awareness communications

12.4 Building a Security Culture

Leadership commitment demonstration
Accountability structures
Recognition and incentives
Normalized security practices
Open incident reporting culture
Continuous learning environment
Peer support and mentoring

12.5 Communicating Compliance Benefits

Business case for compliance
- Risk mitigation
- Regulatory compliance
- Operational resilience
- Reputation protection
- Customer confidence
- Stakeholder trust
Compliance as business enabler, not just cost center
Strategic alignment with organizational goals

12.6 Managing Through Implementation

Timeline and milestone management
Resource allocation and management
Executive reporting and steering
Stakeholder communication
Progress monitoring and adjustment
Risk management during transition

Group Discussion Question:
“How will you build a security culture in your organization? What are your biggest challenges and opportunities?”

SESSION 13: Regulatory Interaction & Compliance Readiness (18:15 – 19:00)

Duration: 45 minutes
Format: Q&A with regulatory perspective

Content:

13.1 Designation Process

Phase-based approach to CIO designation
Information required for designation
Timing expectations
Appeal process for designation decisions

13.2 Regulating Authority Interactions

Commissioner’s Office structure and functions
Designated authority relationships
Sectoral code of practice considerations
Regulatory direction procedures
Non-compliance consequences
Exemption and appeal processes

13.3 Notification & Reporting Procedures

Specific forms and channels
Secured submission requirements
Timing requirements
Escalation procedures
Record keeping for submissions

13.4 Regulatory Inspection & Audit

Likely inspection triggers
Authorized officer authority
Information production requirements
Warrant procedures
Facility access requirements
Cooperation expectations

13.5 Enforcement Approach

Graduated enforcement
Written directions
Compliance monitoring
Continuing offence considerations
Mitigating and aggravating factors

13.6 Industry Engagement

Industry working groups
Best practice sharing
Regulatory guidance updates
Code of practice revisions
Stakeholder consultation opportunities

Open Q&A:

Participants can ask final questions about regulatory expectations and compliance
Address specific sector considerations
Discuss appeal and exemption procedures

SESSION 14: Closing & Action Planning (19:00 – 19:45)

Duration: 45 minutes
Format: Facilitated action planning + closing remarks

Content:

14.1 Compliance Roadmap Finalization

Participants finalize their organization’s compliance implementation roadmap
- Phase 1 (Organizational obligations) – By designation date
- Phase 2 (Risk management obligations) – Within 12 months of designation
- Phase 3 (Incident response obligations) – Ongoing after first year
Resource requirements
Budget allocation
Governance structure
Success metrics

14.2 90-Day Implementation Plan

Immediate priorities:
- Executive engagement and steering committee formation
- Current state assessment and gap analysis
- Consultant/resource engagement if needed
- Vendor/supplier assessment initiation
- Policy framework development commencement
Milestone identification
Accountability assignment
Regular review schedule

14.3 Commitment to Continuous Improvement

Post-workshop actions
Ongoing learning and development
Industry engagement
Peer networking
Regulatory updates monitoring
Annual compliance review

14.4 Key Takeaways
For Business Leaders:

The Protection of Critical Infrastructures Ordinance is a statutory requirement, not optional guidance
Board-level oversight and executive commitment are essential for successful implementation
Compliance is an investment in organizational resilience and business continuity
Early preparation provides competitive advantage and demonstrates governance maturity
Regulatory relationships should be built proactively before designation

For IT & Security Teams:

Comprehensive security management frameworks are more effective than point solutions
Risk-based prioritization drives resource efficiency
Continuous assessment and improvement are required, not one-time compliance projects
Talent development and security culture are as important as technology
Vendor and supply chain management are critical components of overall security posture

For Compliance & Risk Teams:

The three categories of obligations provide a structured implementation roadmap
Documentation and evidence retention are essential for demonstrating compliance
Regular auditing and assessment ensure ongoing effectiveness
Incident response readiness should be continuously tested and improved
Regulatory engagement and transparency build trust and facilitate compliance

14.5 Closing Remarks & Networking

Key success factors for implementation:
- Leadership commitment
- Adequate resource allocation
- Realistic timeline with flexibility for adjustment
- Regular progress monitoring
- Continuous stakeholder engagement
- Focus on risk-based prioritization
- Integration with existing governance frameworks
Industry and peer network opportunities
- Hong Kong Computer Society
- ISACA China Hong Kong Chapter
- Security associations
- Sector-specific forums
Ongoing learning resources
- DPO Practice Guides
- Regulatory guidance updates
- Industry conferences and seminars
- Certification programs (CISSP, CISM, etc.)

EXECUTIVE SUMMARY: WORKSHOP VALUE PROPOSITION

This 2-day intensive workshop equips your organization with the strategic framework, operational procedures, and practical tools necessary to achieve robust compliance with Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance. Participants will leave with:

Clear understanding of all three categories of obligations and their specific requirements
Customized implementation roadmap tailored to your organization’s risk profile and sector
Actionable templates and tools ready for immediate deployment
Peer network of critical infrastructure leaders across sectors
Regulatory intelligence directly from industry experts and regulators
Confidence in your organization’s readiness to achieve compliance

The workshop is designed for organizations that are serious about exceeding minimum compliance requirements and building a sustainable, resilient cybersecurity governance framework that protects critical infrastructure and ensures business continuity in Hong Kong’s increasingly complex threat environment.

Register Now to Join Our Events

Our Speaker

Meet the leadership and advisors driving innovation in compliance, governance, and security.

Alfons Futterer

Cybersecurity & Risk Strategist

Alfons Futterer is the Managing Director at NanoMatriX Technologies, leveraging over 25 years of experience in anti-counterfeit systems, document security, and track-and-trace technologies. He is also active in AI governance, digital transformation, infrastructure-level compliance and policy implementation, and compliance innovation.

Dale Johnstone

Cybersecurity Professional & Advisor

Dale Johnstone is a seasoned cybersecurity professional with over 30 years of expertise in governance, risk management, compliance, and international standards. He has served as CISO for major global enterprises in Australia and Hong Kong, where he led teams, educated stakeholders, and fostered strong security awareness across organizations.

Standards

Regulations

Products

Platform

Services