Integrated Registration Information System (IRIS) Online Services Security Statement
Internet security is not solely a technology issue, and common sense as well as normal practice in safeguarding personal and transaction data are of equal importance. Hackers need a "door" to get into an Internet system. Often, access through this "door" could be exposed to hackers due to simple carelessness in the physical distribution of sensitive documents and the handling of sensitive data (such as passwords or personal identification numbers). Hence, users must handle such sensitive documents and data with extreme care.
While the Internet is not an inherently secure environment for communication, Internet communication can be made safer by the application of appropriate technology, as we have done. We take security matters very seriously and treat all personally identifiable information obtained from users of our website as confidential. In addition to the firewalls and other sophisticated equipment implemented, we also adopt the following measures to protect our IRIS Online Services system, and the information and data contained in it, from accidental or malicious disruption or destruction.
- Support of Digital Certificates
- Implementation of Secured Online Payment
- Restricted Access to Private Personal Information
- IT SECURITY GLOSSARY
To protect information transferred over the Internet and to uniquely identify our service subscribers, the IRIS Online Services support the Public Key Infrastructure (PKI) implemented by trusted certification authorities. The PKI enables the authentication of both server and user identities via the issuance of digital certificates and the use of public key cryptography and digital signature.
We also employ 256-bit encryption to encode all communications of sensitive data. Encryption enables users to continuously send encoded information back and forth across the Internet with a high degree of security. Users would notice from the URL that the Hypertext Transfer Protocol Secure (HTTPS) would be used instead of HTTP to access the secured site of IRIS Online Services, and a padlock icon would appear at the bottom of the browser once a secured web session is established. By double-clicking on this padlock icon, users may view the details of the digital certificate for the IRIS web server and verify the server identity by examining the certification path and certificate status.
Online payments supported by the IRIS Online Services are protected through the Transport Layer Security (TLS) mechanism. Payment details are encrypted under this secure protocol and transmitted to the relevant banks via a secured payment gateway for payment approval and settlement.
Our IRIS Online Services website also supports various credit card payment authentication services to authenticate the cardholder's identity.
In terms of system access control, appropriate security measures are taken such that access to any private personal information submitted through the IRIS Online Services is restricted to only those authorized members of staff who have legitimate needs to have such access. Also, the use of such personal information is in accordance with the provisions in the Personal Data (Privacy) Ordinance.
IRIS ONLINE SERVICES SUBSCRIBERS ARE RESPONSIBLE FOR KEEPING THEIR ACCOUNT LOGIN PASSWORDS OR DIGITAL CERT. PASSWORDS CONFIDENTIAL. WE ENCOURAGE SUBSCRIBERS TO CHANGE PASSWORDS PERIODICALLY. IF A SUBSCRIBER SUSPECTS THAT HIS/HER ACCOUNT LOGIN PASSWORD HAS BEEN MALICIOUSLY TAMPERED WITH, PLEASE CONTACT THE LAND REGISTRY IMMEDIATELY. IF ANY BREACH IN THE SECURITY OF DIGITAL CERT. IS SUSPECTED INSTEAD, PLEASE CONTACT THE HONG KONG POST CERTIFICATION AUTHORITY / DIGI-SIGN CERTIFICATION AUTHORITY DIRECTLY. IN THE CASE WHERE A SUBSCRIBER ALLOWS AN UNAUTHORISED INDIVIDUAL TO GAIN ACCESS TO EITHER THE ACCOUNT LOGIN PASSWORD OR THE DIGITAL CERT. TOGETHER WITH ITS PASSWORD, THE LAND REGISTRY WILL NOT BE HELD RESPONSIBLE FOR ANY CONSEQUENCES RESULTING FROM THIS ACTION.
Authentication - A process or method to identify and to prove the identity of a user/party who attempts to send a message or access data. Message authentication refers to a process used to prove the integrity of specific information.
Certification Authority (CA) - A trusted authority or party that digitally signs certificates in order to validate the identity of a person or party.