Security Risk Assessment and Audit (SRAA) use case
Regarding the security of computer systems, the SWD has allocated funds to the third phase of the Social Welfare Development Fund to encourage organizations to conduct security risk assessment and audit (SRAA) for newly built systems. The agency may employ third-party independent consultants to complete the system construction. The system conducts security risk assessment and audit, and provides relevant reports and improvement suggestions. We just completed the Security Risk Assessment and Audit (SRAA) for the new financial system for an organization and downloaded the use case information.
A social service NGO with multiple office & service center locations in Hong Kong deployed a new financial management system in Q1 2019. To observe Hong Kong OGCIO requirements on Security Risk Assessment & Audit (SRAA) upon new system implementation, eFaith IT Security Services was engaged as the third-party assessor to perform an independent SRAA based on the Practice Guide for Security Risk Assessment & Audit (ISPG-SM01, version 1.1) released by OGCIO in November 2017.
- Time and resources are limited, so we need to set the focus areas & resources
- On the other hand, it is intended to mitigate and manage security risks as comprehensively as possible
Our Solutions & Deliverables
- Focused Scope - we tuned the SRAA to have a specific focus as the pre-production assessment for the new Financial Management System implementation, not as a replacement for regular IT / IT security control review.
- ZERO delay to the implementation - we delivered highly dedicated resources and finished the whole assessment within a short period of time, causing ZERO delay to the implementation schedule.
- Comprehensive remediation recommendation walk-thru - we organized a comprehensive remediation recommendation walk-thru session to assist our clients in understanding the findings & the recommended remediation.