Security Risk Assessment and Audit (SRAA) Case Study


On the security of computer systems, the Social Welfare Department (SWD) has, under the third phase of the Social Welfare Development Fund, provided funding to encourage organisations to carry out a Security Risk Assessment and Audit (SRAA) of newly built systems. An organisation may engage an independent third-party consultant to perform the SRAA once system construction is complete and to deliver the assessment report together with improvement recommendations. We have just completed the SRAA of an organisation's new financial system; the case study is available for download (click here to download).


Background

A social service NGO with multiple office and service centre locations in Hong Kong deployed a new financial management system in Q1 2019. To meet the Hong Kong OGCIO requirement for a Security Risk Assessment & Audit (SRAA) upon implementation of a new system, eFaith IT Security Services was engaged as the third-party assessor to perform an independent SRAA based on the Practice Guide for Security Risk Assessment & Audit (ISPG-SM01, version 1.1) released by OGCIO in November 2017.


Challenges

  1. Time and resources were limited, so the focus areas and resource allocation had to be set up front
  2. At the same time, the intention was to mitigate and manage security risks as comprehensively as possible


Our Solutions & Deliverables

  1. Focused scope - we tuned the SRAA to serve specifically as the pre-production assessment for the new Financial Management System implementation, not as a replacement for the regular IT / IT security control review.
  2. ZERO delay to the implementation - we delivered highly dedicated resources and finished the whole assessment within a short period of time, causing ZERO delay to the implementation schedule.
  3. Comprehensive remediation recommendation walk-through - we organised a comprehensive remediation recommendation walk-through session to help our client understand the findings and the recommended remediation.