Information Security Advisory Service

  1. Introduction
  2. Security Assessment Services

1. Introduction

To strengthen information security across the University, a University-wide security assessment service is conducted annually, and an independent consultancy is engaged to conduct the assessment for a number of selected academic and administrative departments. The objective of this risk assessment exercise is to assess the vulnerabilities of the target network and systems of the selected departments, give remedial recommendations on the information security weaknesses found, and suggest best practices for IT operations and data/information management in relation to information security.
The assessment will include the following key components:

i. Asset Identification – to identify and evaluate the assets of the target system, e.g. people, hardware, software, data and information.

ii. Threat and Vulnerability Identification – to identify the threats to and vulnerabilities of the target system by reviewing the history of attacks on the system and by technical scanning, respectively.

iii. Control Analysis – to collect and analyze the current controls.

iv. Likelihood Analysis – to analyze the probability of occurrence of identified threats and vulnerabilities.

v. Impact Analysis – to analyze the impact on the target system of the identified threats and vulnerabilities.

vi. Risk Determination – to determine the risk of the target system:

  • Risk (Target System) = Value x Impact x Likelihood

vii. Controls Recommendation – to recommend controls to treat the determined risk.

viii. Documentation – to document the controls.

Risk Management Components

2. Security Assessment Services

The scope of the security assessment services includes Technical Security Assessment and Security Management Control Review. The methodology and deliverables for each are described below:

Technical Security Assessment

  • Methodology: Use network security tools to identify the vulnerabilities, improper configurations and weaknesses in the departments’ computing environment
  • Deliverables: Give technical recommendations based on international security standards and good practices

Security Management Control Review

  • Methodology: Interview the departmental IT representatives to review and assess the current security controls in place to protect the information assets in selected departments
  • Deliverables: Suggest appropriate IT management control measures

After the assessment services, findings and recommendations will be presented to the selected departments.