JUCC Collaboration Project to Raise Campus-wide Information Security Standard
The Joint Universities Computer Centre (JUCC) is a consortium of the eight UGC-funded institutions including: The University of Hong Kong, The Chinese University of Hong Kong, The Hong Kong Polytechnic University, City University of Hong Kong, The Hong Kong University of Science and Technology, Hong Kong Baptist University, Lingnan University and The Hong Kong Institute of Education.
In order to effectively raise the information security standards among JUCC member institutions through close collaboration and resource sharing, Computer Centre is working closely with JUCC on an initiative supported by UGC to develop a range of common information security services that are specific to academic institutions.
A Request for Proposal (RFP) exercise was conducted and after a series of evaluation and presentations, KPMG was appointed as the service provider to carry out a two-year project for the provision of needed consultancy and service development in the 8 institutions. The project was kicked off in November 2009.
This joint universities project focuses on the development of specific information security services applicable to the member institutions and cover the following major areas:
Information Security Governance Structure Establishment
Information Security Training
Professional Information Security Support Services
The project schedule is depicted in the following diagram:
The project has begun by arranging a risk assessment on information security in all JUCC member institutions to identify the possible risks in each institution and to provide recommendations based on a systematic and proven methodology. A post-risk assessment will be arranged at the end of the project to assess the degree of improvement since project kick-off.
The approaches for the risk assessment are:
- Identification of critical information assets and associated risks - Based on ISO27001 framework, critical information assets will be identified alongside with the requirement on confidentiality, integrity and availability levels. KPMG will then analyze their associate risks based on a predefined risk rating scheme and present the results in an information asset risk matrix.
- Assessment on information security capability - Current information security posture will be accessed against the control objectives like Asset Management, Physical and Environment Security, Access Control and Information Security Incident Management etc.
- Identification of common risks - The assessment result of each JUCC institutions will be consolidated and analyzed to identify the common risks and the risks unique to the tertiary educational sector. Risk assessment reports will be produced.
More information on other project activities will be reported in the coming issues of IT Services News. Please stay tune.