To strengthen information security on a University scale, a University-wide security assessment service is conducted annually, and an independent consultancy is engaged to carry out the assessment for a number of selected academic and administrative departments. The objective of this Risk Assessment exercise is to assess the vulnerabilities of the target network and systems of the selected departments, give remedial recommendations for the information security weaknesses found, and suggest best practices for IT operations and data/information management in relation to information security.
The assessment will include the following key components:
i. Asset Identification – to identify and evaluate the assets of the target system, e.g. people, hardware, software, data and information, etc.
ii. Threat and Vulnerability Identification – to identify the threats and vulnerabilities of the target system by reviewing the system's attack history and by technical scanning, respectively.
iii. Control Analysis – to collect and analyze the controls currently in place.
iv. Likelihood Analysis – to analyze the probability of occurrence of the identified threats and vulnerabilities.
v. Impact Analysis – to analyze the impact on the target system if the identified threats and vulnerabilities are realized.
vi. Risk Determination – to determine the risk of the target system:
- Risk (Target System) = Value x Impact x Likelihood
vii. Controls Recommendation – to recommend controls to treat the determined risk.
viii. Document the controls.
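The eight steps above describe a qualitative risk-register workflow. The following worked example, added here and not part of the University's assessment service or the consultancy's tooling, walks a small constructed asset inventory through those steps and applies the page's formula Risk = Value x Impact x Likelihood. The 1–5 rating scales, the rule that each existing control lowers likelihood by one notch, the treatment thresholds, and every asset, threat and vulnerability in the sample data are assumptions made for illustration.

```python
"""Worked risk-determination example (added illustration, not the University's
own tooling). It follows the eight assessment steps for a constructed asset
inventory and applies the page's formula Risk = Value x Impact x Likelihood.
Scales, thresholds and all sample data below are assumptions."""
from dataclasses import dataclass, field

# Assumed ordinal scale (1 = lowest, 5 = highest) for value, impact, likelihood.
SCALE = range(1, 6)


@dataclass
class Asset:
    name: str
    kind: str   # people / hardware / software / data (step i)
    value: int  # step i: asset valuation, 1-5


@dataclass
class Finding:
    """One threat/vulnerability pair identified against an asset (step ii)."""
    asset: Asset
    threat: str
    vulnerability: str
    raw_likelihood: int  # step iv: likelihood before existing controls
    impact: int          # step v
    controls: list = field(default_factory=list)  # step iii: controls in place


def effective_likelihood(f: Finding) -> int:
    # Assumption: each existing control lowers likelihood by one notch, floor 1.
    return max(1, f.raw_likelihood - len(f.controls))


def risk_score(f: Finding) -> int:
    """Step vi: Risk = Value x Impact x Likelihood (the page's formula)."""
    for v in (f.asset.value, f.impact, f.raw_likelihood):
        if v not in SCALE:
            raise ValueError(f"rating {v} outside the assumed 1-5 scale")
    return f.asset.value * f.impact * effective_likelihood(f)


def treatment(score: int) -> str:
    # Step vii: assumed treatment bands over the 1..125 product range.
    if score >= 60:
        return "Mitigate now: recommend additional controls"
    if score >= 20:
        return "Plan mitigation: schedule control improvements"
    return "Accept: document and monitor"


def build_register(findings):
    """Steps vi-viii: score every finding, rank by risk, record controls
    and the recommended treatment so the result can be documented."""
    rows = []
    for f in findings:
        s = risk_score(f)
        rows.append({"asset": f.asset.name, "threat": f.threat,
                     "vulnerability": f.vulnerability, "risk": s,
                     "controls": list(f.controls), "treatment": treatment(s)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample inventory for a hypothetical department (not real data).
student_db = Asset("student records database", "data", 5)
lab_server = Asset("teaching lab server", "hardware", 3)
SAMPLE_FINDINGS = [
    Finding(student_db, "external intrusion", "unpatched database service",
            raw_likelihood=4, impact=5, controls=["network firewall"]),
    Finding(student_db, "insider misuse", "shared admin account",
            raw_likelihood=3, impact=4, controls=[]),
    Finding(lab_server, "malware", "no endpoint protection",
            raw_likelihood=3, impact=2,
            controls=["weekly backups", "network segmentation"]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['risk']:3d}  {row['asset']:28s} {row['threat']:20s}"
              f" -> {row['treatment']}")
```

Ranking the register rather than reading scores in isolation is what makes step vii actionable: the two findings against the high-value student records database land in the top band even though one of them already has a control, while the lab server finding, whose two existing controls pull its likelihood to the floor, is documented and monitored rather than treated.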
Risk Management Components
The scope of the security assessment services includes a Technical Security Assessment and a Security Management Control Review, as described below:
Technical Security Assessment
Security Management Control Review
After the assessment services are completed, the findings and recommendations will be presented to the selected departments.