Security Risk Assessment & Audit - OGCIO


Office of the Government Chief Information Officer

INFORMATION SECURITY
Practice Guide for Security Risk Assessment & Audit
[ISPG-SM01]
Version 1.1
November 2017

Office of the Government Chief Information Officer
The Government of the Hong Kong Special Administrative Region

The contents of this document remain the property of and may not be reproduced in whole or in part without the express permission of the Office of the Government Chief Information Officer.

COPYRIGHT NOTICE

© 2017 by the Government of the Hong Kong Special Administrative Region

Unless otherwise indicated, the copyright in the works contained in this publication is owned by the Government of the Hong Kong Special Administrative Region. You may generally copy and distribute these materials in any format or medium provided the following conditions are met:

(a) the particular item has not been specifically indicated to be excluded and is therefore not to be copied or distributed;
(b) the copying is not done for the purpose of creating copies for sale;
(c) the materials must be reproduced accurately and must not be used in a misleading context; and
(d) the copies shall be accompanied by the words "copied/distributed with the permission of the Government of the Hong Kong Special Administrative Region. All rights reserved."

If you wish to make copies for purposes other than that permitted above, you should seek permission by contacting the Office of the Government Chief Information Officer.

Amendment History

| Change Number | Revision Description | Pages Affected | Revision Number | Date |
|---|---|---|---|---|
| 1 | G51 Security Risk Assessment & Audit Guidelines version 5.0 was converted to Practice Guide for Security Risk Assessment & Audit. The Revision Report is available at the government intranet portal ITG. | | 1.0 | December 2016 |
| 2 | Added a new chapter on information security management, revised description on security risk assessment and security audit, and aligned references with other practice guides. | Whole document | 1.1 | November 2017 |

Practice Guide for Security Risk Assessment and Audit iii

Table of Contents

1. Introduction ... 1
1.1 Purpose ... 1
1.2 Normative References ... 1
1.3 Definitions and Conventions ... 2
1.4 Contact ... 2
2. Information Security Management ... 3
3. Introduction to Security Risk Assessment and Audit ... 5
3.1 Security Risk Assessment and Audit ... 5
3.2 Security Risk Assessment vs Security Audit ... 6
4. Security Risk Assessment ... 8
4.1 Benefits of Security Risk Assessment ... 8
4.2 Frequency and Type of Security Risk Assessment ... 9
4.3 Steps on Security Risk Assessment ... 10
4.4 Common Security Risk Assessment Tasks ... 32
4.5 Deliverables ... 33
5. Security Audit ... 34
5.1 Frequency and Timing of Audit ... 35
5.2 Auditing Tools ... 35
5.3 Auditing Steps ... 36
6. Service Pre-requisites & Common Activities ... 42
6.1 Assumptions and Limitations ... 42
6.2 Client Responsibilities ... 42
6.3 Service Pre-requisites ... 43
6.4 Responsibilities of Security Consultant / Auditors ... 43
6.5 Examples of Common Activities ... 44
7. Follow-Up of Security Risk Assessment & Audit ... 46
7.1 Importance of Follow-Up ... 46
7.2 Effective & Qualified Recommendations ... 47
7.3 Commitment ... 47
7.4 Monitoring and Follow-Up ... 48
Annex A: Sample List of Questions for Security Risk Assessment ... 51
Annex B: Sample Contents of Deliverables ... 54
Annex C: Different Audit Areas ... 56
Annex D: Sample Audit Checklist ... 63
Annex E: Sample List of Documented Information as Evidence of Compliance ... 69

1. Introduction

Information Technology (IT) security risk assessment and security audit are the major components of information security management. This document provides a reference model to facilitate alignment on the coverage, methodology, and deliverables of the services to be provided by independent security consultants or auditors. With this model, managerial users, IT managers, system administrators and other technical and operational staff can gain a better understanding of security risk assessment and audit. They should be able to understand what preparations are required, which areas should be noted, and what results would be obtained. It is not the intention of this document to focus on how to conduct a security risk assessment or audit.

1.1 Purpose

This document shows a general framework for IT security risk assessment and security audit. It should be used in conjunction with other security documents such as the Baseline IT Security Policy [S17], IT Security Guidelines [G3] and relevant procedures, where applicable.

This practice guide is intended for all staff who are involved in a security risk assessment or security audit, as well as for the security consultants or auditors who perform the security risk assessment or security audit for the Government.

1.2 Normative References

The following referenced documents are indispensable for the application of this document.

- Baseline IT Security Policy [S17], the Government of the Hong Kong Special Administrative Region
- IT Security Guidelines [G3], the Government of the Hong Kong Special Administrative Region
- Information technology - Security techniques - Information security management systems - Overview and vocabulary (fourth edition), ISO/IEC 27000:2016
- Information technology - Security techniques - Information security management systems - Requirements (second edition), ISO/IEC 27001:2013
- Information technology - Security techniques - Code of practice for information security controls (second edition), ISO/IEC 27002:2013
- Information technology - Security techniques - Information security risk management (second edition), ISO/IEC 27005:2011

1.3 Definitions and Conventions

For the purposes of this document, the definitions and conventions given in S17, G3, and the following shall apply.

Abbreviations and Terms

- Security Risk Assessment: a process to identify, analyse and evaluate the security risks, and determine the mitigation measures to reduce the risks to an acceptable level.
- Security Audit: an audit on the level of compliance with the security policy or standards, used as a basis to determine the overall state of the existing protection and to verify whether the existing protection has been performed properly.

1.4 Contact

This document is produced and maintained by the Office of the Government Chief Information Officer (OGCIO). For comments or suggestions, please send to:

Email: it_security@ogcio.gov.hk
Lotus Notes mail: IT Security Team/OGCIO/HKSARG@OGCIO

2. Information Security Management

Information security is about the planning, implementation and continuous enhancement of security controls and measures to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission, and their associated information systems. Information security management is a set of principles relating to the functions of planning, organising, directing and controlling, and the application of these principles in harnessing physical, financial, human and informational resources efficiently and effectively to assure the safety of information assets and information systems.

Information security management involves a series of activities that require continuous monitoring and control. These activities include, but are not limited to, the following functional areas:

- Security Management Framework and the Organisation;
- Governance, Risk Management, and Compliance;
- Security Operations;
- Security Event and Incident Management;
- Awareness Training and Capability Building; and
- Situational Awareness and Information Sharing.

Security Management Framework and Organisation

B/Ds shall establish and enforce departmental information security policies, standards, guidelines and procedures in accordance with the business needs and the government security requirements.

B/Ds shall also define the organisation structure on information security and provide clear definitions and proper assignment of security accountability and responsibility to involved parties.

Governance, Risk Management and Compliance

B/Ds shall adopt a risk-based approach to identify, prioritise and address the security risks of information systems in a consistent and effective manner.

B/Ds shall perform security risk assessments for information systems and production applications periodically and when necessary, so as to identify risks and consequences associated with vulnerabilities, and to provide a basis to establish a cost-effective security program and implement appropriate security protection and safeguards.

B/Ds shall also perform security audits on information systems regularly to ensure that current security measures comply with departmental information security policies, standards, and other contractual or legal requirements.

Security Operations

To protect information assets and information systems, B/Ds should implement comprehensive security measures based on their business needs, covering the different technological areas in their business, and adopt the principle of "Prevent, Detect, Respond and Recover" in their daily operations.

- Preventive measures avoid or deter the occurrence of an undesirable event;
- Detective measures identify the occurrence of an undesirable event;
- Response measures refer to coordinated actions to contain damage when an undesirable event or incident occurs; and
- Recovery measures are for restoring the confidentiality, integrity and availability of information systems to their expected state.

Security Event and Incident Management

In reality, security incidents might still occur due to unforeseeable, disruptive events. In cases where security events compromise business continuity or give rise to a risk to data security, B/Ds shall activate their standing incident management plan to identify, manage, record, and analyse security threats, attacks, or incidents in real time. B/Ds should also prepare to communicate appropriately with relevant parties by sharing information on the response to security risks, to subdue distrust or unnecessary speculation. When developing an incident management plan, B/Ds should plan and prepare the right resources as well as develop the procedures to address necessary follow-up investigations.

Awareness Training and Capability Building

As information security is everyone's business, B/Ds should continuously promote information security awareness throughout their organisations and arrange training and education to ensure that all related parties understand the risks, observe the security regulations and requirements, and conform to security best practices.

Situational Awareness and Information Sharing

As the cyber threat landscape is constantly changing, B/Ds should also constantly attend to current vulnerability information, threat alerts, and important notices disseminated by the security industry and GovCERT.HK. Security alerts on impending and actual threats should be disseminated to and shared with the responsible colleagues within B/Ds so that timely mitigation measures can be taken.

B/Ds could make use of the cyber risk information sharing platform to receive and share information regarding security issues, vulnerabilities, and cyber threat intelligence.

3. Introduction to Security Risk Assessment and Audit

3.1 Security Risk Assessment and Audit

Security risk assessment and audit is an ongoing process of information security practices for discovering and correcting security issues. It involves a series of activities as shown in Figure 3.1. These can be described as a cycle of iterative processes that require ongoing monitoring and control. Each process consists of different activities, some of which are highlighted below as examples.

[Figure 3.1 An Iterative Process of Security Risk Assessment and Audit. The cycle has four stages: Assessing Security Risks (Identify Threats, Vulnerabilities & Impacts); Implementing & Maintaining a Secure Framework (Define Policies, Assign Security Responsibilities & Apply Safeguards); Recording (Incident Monitoring & Audit Trails); Periodic Review & Security Audit (Reviewing & Maintaining Security Risks).]

Assessing security risk is the initial step to evaluate and identify risks and consequences associated with vulnerabilities, and to provide a basis for management to establish a cost-effective security program.

Based on the assessment results, appropriate security protection and safeguards should be implemented to maintain a secure protection framework. This includes developing new security requirements, revising existing security policies and guidelines, assigning security responsibilities and implementing technical security protections.

With the implementation of a secure framework, there is also the need for constant monitoring and recording so that proper arrangements can be made for tackling a security incident. In addition, day-to-day operations such as users' access attempts and their activities while using a resource or information need to be properly monitored, audited, and logged.

This step is then followed by cyclic compliance reviews and re-assessments to provide assurance that security controls are properly put in place to meet users' security requirements, and to cope with rapid technological and environmental changes. This model relies on continuous feedback and monitoring. The review can be done by conducting periodic security audits to identify what enhancements are necessary.

3.2 Security Risk Assessment vs Security Audit

Both the security risk assessment and the security audit are on-going processes, but they differ in both nature and function.

Security risk assessment is the process to identify, analyse and evaluate the security risks, and determine the mitigation measures to reduce the risks to an acceptable level. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. It helps identify risks and consequences associated with vulnerabilities, and provides a basis to establish a cost-effective security program and implement appropriate security protection and safeguards.

For a new information system, the security risk assessment is typically conducted at the beginning of the system development life cycle. For an existing system, the assessments shall be conducted on a regular basis throughout the system development life cycle or when major changes are made to the IT environment.

An information security audit is an audit on the level of compliance with the security policy and standards, used as a basis to determine the overall state of the existing protection and to verify whether the existing protection has been performed properly. The security audit is an on-going process to ensure that current security measures comply with departmental IT security policies, standards, and other contractual or legal requirements.

While there are similarities in certain functions, the key differences between security risk assessment and security audit are highlighted below.

| Security Risk Assessment | Security Audit |
|---|---|
| The identification of threats and vulnerabilities, evaluation of the levels of risk involved, and determination of an acceptable level of risk and corresponding risk mitigation strategies | The processes to ascertain the effective implementation of security measures against the departmental IT security policies, standards, and other contractual or legal requirements |
| Focus on the risk perspective; assessment areas are not necessarily related to security policies and standards | Focus on the compliance perspective; assess against security policies, standards or other pre-defined criteria |
| For new information systems, conducted early in the system development life cycle and before the system is put into production. For existing information systems, conducted at least once every two years or when major changes are made | Periodic review, on-going process |
| Can be a self-assessment or completed by an independent third party | Must be completed by an independent third party |
| Key deliverable: risk register and risk mitigation measures | Key deliverable: compliance checklist |

The details of the processes for conducting security risk assessment and security audit are described in Sections 4 and 5 respectively.

4. Security Risk Assessment

Security risk assessment is the process to identify, analyse and evaluate the security risks, and determine the mitigation measures to reduce the risks to an acceptable level. The assessment process of a system includes the identification and analysis of:

- all assets of, and processes related to, the system
- threats that could affect the confidentiality, integrity or availability of the system
- system vul
