Thursday, 20 December 2007

Study tender of OGCIOCITA

Scope of Study
  1. Study security of physical environment of all computer equipment.
  2. Assess security of in-house IT resources.
  3. Review the organisation structure and recommend a suitable management framework to oversee IT-related security policy.
  4. Assess security requirement of all staff.
  5. The security risk assessment and audit shall cover, but not be limited to, physical security, access control security, data security, system security, application security, and network and communication security.

Service Requirement for IT security risk assessment
  1. Cover all computer systems
  2. Conduct site visits and perform multi-level interviews, group discussions, surveys, equipment checks, etc. to gather all relevant information
  3. Perform general control review to identify any inadequacies in general controls:
    1. Physical control
    2. Security incident response and handling
    3. Change management control
    4. Access control
    5. Security awareness
    6. Staff roles and responsibilities
    7. Security policy, standards, guidelines and procedure
  4. Perform vulnerability tests
    1. Network level probing/scanning and discovery
    2. Host vulnerability
    3. Denial of service
  5. Perform risk analysis on:
    1. Physical security
    2. Access control security
    3. Data security
    4. System security
    5. Application security
    6. Network and communication security
  6. Determine the value of assets and their associated risk through
    1. Asset identification and valuation
    2. Threat analysis
    3. Vulnerability analysis
    4. Asset/threat/vulnerability mapping
    5. Impact and likelihood assessment
    6. Risk results analysis

Service Requirement for IT security policy, guidelines and procedure
  1. Review existing IT security guidelines
  2. Identify the various security stakeholders
  3. Perform multi-level interviews
  4. Identify, determine and document security requirement
  5. Prepare IT security policy

Professional Staff Requirement
  1. Project Manager
  2. IT Security Specialist
  3. Security Consultant
  4. Security Engineer
  5. Technical Writer

Project Schedule

The project starts in January 2008 and has to be completed in 16 weeks.
  1. Project Team Formation (wk1)
  2. Project Initiation
    1. Prepare detailed project plan (wk1)
    2. Formation of project organization (wk2)
    3. Project initiation meeting (wk2)
  3. Security Risk Assessment & Audit Services
    1. Perform security risk assessment (wk5)
    2. Compile security risk assessment report (wk6)
    3. Conduct presentation to report the findings of security risk assessment (wk7)
    4. Review security status after implementation of safeguards (wk2 after implementation)
    5. Compile security audit report (wk3 after implementation)
    6. Conduct presentation to report the finding (wk4 after implementation)
  4. Security Management Design & Implementation Service
    1. Set up IT security policy task force (wk3)
    2. Perform interview, group discussions, survey, site visit etc (wk7)
    3. Compile security requirement report (wk8)
    4. Conduct presentation (wk9)
    5. Compile IT security policy (wk11)
    6. Conduct presentation (wk12)
    7. Endorsement of IT security policy (wk14)
    8. Prepare and submit training material (wk15)
    9. Conduct IT security awareness training (wk16)
    10. Conduct course evaluation (wk16)

Deliverables
  1. Detailed Project Plan
  2. Security Risk Assessment Report
  3. Security Audit Report
  4. Security Requirement Report
  5. IT Security Policy
  6. Training Material
  7. IT Security Awareness and Policy training
  8. Course Evaluation Report
