Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
on
Security Audit Services
Version 1.0
Date: 16 December 2011
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
Sheung Wan, Hong Kong.
Tel.: +852 2319 1313 Fax: +852 2319 2626
Email: enquiry@hkirc.hk
Website: www.hkirc.hk
IMPORTANT NOTICE
This communication contains information which is confidential and may also be
privileged. It is for the exclusive use of the intended recipient(s). If you are not the
intended recipient(s), please note that any distribution, copying or use of this
communication or the information in it is strictly prohibited. If you have received this
communication in error, please notify the sender immediately and then destroy any
copies of it.
Table of Contents
1.
2.
3.
4.
Summary ................................................................................................................5
Definitions..............................................................................................................6
About HKIRC ........................................................................................................7
The Required Services ...........................................................................................8
4.1.
Scope of Service ............................................................................................8
4.1.1
System architecture design review.........................................................8
4.1.2
External network/firewall vulnerability assessment ..............................8
4.1.3
External penetration test to web applications ........................................8
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11
4.1.12
4.1.13
4.1.14
4.1.15
Project management.............................................................................10
4.2.
Service Acceptance ......................................................................................10
4.3.
Service Location .......................................................................................... 11
5. Information Security ............................................................................................ 11
6.
7.
8.
9.
10.
Schedule...............................................................................................................12
Payment Schedule................................................................................................13
Elements of a Strong Proposal .............................................................................13
Service Agreement Negotiation and Signature ....................................................13
HKIRC Contacts ..............................................................................................14
1. Summary
HKIRC is looking for an auditing firm or auditing professional(s) (the Contractor)
to provide the security audit services.
HKIRC has been enhancing information security following the ISO27001:2005 and
ISO27002:2005 standards. In December 2007, HKIRC have realized an ISMS
framework and have planned or implemented security controls and measures in
operation.
The Contractor selected by HKIRC will conduct an audit on the secured systems and
network architectures as well as the effectiveness of various implemented controls by
the end of April 2012.
The Contractor shall conduct their audits independently with no influence on the
auditing process by staff and directors. This arrangement will ensure high credibility
of the security audit reports. The Contractor shall identify any design and operational
gaps and provide feasible solutions with reference to established common good
industry practice.
The scope of service is detailed in section 4 of this document.
Parties interested in providing this service shall submit Expression of Interest (EOI)
by 20 January 2012. For those who have submitted EOI, they should submit
proposal (see Appendix B) to the Group no later than 5:30pm on 17 February
2012.
The Contractor should submit Expression of Interest by email to HKIRC contacts
(refer to Appendix B - HKIRC Proposal Requirements, electronic copy). The
Contractor must provide their information as required in the proposal cover page
(Appendix B, 1.3 Cover Page).
2. Definitions
The following terms are defined as in this section unless otherwise specified.
Audit Committee means the committee established by the HKIRCs board of
directors focusing on auditing matters. The committee members are drawn from
members of the board of directors. The responsibilities of the committee are to 1)
serve as a focal point for communication between other directors, the external auditors
and the internal auditors as regards their duties relating to financial and other
reporting, internal controls, external and internal audits for systems and operational
processes and such other financial and accounting, systems and operational matters as
the Board determines from time to time. 2) assist the Board in fulfilling its
responsibilities by providing an independent review and supervision of financial
reporting, systems and operational processes by satisfying themselves as to the
effectiveness of the internal controls of the Company and its subsidiaries. Refer to
https://www.hkirc.hk/pdf/TORAuditCommittee2007.pdf for details.
The Contractor means the company providing the Services.
HKIRC means Hong Kong Internet Registration Corporation Limited.
HKDNR means Hong Kong Domain Name Registration Company Limited, a
wholly-owned subsidiary of HKIRC, the company requesting the proposal for the
Services.
ISMS means Information Security Management System. It consists of an
information security organization and a set of policies, guidelines and procedures
concerned with information security management.
The Services means the Security Audit services with requirements stipulated in
Section 4 of this document.
RFP means this Request for Proposal
3. About HKIRC
Hong Kong Internet Registration Corporation Limited (HKIRC) is a
non-profit-distributing and non-statutory corporation responsible for the
administration of Internet domain names under '.hk' and . country-code top
level domains. HKIRC provides registration services through its registrars and its
wholly-owned subsidiary, Hong Kong Domain Name Registration Company Limited
(HKDNR), for domain names ending with '.com.hk', '.org.hk', '.gov.hk', '.edu.hk',
'.net.hk', '.idv.hk', '..', '..', '..', '..', '..', '.
.'. '.hk' and ..
HKIRC endeavours to be:
Cost-conscious but not profit-orientated
Customer-orientated
Non-discriminatory
Scope of Service
The following defines the scope of security audit service to be provided by the
Contractor
The vendor can add or counter propose any tasks that they deem as necessary for
completeness and effectiveness.
Details of the system and network infrastructure, and their locations, will be provided
to vendors who have submitted expression of interest and have signed both the NDA
and the Information Security Compliance Statement (refer to section 5).
4.1.1
a.
Review the network and system architecture from a security, integrity and
availability perspective. The review aims to find out if the architecture is capable
of meeting HKIRCs business objectives considering the infrastructure as a
whole.
4.1.2
a.
4.1.5
a.
4.1.4
a.
4.1.3
a.
Review the security settings of applications. The review aims to uncover the
security control weaknesses of the major applications.
4.1.6
a.
Review the security settings of database servers. The review aims to identify any
8
4.1.7
a.
Check and identify any vulnerability in the operating systems. The check aims to
identify any vulnerability that can be exploited with access to the server being
tested.
4.1.8
a.
Check and identify any vulnerability in the operating systems. The check aims to
identify any vulnerability that can be exploited through other machines within
the local network and not externally reachable.
4.1.9
a.
4.1.10 Deliverables
a.
b.
For each of the items above, HKIRC expect detailed reports detailing the
findings as well as the resolutions, including the corrective, preventive and
detective measures
A briefing session to the management which summarize the findings as well as
the resolutions.
The Contractor is required to disclose the actual tools to be used to conduct the
audits.
b.
The vendor must provide the tables of contents of the deliverables in the
proposal.
The vendor may propose addition deliverables if considered appropriate.
The Contractor shall follow HKDNR Information Security Policy and Guidelines
set out by HKDNR on personal and co-operation data security.
Contractors Information Security Policy is subject to HKIRC review if needed.
d.
e.
3.
4.
5.
6.
Cost
Quality
HR
Communications
7.
8.
9.
10.
Risk
Procurement
Integration and Change Control
Information Security
11. Exception
In particular, for communications, the Contractor shall provide regular project
status report and meeting (monthly) to the management.
The Contractor shall provide one (1) briefing session to the Audit Committee.
The session aims to explain the security audit findings and resolutions.
4.2.
Service Acceptance
The overall service acceptance can be broken down into acceptances at various
levels:1.
2.
3.
Under this acceptance framework, the vendor should fulfill the scope of services
described in section 4.1. Interested vendors may provide additional acceptance criteria
10
4.3.
Service Location
The Services shall be provided in Hong Kong. The deliverables shall be delivered to
the HKIRCs office.
5. Information Security
The company submitting the proposal (the company) shall acknowledge and agree
that, if the company is selected as the Contractor, it shall be bounded by our
Non-Disclosure Agreement (NDA) and Information Security Policy (highlights of the
policies are illustrated in Appendix A). The company shall also comply with the
obligations under the Personal Data (Privacy) Ordinance and any other obligations in
relation to personal data.
The company shall be provided with a set of NDA and Information Security
Compliance Statement after HKIRC received the companys Expression-of-Interest
before the stipulated time. The NDA and the Information Security Compliance
Statement shall be signed and returned to HKIRC attached with documents required
by the Compliance Statement before the scheduled deadline. HKIRC will only
consider proposals from companies which have signed both the NDA and the
Information Security Compliance Statement.
The proposal should be marked RESTRICTED at the centre-top of each page in
black color. It must be encrypted if transmitted electronically.
Each proposal will be reviewed under the terms of non-disclosure by the HKIRCs
staff and Board of Directors of HKIRC.
11
6. Schedule
Project schedule
Tasks
To be Completed
Remark
by
1 Publish RFP
9/1/2012
2 Expression of interest
20/1/2012
3/2/2012
interested vendors
4
17/2/2012, 5:30pm
2/3/2012
9/3/2012
16/3/2012
23/3/2012
30/4/2012
12
7. Payment Schedule
Interested vendors shall provide the breakdown of the cost, in Hong Kong Dollars, of
the whole service specified in the proposal.
The Contractors should make certain that prices quote are accurate before submitting
their proposal. Under no circumstances will the HKIRC accept any request for
adjustment on the grounds that a mistake has been made in the proposed prices.
The following payment schedule is recommended but interested vendors may propose
their own in their proposals.
Milestone/Acceptance of Security Audit
Payment %
30%
Acceptance of deliverables
60%
10%
TOTAL
100%
13
Contacts
Hong Kong Internet Registration
Corporation Limited
IT Project Manager
Unit 2002-2005,
+852 23193819
ben.choy@hkirc.hk
Ben Choy
IT Manager
Hong Kong
Ben Lee
+852 23193811
ben.lee@hkirc.hk
CEO
Jonathan Shea
+852 23193821
jonathan.shea@hkirc.hk
14
and third party users shall be carried out in accordance with relevant laws, regulations
and ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks.
8.1.3 As part of their contractual obligations, employees, contractors and third party
users shall agree and sign the terms and conditions of their employment contract,
which shall state their and the organizations responsibilities for information security.
8.2 During employment
Security objective: To ensure that all employees, contractors and third party users are
aware of information security threats and concerns, their responsibilities and liabilities,
and are equipped to support organizational security policy in the course of their
normal work, and to reduce the risk of human error.
8.2.1 Management shall require employees, contractors and third party users to apply
security measures in accordance with established policies and procedures of the
organization.
8.2.2 All employees of the organization and, where relevant, contractors and third
party users shall receive appropriate awareness training and regular updates on
organizational policies and procedures, as relevant to their job functions.
8.3 Termination or change of employment
Security objective: To ensure that employees, contractors and third party users exit an
organization or change employment in an orderly manner.
8.3.2 All employees, contractors and third party users shall return all of the
organizations assets in their possession upon termination of their employment,
contract or agreement.
8.3.3 The access rights of all employees, contractors and third party users to
information and information processing facilities shall either be removed upon
termination of their employment, contract or agreement, or adjusted upon change.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced software development shall be supervised and monitored by the
organization
16
third party users shall be conducted in accordance with relevant laws, regulations and
ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks.
8.1.3 Terms and Conditions of Employment
As part of their contractual obligation, employees, contractors and third party users
shall agree and sign the terms and conditions of their employment contract, which
shall state their and the organizations responsibilities for information security.
8.2.1 Management Responsibilities
Management shall require employees, contractors and third party users to apply
security measures in accordance with established policies and procedures of the
organization.
12. Information systems acquisition, development and maintenance
12.5.5 Outsourced Software Development
Outsourced software development shall be supervised and monitored by the
organization.
18
Delivery address
Hard copies
Electronic copy
Proposal format
Page count
30 pages or fewer.
Font
Stapled.
Do not bind.
font.
Successful vendor is the one who submitted a clearly worded proposal that
demonstrates the following attributes:
a persuasive section on the company background
international recognize certification for security audit
a strong and flexible service and tools meeting HKIRC requirements with
minimum customization
19
20
Name:
Title:
Mailing
address:
Phone:
Fax:
Email:
Company
Contact person:
Title:
Company
name:
Mailing
address:
Phone:
Fax:
Email:
Website:
1.7 Methodology
The vendor must describe the methods to be used, and briefly explains its advantage
and disadvantage. Track records are preferred.
and in emergency.
Equipment that is permanently placed or purchased for HKIRC to complete
the project or service, if any.
Subsequent support, maintenance or consultation service.
Other direct costs including services, materials, supplies, postage, traveling,
pocket money, etc.
23