HRMC Executive Paper

Executive Summary

In recent times, cybersecurity threats have escalated in frequency and sophistication. The ransomware attack on Hong Kong's tech hub, Cyberport, which exposed 400GB of sensitive data, underscores the critical need for robust cybersecurity measures. To safeguard our assets, data, and reputation, I propose the establishment of a Information Security Center (ISC). This initiative aims to enhance our cybersecurity posture, streamline our defenses, and ensure our readiness against evolving threats.

Introduction

The threat landscape for our company has evolved significantly over recent years, with an increase in the frequency and sophistication of cyber attacks. This paper aims to provide a comprehensive analysis of the current threats and vulnerabilities we face, using the NIST Cybersecurity Framework as a guide.

Threat Landscape Overview

The recent cybersecurity incidents in Hong Kong highlight the urgent need for a comprehensive Information Security Center (ISC). The ransomware attack on the Hong Kong Institute of Bankers (HKIB) exposed personal data of over 13,000 members and 100,000 non-members, including names, identity card numbers, and credit card details (PCPD Investigation Report). Additionally, phishing attacks have become increasingly sophisticated, accounting for nearly 46% of the 18,000 cybersecurity attacks reported to the Hong Kong police in the first three months of 2024 (SCMP Article).

Establish a Information Security Center

Information Security is not just a technical requirement but a strategic necessity for our organization. The increasing sophistication and frequency of cyber threats demand a proactive and comprehensive approach to protect our assets, data, and reputation. Therefore, I propose the establishment of a Information Security Center to enhance our cybersecurity posture, streamline our defenses, and ensure our readiness against evolving threats.

ISC Functions

The ISC will focus on several key functions:

  • Monitoring and Incident Response: Continuous monitoring of security events and incidents, with rapid response to detected threats. This includes real-time threat detection and response capabilities.

  • Vulnerability Management: Regular scanning and assessment of vulnerabilities are essential. Prioritizing and remediating identified weaknesses will prevent exploitation and reduce the risk of cyberattacks.

  • Application Security: Implementing security measures in the software development lifecycle and conducting static and dynamic application security testing (SAST and DAST) will protect against data breaches and ensure the integrity of our applications.

  • Network Security: Managing firewalls, intrusion detection systems, and DDoS protection will ensure network integrity, availability, and confidentiality. This will prevent external attacks and maintain operational continuity.

  • Threat Intelligence: Gathering and analyzing threat data to anticipate and neutralize potential threats is essential. Integrating threat intelligence into the overall security strategy will enhance our ability to stay ahead of emerging threats.

ISC Team Structure

The ideal team size for the ISC is four staff members, each focusing on specific areas. These roles are essential for ensuring comprehensive cybersecurity coverage and effective response to threats.

  1. Security Operations Analyst: Focuses on monitoring, incident response, threat detection, and network security. Oversees the SIEM (Security Information and Event Management) system, monitors security alerts, and responds to incidents. Manages the WAF (Web Application Firewall) and DDoS protection systems to safeguard against network-based attacks.

  2. Vulnerability and Application Security Specialist: Responsible for vulnerability management, application security, and penetration testing. Conducts regular vulnerability scanning and assessments, performs static and dynamic application security testing (SAST and DAST), and provides guidance on secure coding practices.

  3. Network and Security Operations Engineer: Oversees the deployment, configuration, and management of network security devices such as firewalls, routers, and VPNs. Implements DDoS protection strategies and manages related tools, ensuring network availability during attacks. Provides incident response support, particularly for network and web security incidents.

  4. Cybersecurity Tools and Technology Operations Specialist: Manages and maintains all cybersecurity tools, ensuring they are up-to-date and functioning effectively. Handles system integration, implements automation and orchestration solutions, and coordinates with outsourced service providers for vulnerability assessments, penetration testing, and threat intelligence.

Outsourcing Strategy

Certain functions will be outsourced to ensure comprehensive security coverage without overburdening the internal team. These include:

  • Vulnerability Scanning and Penetration Testing: Engaging specialized security firms, establishing clear SLAs, and scheduling regular reporting and follow-ups.

  • Security Awareness and Training: Partnering with training providers (e.g., KnowBe4, SANS Security Awareness) to customize training modules and conduct regular assessments.

  • 24/7 Security Monitoring and Incident Response: Partnering with Managed Security Service Providers (MSSPs) and defining SLAs for timely detection and response.

  • Threat Intelligence Gathering and Analysis: Subscribing to threat intelligence services (e.g., Recorded Future, FireEye) and integrating feeds with the SIEM system for enhanced threat detection.

  • Compliance and Audit: Conducting audits and compliance assessments with third-party auditors and compliance specialists, scheduling regular reviews, and implementing necessary improvements.

Budget Request

To establish the ISC, we request an initial budget allocation to cover the following areas:

  • Staff Salaries: Competitive compensation packages for four full-time cybersecurity professionals.

  • Security Tools and Systems: Acquisition and licensing of necessary security tools and platforms.

  • Outsourced Services: Engaging with external service providers for vulnerability assessments, penetration testing, training, monitoring, and threat intelligence.

  • Training and Development: Ongoing training programs and certifications for ISC staff.

  • Incident Response and Recovery: Resources for incident response planning, simulation exercises, and recovery processes.

  • Infrastructure and Office Setup: Physical and digital infrastructure required to set up the ISC, including secure workstations, network configurations, and collaboration tools.

Conclusion

The establishment of a Information Security Center (ISC) is a strategic imperative for our organization. The budget request outlined above reflects the necessary investment to safeguard our assets, data, and reputation against increasingly sophisticated cybersecurity threats. By mitigating risks, ensuring regulatory compliance, protecting assets, and enhancing customer trust, the ISC will provide significant value to our organization. I recommend the Board of Management approve the establishment of the ISC and allocate the necessary budget to ensure our continued resilience and success in the digital landscape.

PreviousOutsource StrategyNextSecure Coding Principles

Last updated