The Security Risk Assessment and Audit (SRAA) service is an auditing project formulated by the Hong Kong government, aimed at ensuring that the network and data security of enterprises and organizations meet industry standards. This service covers network security risk assessments and audit work, with clear guidelines and standards that must be strictly followed.
While the methodology is standardized, it varies according to the scope, coding, and systems of different types of projects. Below are some examples of the services provided:
- Web-based applications
- Mobile applications (Android or iOS, or both)
- Traditional client/server-based applications
- IoT devices
- Public cloud infrastructure (Azure, AWS, etc.)
- Internal and external networks (internet-facing)
- Local internal networks
- Internal Wi-Fi networks
- Hybrid networks including local networks and external IoT devices
- Microsoft 365 and SharePoint
- ERP/CRM systems
- Portal-based systems/CMS (e-learning/e-vacation)
- Membership management systems
- Switches, firewalls, intrusion detection/prevention systems, end-user devices
- SIEM/log management systems
- Central control and monitoring systems
- Integration of security cabinets with CCTV, RFID, access locks, etc.
- Activity tracking/anti-wandering systems (for healthcare use)
- Indoor positioning systems (for healthcare use)
- Dynamic Application Security Testing (DAST) – Automated application security scans
- Static Application Security Testing (SAST) – Application source code security scans
- Credentialed scanning – Automated application/network scans executed with given access rights
- Penetration testing (using white-box/black-box/gray-box methods)
Our IT team will follow international standards such as ISO27001 and the Digital Policy Office guidelines to carry out SRAA services.
Source of the information:
DPO's document "PG for SRAA_EN" (Security Risk Assessment & Audit [ISPG-SM01])
Security risk assessment and audit is an ongoing process within information security practice for discovering and correcting security issues. It involves a series of activities and can be described as a cycle of iterative processes that require ongoing monitoring and control. Each process consists of different activities, some of which are highlighted below as examples.
Security risk assessment at the system level involves several major activities and deliverables, including Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment and System Risk Registers.
SCSSEC-TEAM, as an independent third-party assessor/auditor, provides security risk assessments (SRA) and security audits (SA) to meet all the security standards on SRAA.