Adrian Sit, information security officer at Hong Kong International Terminals since July 2001, is responsible for managing the company’s information security management system.
Organization
Adrian set up a two-tier organization to manage information risk. The top tier is the Security Steering Committee, consisting of senior executives, from which Adrian obtains his mandate, sponsorship and business alignment.
The second tier consists of two committees. The Security Coordinator Committee consists of representatives from the business departments. It aims at raising the general awareness of information users, identifying departmental information security needs and assisting with the implementation of nontechnical changes. The IT Security Control Workgroup members are key persons from the technical teams of the IT department. They are responsible for identifying and implementing technical solutions.
Adrian sits on all three committees and acts as the intermediary among them, ensuring that the Steering Committee members pay adequate attention to identified risks. Conversely, he is responsible for ensuring that decisions made by the Steering Committee are properly implemented by the other two teams.
Policy
Frontline staff members need directives and rules to follow, and accountability has to be assigned to stakeholders. Adrian documented these elements in two high-level information security policies: the data classification policy and the data protection policy. In addition, function-specific policies and standards were defined to address development and business needs. For example, the wireless security policy was introduced in 2005 when the company planned to deploy WiFi systems. Legal compliance is also a crucial consideration. Relevant requirements from the privacy ordinance, the guidelines on monitoring and personal data privacy at work, and intellectual property rights are integrated into these documents. To keep pace with emerging risks, these documents are reviewed yearly.
End users seldom read policies. Relevant "do" and "don't" statements were therefore extracted from the policies, included in staff handbooks and introduced during the staff induction program. In Q4 2006, the materials will be further transformed into eye-catching awareness materials, including posters, flash animations, cue cards and screensavers.
Implementation
Building a security culture from scratch is difficult. People may not be ready, and resistance is common. To justify his security initiatives, Adrian took a "check to act" approach. He started regular "health" checks on the IT infrastructure and critical systems with the help of external security experts. Based on the assessment findings and their respective severity levels, mitigation plans were made, agreed to, implemented and verified. During implementation, new skills were transferred to the responsible staff. Eventually, good practices were developed, documented and reused, and existing security systems and tools were better understood and utilized. Thus, new investment was minimized and, where needed, justified.
Operations and Processes
Adrian was the leader of the program office, which was responsible for quality assurance of IT products and services. The team set out more than 60 sets of standards and procedures to direct and measure the daily operations of the IT departments and the system development life cycle. Adrian took this opportunity to introduce security controls into various processes and to embed security thinking in the daily operations of IT staff. Through more than 20 IT audits executed by the program office, the effectiveness of most IT operation processes and controls was reviewed; areas for improvement were identified and followed through. In addition, Adrian was also involved in other departments' activities, such as the business process refinement of the procurement department, incident investigation for the safety and security department, and policy maintenance for the human resources department.
Projects Participation
To embed security more deeply, Adrian participates in more than 20 projects of different sizes each year, initiated by various departments. He acts as an internal consultant to these projects and brings information security to the attention of the project teams. Security requirements are identified at the design stage and are in place from the first day of production.
Security Culture
People are the weakest link in a security system. Carelessness and ignorance of staff are the root causes of most security incidents. To make end users aware of the dangers, Adrian issued more than 40 monthly newsletters introducing information security to them. Written in layman's terms, they covered topics such as "Tittle-tattle Lovers Prove True Troublemakers," which explained what a hoax is, and "Who Is It?", which explained how personnel are identified and authenticated in the cyberworld, drawing analogies to daily life experiences and leading readers into the cyberworld without difficulty.
To enrich their security knowledge, Adrian also conducted training courses for IT staff on new IT security technologies, such as PKI, IPsec and firewalls, and for end users on e-mail security and viruses.
Physical Security
The independent safety and security department manages physical security, and Adrian has a close working relationship with it. Both parties are core members of the Security Steering Committee. Additionally, both parties have worked together to ensure that the company complies with the International Ship and Port Facility Security (ISPS) Code, which sets out physical and logical security requirements for container terminal operators.
Contingency Planning
Adrian is also a member of the company’s Crisis Team. He helped to facilitate reviews on the readiness and effectiveness of business continuity plans and disaster recovery plans.
Serving the Community
Adrian has been contributing his knowledge of information security to the public. He has actively shared his experience with organizations such as Cathay Pacific Airways and the Hong Kong Jockey Club. He has given lectures to higher diploma classes at the University of Hong Kong and to the Hong Kong Society of Accountants. He also introduced IT security to hundreds of primary school teachers in 2000, when schools started to adopt IT in education.
Comparison of 2004 and 2005 Security Metrics
Recommendation
As Adrian's colleague for more than five years, in the area of information security I should say he is my teacher more than just a colleague. From the facts stated above, you will understand that he is very worthy of the award because he perfectly matches the judging criteria.