Cybersecurity Executive Summary
This page provides an executive summary of Data Migrators’ Cybersecurity policies.
Overview
In view of escalating cybersecurity threats targeted at technology organisations, it is imperative that every IT resource user and owner in Data Migrators adopt appropriate cybersecurity protections. To strike a balance between openness and control, as well as costs and benefits, it is most effective to adopt a risk-based approach to cybersecurity. This approach classifies IT resources, including data, application systems, endpoints, servers and networks, into 3 risk categories, namely high-risk, moderate-risk, and low-risk, depending on the actual purpose of use. Adequate levels of protection can then be applied to each risk category according to the minimum security standards defined for it.
We adopt a shared responsibility model in which every IT resource user and owner needs to perform risk assessment and select appropriate protection according to a set of defined minimum security standards. The IT Security Officer, posted in ITSC, together with a group of Cybersecurity Coordinators nominated by sites/departments/offices/units, is charged with the responsibility of facilitating this risk assessment process as well as implementing adequate protection.
Upholding cybersecurity is a continuous effort. Regular reviews of Cybersecurity Health will be prepared by the IT Security Officer so that adequate remediation measures can be arranged. Exceptions that cannot be dealt with will be escalated promptly according to Data Migrators’ policies. The IT Security Officer will update the Cybersecurity Policy as well as adopt appropriate best practices in light of emerging threats in cybersecurity.
The Cybersecurity Policy is structured as a set of related documents covering each element of the Policy. The following key documents will give all system owners and administrators a good understanding from which to start implementing the Policy:
Related Documents
- Acceptable Encryption Policy
- Acceptable Use Policy
- Anti Virus Guidelines
- Change Management And Control
- Cloud Computing Policy
- Code Of Conduct Policy
- Communications Equipment Policy
- Cybersecurity Executive Summary
- Data Breach Response
- Database Credentials Policy
- Data Protection Policy
- Disaster Recovery Plan Policy
- Email Policy
- Employee Internet Use Monitoring And Filtering Policy
- End User Encryption Key Protection Policy
- Ethics Policy
- Information Lifecycle Management Policy
- Internet Usage Policy
- Lab Anti Virus Policy
- Lab Security Policy
- Mobile Device Encryption Policy
- Mobile Employee Endpoint Responsibility Policy
- Password Construction Guidelines
- Password Protection Policy
- Policy Approval Checklist
- Progressive Discipline Policy
- Remote Access Mobile Computing Storage
- Remote Access Policy
- Remote Access Tools Policy
- Removable Media Policy
- Risk Assessment Policy
- Security Response Plan Policy
- Server Audit Policy
- Server Malware Protection Policy
- Server Security Policy
- Social Engineering Awareness Policy
- Software Installation Policy
- Technology Equipment Disposal Policy
- Workstation Security For HIPAA Policy