IT Audit & Assessment - Case 2

One of the market leading travel agencies in Hong Kong

Size
100+ Employees

Service
IT Audit and Technical Assessment Service

Challenge
Under the revolutionary technology changes of the recent decade, our client, like many in its industry, has undergone a transformation from manual operation to machine-based operation for specific repetitive tasks. The automated programs run 24 hours a day, 7 days a week, nonstop. With the existing infrastructure set-up, transitioning and hosting such a large number of automated programmes would raise both management and security issues.

To tackle serious incidents before they happen, the IT management turned to our IT Audit and Technical Assessment service to evaluate the existing vulnerabilities and risks within the system, infrastructure and daily operations.
 

Result and Follow-up
RSEL provided an IT audit and technical assessment service covering the client's IT infrastructure and daily operation, focusing on information security. The assessment areas, viewed from the information security aspect, are:
 •    IT Structure
 •    IT Operation
 •    System Infrastructure and Architecture
 •    Network Infrastructure and Architecture

Together with the audit assessment, a vulnerability scan assessment was also conducted on the official webpage to determine whether an external hacker could penetrate the system and network infrastructure.

The Audit Report and Vulnerability Assessment Report submitted to the management include the findings of vulnerability and risk, the impact of each related risk, the priority of improvement and practical recommendations. With the road map and action plan included according to the seriousness of each observation, our client is able to include the follow-up actions needed in their IT year plan to tackle the corresponding risks.

Result
With the submission of the management report of our findings, impacts, severity levels and recommendations, a meeting was held with the management team to run through each finding, including:
 •    Identification of security holes within their multi-site setup, in both network and application aspects.
 •    The core business ERP system runs a 2-tier architecture, so any user may delete all system data with a press of the delete button.
 •    Insufficient and ineffective firewall configurations leave managers' personal desktops and servers vulnerable to hackers.
 
Follow-up
Reduce potential security holes with an up-to-date centralized monitoring and administration system. Provide a temporary workaround to protect data. Raise awareness of new ERP system options with pertinent professional advice. Establish new policies and procedures to protect the company.

Our team thereafter proposed a range of IT services providing a one-stop solution for our client. Some of our services include:
 •    Immediate handling of high-severity items to minimize risks, including firewall configurations and ERP data protection.
 •    Putting in place centralized administration and network monitoring systems to govern and simplify IT administration.
 •    Sourcing different ERP options and providing pertinent professional advice.
 •    Establishment of new policies and procedures to protect the company.
 
Benefit
After our IT Audit and Services Scheme was carried out, the workload is centralized and eased by the newly established administration and network monitoring systems. The management team has a much better overview of IT and the current environment, in both security and business growth aspects. With the establishment of policies and procedures, a clear guideline is defined and a regular communication channel between management and IT is established.

More Updates

Further reading

New Critical Infrastructure Cybersecurity Law

Who Is Involved in Hong Kong's New Critical Infrastructure Cybersecurity Law?

Since 1 January 2026, the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) has come into force. The law establishes a comprehensive framework to protect essential services from cyber threats.

Under Cap. 653, designated Critical Infrastructure (CI) Operators are organizations whose computer systems are essential to maintaining critical societal or economic activities in Hong Kong.

Sectors defined as critical infrastructure include:
1. Energy
2. Information Technology
3. Banking & Financial Services
4. Air Transport
5. Land Transport
6. Maritime Transport
7. Healthcare Services
8. Telecommunications & Broadcasting

In addition, any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong may also fall within scope.

These operators are now legally required to establish cybersecurity governance frameworks, from maintaining dedicated computer-system security management units to reporting incidents, conducting periodic risk assessments and audits, etc.

Besides the CI Operator, there are some other key roles under Cap. 653:
 •    Computer-system Security Management Unit: responsible for managing and safeguarding critical computer systems and ensuring compliance with the Ordinance.
 •    Supervisor of the Security Management Unit: an appointed employee with sufficient cybersecurity expertise, responsible for supervising the unit and notifying the regulating authority of the appointment.

Cap. 653 marks a significant shift from best practice to legal obligation. If your organization operates within a potentially designated sector, early preparation is essential.

The Resurgence of Pokémon

The Resurgence of Pokémon: How OutSystems Enables Quick and Reliable Opportunity Capture

The Resurgence of Pokémon and TCG's New Rise

Since launching Pokémon Red and Pokémon Green in 1996, the Pokémon series has been a global favorite. Recently, the craze has resurged, driven by the Trading Card Game (TCG)'s explosive growth. Data shows TCG sales soaring, with billions of players worldwide, especially in Hong Kong and Asia, buzzing about new packs and online battles. This phenomenon offers vast business opportunities: companies must act swiftly to engage fans in this fast-paced market.

Case Insight: TPCi's Digital Event Locator

Facing fan anticipation before Pokémon Day (February 27), The Pokémon Company International (TPCi) needed a Digital Event Locator app to link players with global events. Traditional development couldn't keep up with the surge. OutSystems, a low-code platform for rapid app building, stepped in, showcasing its speed and reliability in this project.

OutSystems' Speed Advantages

TPCi adapted an existing location tool for the new Pokémon Day API under tight deadlines. Using OutSystems, the team and partner valantic met security and performance needs in 10 days, deploying in under a month. The app supports 7 languages, works on desktops, tablets, and mobiles, and includes a backend for easy event updates. Unlike months-long traditional methods, this low-code approach enabled quick iteration, connecting 14,000 players to events and raising attendance by 70%, capitalizing on the TCG wave.

OutSystems' Reliability Advantages

The app handles global traffic and multilingual demands reliably. Load tests simulated 300,000 users in 12 minutes without crashes. Its UX emphasizes scalability and reusability, and it is embeddable in marketing pages for future use. The backend ensures real-time data accuracy, boosting satisfaction and efficiency and establishing TPCi as a digital leader in TCG's rise.

Conclusion: Harness OutSystems for Business Agility

OutSystems' speed and reliability empower enterprises to navigate dynamic markets and drive digital transformation. In fast-paced environments like Hong Kong, it enables rapid app development for customer engagement and operational efficiency. This TPCi case exemplifies low-code platforms' power, delivering scalable solutions that position businesses as innovation leaders.

Principles for Protecting Privacy

7 Key Data Protection Principles for Protecting Privacy

The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and is one of the world's strictest privacy laws. It aims to standardize data protection rules across the digital single market, enhance individual control over personal information, and adapt governance to technological developments and digitalization.

The GDPR introduces 7 key data protection principles to ensure organizations handle data legally, securely, and with full transparency and responsibility:
 •    Lawfulness, Fairness, Transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
 •    Purpose Limitation: Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
 •    Data Minimisation: Processing should be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed.
 •    Accuracy: Personal data must be accurate and, where necessary, kept up to date, with reasonable steps taken to erase or rectify inaccuracies.
 •    Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
 •    Integrity and Confidentiality: Personal data must be processed in a manner that ensures security of the personal data, using appropriate technical or organisational measures.
 •    Accountability: The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

The GDPR extends its reach beyond the EU by explicitly requiring compliance from organizations established outside the EU in certain situations. Given the variety of business and transaction models, it is essential for businesses in Hong Kong to assess whether the GDPR applies to them and to stay informed about ongoing regulatory developments.

Privacy compliance is no longer optional: it's a business imperative.