IT Audit & Assessment - Case 3

A hospital providing holistic healthcare to patients in Hong Kong
 
Size
200 staff

Service
IT Audit and Assessment with Follow-up Services

Challenge
With 100+ hospitals and clinics in diverse locations, the company had struggled for many years to centrally manage information security and to standardize its operating procedures. Due to a lack of resources, the company could hardly spot potential vulnerabilities without a regular review mechanism. Ringus was therefore engaged to perform a one-off, in-depth assessment and to pinpoint areas for improvement within the information system.

After the on-site assessment, Ringus identified a large number of security vulnerabilities and operational deficiencies, which the IT Team might not have sufficient resources to fix in the short run.
 

Solution

  • Identified network security vulnerabilities and provided technical recommendations
  • Evaluated and initiated internal and external security controls
  • Provided a one-year implementation plan: Document Management System and Workflow System enhancement
  • Provided project management consultation, including project progress, budget, and timeframe

Result
Through a series of on-site interviews, our security experts tailor-made a one-year, step-by-step implementation plan for the company to carry out remediation actions, along with continuous advisory from Ringus. High-priority risk items were addressed with appropriate corrective actions to reduce the company's security risk exposure in the short run.

In the long run, to reduce the workload of the IT Team, Ringus not only provided suggestions and alternatives for the company to consider, but also helped integrate the Information Security Management System into the operational workflow across its diverse locations.
 
Follow-up
After the assessment, Ringus has consistently updated the remediation progress with the company and continued to provide the implementation advisory described in the assessment report.
Standardized policies and procedures were introduced to ensure an appropriate level of security for information handling in daily operations.

Benefit
The one-year implementation roadmap is embedded in the assessment report so that our client can easily follow the remediation plan according to the severity level assigned to each item.

Our team continues to work closely with our client, providing the best managerial and technical implementation advisory in line with the client's mission and vision.
 

Further reading

๐—ก๐—ฒ๐˜„ ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—–๐˜†๐—ฏ๐—ฒ๐—ฟ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—Ÿ๐—ฎ๐˜„

๐Ÿ” ๐—ช๐—ต๐—ผ ๐—œ๐˜€ ๐—œ๐—ป๐˜ƒ๐—ผ๐—น๐˜ƒ๐—ฒ๐—ฑ ๐—ถ๐—ป ๐—›๐—ผ๐—ป๐—ด ๐—ž๐—ผ๐—ป๐—ดโ€™๐˜€ ๐—ก๐—ฒ๐˜„ ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—–๐˜†๐—ฏ๐—ฒ๐—ฟ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—Ÿ๐—ฎ๐˜„?Since ๐Ÿญ ๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ, the ๐˜—๐˜ณ๐˜ฐ๐˜ต๐˜ฆ๐˜ค๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ฐ๐˜ง ๐˜Š๐˜ณ๐˜ช๐˜ต๐˜ช๐˜ค๐˜ข๐˜ญ ๐˜๐˜ฏ๐˜ง๐˜ณ๐˜ข๐˜ด๐˜ต๐˜ณ๐˜ถ๐˜ค๐˜ต๐˜ถ๐˜ณ๐˜ฆ๐˜ด (๐˜Š๐˜ฐ๐˜ฎ๐˜ฑ๐˜ถ๐˜ต๐˜ฆ๐˜ณ ๐˜š๐˜บ๐˜ด๐˜ต๐˜ฆ๐˜ฎ๐˜ด) ๐˜–๐˜ณ๐˜ฅ๐˜ช๐˜ฏ๐˜ข๐˜ฏ๐˜ค๐˜ฆ (๐˜Š๐˜ข๐˜ฑ. 653) has come into force. The law establishes a comprehensive framework to protect essential services from cyber threats.Under Cap. 653, designated ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ (๐—–๐—œ) ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ๐˜€ are organizations whose computer systems are essential to maintaining critical societal or economic activities in Hong Kong.๐Ÿ— ๐—ฆ๐—ฒ๐—ฐ๐˜๐—ผ๐—ฟ๐˜€ ๐——๐—ฒ๐—ณ๐—ถ๐—ป๐—ฒ๐—ฑ ๐—ฎ๐˜€ ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—œ๐—ป๐—ฐ๐—น๐˜‚๐—ฑ๐—ฒ:1. Energyโšก2. Information Technology๐Ÿ’ป3. Banking & Financial Services๐Ÿฆ4. Air Transportโœˆ5. Land Transport๐Ÿš†6. Maritime Transportโš“7. Healthcare Services๐Ÿฅ8. 
Telecommunications & Broadcasting๐Ÿ“กIn addition, any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong may also fall within scope.These operators are now legally required to establish cybersecurity governance frameworks โ€” from maintaining dedicated computer-system security management units to reporting incidents, conducting periodic risk assessments and audits, etc.Besides the CI Operator, there are ๐˜€๐—ผ๐—บ๐—ฒ ๐—ผ๐˜๐—ต๐—ฒ๐—ฟ ๐—ž๐—ฒ๐˜† ๐—ฅ๐—ผ๐—น๐—ฒ๐˜€ ๐˜‚๐—ป๐—ฑ๐—ฒ๐—ฟ ๐—–๐—ฎ๐—ฝ. ๐Ÿฒ๐Ÿฑ๐Ÿฏ:๐Ÿ‘ฅ๐Ÿ”น ๐—–๐—ผ๐—บ๐—ฝ๐˜‚๐˜๐—ฒ๐—ฟ-๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—จ๐—ป๐—ถ๐˜Responsible for managing and safeguarding critical computer systems and ensuring compliance with the Ordinance.๐Ÿ”น ๐—ฆ๐˜‚๐—ฝ๐—ฒ๐—ฟ๐˜ƒ๐—ถ๐˜€๐—ผ๐—ฟ ๐—ผ๐—ณ ๐˜๐—ต๐—ฒ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—จ๐—ป๐—ถ๐˜An appointed employee with sufficient cybersecurity expertise, responsible for supervising the unit and notifying the regulating authority of the appointment.๐Ÿ’ก ๐—–๐—ฎ๐—ฝ. ๐Ÿฒ๐Ÿฑ๐Ÿฏ ๐—บ๐—ฎ๐—ฟ๐—ธ๐˜€ ๐—ฎ ๐˜€๐—ถ๐—ด๐—ป๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐—ป๐˜ ๐˜€๐—ต๐—ถ๐—ณ๐˜ ๐—ณ๐—ฟ๐—ผ๐—บ ๐—ฏ๐—ฒ๐˜€๐˜ ๐—ฝ๐—ฟ๐—ฎ๐—ฐ๐˜๐—ถ๐—ฐ๐—ฒ ๐˜๐—ผ ๐—น๐—ฒ๐—ด๐—ฎ๐—น ๐—ผ๐—ฏ๐—น๐—ถ๐—ด๐—ฎ๐˜๐—ถ๐—ผ๐—ป.If your organization operates within a potentially designated sector, early preparation is essential.

๐—ง๐—ต๐—ฒ ๐—ฅ๐—ฒ๐˜€๐˜‚๐—ฟ๐—ด๐—ฒ๐—ป๐—ฐ๐—ฒ ๐—ผ๐—ณ ๐—ฃ๐—ผ๐—ธ๐—ฒฬ๐—บ๐—ผ๐—ป

๐ŸŽฎ ๐—ง๐—ต๐—ฒ ๐—ฅ๐—ฒ๐˜€๐˜‚๐—ฟ๐—ด๐—ฒ๐—ป๐—ฐ๐—ฒ ๐—ผ๐—ณ ๐—ฃ๐—ผ๐—ธ๐—ฒฬ๐—บ๐—ผ๐—ป: ๐—›๐—ผ๐˜„ ๐—ข๐˜‚๐˜๐—ฆ๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€ ๐—˜๐—ป๐—ฎ๐—ฏ๐—น๐—ฒ๐˜€ ๐—ค๐˜‚๐—ถ๐—ฐ๐—ธ ๐—ฎ๐—ป๐—ฑ ๐—ฅ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—น๐—ฒ ๐—ข๐—ฝ๐—ฝ๐—ผ๐—ฟ๐˜๐˜‚๐—ป๐—ถ๐˜๐˜† ๐—–๐—ฎ๐—ฝ๐˜๐˜‚๐—ฟ๐—ฒ๐—ง๐—ต๐—ฒ ๐—ฅ๐—ฒ๐˜€๐˜‚๐—ฟ๐—ด๐—ฒ๐—ป๐—ฐ๐—ฒ ๐—ผ๐—ณ ๐—ฃ๐—ผ๐—ธ๐—ฒฬ๐—บ๐—ผ๐—ป ๐—ฎ๐—ป๐—ฑ ๐—ง๐—–๐—š'๐˜€ ๐—ก๐—ฒ๐˜„ ๐—ฅ๐—ถ๐˜€๐—ฒSince launching Pokรฉmon Red and Pokรฉmon Green in 1996, the Pokรฉmon series has been a global favorite. Recently, the craze has resurged, driven by the ๐—ง๐—ฟ๐—ฎ๐—ฑ๐—ถ๐—ป๐—ด ๐—–๐—ฎ๐—ฟ๐—ฑ ๐—š๐—ฎ๐—บ๐—ฒ (๐—ง๐—–๐—š)'s explosive growth.Data shows TCG sales soaring, with billions of players worldwide, especially in Hong Kong and Asia, buzzing about new packs and online battles. This phenomenon offers vast business opportunities - companies must act swiftly to engage fans in this fast-paced market.๐Ÿ”Ž ๐—–๐—ฎ๐˜€๐—ฒ ๐—œ๐—ป๐˜€๐—ถ๐—ด๐—ต๐˜: ๐—ง๐—ฃ๐—–๐—ถ'๐˜€ ๐——๐—ถ๐—ด๐—ถ๐˜๐—ฎ๐—น ๐—˜๐˜ƒ๐—ฒ๐—ป๐˜ ๐—Ÿ๐—ผ๐—ฐ๐—ฎ๐˜๐—ผ๐—ฟFacing fan anticipation before Pokรฉmon Day (February 27), The Pokรฉmon Company International (TPCi) needed a ๐——๐—ถ๐—ด๐—ถ๐˜๐—ฎ๐—น ๐—˜๐˜ƒ๐—ฒ๐—ป๐˜ ๐—Ÿ๐—ผ๐—ฐ๐—ฎ๐˜๐—ผ๐—ฟ app to link players with global events.Traditional development couldn't keep up with the surge. OutSystems, a low-code platform for rapid app building, stepped in, showcasing its speed and reliability in this project.๐Ÿš€ ๐—ข๐˜‚๐˜๐—ฆ๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€' ๐—ฆ๐—ฝ๐—ฒ๐—ฒ๐—ฑ ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐˜๐—ฎ๐—ด๐—ฒ๐˜€TPCi adapted an existing location tool for the new Pokรฉmon Day API under tight deadlines. Using OutSystems, the team and partner valantic met security and performance needs in 10 days, deploying in under a month. The app supports 7 languages, works on desktops, tablets, and mobiles, and includes a backend for easy event updates. 
Unlike months-long traditional methods, this low-code approach enabled quick iteration, connecting 14,000 players to events and raising attendance by 70%, capitalizing on the TCG wave.๐Ÿ›ก ๐—ข๐˜‚๐˜๐—ฆ๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€' ๐—ฅ๐—ฒ๐—น๐—ถ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐˜† ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐˜๐—ฎ๐—ด๐—ฒ๐˜€The app handles global traffic and multilingual demands reliably. Load tests simulated 300,000 users in 12 minutes without crashes. Its' UX emphasizes scalability and reusability, embeddable in marketing pages for future use. Backend ensures real-time data accuracy, boosting satisfaction and efficiency, establishing TPCi as a digital leader in TCG's rise.๐Ÿ’ก ๐—–๐—ผ๐—ป๐—ฐ๐—น๐˜‚๐˜€๐—ถ๐—ผ๐—ป: ๐—›๐—ฎ๐—ฟ๐—ป๐—ฒ๐˜€๐˜€ ๐—ข๐˜‚๐˜๐—ฆ๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—•๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€ ๐—”๐—ด๐—ถ๐—น๐—ถ๐˜๐˜†OutSystems' speed and reliability empower enterprises to navigate dynamic markets and drive digital transformation. In fast-paced environments like Hong Kong, it enables rapid app development for customer engagement and operational efficiency.This TPCi case exemplifies low-code platforms' power, delivering scalable solutions that position businesses as innovation leaders.

๐—ฃ๐—ฟ๐—ถ๐—ป๐—ฐ๐—ถ๐—ฝ๐—น๐—ฒ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ฃ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ป๐—ด ๐—ฃ๐—ฟ๐—ถ๐˜ƒ๐—ฎ๐—ฐ๐˜†

๐Ÿ” ๐Ÿณ ๐—ž๐—ฒ๐˜† ๐——๐—ฎ๐˜๐—ฎ ๐—ฃ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—ฃ๐—ฟ๐—ถ๐—ป๐—ฐ๐—ถ๐—ฝ๐—น๐—ฒ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ฃ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ป๐—ด ๐—ฃ๐—ฟ๐—ถ๐˜ƒ๐—ฎ๐—ฐ๐˜†The EU General Data Protection Regulation (GDPR) came into force on ๐Ÿฎ๐Ÿฑ ๐— ๐—ฎ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿญ๐Ÿด, which is the one of the world's strictest privacy laws. It aims to standardize data protection rules across the digital single market, enhance individual control over personal information, and adapt governance due to the technological developments and digitalization.The GDPR introduces 7 key data protection principles to ensure organizations handle data legally, securely, and with full transparency and responsibility:โœจ๐—Ÿ๐—ฎ๐˜„๐—ณ๐˜‚๐—น๐—ป๐—ฒ๐˜€๐˜€, ๐—™๐—ฎ๐—ถ๐—ฟ๐—ป๐—ฒ๐˜€๐˜€, ๐—ง๐—ฟ๐—ฎ๐—ป๐˜€๐—ฝ๐—ฎ๐—ฟ๐—ฒ๐—ป๐—ฐ๐˜†: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.โœจ๐—ฃ๐˜‚๐—ฟ๐—ฝ๐—ผ๐˜€๐—ฒ ๐—Ÿ๐—ถ๐—บ๐—ถ๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป:  Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.โœจ๐——๐—ฎ๐˜๐—ฎ ๐— ๐—ถ๐—ป๐—ถ๐—บ๐—ถ๐˜€๐—ฎ๐˜๐—ถ๐—ผ๐—ป:  Processing should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.โœจ๐—”๐—ฐ๐—ฐ๐˜‚๐—ฟ๐—ฎ๐—ฐ๐˜†: Personal data must be accurate and, where necessary, kept up to date with reasonable steps taken to erase or rectify inaccuracies.โœจ๐—ฆ๐˜๐—ผ๐—ฟ๐—ฎ๐—ด๐—ฒ ๐—Ÿ๐—ถ๐—บ๐—ถ๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.โœจ๐—œ๐—ป๐˜๐—ฒ๐—ด๐—ฟ๐—ถ๐˜๐˜† ๐—ฎ๐—ป๐—ฑ ๐—–๐—ผ๐—ป๐—ณ๐—ถ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น๐—ถ๐˜๐˜†: Personal data must be processed in a manner that ensures 
security of the personal data using appropriate technical or organisational measures.โœจ๐—”๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐˜†: The controller shall be responsible for, and be able to demonstrate compliance with the principles.The GDPR extends its reach beyond the EU by explicitly requiring compliance from organizations established outside the EU in certain situations. Given the variety of business and transaction models, it is essential for the businesses in Hong Kong to assess whether the GDPR applies to them and to stay informed about ongoing regulatory developments.๐Ÿ’ก ๐—ฃ๐—ฟ๐—ถ๐˜ƒ๐—ฎ๐—ฐ๐˜† ๐—ฐ๐—ผ๐—บ๐—ฝ๐—น๐—ถ๐—ฎ๐—ป๐—ฐ๐—ฒ ๐—ถ๐˜€ ๐—ป๐—ผ ๐—น๐—ผ๐—ป๐—ด๐—ฒ๐—ฟ ๐—ผ๐—ฝ๐˜๐—ถ๐—ผ๐—ป๐—ฎ๐—น โ€” ๐—ถ๐˜โ€™๐˜€ ๐—ฎ ๐—ฏ๐˜‚๐˜€๐—ถ๐—ป๐—ฒ๐˜€๐˜€ ๐—ถ๐—บ๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ถ๐˜ƒ๐—ฒ.