To protect information assets of the Institute
Policy approved by the Institute in Mar 2009
Information Security Organisation
◦ VP(ADM): overall in charge
◦ Information Security Officer (Director of ITS, aka Head of ITS): policy implementation
◦ VP / Dean: oversees the implementation in the respective departments
◦ Heads of Department: departmental plan and procedure; develop BCP
Information Classification
Labeling
Storage
Copy and Transmission of Information
Disclosure
Disposal
Incident Report
Highly Confidential
• HKID no.
• Appraisal notes
• Salary info.
• Exam paper before release
Confidential
• Staff & student data
• Budget
• Tender document
Internal
• Departmental meeting
• Internal policy & procedure
Public
• Information intended to be released to the public
Notes: Data owners determine the classification.
Highly confidential and confidential information must be marked with its classification
◦ Use chops for paper documents
◦ For digital documents, use a filename like "Confidential - xxx"
◦ Use a watermark or mark "Confidential" in PDF, Word or Excel documents
◦ For storage media such as DVDs and thumb drives, the marking should be made clearly on the media itself
Internal information does not require explicit labeling
Should be stored and processed on Institute-owned equipment within the campus
Should be stored in a secure manner (central IS system, DMS system with access control and password protection)
Not recommended to store on portable devices, such as notebook computers, PDAs, etc.
Portable storage media containing confidential information must be encrypted
Proper authorization is required
Copy only the minimal amount that is needed, and destroy the copies after use
Classification and protection are the same as for the original information
Transmission via email
◦ Make sure the recipient's email address is correct
◦ Send confidential information as a password-protected attachment
Only disclosed with authorization
◦ Ensure the people receiving the information are aware of its classification
◦ Third parties must sign a non-disclosure agreement
Highly confidential information
◦ Only disclosed by the data owner or the data custodian
◦ Keep a record of who has access to the information
Paper and CDs/DVDs should be shredded
Use hard disk wiping tools for hard disks, thumb drives, etc.
Magnetic tapes and floppy disks should be degaussed or physically destroyed
Report information security incidents through normal management channels ASAP; the ISO must also be informed
Examples of incidents
◦ Loss of highly confidential data stored on a thumb drive
◦ Computer account compromised, which could potentially expose confidential information
HKIEd Information Security - www.ied.edu.hk/infosec/
HKSAR Infosec website - www.infosec.gov.hk
Personal Data (Privacy) Ordinance - www.pcpd.org.hk/english/ordinance/ordfull.html
Assess your awareness of the Infosec Policy
Read http://www.ied.edu.hk/infosec and the policy documents
Do the 10-question self-review test
Answers will be revealed to you if you fail
Refer to the website or the policies if needed
URL for the online self-review test
◦ http://tgweb.ied.edu.hk:8080/tester/
There is no pass or fail!
Recommend
More recommend