To protect information assets of the Institute
Source: Information ... › infosec › workshop_materials... (HKIEd Information Security workshop slides)

Page 1: To protect information assets of the Institute

Policy approved by the Institute in Mar 2009

Page 2: Information Security Organisation

◦ VP(ADM): overall in charge
◦ Information Security Officer (Director of ITS, aka Head of ITS): policy implementation
◦ VP / Dean: oversees the implementation in the respective departments
◦ Heads of Department: departmental plan and procedure; develop the BCP (business continuity plan)

Page 3:

◦ Information Classification
◦ Labeling
◦ Storage
◦ Copy and Transmission of Information
◦ Disclosure
◦ Disposal
◦ Incident Report

Page 4: Information Classification

Highly Confidential
• HKID no.
• Appraisal
• Salary info.
• Exam paper before release

Confidential
• Staff & student data
• Budget
• Tender document

Internal
• Departmental meeting notes
• Internal policy & procedure

Public
• Information intended to be released to the public

Notes: Data owners determine the classification.

Page 5: Labeling

Highly confidential & confidential information must be marked with its classification
◦ Use chops for paper documents
◦ For digital documents, use a filename like "Confidential - xxx"
◦ Use a watermark or mark "Confidential" in PDF, Word or Excel documents
◦ For storage media such as DVDs and thumb drives, the marking should be made clearly on the media itself
Internal information does not require explicit labeling

Page 6: Storage

Should be stored and processed on Institute-owned equipment within the campus
Should be stored in a secure manner (central IS system, DMS system with access control & password protection)
Not recommended to store on portable devices, like notebook computers, PDAs, etc.
Portable storage media containing confidential information must be encrypted

Page 7: Copy and Transmission of Information

Proper authorization is required
Copy only the minimal amount that is needed, and destroy the copies after use
Copies carry the same classification and protection as the original information
Transmission via email
◦ Make sure the recipient's email address is correct
◦ Send confidential information as an attachment with password protection (pass the password to the recipient by a separate channel, not in the same email)

Page 8: Disclosure

Disclose only with authorization
◦ Ensure the people receiving the information are aware of its classification
◦ Third parties must sign a non-disclosure agreement
Highly confidential information
◦ May only be disclosed by the data owner or the data custodian
◦ Keep a record of who has had access to the information

Page 9: Disposal

Paper & CD/DVDs should be shredded
Use hard disk wiping tools for hard disks, thumb drives, etc. (deleting files is not wiping: deleted data stays recoverable until overwritten, and on flash media such as thumb drives a software wipe may not reach every cell because of wear levelling, so physically destroy media that held highly confidential data)
Magnetic tapes and floppy disks should be degaussed or physically destroyed

Page 10: Incident Report

Report information security incidents through normal management channels ASAP; the ISO (Information Security Officer) must also be informed.
Examples of incidents
◦ Loss of highly confidential data stored on a thumb drive
◦ A compromised computer account, which could potentially expose any confidential information it can reach

Page 11: References

HKIEd Information Security - www.ied.edu.hk/infosec/
HKSAR Infosec website - www.infosec.gov.hk
Personal Data (Privacy) Ordinance - www.pcpd.org.hk/english/ordinance/ordfull.html

Page 12: Assess your awareness of the Infosec Policy

Read http://www.ied.edu.hk/infosec and the policy documents
Do the 10-question self-review test
Answers will be revealed to you if you fail
Refer to the web site or the policies if needed
URL for the online self-review test
◦ http://tgweb.ied.edu.hk:8080/tester/
There is no pass or fail!