To protect information assets of the Institute
Policy approved by the Institute in Mar 2009

Information Security Organisation
◦ VP(ADM): overall in-charge
◦ Information Security Officer (Director of ITS, aka Head of ITS): policy implementation
◦ VP / Dean: oversees the implementation of the respective departments
◦ Heads of Department: departmental plan and procedure; develop BCP
Topics: Information Classification, Labeling, Storage, Copy and Transmission of Information, Disclosure, Disposal, Incident Report

Information Classification
Highly Confidential
• HKID no.
• Appraisal
• Salary info.
• Exam paper before release
Confidential
• Staff & student data
• Budget
• Tender document
Internal
• Departmental meeting notes
• Internal policy & procedure
Public
• Information intended to be released to the public
Notes: Data owners to determine the classification.
Labeling
Highly confidential & confidential information is required to be marked with its classification
◦ Use chops for paper documents
◦ For digital documents, use a filename like "Confidential - xxx"
◦ Use a watermark or mark "Confidential" in PDF, Word or Excel documents
◦ For storage media such as DVDs and thumb drives, the marking should be made clearly on the media itself
Internal information does not require explicit labeling
Storage
• Should be stored and processed on Institute-owned equipment within the campus
• Should be stored in a secure manner (central IS system, DMS system with access control & password protection)
• Not recommended to store on portable media, like notebook computers, PDAs, etc.
• Portable storage media containing confidential information must be encrypted
Copy and Transmission of Information
• Proper authorization is required
• Should copy the minimal amount that is needed, and destroy the copies after use
• Classification and protection same as the original information
• Transmission via email
◦ Make sure the recipient's email address is correct
◦ Send the confidential information as an attachment with password protection
Disclosure
• Only to be disclosed with authorization
◦ Ensure the people receiving the information are aware of the classification
◦ Third parties to sign a non-disclosure agreement
• Highly confidential information
◦ Only to be disclosed by the data owner or the data custodian
◦ Keep a record of who has access to the information
Disposal
• Paper & CD/DVDs should be shredded
• Use hard disk wiping tools for hard disks, thumb drives, etc.
• Magnetic tapes and floppy disks should be degaussed or physically destroyed
Incident Report
Report information security incidents through normal management channels ASAP; the ISO must also be informed.
Examples of incidents
◦ Loss of highly confidential data stored on a thumb drive
◦ Computer account compromised, which could potentially expose any confidential information
References
• HKIEd Information Security - www.ied.edu.hk/infosec/
• HKSAR Infosec website - www.infosec.gov.hk
• Personal Data (Privacy) Ordinance - www.pcpd.org.hk/english/ordinance/ordfull.html
Assess your awareness of the Infosec Policy
• Read http://www.ied.edu.hk/infosec and the policy documents
• Do the 10-question self-review test
• Answers will be revealed to you if you fail
• Refer to the web site or policies if needed
• URL for the online self-review test
◦ http://tgweb.ied.edu.hk:8080/tester/
There is no pass or fail!