Background

As you may be aware, the public increasingly expects public organizations to handle personal and confidential information properly and securely. In 2007, the Institute (now retitled The Education University of Hong Kong) commissioned KPMG as consultant to prepare an Information Security Policy for us. The policy and related procedures are based on the international information security standard ISO 27001, which covers governance structure, information classification, information handling and incident management, among other areas.

This new policy was approved by the then Institute in March 2009 and applies to all staff members and students with immediate effect. The Chief Information Officer (CIO) was appointed as the Information Security Officer (ISO) of the University and is responsible for the implementation of the policy.

The senior management understands that some departments will need time to fully implement the policy. Information Security Audits will be conducted from time to time to make sure that departments have developed the necessary controls or departmental policies to support the policy.

Objectives of the Information Security Policy

To protect the University's members and its reputation through the protection and preservation of Confidentiality, Integrity and Availability (CIA); and
to set out the information security management framework for protecting:

  • Personal, vital and sensitive information;
  • Infrastructure and information systems; and
  • Authorized information users and administrators of the above.


The "CIA" Concept

CIA is the basic concept behind information security. CIA stands for “Confidentiality”, “Integrity” and “Availability”. Apart from protecting the confidentiality of restricted documents, we also need to ensure the integrity, that is the accuracy, of the information. Making crucial documents available in a timely fashion is essential for the operation of the University. Public information published by the University must be accurate and available in a timely manner.


What is my role and responsibilities?

Familiarize yourself with the requirements of the policy, in particular in the following areas:

  • Classification – classify documents accordingly (“Highly Confidential”, “Confidential”, “Internal” and “Public”)
  • Labeling – label documents in a visible manner according to the classifications
  • Storage – Highly Confidential documents must be stored in a physically secured place, or encrypted when stored on portable storage media (e.g. USB thumb drives)
  • Copy and Transmission – obtain proper authorization before copying or transmitting Highly Confidential or Confidential documents
  • Disclosure – disclose Highly Confidential or Confidential materials only with proper authorization
  • Disposal – shred/wipe/destroy/degauss the storage media containing Highly Confidential or Confidential documents before disposal
  • Incident Reporting – report information security breaches, losses or leakage incidents to the Head of Department or the ISO (i.e. the CIO)

Training by KPMG

Training workshops on the new policy were given by KPMG consultants in June 2009. The presentation slides are available below. More workshops were held in Sep/Oct 2009 for staff and students. A website and posters on the Information Security Policy are also available.

The Information Security Policy and related documents


JUCC Information Security Awareness Workshop Materials - by JUCC Information Security Task Force

The Joint Universities Computer Centre (JUCC) Information Security Task Force is now working with the eight UGC-funded institutes on a project related to “Information Security”. KPMG has been commissioned as a consultant to help the institutes prepare their Information Security Policies. Promotional events were held to raise awareness among staff and students. The following materials are provided for users' reference.


Feedback

If you have any queries or feedback on the Information Security Policy, please send them to listen@ocio.eduhk.hk.


Useful Links