As you may be aware, the public has growing expectations that public organisations properly and securely handle personal and confidential information. In 2007, the Institute (now retitled The Education University of Hong Kong) commissioned KPMG as consultant to prepare an Information Security Policy for us. The policy and related procedures took reference from the international standard on information security, ISO 27001, which covers governance structure, information classification, information handling, incident management, etc.
This policy was approved by the then Institute in Mar 2009 and is applicable to all staff members and students. The Chief Information Officer (CIO) is appointed as the Information Security Officer (ISO) of the University and is responsible for the implementation of the policy.
Information Security Audits are conducted from time to time to make sure that departments have developed the necessary controls or departmental policies to support the policy.
Objectives of the Information Security Policy
To protect the University's members and its reputation through the protection and preservation of Confidentiality, Integrity and Availability (CIA); and
to set out the information security management framework for protecting:
- Personal, vital and sensitive information;
- Infrastructure and information systems; and
- Authorised information users and administrators of the above.
The "CIA" Concept
What is my role and responsibilities?
Familiarise yourself with the requirements of the policy, in particular in the following areas:
- Classification – classify documents accordingly (“Confidential”, “Internal” and “Public”)
- Labelling – label documents in a visible manner according to the classifications
- Storage – Confidential documents must be stored in a physically secured place, or encrypted when stored on portable storage media (e.g. USB thumb drives)
- Copy and Transmission – proper authorisation to copy and transmit Confidential documents
- Disclosure – disclose Confidential materials with proper authorisation
- Disposal – shred/wipe/destroy/degauss the storage media containing Confidential documents before disposal
- Incident Reporting – report information security breaches, losses and leakage incidents to the Head of Department or the ISO (i.e. the CIO)
The Information Security Policy and related documents
- The Information Security Policy
- The Information Classification and Protection Policy
- The Information Security Incident Management Procedures
- The Acceptable Usage Policy
- The Password Policy
- Network and System Hardening Guidelines for all EdUHK information systems and web sites
- Non-Disclosure Agreement template for vendors and service providers (Fillable pdf form for direct use / Word format for revisions as needed)
- Personal Data Protection in EdUHK and Personal Data Compliance Manual
- Annual Report from Information Security Officer (for the year 2019, 2020 and 2021)
Training by OCIO
- Information Security Workshop with Lessons Learnt 2019 Presentation Slides / Video** <English only> (for INTERNAL only)
- IT Training for Staff
**Note: The video can only be viewed on modern browsers such as Chrome, Firefox and Microsoft Edge.
Training by KPMG
- Information Security Training Slides Part One and Part Two (for INTERNAL only)
- Information Security Poster
JUCC Information Security Awareness Workshop Materials - by JUCC Information Security Task Force
- Training workshop for staff and students conducted by KPMG on 27 Oct 2011 - training poster, presentation slide Part One, Part Two, Part Three, Part Four and Part Five (for INTERNAL only)
- A two-day conference "Implementing Information Security in the Higher Education Community" for senior management and technical staff in The Hong Kong Polytechnic University on 19-20 May 2011.
- Training workshop for staff and students conducted by KPMG on 23 Mar 2011 - training poster, presentation slide Part One, Part Two, Part Three and Part Four (for INTERNAL Only)
- Training workshop for staff and students conducted by KPMG on 20 Oct 2010 - training poster, presentation slide: Part One, Part Two, Part Three and Part Four (for INTERNAL Only)
- A two-day conference for senior management and staff in The Hong Kong Polytechnic University on 19 - 20 May 2010.
- Training workshop for staff and students conducted by KPMG on 24 Mar 2010 - training poster, presentation slide: Part One, Part Two, Part Three and Part Four (for INTERNAL Only)