Background
As you may be aware, the public increasingly expects public organizations to handle personal and confidential information properly and securely. In 2007, the Institute (now retitled The Education University of Hong Kong) commissioned KPMG as consultant to prepare an Information Security Policy for us. The policy and related procedures are based on the international standard on information security, ISO 27001, which covers governance structure, information classification, information handling, incident management, etc.
This new policy has been approved by the then Institute in March 2009 and is applicable to all staff members and students with immediate effect. The Chief Information Officer (CIO) was appointed as the Information Security Officer (ISO) of the University and is responsible for the implementation of the policy.
The senior management understands that it takes time for some departments to fully implement the policy. Information Security Audits will be conducted from time to time to verify that departments have developed the necessary controls or departmental policies to support the policy.
Objectives of the Information Security Policy
To protect the University's members and its reputation through the protection and preservation of Confidentiality, Integrity and Availability (CIA); and
to set out the information security management framework for protecting:
- Personal, vital and sensitive information;
- Infrastructure and information systems; and
- Authorized information users and administrators of the above.
The "CIA" Concept
What is my role and responsibilities?
Familiarize yourself with the requirements of the policy, in particular in the following areas:
- Classification – classify documents accordingly (“Highly Confidential”, “Confidential”, “Internal” and “Public”)
- Labeling – label documents in a visible manner according to the classifications
- Storage – Highly Confidential documents must be stored in a physically secured place, or encrypted when stored on portable storage media (e.g. USB thumb drives)
- Copy and Transmission – proper authorization to copy and transmit Highly Confidential or Confidential documents
- Disclosure – disclose Highly Confidential or Confidential materials with proper authorization
- Disposal – shred/wipe/destroy/degauss the storage media containing Highly Confidential or Confidential documents before disposal
- Incident Reporting – report information security breaches, losses and leakage incidents to the Head of Department or the ISO (i.e. the CIO)
The Information Security Policy and related documents
- The Information Security Policy
- The Information Classification and Protection Policy
- The Information Security Incident Management Procedures
- The Acceptable Usage Policy
- The Password Policy
- Network and System Hardening Guidelines for all EdUHK information systems and web sites
- Personal Data Protection in EdUHK
- Annual Report from Information Security Officer (for the year 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 and 2019)
Training by OCIO
- Information Security Workshop with Lessons Learnt 2019 Presentation Slides / Video** <English only> (for INTERNAL only)
- IT Training for Staff
**Note: The video can only be viewed on modern browsers such as Chrome, Firefox and Internet Explorer 11.
Training by KPMG
- Information Security Training Slides Part One and Part Two (for INTERNAL only)
- Information Security Poster
JUCC Information Security Awareness Workshop Materials - by JUCC Information Security Task Force
- Information Security Newsletter
- Training workshop for staff and students conducted by KPMG on 27 October 2011 - training poster, presentation slide Part One, Part Two, Part Three, Part Four and Part Five (for INTERNAL only)
- A two-day conference "Implementing Information Security in the Higher Education Community" for senior management and technical staff in The Hong Kong Polytechnic University on 19-20 May 2011.
- Training workshop for staff and students conducted by KPMG on 23 March 2011 - training poster, presentation slide Part One, Part Two, Part Three and Part Four (for INTERNAL Only)
- Training workshop for staff and students conducted by KPMG on 20 October 2010 - training poster, presentation slide: Part One, Part Two, Part Three and Part Four (for INTERNAL Only)
- A two-day conference for senior management and staff in The Hong Kong Polytechnic University on 19 - 20 May 2010.
- Training workshop for staff and students conducted by KPMG on 24 March 2010 - training poster, presentation slide: Part One, Part Two, Part Three and Part Four (for INTERNAL Only)