Background

As you may be aware, the public increasingly expects public organisations to handle personal and confidential information properly and securely. In 2007, the Institute (now retitled The Education University of Hong Kong) commissioned KPMG as consultant to prepare an Information Security Policy for us. The policy and related procedures draw on the international standard on information security, ISO 27001, which covers governance structure, information classification, information handling, incident management and other areas.

This policy was approved by the then Institute in Mar 2009 and is applicable to all staff members and students. The Chief Information Officer (CIO) is appointed as the Information Security Officer (ISO) of the University and is responsible for the implementation of the policy.

Information Security Audits are conducted from time to time to make sure that departments have developed the necessary controls or departmental policies to support the policy.

Objectives of the Information Security Policy

To protect the University's members and its reputation through the protection and preservation of Confidentiality, Integrity and Availability (CIA); and 
to set out the information security management framework for protecting:

  • Personal, vital and sensitive information;
  • Infrastructure and information systems; and
  • Authorised information users and administrators of the above.


The "CIA" Concept

CIA is the basic concept behind information security. CIA stands for "Confidentiality", "Integrity" and "Availability". Apart from protecting the confidentiality of restricted documents, we also need to ensure the integrity, that is the accuracy and completeness, of the information. Making crucial documents available in a timely fashion is essential for the operation of the University. Public information published by the University must be accurate and available in a timely manner.


What is my role and responsibilities?

Familiarise yourself with the requirements of the policy, in particular in the following areas:

  • Classification – classify documents accordingly (“Confidential”, “Internal” and “Public”)
  • Labelling – label documents in a visible manner according to the classifications
  • Storage – Confidential documents must be stored in a secured place physically, or with encryption when stored on portable storage media (e.g. USB thumb drives)
  • Copy and Transmission – proper authorisation to copy and transmit Confidential documents
  • Disclosure – disclose Confidential materials with proper authorisation
  • Disposal – shred/wipe/destroy/degauss the storage media containing Confidential documents before disposal
  • Incident Reporting – report information security breach, loss, leakage incidents to Head of Department or ISO (i.e. CIO)

The Information Security Policy and related documents

Training by OCIO

OCIO organises training workshops from time to time. There are also related training sessions in the quarterly IT training for staff.

Training by KPMG

The very first training workshops on the policy were given by KPMG consultants in Jun 2009. The presentation slides are available below. More workshops were held in Sep/Oct 2009 for staff and students. Though some of the figures and cases quoted may be outdated, the key principles remain valid today. The materials below also provide some background on the establishment of the Information Security Policy and related documents at the University.

JUCC Information Security Awareness Workshop Materials - by JUCC Information Security Task Force

The Joint Universities Computer Centre (JUCC)'s Information Security Task Force meets regularly to discuss matters of concern. Previously, KPMG was commissioned to help the UGC-funded institutions to prepare their Information Security Policies. Promotional events were held to enhance awareness among staff and students. The following are some useful materials for reference.

Feedback

If you have any queries or feedback on the Information Security Policy, please send them to listen@ocio.eduhk.hk .

Useful Links