ISDM Guidelines

Quick Index

Policy Statement
1.1-1.2 Commitment
1.3-1.14 Key Definitions
1.15-1.16 Philosophy
1.17-1.18 Aims
1.19-1.31 Key Roles and Responsibilities
1.32-1.34 Oversight Bodies
1.35 Enforcement
1.36 Review
1.37 Communication
Data/Information Classification Scheme
2.1-2.3 Restricted
2.4-2.7 Confidential
2.8 Internal
2.9 Public
Data/Information Life Cycle Management
3.1-3.5 Planning
3.6-3.9 Collecting and Maintaining Data/Information
3.10-3.17 Accessing and Using Data/Information
3.18-3.26 Storing and Transmitting Data/Information
3.27-3.28 Archiving, Deleting and Destructing Data/Information
3.29 External Parties/Third-Party Management
Physical Environment
4.1 Physical Access Security
4.2-4.3 Environmental Security
IT Environment
5.1-5.4 Information Technology Acquisition, Development, Maintenance and Acceptance
5.5 Technology Change Management
5.6-5.10 Network and Platform Security
5.11-5.12 Communications and Operational Management
5.13 Technology Access Control
5.14-5.15 Information System Internal Assessment
5.16-5.19 Cloud / Off-site Storage
Contingency Management
6.1-6.3 Information Security Incident Management
6.4 Business Continuity / Disaster Recovery Management
User Management
7.1 Acceptable Usage
7.2 Human Resources Security
7.3-7.4 Awareness, Education and Training

ISDM Article Number | Sub-titles / Contents | References
Policy Statement

Commitment

1.1

The University of Hong Kong (“The University”) recognises data and information under its possession as a critical asset or resource of the University, and is committed to ensuring the proper management and security of such data and information.

1.2

In pursuit of this goal the University promotes international/well-recognised standards or “good practices” of information security and data management where applicable (e.g., COBIT, DAMA-DMBOK, ISO27001, ITIL, RCUK). The University’s Information Security and Data Management Policy (“this Policy”) applies to all University operations, both on and off campus, and shall be applied in conjunction with other applicable university policies, including the Policy on the Management of Research Data and Records.

Key Definitions

1.3

Data/Information – As a general concept, refers to some existing information or knowledge that is represented or coded in some form suitable for better usage or processing.

1.4

Institutional Data/Information refers to data/information that is:

(a) Relevant to planning, managing, operating, controlling or auditing administrative functions of an administrative, academic or research unit of the University;

(b) Created, received, maintained, or transmitted resulting from administrative, academic or research activities;

(c) Generated by a University staff, research group/team or agent using any of the above data/information.

1.5

Data/Information Architecture is composed of the models, policies, rules or standards that govern which data/information is collected, and how it is stored, arranged, integrated, and put to use in data/information systems and in organisational activities or processes.

1.6

Data/Information Life Cycle includes every phase of data/information from its beginning to its end, from creation (sometimes from the requirement stage before its creation) to its retirement.

1.7

Data/Information Management is the development and execution of architectures, policies, practices and procedures that properly manage the full data/information life cycle needs of the University.

1.8

Data/Information Availability refers to ensuring that data and the functions of associated information systems are available and protected from service disruption.

1.9

Data/Information Confidentiality refers to ensuring that only authorised persons can access the data.

1.10

Data/Information Integrity refers to maintaining the accuracy and consistency of data/information over its entire life cycle; it is the opposite of data corruption.

1.11

Data/Information Quality is an essential characteristic that determines the reliability of data/information for making decisions. High quality data/information are fit for their intended uses in operations, decision making and planning.

1.12

Personal Data is any data or information that relates to a living person and can be used to identify that person, and that exists in a form in which access or processing is practicable. Such data is required to be appropriately collected, managed and protected in accordance with the Personal Data (Privacy) Ordinance and relevant guidance. Examples include personal phone numbers, addresses, identity card numbers, photos, medical records and employment records.

Reference: PCPD – Personal Data (Privacy) Ordinance at a Glance

1.13

Information Technology Resources include:

(a) All computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software that are used to process, store and/or transmit institutional data/information;

(b) All other associated tools, instruments, and facilities; and

(c) Services that make use of any of these technology resources.

The above components may be individually controlled (e.g., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.

1.14

Information Security is the practice of defending data/information from breaches of confidentiality, integrity and availability (e.g., unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction). Such practice supports data/information management.

Philosophy

1.15

The value of data/information as a critical asset or resource to the University is increased through its assured quality and its adequate and appropriate distribution, use and security, which enhance administrative or other forms of effectiveness; its value is diminished through low quality, misuse, misinterpretation, alteration, theft, destruction or inappropriate access restriction.

1.16

The level of protection applied to data/information should correspond to its sensitivity and its criticality to the mission, reputation and operations of the University; data/information should be adequately secured for the level of risk without the controls being overly restrictive or burdensome.

Aims

1.17

Successful management and protection of data/information is critical to the administrative, academic and research functions of the University, minimising the enterprise risk of data/information breaches, as well as the safeguarding of the University’s reputation. Through active planning, organisation and control of such assets or resources, the University will:

(a) Manage data/information as an asset or resource to serve the running of University operations and improve the quality of services to University communities;

(b) Provide data/information that are consistent, reliable and accessible to meet the University’s needs;

(c) Deliver data management services that result in sufficiently high quality of data/information that help maximise the efficiency and effectiveness of operational processes; and

(d) Implement, maintain, operate and renew/update security measures to adequately safeguard institutional data/information and information technology resources, such that they are adequately protected from deliberate, unintentional or unauthorised alteration, destruction, inappropriate disclosure or use, and/or intrusion, and to ensure the adequate satisfaction of confidentiality, integrity and availability requirements.

1.18

The University is committed to meeting internationally-recognised standards of personal data privacy protection, and will take all reasonably practicable steps and provide necessary resources to meet its commitment and achieve its goals, paying particular attention to the following required organisation-wide efforts:

(a) Ensuring compliance with the requirements of Personal Data (Privacy) Ordinance, and all other relevant legal and regulatory requirements;

(b) Ensuring compliance with all institutional requirements related to this Policy;

(c) Identifying and assessing challenges or risks that pose a barrier or threat to its commitment and aims, and managing those challenges or risks;

(d) Ensuring the designation of necessary common/shared or dedicated resources in organisational units to help meet their compliance requirements under this Policy;

(e) Ensuring that staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are adequately informed of those risks and, where appropriate, receive adequate instruction, training, and supervision, requiring them to comply with all relevant requirements;

(f) Consulting and engaging with relevant stakeholders on data/information management matters where needed;

(g) Coordinating and collaborating with other organisations with which the University exchanges data or information.

Key Roles and Responsibilities

1.19

The Council is the sponsor of this Policy.

1.20

Whilst the University has ultimate ownership of all institutional data/information, effective governance and management of institutional data/information require the proper delegation of accountabilities and responsibilities within a well-established structure of related roles, which shall include, but not be limited to, Data Owners, Data Stewards, Data Custodians and Data Users.

1.21

Data Owners – The head of an administration office / faculty / department / school / centre (“unit”), or the Principal / Chief Investigator of a research programme or project, who is the decision maker with respect to data collected and/or used in conducting the unit’s business. He or she has decision-making authority over any data collected and/or used by the unit.

Key responsibilities: Interpret and implement information security and data management policies, standards and guidelines, or delegate this responsibility (but not accountability) to a Data Steward where appropriate.

1.22

Data Stewards – Any appropriate individual assigned by a Data Owner to facilitate the interpretation and implementation of information security and data management policies, standards and guidelines.

Key responsibilities:

(a) Facilitate the interpretation and implementation of information security and data management policies, standards and guidelines to meet the needs of the University for the use of data;

(b) Work with Data Owners, with assistance from Information Technology Services (ITS)/University Data Protection Officer (refer to relevant sections below for references) where necessary, to assure that data is appropriately classified, managed and protected. Identify and implement procedures and controls for data protection, and when necessary, work with the data protection and information security personnel in ITS to enforce the procedures and controls;

(c) Play the role as the University’s “Personal Data Protection Coordinators” (“PDPCs”).

1.23

Data Custodians – Organisational functions (e.g., Human Resources Section, IT functions of faculties or departments) or individuals (e.g., staff, students, contractors, third party users) that are entrusted to operate on university data/information (including, but not limited to, through the access, operation or construction of systems) on a need basis as part of their assigned functions or employment or contractual duties.

Key responsibilities:

(a) Be familiar with the University’s governance and classification structures in relation to information security and data/information management; and

(b) Comply with all related policies, standards, guidelines and procedures issued by the University associated with information security and data/information management, and equip themselves with necessary knowledge and skills to enable such compliance (including, for example, attendance of required training).

1.24

To align with the modern model of data/information governance and management in universities, the Registrar shall be the Data Owner of institutional data/information centrally administered, managed, processed or stored under the Registry.

1.25

Data Users – Individuals (e.g., staff, students, contractors, relevant third party users) or organisation functions (e.g., academic departments accessing student-related data on University Student Information System) that are entrusted to access and use university data on a need basis as part of their assigned employment or contractual duties or functions.

Key responsibilities:

(a) Be familiar with the University’s governance and classification structures in relation to information security and data/information management; and 

(b) Comply with all related policies, standards, guidelines and procedures issued by the University associated with information security and data/information management, and equip themselves with necessary knowledge and skills to enable such compliance (including, for example, attendance of required training).

1.26

A successful information security and data/information management programme demands a positive commitment from all University staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers), regardless of their respective roles as Data Owners, Data Stewards, Data Custodians, Data Users, etc. All such individuals have the responsibility to ensure that they are equipped with the necessary knowledge and skills (including, for example, having attended all required training and/or studied relevant information published by the University), to comply with this Policy, to protect and not create risks for the University, themselves or others, and to take all reasonable steps to address any foreseeable risks associated with data and information associated with the University.

1.27

Data Owners, Data Stewards, Data Custodians and Data Users together shall form the University’s “first line of defence” for the implementation of effective information security and data/information management, consisting of individuals who are closer to the relevant issues and risks and are in a better position to identify, assess and manage them.

1.28

All staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are bound by the statutory data protection principles in the Personal Data (Privacy) Ordinance and have a duty of confidentiality to protect personal data/information. Enquiries about the University’s privacy policy and practices corresponding to the Personal Data (Privacy) Ordinance should be addressed to the University Data Protection Officer (referred to below in this section) through designated communication channels.

1.29 para. 1

ITS is one of the major Data Custodians of the University through provisioning IT-related services for various information technology resources of the University, and supporting respective Data Owners in the implementation of good information security and/or data management practices and compliance with relevant policies / standards. On the other hand, recognising that there may exist information technology resources that are not directly developed, implemented, administered, maintained or operated by ITS (e.g., by IT personnel that are directly under a particular faculty or department and act as the Data Custodian), ITS shall also play a key role in the University-wide effort of ensuring that sound information security and data management practices are being implemented and that relevant policies are complied with across the University. ITS shall therefore establish a “Data and Security Team” that is independent and reasonably separated from other functions of ITS and is responsible for:

(a) Developing and maintaining additional information technology policies, standards or guidelines from time to time (whenever necessary) that apply to the University at large, with endorsement by [ITPC] (refer to the “Oversight Bodies” section);

(b) Setting the related risk assessment methodology (in consultation with the University Data Protection Officer for the privacy risk assessment component) and data/information asset inventory standards (i.e., standards for creating and maintaining formal records of data/information assets) for endorsement by [ITPC] (refer to the “Oversight Bodies” section) and University-wide adoption (for the purpose of consistent application by Data Owners and Data Custodians);

(c) Establishing and maintaining a “common reporting platform” for the collection, consolidation and analysis of risk-related information (e.g., from risk assessment reports and data/information asset inventories submitted by Data Owners) for the purpose of supporting relevant risk management and reporting activities;

(d) Facilitating the resolution of common/shared information security issues amongst central administration offices, faculties, departments, ITS and other relevant organisation units of the University; and

(e) Performing periodic and ad-hoc assessment and ongoing monitoring of compliance in relation to information security and data management at the University, as well as providing support (i.e., non-first-tier technical advice and incident management support associated with the management or use of data/information) where appropriate.

1.29 para. 2

ITS, as one of the major Data Custodians of the University and its key information technology service provider, shall be responsible for, but not limited to, the following (in the context of this Policy):

(a) Providing a reliable and secure “central University information technology infrastructure” with effective support (including but not limited to controlling permissions to access such central infrastructure); 

(b) Formulation of University-wide data architectures and information security architectures, as well as related common standards (with such standards reviewed and endorsed by the Data and Security Team, and approved by [ITPC] where deemed necessary); 

(c) Working with Data Owners and their delegates to:

  • Support policy, process, and practice related implementation and/or improvement efforts associated with institutional data/information;
  • Resolve shared information security and data/information management issues; and
  • Provide appropriate technical advice and user support associated with the management or use of data/information.
1.30

The following individuals and organisation units together form the University’s “second line of defence” for information security and data/information management, which periodically reviews and challenges how issues and risks are being identified, assessed and managed by the “first line of defence”:

(a) University Data Protection Officer for policy matters and advice concerning personal data protection (refer to the University’s Privacy Statement and related information);

(b) Data and Security Team of ITS (a function within ITS without direct Data Custodian responsibilities) for matters concerning the compliance of data (including personal data) and information security;

(c) Task Force on Management of Research Data and Records for research data management compliance (refer to the task force’s terms of reference).

These individuals and organisation units shall also provide such support and consultation to the “first line of defence” as is deemed necessary in ensuring the effective implementation of the University’s information security and data management policies, including but not limited to providing information and guidance on the appropriate processing of institutional data/information, and producing “good practice” guidance material for, and delivering training to, relevant stakeholders.

1.31

The following individual(s) and organisation unit(s) shall form the University’s “third line of defence” for information security and data/information management, which shall reassure management and related governance bodies that issues and risks associated with information security and data/information management are effectively managed:

(a) Internal Audit Function.

Reference: HKU Internal Audit Office

Oversight Bodies

1.32

To enable and ensure effective governance over how institutional data/information and information technology resources are managed and protected across the University, there shall be the following oversight body:

[Information Technology Policy Committee] – Designated by the Council, [ITPC] provides strategic oversight of information technologies and related risks to ensure their well-coordinated governance, including information security and data management for the purpose of this Policy (refer to the terms of reference of [ITPC]).

1.33

The responsibilities of [ITPC] shall include but are not limited to the following aspects in relation to the governance of information security and data management of the University:

(a) Creation, maintenance and overall implementation of this Policy;

(b) Ensuring that staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are aware of this Policy;

(c) Ensuring adequate resources for the implementation of this Policy;

(d) Ensuring proper delegation of accountabilities and responsibilities within a well-established structure of related roles;

(e) Monitoring and enforcing compliance;

(f) Recommending disciplinary action for non-compliance if necessary;

(g) Commissioning regular reviews of this Policy, having regard to any relevant changes in risk levels, legislation, regulations, organisational policies and contractual obligations;

(h) Ensuring there is clear direction and visible management support for related initiatives.

1.34

The Task Force on Management of Research Data and Records, given its unique position as part of the University’s research function as well as its information security and data management function, shall have two reporting lines from a governance perspective:

(a) To [ITPC] – On research data management related matters with administrative implications; and

(b) To the University Research Council – On research data management related matters with academic implications.

Enforcement

1.35

Any failure to comply with this Policy shall be reported to [ITPC] through designated reporting channels, which shall review such a case (either as a single case or with other similar cases collectively) to decide if any action should be taken. Serious offences may result in disciplinary action.

Review

1.36

This Policy and its effectiveness will be reviewed periodically by [ITPC] and reported to [ITPC] for endorsement by the Council.

Communication

1.37

This Policy will be effectively communicated to staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) through an appropriate communication strategy.

Data/Information Classification Scheme

Restricted

2.1

This classification applies to data/information that is very sensitive in nature and is strictly restricted by the University, the government or any agreement between the University and third parties.

2.2

Such data/information is considered critical to the University’s capacity to conduct its business. Generally, this data/information shall be used exclusively by a limited number of predetermined and authorised named individuals or positions and business partners.

2.3

Disclosure of such data/information to unauthorised parties, or inappropriate sharing of it internally, could have a significant adverse impact on the University’s reputation, its staff, students and other relevant stakeholders. Inappropriate disclosure or release could cause significant inconvenience to or endanger an individual, and result in financial loss or damage to standing or reputation at University level.

Illustrative examples:

  • Examination papers before official release
  • Privileged accounts’ passwords of the University’s key information systems
  • Sensitive information concerning a pending criminal investigation
  • Sensitive personal data (e.g., HKID number, credit card information, personal financial or medical information of staff and students, and research information)

Confidential

2.4

This classification applies to sensitive data/information that is intended for use by a specific group of authorised personnel within the University and business partners, assigned on a need-to-use basis and for an authorised intended purpose.

2.5

The unauthorised disclosure, modification or destruction of this data/information would adversely affect business performance or the continuity of operations.

2.6

Inappropriate disclosure or release could cause reasonable inconvenience to individuals, and result in limited financial loss or damage to standing or reputation at unit level. Data/Information of interest to the news media, pressure groups or electorates also belongs to this classification.

2.7

Such data/information shall not be copied or removed from the University’s control without specific authorisation by the appropriate Data/Information Owner/designee.

Illustrative Examples:

  • Student and staff personal information (e.g., Personal contact phone number, home address, academic results, performance appraisal)
  • Student and staff disciplinary details
  • Patent pending
  • Unpublished research information (exclude sensitive personal data)
  • Identifiable research subject data (exclude sensitive personal data)

Internal

2.8

This classification relates to non-sensitive operational data/information. It applies to data/information that is intended for use by members of the University and authorised service providers. Disclosure of such data/information could have a moderate adverse impact. Disclosure or release is not expected to cause serious harm to the University, and access may be provided to a staff member or a specific group of staff based on their respective roles and responsibilities.

Illustrative examples:

  • Staff handbooks
  • Internal policies
  • Training materials
  • Manuals
  • Internal procedures (e.g., system hardening procedures, etc.)

Public

2.9

This classification applies to data/information that has been approved by the appropriate University authority for public consumption. Such data/information shall present minimal perceived risk to the University, its staff, students and/or relevant stakeholders.

Illustrative examples:

  • University policy
  • Programme and admission information
  • Published academic literature
  • Press releases, etc.

Data/Information Life Cycle Management

Planning

3.1

Data/Information management planning shall be conducted by Data Owners to produce a data/information management plan (based on the published standard and/or template(s)) that enables the development and documentation of clear requirements and procedures for the collection, storage, use, re-use, access and retention or destruction of institutional data/information. The data/information management plan shall be maintained and reviewed by the respective Data Owner at an appropriate frequency to ensure it is up-to-date.

Reference: Guidelines on Preparing Data/Information Management Planning

3.2

Data Owners shall conduct, on a periodic basis at an appropriate frequency, information risk assessments in order to determine the appropriate level of data/information risk responses and security measures, based on requirements or guidelines. Such an assessment shall, at a minimum, identify and classify the nature of the data/information held (e.g., value, potential threats), the adverse consequences should risks materialise or security be breached, the likelihood of those consequences occurring, and non-compliance or potential non-compliance with this Policy, and determine the appropriate risk responses. Once completed, a copy of the report of the information risk assessment shall be provided to [ITPC] with the coordination of ITS.

Reference: Template of Information Risk Assessment and Data Privacy Checklist *

3.3

Data Owners shall establish and promote explicit criteria for data/information validity, availability, accessibility, interpretation and ease of use to ensure data/information quality, and implement action programmes for ongoing data/information quality assurance / improvement as part of the data/information management plan (based on any applicable standard and/or template published).

Reference: Guidelines on Preparing Data/Information Management Planning

3.4

Data Owners shall also have the ultimate responsibility for producing and maintaining documentation on data/information that enables or supports data/information management planning and data/information management activities (“data/information documentation”), based on requirements or guidelines (e.g., in the form of a standard and/or template(s)). Some or all of these responsibilities may be assigned to Data Stewards.

Reference: Guidelines on Preparing Data/Information Management Planning

3.5

A critical component of data/information documentation is the “Data/Information Asset Inventory”, which comprises a list of the data/information under the ownership of the respective Data Owner, with each item appropriately described and classified based on the University data/information classification scheme. Data Owners shall establish a process that ensures the continued accuracy of the data/information asset inventory, link the asset inventory information with data/information management planning and execution, and always keep the document available for compliance-related inspections and information risk assessments coordinated by ITS for the purpose of reporting to [ITPC].

Collecting and Maintaining Data/Information

3.6

Data Owners shall establish appropriate responsibilities, procedures and methods to ensure that collections of institutional data/information are complete, valid, reliable and timely to the extent possible (based on any applicable standard and/or template published).

Reference: Guidelines on Preparing Data/Information Management Planning

3.7

With respect to procedures and methods for the collection of digital data/information, such data/information should be collected and maintained as close as possible to its source or creation point. Separate collection and maintenance, and unnecessary duplication, of data/information that is kept by the central administration offices should be avoided. Data Owners shall determine the most appropriate source or creation point of data/information with advice from the relevant central administration office(s) and/or ITS.

Reference: Guidelines on Preparing Data/Information Management Planning

3.8

Data Owners, with appropriate involvement from relevant Data Custodians, shall ensure that information technology systems that capture and update institutional data/information have appropriately incorporated edit and validation checks to assure the accuracy of the data/information, or that the data/information has not been altered in an unauthorised manner. Edit and validation checks are concerned with the process of ensuring that a system (and its related system(s)) operate(s) on clean, correct and useful data through the employment of “validation rules” (often built into the system) that check for the correctness, meaningfulness and security of data input to the system.

Reference: Guidelines on Preparing Data/Information Management Planning
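
The three kinds of validation rule Article 3.8 names (correctness, meaningfulness, security), as an added example that is not part of the ISDM policy or of any University system: a rule set applied to one constructed student record before a system accepts it. The field names, the assumed 10-digit university number format, the plausible-age range, the sample values and the HKID check-digit scheme as described in the code comment are assumptions of this example.

```python
"""Edit and validation checks of the kind Article 3.8 describes, run over one
constructed student record before a system accepts it.  Added example, not
part of the ISDM policy: field names, the 10-digit university number format,
the plausible-age range and the sample values are assumptions."""
import re
from datetime import date

# Classification labels from Section 2 of the policy
CLASSIFICATIONS = {"Restricted", "Confidential", "Internal", "Public"}
UNIVERSITY_NUMBER = re.compile(r"\d{10}")                     # assumed format
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HKID = re.compile(r"([A-Z]{1,2})(\d{6})\(([0-9A])\)")           # e.g. A123456(3)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_TEXT = 200
TODAY = date(2025, 1, 1)                                       # constructed reference date


def hkid_check_digit(prefix: str, digits: str) -> str:
    """Check digit under the commonly documented HKID scheme (an assumption of
    this example): letters count A=10 .. Z=35, a one-letter prefix is padded
    with a space worth 36, positions are weighted 9 down to 2, and the digit
    is 11 minus (sum mod 11), written 0 for remainder 0 and 'A' for 1."""
    body = (" " if len(prefix) == 1 else "") + prefix + digits
    values = [36 if c == " " else (ord(c) - 55 if c.isalpha() else int(c)) for c in body]
    remainder = sum(v * w for v, w in zip(values, range(9, 1, -1))) % 11
    return {0: "0", 1: "A"}.get(remainder, str(11 - remainder))


def validate_record(record: dict, today: date = TODAY) -> list:
    """Apply correctness, meaningfulness and security rules; return a list of
    (field, problem) pairs, empty when the record is clean."""
    errors = []
    required = ("university_number", "name", "email", "hkid",
                "date_of_birth", "classification")
    missing = [f for f in required if not record.get(f)]
    if missing:                      # nothing else is meaningful without them
        return [(f, "missing") for f in missing]

    # Correctness: each identifier matches its expected shape
    if not UNIVERSITY_NUMBER.fullmatch(record["university_number"]):
        errors.append(("university_number", "format"))
    if not EMAIL.fullmatch(record["email"]):
        errors.append(("email", "format"))
    m = HKID.fullmatch(record["hkid"])
    if m is None:
        errors.append(("hkid", "format"))
    elif hkid_check_digit(m.group(1), m.group(2)) != m.group(3):
        errors.append(("hkid", "check_digit"))   # a typo the check digit catches

    # Meaningfulness: a real calendar date that gives a plausible age
    try:
        dob = date.fromisoformat(record["date_of_birth"])
    except ValueError:
        errors.append(("date_of_birth", "format"))
    else:
        age_years = (today - dob).days / 365.25
        if not 14 <= age_years <= 120:
            errors.append(("date_of_birth", "implausible"))
    if record["classification"] not in CLASSIFICATIONS:
        errors.append(("classification", "unknown_label"))

    # Security: bound free text and refuse control characters that could
    # corrupt logs or confuse downstream parsers
    name = str(record["name"])
    if len(name) > MAX_TEXT:
        errors.append(("name", "too_long"))
    if CONTROL_CHARS.search(name):
        errors.append(("name", "control_characters"))
    return errors


# Constructed sample records (no real person)
GOOD_RECORD = {
    "university_number": "3035001234",
    "name": "Chan Tai Man",
    "email": "tmchan@example.edu",
    "hkid": "A123456(3)",
    "date_of_birth": "2004-09-01",
    "classification": "Confidential",
}
BAD_RECORD = {
    "university_number": "30350A",
    "name": "Chan\x00Tai Man",
    "email": "not-an-address",
    "hkid": "A123456(7)",
    "date_of_birth": "2030-01-01",
    "classification": "Secret",
}

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(label, validate_record(rec) or "passes all checks")
```

Each rule returns a field name and a short problem code rather than raising on the first failure, so the system can reject the whole record and report every defect to the submitter at once; the check digit demonstrates why a format rule alone is not a correctness rule.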

3.9

Data Owners, with appropriate involvement from relevant Data Custodians, shall establish effective procedures under which, upon written identification and notification of erroneous data/information, and if the error is confirmed, timely corrective measures are taken to correct the cause of the erroneous data/information, correct the data/information in its official storage location, and notify users who have received or accessed the erroneous data/information.

Reference: Guidelines on Preparing Data/Information Management Planning

Accessing and Using Data/Information

3.10

Access to institutional data/information refers to the permission to view, query or capture such data/information, but does not necessarily imply delivery or support of specific methods or technologies of data/information access. It is crucial for Data Owners to ensure that proper access rights to institutional data/information have been assigned to authorised Data Custodians/Users.

Guidelines on Preparing Data/Information Management Planning:

3.11

Data Owners, typically through their respective Data Stewards, shall ensure that rights of access to institutional data/information are granted only through University staff who have been designated by the Data Owners / Data Stewards as the authorised individual(s) to grant access rights for that data/information. All individuals accessing institutional data/information (i.e. Data Custodians/Users) must be appropriately authenticated, and additional, more stringent forms of authentication should be considered where necessary.

Guidelines on Preparing Data/Information Management Planning:

3.12

Data Owners, typically through their respective Data Stewards, shall ensure that authorisation of access to institutional data/information for any Data Custodian/User is based on its appropriateness to the Data Custodian/User’s role and the intended use/function, and that such authorisation is reviewed for validity on a periodic basis at an appropriate frequency.

Guidelines on Preparing Data/Information Management Planning:

3.13

Data Owners, typically through their respective Data Stewards, shall ensure that access to institutional data/information complies with applicable requirements of the University and is granted only to those individuals or systems (in the case of non-human access by a system) that have been authorised.

Guidelines on Preparing Data/Information Management Planning:

3.14

Data Owners, typically through their respective Data Stewards and/or Data Custodians, shall ensure that authorisations of access to data are documented, reviewed, modified and terminated in accordance with applicable University requirements. To allow for audit trails and potential investigations, access records should be kept for a minimum of six months, or longer where necessary.

Guidelines on Preparing Data/Information Management Planning:

3.15

With respect to physical access to locations hosting restricted or confidential data/information, Data Owners, through the respective Data Custodians responsible for operating the physical security of such locations, shall ensure that such physical access is monitored and that access records are properly maintained.

Guidelines on Preparing Data/Information Management Planning:

3.16

With respect to remote access to information technology systems containing restricted or confidential data/information, Data Owners, through the respective Data Custodians responsible for operating such information technology systems, shall ensure that such remote access is properly identified and recorded, as well as controlled via a well-defined access control policy and tight access controls (e.g., as recorded in the data/information asset inventory), including secure access control protocols using appropriate levels of encryption and authentication.

Guidelines on Preparing Data/Information Management Planning:

3.17

Data Owners, with assistance from respective Data Custodians, shall set requirements or rules regarding the manipulation, modification or reporting of institutional data/information and the creation of derived data or information.

Guidelines on Preparing Data/Information Management Planning:

Storing and Transmitting Data/Information

3.18

Data Owners, with support from respective Data Custodians, shall identify the official data/information storage location(s) for each type of institutional data/information and, where appropriate, record such locations in the data/information asset inventory.

Data/Information Asset Inventory Template *

3.19

Data Owners, through respective Data Custodians, shall ensure that restricted or confidential data/information is kept secure, using, where applicable, dedicated and reliable storage and an appropriate level of physical security and/or digital security (according to applicable standards published and updated by ITS).

3.20

Data Owners, through respective Data Custodians, shall ensure that, for operations involving restricted and confidential data/information being stored and/or transmitted, an appropriate level of encryption is adopted as an additional layer of defence where existing physical or digital security is insufficient, and that this requirement is complied with by Data Custodians/Users with access to such information according to applicable standards published and updated by ITS.

3.21

Data Owners, through respective Data Custodians, shall ensure that, for operations involving documents that contain restricted or confidential information, such documents are marked with the appropriate designation according to the University’s data/information classification system, and that this practice is complied with by Data Custodians/Users with access to such documents.

1) Use of Information Rights Management (IRM) for email and file protection
3.22

Data Custodians/Users shall ensure that restricted or confidential data/information is passed or sent to another party (both within and outside the University) only when such a need is confirmed and the recipient is trusted, with permission having been granted by the Data Owner where needed, and that appropriate safeguards have been taken (e.g., encryption, sealed envelope). Data Owners shall ensure that proper procedures and/or access to safeguards for usage are in place according to applicable standards published by ITS.

3.23

Data Custodians/Users shall ensure that permission of the Data Owner is obtained before restricted or confidential data/information is taken off site or transported outside its intended University information technology system. Data Owners shall ensure that proper procedures are in place.

Guidelines on Preparing Data/Information Management Planning:

3.24

When transmitting restricted or confidential institutional data/information in digital format, Data Users shall ensure that such data is transmitted through an appropriate electronic data transmission system provided by the University (e.g., the University email system). Data Custodians responsible for the University’s electronic data transmission systems shall ensure that adequate controls are implemented to suitably protect the electronic transmission of restricted or confidential data/information (e.g., sending such information through email) from unauthorised use and access according to applicable standards published and updated by ITS. Data Users shall not seek to bypass such controls in their electronic data transmission activities.

N/A
3.25

Data Custodians/Users shall ensure that the number of copies made of restricted or confidential data/information, whether in hardcopy or on portable devices or media, is kept to a minimum, with a record kept of their distribution where appropriate. Copies that are no longer needed should be deleted or, in the case of hard copies, destroyed where possible. Data Owners shall ensure that relevant and proper equipment or facilities are available where practically possible.

3) Guidelines on Preparing Data/Information Management Planning:

3.26

Data Custodians/Users shall ensure that portable devices or media containing restricted or confidential data/information are appropriately protected from unauthorised access. Data Owners shall ensure that relevant and proper equipment or facilities are available where possible. These measures shall be carried out in accordance with applicable standards published and updated by ITS.

4) Guidelines on Preparing Data/Information Management Planning:

Archiving, Deleting and Destructing Data/Information

3.27

Archiving requirements and strategies for storing and preserving historical data should be determined for each type of institutional data/information by the Data Owner (with reference to any relevant guidelines approved by [ITPC]), and shall be implemented accordingly by the Data Custodian concerned.

Guidelines on Preparing Data/Information Management Planning:

3.28

Data Owners, through support from respective Data Custodians, shall ensure that proper policies, procedures and tools are in place for the secure disposal/destruction of restricted or confidential data/information in both physical and digital form.

Guidelines on Preparing Data/Information Management Planning:

External Parties/Third-Party Management

3.29

Data Owners shall ensure that any University data/information or information systems that are accessed, processed, communicated or managed by third parties (whether a part of or outside the University) are protected by proper written agreements (contractual arrangements in the case of non-University parties) that cover all relevant data management and information security requirements, together with appropriate security measures commensurate with the classification(s) of the data/information concerned, and shall obtain sufficient assurance that such third parties are capable of complying, and/or have complied, with such requirements.

Physical Environment

Physical Access Security

4.1

For physical environments hosting the University’s restricted and confidential institutional data/information and associated information technology resources, Data Owners, through the respective Data Custodians responsible for operating such physical environments, shall ensure that adequate access security is implemented, including but not limited to the following components where appropriate:

(a) Facility security plan;
(b) Physical entry control, and procedures for verifying access authorisations prior to physical access;
(c) Need-to-know procedures for personnel physical access;
(d) Maintenance records, e.g., infrastructure changes that may have security impact;
(e) Equipment control (into and out of site);
(f) Sign-in for visitors and escort (where appropriate);
(g) Evacuation plan and data/information asset protection plan in the case of emergency situations; and
(h) Testing and, where necessary, revision of physical access controls (to provide assurance of proper functioning).

N/A

Environmental Security

4.2

For physical environments hosting the University’s restricted and confidential institutional data/information and associated information technology resources, Data Owners, through the respective Data Custodians responsible for operating such physical environments, shall ensure that such environments are protected against damage from natural and man-made environmental risks (e.g., fire, flood, wind, power source, temperature), where appropriate.

N/A
4.3

Relevant Data Custodians shall carry out monitoring of environmental conditions for physical environments hosting University’s restricted and confidential institutional data/information and associated information technology resources, covering, for example, the following components:

(a) Alarm and emergency systems;
(b) Air conditioning (temperature and humidity);
(c) Electrical power supply;
(d) Fire and smoke detection and control;
(e) Loading, grounding and other structural protection;
(f) Uninterruptible Power Supply installations; and
(g) Water leakage.

N/A
IT Environment

Information Technology Acquisition, Development, Maintenance and Acceptance

5.1

Data Owners, for the purpose of assurance, shall ensure that a risk assessment, based on the University’s information risk assessment methodology and reporting format, is carried out for any new information technology system or infrastructure component (e.g., core network router) that may be used to store, process or transmit sensitive or confidential data/information, or when there is a major modification to any existing information technology system or infrastructure component (meaning a modification that would likely alter the existing risk nature and/or level associated with the system or infrastructure component being modified), and shall request/require the respective Data Custodian(s), and where applicable Data User(s), to respond appropriately to any assessment findings raised. The risk assessment shall be repeated on a periodic basis at an appropriate frequency for any existing systems or infrastructure components that may be used to store, process or transmit restricted or confidential data/information. Upon completion of each risk assessment, a copy of the risk assessment report shall be provided to the [ITPC] through the coordination of ITS.

Template of Information Risk Assessment and Data Privacy Checklist *

5.2

A privacy risk assessment component shall be added to the aforementioned risk assessment when personal data is involved. The purpose of the privacy risk assessment component is to identify and mitigate privacy risk by ensuring conformance with applicable legal, regulatory and policy requirements for privacy, determining the risks and their effects, and evaluating protections and alternative processes to mitigate potential privacy risks.

Template of Information Risk Assessment and Data Privacy Checklist *
5.3

For the purpose of reducing risk to the University through technology standardisation, ITS shall develop a set of recommended information technologies (e.g., certain types of operating systems, server specifications, database applications, network equipment) and recommended “baseline” standards for configuring such information technologies (e.g., security settings). ITS, being responsible for the University’s central IT infrastructure, shall also set out and make known the requirements that must be met before any information technologies or networks (either within the University or outside) are allowed to be connected to the central campus network, as well as the associated approval procedures.

5.4

Where practically possible, Data Owners, working with respective Data Custodians, shall ensure that the selection of new information technology systems or infrastructure components, as well as the configuration of new and existing ones, complies with any applicable standards published by ITS (e.g., technical security configuration standards). For any information technology systems or infrastructure components that may be used to store, process or transmit restricted or confidential data/information, Data Custodians associated with the selection and configuration shall inform the respective Data Owners of any exceptions, which shall be appropriately documented with proper justifications.

Technology Change Management

5.5

Data Owners, supported by respective Data Custodians, shall ensure that changes to information systems, telecommunication equipment, software and other information technology resources under their ownership (and custodianship in the case of Data Custodians) do not result in adverse impact on the confidentiality, integrity and availability of institutional data/information being processed, stored or transmitted by such information technology resources. Data Custodians concerned shall assure their respective Data Owners that all changes have been assessed, documented and authorised in line with the change control standard published by ITS, incorporating at least the following:

(a) Change request process and roles (initiator, approver, implementer and reviewer);
(b) Planning and testing of changes;
(c) Assessment of potential impacts, including security impacts and other forms of impact where appropriate; and
(d) Fall-back procedures.


Network and Platform Security

5.6

Members of the University shall properly protect the University’s Campus Network with appropriate security measures and network equipment based on applicable standards published by ITS. Sensitive information about the Campus Network (e.g., network addresses, network configurations and other related systems or network information) shall be properly maintained and accessible only to authorised parties.

N/A

5.7

ITS, as the University’s custodian of the central campus network, shall segregate the central network into separate network environments based on the usage and sensitivity of the data/information and services hosted in the respective sub-networks, and shall manage and control the central network and its sub-networks accordingly to maintain the corresponding network security levels. Connections between sub-networks, as well as with other networks within or outside the University, shall not compromise or downgrade the intended security levels of the central campus network.

5.8

Wireless networks that are connected to the Campus Network shall be documented, monitored and controlled by ITS. Staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are prohibited from connecting unauthorised wireless network devices or setting up wireless networks with direct connection to the Campus Network. Restricted or confidential data, including any personal data, shall not be transmitted over wireless networks without proper encryption.

N/A

5.9

Centrally arranged Internet and external network gateways are managed by ITS. All other Internet or external network gateways must conform to applicable standards published by ITS, and be approved by and registered with ITS. All inbound and outbound traffic to and from the University Campus Network shall pass only through gateways managed centrally by ITS and those approved by and registered with ITS.

N/A
5.10

Data Custodians shall ensure (and assure to their respective Data Owners) that information systems and associated information technology components under their custodianship are adequately protected from internal and/or external threats through the implementation of applicable control procedures and ITS standards for application, service and platform security, which should include, for example, the following common components:

(a) Anti-virus and firewall systems;
(b) Application and platform configuration management and hardening;
(c) Configuration management;
(d) Hardware and software patch management;
(e) Information and system backup systems;
(f) Intrusion detection systems; and
(g) Network and application logging and monitoring systems.


Communications and Operational Management

5.11

Relevant Data Custodians shall ensure (and assure to their respective Data Owners) that operational procedures for the proper and secure handling of information technology components involving restricted and sensitive data/information are developed, documented, maintained and complied with, and are reviewed periodically for any necessary updates and/or to ascertain the level of compliance and effectiveness.

N/A

5.12

Data Owners and Data Custodians shall ensure that the duties and areas of responsibility of staff are properly segregated to reduce the risk of unauthorised or unintentional access, modification or misuse of institutional data/information and associated information technology resources. The level of segregation shall match the confidentiality and security requirements of the data/information being processed.


Guidelines on Preparing Data/Information Management Planning:

Technology Access Control

5.13

Data Owners, supported by respective Data Custodians, shall ensure the effective implementation of access control over information technologies associated with institutional data/information. Related control measures and control procedures shall be commensurate with the sensitivity of the data/information concerned, and be implemented based on relevant standards and/or guidelines published by ITS, which shall cover, for example, the following:

(a) Access control that restricts access to privileged entities only (e.g., role-based access, user-based access);
(b) Authorisation control that requires consent to be obtained for the disclosure and/or use of sensitive data/information;
(c) Password and screen lockout controls;
(d) Security event control over system activities, especially those performed by privileged accounts; and
(e) Regular review of access privileges to ensure continued appropriateness.


Information System Internal Assessment

5.14

[ITPC], supported by ITS and using asset inventory information submitted by Data Owners, shall determine a list of information systems (together with their related infrastructure where applicable and appropriate, and including both “central” and “non-central” systems) that are critical to the University’s operations and financial reporting, or that contain sensitive information of the University (based on information classifications), which shall be subject to periodic evaluations to ensure ongoing control effectiveness.

N/A

5.15

[ITPC], supported by ITS and in consultation with respective Data Owners, shall determine and execute, using a risk-based approach and preferably on at least an annual basis, an assessment plan covering a selection of information systems (together with their related infrastructure where applicable and appropriate) for periodic information system assessments for the purpose of identifying deficiencies and improvement opportunities. Data Owners associated with the selected information systems, working in conjunction with respective Data Custodians, shall commission at their own cost an assessment to be carried out by an independent assessor that can satisfy the assessment requirements endorsed by [ITPC], and shall provide to ITS a copy of the assessment report together with a proposed action plan for addressing any identified deficiencies and/or improvement suggestions.

N/A

Cloud / Off-site Storage

5.16

There are a number of information security and data privacy concerns about the use of cloud / off-site storage. They include:

(a) Loss of University control of data, leading to a loss of security or lessened security;
(b) Loss of privacy of data, potentially due to aggregation with data from other cloud consumers;
(c) University dependency on a third party for critical infrastructure and data handling processes;
(d) Potential security and technological defects in the infrastructure provided by a cloud vendor;
(e) No University control over the third parties that a cloud vendor might contract with; and
(f) Loss of the University’s own competence in managing the security of computing infrastructure.

N/A
5.17

It is important that the following items be considered prior to entering any contract to use or purchase cloud/off-site storage:

(a) Data definition and use (Ownership, classification, etc.);
(b) General data protection terms;
(c) Compliance with legal and regulatory requirements; and
(d) Service level expectation and performance metrics.

N/A
5.18

The University should consider the following contract terms to ensure a minimum level of information security and data protection:

(a) Data transmission and encryption requirements;
(b) Authentication and authorisation mechanisms;
(c) Intrusion detection and prevention mechanisms;
(d) Logging and log review requirements;
(e) Security scan and audit requirements; and
(f) Security training and awareness requirements.

5.19

When entering into a cloud-computing/storage contract, it is also important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract terms to address service level and performance metrics:

(a) Service availability time and service outages;
(b) Routine maintenance timeframes;
(c) Hardware upgrades to cloud-computing services;
(d) Software updates to cloud-computing services; and
(e) Changes to the cloud-computing services.

Guidelines for Using External Web 2.0 Services for University Purposes

Contingency Management

Information security incident management

6.1

Data Custodians/Users shall promptly report any information technology related security incidents involving the loss or unauthorised disclosure of sensitive or confidential data/information, whether held in digital or hardcopy format, to both the respective Data Owners and the Data and Security Team of ITS in accordance with the relevant incident reporting and escalation procedure, which shall be set by [ITPC].

N/A

6.2

If there is a loss or unauthorised disclosure that involves personal data, whether digital or hardcopy, the Data Owner concerned shall ensure that the University Data Protection Officer is also promptly informed in accordance with the relevant incident reporting and escalation procedure.

6.3

After an information security incident has been resolved or closed, [ITPC] shall commission the following review activities to be carried out by an appropriate party of the University and/or an independent party, as deemed necessary:

(a) Identifying the lessons learned from the information security incident; and
(b) Recommending required improvements as a result of the lessons learned.

Business Continuity / Disaster Recovery Management

6.4

Data Owners, working with respective Data Custodians, shall ensure that disaster recovery/business continuity plans and other methods of responding to an emergency or other occurrence of damage to systems containing institutional data are developed, implemented and maintained (including review and testing of such plans at an adequate frequency). These contingency plans shall be developed, implemented and maintained (including review and testing) based on relevant standards and/or guidelines endorsed by [ITPC], and shall include, but are not limited to, data backup, system/disaster recovery, and emergency mode operation procedures. These plans shall also address the testing of and revision to disaster recovery/business continuity procedures and a criticality analysis.

Guidelines on Disaster Recovery / Business Continuity Plans *

User Management

Acceptable Usage

7.1

The handling and use of all information technologies by Data Users, including personally owned ones (e.g., personal portable devices), that are:

(a) controlled or operated by the University;
(b) connected to the University’s networks;
(c) used at or for the University’s activities;
(d) brought onto the University’s facilities,

to support the University’s activities, affairs and mission, must be legal, of the highest ethical standards and in compliance with this Policy and other applicable standards of the University (including the University’s Statement of Ethics on IT use and other technical usage standards set out by ITS), and must not involve unacceptable matters, e.g., acts of a malicious or nuisance nature, invasion of privacy, violation of copyrights and licensing, harassment, bullying, hacking, unauthorised alteration of system settings, plagiarism, impersonation/identity theft, spoofing, or cheating in tests or examinations.


Human Resources Security

7.2

The University’s staff members, students, contractors and relevant third party users (e.g., visitors, authorised service providers), who may play different data or information security related roles such as Data Owners, Data Custodians/Users, must understand their responsibilities and must be suitable for the roles in which they are employed or engaged for the handling or use of University institutional data and/or information technology resources. University management, collectively through relevant organisational functions under the direction of [ITPC], shall ensure that appropriate human resources related controls are implemented to reduce information security risks to the University’s institutional data/information and/or information technology resources, covering the following stages of an employment / engagement process:

(a) Prior to employment / engagement, including but not limited to:

  • Appropriately defined and documented security roles and responsibilities;
  • (Where necessary) appropriate pre-employment screening for candidates whose roles or positions involve access to restricted or confidential information, to ensure that future employees can be trusted to manage and protect sensitive information;
  • Agreement to and signing of a confidentiality pledge.

(b) During employment / engagement, including but not limited to:

  • Information security awareness, education, training and regular updates to be appropriately received by all staff, students, contractors and relevant third party users (e.g., relevant visitors, authorised service providers);
  • Disciplinary process / sanction for all staff, students, contractors and relevant third party users (e.g., authorised service providers) who have committed a security breach.

(c) Termination or change of employment / engagement, including but not limited to:

  • Return of assets in their possession, in acceptable condition, upon termination of employment, academic and contractual relationships;
  • Removal or deactivation of access rights upon termination of employment, academic and contractual relationships;
  • Change of responsibility or employment requiring review and potential revisions of granted access permissions.

1) University’s Code of Practice in respect of the Personal Data (Privacy) Ordinance (in particular personal data retention in Part V)

2) “Code of Practice on Human Resource Management” issued by the Office of the Privacy Commissioner for Personal Data

3) Policy documents related to confidentiality and personal data: “Confidentiality of information” 

Awareness Education and Training

7.3

Data Users, as users of institutional information, shall be aware of their own individual responsibilities for complying with relevant policies on information security and data management, and shall be made so aware through awareness education and training programmes as directed by [ITPC] (to be conducted by designated parties).

7.4

Data Owners shall ensure that staff, students, contractors and third party users within their area(s) of responsibility are provided with adequate and appropriate training, including but not limited to training sessions organised by the Human Resources Section, the Office of the Data Protection Officer and ITS, to enable them to carry out their responsibilities for complying with relevant policies on information security and data management. Staff and students, as well as relevant contractors if deemed necessary, are also required to attend training that is determined to be mandatory for them.

* HKU Portal login is required.

^ Pre-release pending the endorsement of ITPC

# ITS internal documents which are classified as restricted.