ISDM Self-assessment Exercise 2018

Subject: ISDM Self-assessment Exercise 2018

Dear Colleagues (ISDM Data Owners/Stewards, and Departmental Coordinators),

The University-wide Information Security and Data Management (ISDM) Policy Implementation began in early 2017.

  • Phase I: Build Foundation (Mar 2017 – Aug 2017)
  • Phase II: Bridge Gap (Sep 2017 – Aug 2018)
  • Phase III: Obtain Comfort (Sep 2018 – Aug 2019)


As we approach September 2018, we are reaching the end of the second phase of the Information Security and Data Management (“ISDM”) Policy implementation – “Bridging the Gap”. We would like to thank you for your support over the last 18 months.

The theme of the third phase is “Obtain Comfort”. To begin with, we would like to summarise what we have learnt from our training sessions:

Training Session


ISDM Basics


We should have learnt:

  • Background of ISDM Policy
  • Importance of Data Management
  • ISDM Data Governance Structure
  • ISDM Data Management Roles
  • Introduction to ISDM Data Classification Scheme


Departments should have nominated their ISDM coordinators, and Data Owners should have identified their Data Stewards/Custodians.


Data Classification and Data Asset Inventory Template

We should have learnt:

  • ISDM Data Classification Scheme in-depth
  • Key Differentiating Factors in Data Classification
  • Typical examples in classifying institutional data
  • Data Asset Inventory and its relationship to ISDM policy
  • Typical examples in filling up Data Asset Inventory template
  • Key controls in maintaining the Data Asset Inventory


Departments should be able to identify their own data assets and should have learnt how to classify their own data. In addition, they should have prepared their own Data Asset Inventory according to the template given by ITS.


Information Rights Management (IRM) Workshop

We should have learnt:

  • What is IRM and the relationship to ISDM policy
  • Overview of ISDM data classification scheme
  • Use of AIP Client to protect documents
  • Use of MS Office Plugin to protect documents
  • Use of “do not forward” in sending email
  • Features of “Track and Revoke” function
  • Scenarios in data / information protection


Participants should be able to use IRM tools to protect their sensitive data and be able to communicate with University members by using IRM.


Departmental Data Asset Storage (“DDAS”) Fundamental/Administration

We should have learnt:

  • Why we need DDAS
  • DDAS organisation structure
  • Relationship between Document Library and Data Steward
  • Using folders as classification to protect the sensitive data/information
  • Using IRM@DDAS to protect sensitive data/information from being leaked
  • Assigning access rights by managing SharePoint group membership
  • Working with your sensitive data/information in two-stage data management paradigm
  • Using owner’s key (OK) account for access rights succession


Departments should decide whether to use DDAS or not. If a department chooses not to use DDAS, it should have a plan for identifying an official storage location that complies with the ISDM policy.


Information Security (I) – Misconceptions and Commonly Overlooked Issues

We should have learnt:

  • The importance of using an encrypted channel to transmit sensitive data/information
  • What PICS is and its importance
  • The more data you store, the more liability you have
  • The importance of setting a password
  • The importance of using anti-virus software and software patching
  • How to identify phishing emails
  • HKU Campus Network Acceptable Usage Policy


Departments should send their staff to attend IS awareness training regularly.




Given its role as the second line of defence, the Data and Security Team of ITS is responsible for conducting the assessment exercise to assess our maturity level in data management. In this regard, departments are required to complete the ISDM self-assessment form in accordance with the following details.

  1. Schedule

Sep 26, 2018

  1. Departments should receive the notification of the 2018 ISDM self-assessment.
  2. Data Owners or their delegated Data Stewards should start to prepare the ISDM self-assessment.

Oct 5, 2018 to Nov 15, 2018

4 Briefing Sessions will be arranged, with the following objectives:

  1. to explain the content of the ISDM self-assessment;
  2. to recap our ISDM knowledge that can fulfil the ISDM Policy.

Nov 20, 2018

The Online Survey Form of the 2018 ISDM self-assessment will be opened for submission.

Dec 4, 2018

  1. Deadline of submission.
  2. Online access to the 2018 ISDM self-assessment will be closed.

Q1 2019

Different sessions will be arranged to conclude the self-assessment and improvement plan.


  2. Access


Between Nov 20 and Dec 4, 2018, we will open the Online Survey Form for departments to participate in the Self-Assessment. Before Nov 20, 2018, departments may access the sample questions at the following link: please click here.


Departments that have assigned multiple data stewards are required to submit one self-assessment only.


  3. Briefing Sessions of ISDM Self-Assessment

To be safe, we strongly recommend reading the sample template at an early stage to identify the information to be collected as well as any possible missing areas. Since this is the first time that we are involved in filling in the ISDM Assessment Questionnaire, we understand that you will need some revision and clarification on various areas. To facilitate this, we will conduct the following briefing sessions to take you through it.

  • Oct 5, 2018, 3.30pm to 5pm, MWT6, Meng Wah Complex (HKU EMS Registration: please click here)
  • Oct 18, 2018, 3.30pm to 5pm, KK101, K.K. Leung Building (HKU EMS Registration: please click here)
  • Nov 1, 2018, 3.30pm to 5pm, MBG07, Main Building (HKU EMS Registration: please click here)
  • Nov 15, 2018, 3.30pm to 5pm, MBG07, Main Building (HKU EMS Registration: please click here)


  4. Contact / Inquiries


Please contact ISDM support if you have further questions:

Email :

Phone : 3917 5715

Thank you for your support in ISDM Policy implementation.



Bunny Wong

Data and Security Team

Information Technology Services