Data Owners, for the purpose of assurance, shall carry out a risk assessment, based on the University’s information risk assessment methodology and reporting format, shall be carried out for any new information technology system or infrastructure component (e.g., core network router) that may be used to store, process or transmit sensitive or confidential data/information, or when there is a major modification to any existing information technology system or infrastructure component (meaning that the major modification would likely alter the existing risk nature and/or level associated with the system or infrastructure component being modified), and shall request/require the respective Data Custodian(s), and where applicable, Data User(s) to appropriately respond to any assessment findings being raised. The risk assessment shall be repeated on a periodic basis at an appropriate frequency on any existing systems or infrastructure components that may be used to store, process or transmit restricted or confidential data/information. Upon completion of each risk assessment, a copy of the risk assessment report shall be provided to the [ITPC] through the coordination of ITS.
A privacy risk assessment component shall be added to the aforementioned risk assessment when personal data is involved. The purpose of the privacy risk assessment component is to identify and mitigate privacy risk through ensuring conformance with applicable legal, regulatory and policy requirements for privacy, determining the risk and effects, and evaluating protections and alternatives processes to mitigate potential privacy risks.
For the purpose of reducing risk to the University through efforts of technology standardisation, ITS shall develop a set of recommended information technologies (e.g., certain types of operating systems, server specifications, database applications, network equipment) and recommended “baseline” standards for configuring such information technologies (e.g., security settings). ITS, being responsible for the University’s central IT infrastructure, shall also set out and make known the requirements that must be met before any information technologies or networks (either within the University or outside) are allowed to be connected to the central campus network, as well as the associated approval procedures.
Where practically possible, Data Owners, working with respective Data Custodians, shall ensure that selection of new information technology systems or infrastructure components, as well as configurations of new and existing ones, shall comply with any applicable standards published by ITS (e.g., technical security configuration standards). For any information technology systems or infrastructure components that may be used to store, process or transmit restricted or confidential data/information, Data Custodians associated with the selection and configuration shall inform the respective Data Owners of any exceptions that should be appropriately documented with proper justifications.
Data Owners, supported by respective Data Custodians, shall ensure that changes to information systems, telecommunication equipment, software and other information technology resources under their ownership (and custodianship in the case of Data Custodians) will not result in adverse impact on the confidentiality, integrity and availability of institutional data/information being processed, stored or transmitted by such information technology resources. Data Custodians concerned shall assure their respective Data Owners that all changes have been assessed, documented, authorised and in line with change control standard published by ITS, having incorporated at least the following:
(a) Change request process and roles (initiator, approver, implementer and reviewer)
(b) Planning and testing of changes;
(c) Assessment of potential impacts, including security impacts and other forms of impact where appropriate; and
(d) Fall back procedures.
Members of the University shall properly protect its Campus Network with appropriate security measures and network equipment based on applicable standards published by ITS. Sensitive information about the Campus Network (e.g., network addresses, network configurations and other related systems or network information) shall be properly maintained and only accessible to authorised parties.
ITS, as the University’s custodian of the central campus network, shall segregate such central network into separated network environments based on the usage and sensitivity of data/information and services hosted in the respective sub-networks, and shall manage and control the central network and its sub-networks accordingly to maintain the corresponding network security levels. Connections between sub-networks, as well as with other networks within or outside the University, shall not compromise or downgrade the respective intended security levels of the central campus network.
Wireless networks that are connected to the Campus Network shall be documented, monitored and controlled by ITS. Staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are prohibited from connecting unauthorised wireless network devices or setting up wireless networks with direct connection to the Campus Network. Restricted or confidential data, including any personal data, shall not be transmitted over wireless networks without proper encryption.
Centrally arranged Internet and external network gateways are managed by ITS. All other Internet or external network gateways must conform to applicable standards published by ITS, and be approved by and registered with ITS. All inbound and outbound traffic to and from the University Campus Network shall only pass through gateways managed centrally by ITS and those approved by and registered with ITS.
Data Custodians shall ensure (and assure to their respective Data Owners) that information systems and associated information technology components under their custodianship are adequately protected from internal and/or external threats through the implementation of applicable control procedures and ITS standards associated with application, service and platform security, which should include, for example, the following common components:
(a) Anti-virus and firewall systems;
(b) Application and platform configuration management and hardening;
(c) Configuration management;
(d) Hardware and software patch management;
(e) Information and system backup systems;
(f) Intrusion detection systems; and
(g) Network and application logging and monitoring systems.
Relevant Data Custodians shall ensure (and assure to their respective Data Owners) that operational procedures for proper and secure handling of information technology components involving restricted and sensitive data/information are developed, documented, maintained and complied with, as well as reviewed periodically for any necessary updates and/or ascertaining the level of compliance and effectiveness.
Data Owners and Data Custodians shall ensure that duties and areas of responsibility of staff are properly segregated to reduce the risk of unauthorised or unintentional access, modification or misuse of institutional data/information and associated information technology resources. The level of segregation shall match the confidentiality and security requirements of the data/information being processed.
Data Owners, supported by respective Data Custodians, shall ensure the effective implementation of access control over information technologies associated with institutional data/information. Related control measures and control procedures shall be commensurate with the sensitivity of the data/information concerned, and be implemented based on relevant standards and/or guidelines published by ITS, which shall cover, for example, the following:
(a) Access control that can restrict access only to privileged entities (e.g., role-based access, user-based access);
(b) Authorisation control that requires consent to be obtained for the disclosure and/or use of sensitive data/information;
(c) Password and screen lockout controls;
(d) Security event control over system activities, especially those performed by privileged accounts; and
(e) Regular review of access privileges to ensure continued appropriateness.
[ITPC], supported by ITS and with asset inventory information submitted by Data Owners, shall determine a list of information systems (together with their related infrastructure where applicable and appropriate, and including “central” and “non-central”) systems that are critical to University’s operations and financial reporting, or containing sensitive information of the University (based on information classifications), which shall be subject to periodic evaluations to ensure ongoing control effectiveness
[ITPC], supported by ITS and in consultation with respective Data Owners, shall determine and execute, using a risk-based approach and preferably on an annual basis at a minimum, an assessment plan to include a selection of information systems (together with their related infrastructure where applicable and appropriate) for periodic information system assessments for the purpose of identifying deficiencies and improvement opportunities. Data Owners associated with the selected information systems, working in conjunction with respective Data Custodians, shall commission at their own cost their own assessment to be carried out by an independent assessor that can satisfy assessment requirements endorsed by [ITPC], and shall provide to ITS a copy of the assessment’s report together with a proposed action plan for addressing any identified deficiencies and/or improvement suggestion.
(b) Loss of privacy of data, potentially due to aggregation with data from other cloud consumers;
(c) University dependency on a third party for critical infrastructure and data handling processes;
(d) Potential security and technological defects in the infrastructure provided by a cloud vendors;
(e) No University control over the third parties that a cloud vendor might contract with; and
(f) Loss of the University’s own competence in managing the security of computing infrastructure.
It is important that the following items be considered prior to entering any contract to use or purchase cloud/off-site storage:
(a) Data definition and use (Ownership, classification, etc.);
(b) General data protection terms;
(c) Compliance with legal and regulatory requirements; and
(d) Service level expectation and performance metrics.
The University should consider the following contract terms to ensure a minimum level of information security and data protection:
(a) Data transmission and encryption requirements;
(b) Authentication and authorization mechanisms;
(c) Intrusion detection and prevention mechanisms;
(d) Logging and log review requirements;
(e) Security scan and audit requirements; and
(f) Security training and awareness requirement.
When entering into a cloud-computing/storage contract, it is also important to make sure that the contract specifies service level expectations and includes and included performance metrics. The University should consider the following contract terms to address service level and performance metrics:
(a) Service availability time and service outages;
(b) Routine maintenance timeframes;
(c) Hardware upgrades to cloud-computing services;
(d) Software updates to cloud-computing services; and
(e) Changes to the cloud-computing services.
Edited by Data and Security Tean, 5 August 2020.