User Management

Acceptable Usage

7.1

The handling and use of all information technologies by Data Users, including those of personal belongings (e.g., personal portable devices), that are:

(a) controlled or operated by the University;
(b) connected to the University’s networks;
(c) used at or for the University’s activities;
(d) brought onto the University’s facilities,

to support the University’s activities, affairs and mission, must be legal, of the highest ethical standards and in compliance with this Policy and other applicable standards of the University (including the University’s Statement of Ethics on IT use and other technical usage standards), and shall not be involved with unacceptable matters, e.g., acts of a malicious or nuisance nature, invasion of privacy, violation of copyrights and licensing, harassment, bullying, hacking, unauthorised alteration of system settings, plagiarism, impersonation/identity theft, spoofing, or cheating in tests or examinations.

Human Resources Security

7.2

The University’s staff members, students, contractors and relevant third party users (e.g., visitors, authorised service providers) (who may play different data or information security related roles such as Data Owners, Data Custodians/Users) must understand their responsibilities and must be suitable for the roles in which they are employed or engaged in the handling or use of University institutional data and/or information technology resources. University management, collectively through relevant organisational functions under the direction of [ITPC], shall ensure that appropriate human resources related controls are implemented to reduce information security risks to the University’s institutional data/information and/or information technology resources, which shall cover the following stages of an employment / engagement process:

(a) Prior to employment / engagement, including but not limited to:

  • Appropriately defined and documented security roles and responsibilities;
  • (Where necessary) appropriate pre-employment screening for candidates whose roles or positions involve access to restricted or confidential information, to ensure that future employees can be trusted to manage and protect sensitive information;
  • Agreement to and signing of a confidentiality pledge.

(b) During employment / engagement, including but not limited to:

  • Information security awareness, education, training and regular updates to be appropriately received by all staff, students, contractors and relevant third party users (e.g., relevant visitors, authorised service providers);
  • Disciplinary process / sanction for all staff, students, contractors and relevant third party users (e.g., authorised service providers) who have committed a security breach.

(c) Termination or change of employment / engagement, including but not limited to:

  • Return of assets in possession in acceptable consideration upon termination of employment, academic and contractual relationships;
  • Removal or deactivation of access rights upon termination of employment, academic and contractual relationships;
  • Change of responsibility or employment requiring review and potential revisions of granted access permissions.

Awareness Education and Training

7.3

Data Users, as users of institutional information, shall be aware of their own individual responsibilities for complying with relevant policies on information security and data management, and shall be made so aware through awareness education and training programmes as directed by [ITPC] through ISDM Sub-com (to be conducted by designated parties).

7.4

Data Owners shall ensure that staff, students, contractors and third party users within their responsible area(s) are provided with adequate and appropriate training, including but not limited to training sessions organised by the Human Resources Section, Office of Data Protection Officer and ITS, to enable them to carry out their responsibilities for complying with relevant policies on information security and data management. The staff and students, as well as relevant contractors if deemed necessary, are also required to attend training that is determined to be mandatory for them.