www.hkedcity.net
Privacy and Information Security ‐ Policies and Framework
9 Dec 2019
Policies and Framework for Privacy and Information Security in School
Information Security Management System
Based on ISO 27001 (US : NIST)
Describe “organised approach” – whole school
Based on Risk Management
Address Confidentiality, Integrity and Availability
Anchor on: People, Process, IT System
https://www.anitechconsulting.com.au/what-is-isms-and-how-will-it-impact-your-business/
ISMS Key Issues
Risk Management
Information Security Policy
Roles and Responsibilities
Controls, Technical Implementation
Guidelines, Procedures
Information Security Management Cycle
Source: https://www.infosec.gov.hk/english/business/security_smc.html
• Security Policy
• Roles and Responsibilities
• Security Controls
Risk Assessment – School Example
Confidentiality      Integrity                       Availability
Student Data         Accounting                      Network / WiFi
Teacher / HR Data    Payroll                         School email system
Exam papers          Exam Grades / Assessment Data   Admin / Learning Systems
Risk Registry
Vulnerabilities      Impact    Likelihood    Risk Level
Student Data         High      High          High
Payroll Data         Medium    Medium        Medium
Exam papers          High      Medium        High
Attendance Record    Low       Low           Low
Risk Mitigation Analysis ‐ States
Student Data
  Storage: eClass server, WebSAMS, Cloud Storage Backup, USB, Paper Document
  Processing and I/O: Excel, Server, Paper Form Filling
  Transmission: School network, public network, Email, File sharing, Paper mails
Payroll
  Storage: Payroll System, School Server, Paper forms
  Processing and I/O: Payroll System, Excel, Calculator
  Transmission: LAN only, Letter distribution
Exam papers
  Storage: Teacher Personal Storage, School Server
  Processing and I/O: MS Office, Other editing tools, Grading Tools
  Transmission: LAN only, Paper distribution
Related Legislations
Theft and damage of property (digital assets)
Personal data protection
Copyright / IP rights
Software Asset Management
Digital marketing and unsolicited electronic messages
Electronic Transactions Ordinance
Safety in the use of Display Screen Equipment
Policies, Standards, Guidelines, Procedures
Policies
  Principles, intentions, directional
  Clearly defines AUTHORITIES, ROLES and RESPONSIBILITIES
Standards
  Compliance – data centre, encryption
Guidelines
  More detailed description to guide operation
Procedures
  Detailed step‐by‐step instructions that should be followed
Roles and Responsibilities
Information Security in Schools ‐ Recommended Practice (Sept 2019)
Chapter 2 Security Management
2.4.3 Set up and Implement Management and Administrative Processes
(a)(i) Assign roles and responsibilities
• School Management
• IT Head
• IT Committee Members
• Technical Support Staff
Details: https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
Responsibilities
Incorporated Management Committee (IMC)
• Approve policies
• Delegate authority to Principals
• Risk Management
• Crisis Management
IT Committee under IMC
• Delegated with the above duties by the Council
School Supervisor
• Execution and Monitoring of the above
School Principal
• Implement IS policy
• Resource (budget, manpower) provision
• Overall responsibilities covering IT and non-IT
IT Head (Information Security Officer)
• Overall responsibility of IT related issues
• Implement the IT infrastructure and procedures accordingly
• Formulate IT guidelines and procedures
IT technical staff
• Carry out duties according to guidelines and procedures
Teachers with IT related duties (sensitive data, privileged accounts)
• Understanding the guidelines and procedures related to their special duties
Teacher Users
• Follow the guidelines and procedures
• Comply with legal requirements
• Comply with teacher code of conduct
Student Users
• Understand AUP
• Comply with school requirements for students (conduct, discipline)
• Comply with legal requirements
IMC and Principal
Conduct Risk Assessment
Develop IS Policies
Assign Roles and Responsibilities
Monitoring and Review
FOR IT HEAD ‐ Infrastructure and Systems Related
Network Security – private network, remote access
Server security – patch and upgrades, rights management
Classifying sensitive data (personal data, mailbox, exam papers etc.)
Managing file storage, backup and cloud services, IT Assets (keys)
Security in IT Procurement and Service Contracts, third party services
Managing Technical Support Staff – security training, procedures, monitoring
Reviewing system statistics and logs
Managing privileged / admin accounts
Managing staff / student accounts
Use school provided accounts instead of personal accounts (cloud account)
Use school provided email instead of personal emails
Automatic removal of rights after staff / student leaving
Not using real name with third party systems
Personal Data Handling
Collection – PICS / Consent Form
Minimum data – no unnecessary HKID, address, phone in student list, email, reports etc.
Encryption – in storage, processing and transmission
Especially: USB, email, Excel
Hash Key – Integrity of data
Transfer to third parties (e.g. publishers)
Third Party Data Transfer Checklist
Agreement with third parties on purpose and usage of personal data
Clear authority on who can transfer data
Encryption in storage and transmission
Hash Key to protect integrity and reduce liability
Contractual rights to request removing data upon request
Clear record of who transferred the data
Choose what data fields to be transferred
Clear record what data has been transferred
Secure transfer system (not email, WhatsApp etc.).
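
Added example (not part of the original slides): a sketch of three checklist items and the "Minimum data" / "Hash Key" points under Personal Data Handling, namely choosing the fields to transfer, hashing the resulting file, and recording who transferred what. It assumes "Hash Key" means a SHA-256 digest of the exported file; the field names, sample rows, sender and recipient are constructed, and encryption of the file is not shown.

```python
import csv
import hashlib
import hmac
import io
from datetime import datetime, timezone

# Constructed sample export; every name and value is made up for this example.
SAMPLE_EXPORT = (
    "student_id,class,name,hkid,address,phone\n"
    "S001,1A,Student One,X000000(0),1 Example Road,00000000\n"
    "S002,1A,Student Two,X000001(0),2 Example Road,00000001\n"
)
# Assumption: the agreement with the third party covers only these fields.
AGREED_FIELDS = ["student_id", "class"]

def minimise(export_text, fields):
    """Return (csv_bytes, row_count) holding only the agreed fields."""
    reader = csv.DictReader(io.StringIO(export_text))
    missing = [f for f in fields if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks agreed fields: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    rows = 0
    for row in reader:
        writer.writerow(row)  # HKID, address, phone etc. are dropped here
        rows += 1
    return out.getvalue().encode("utf-8"), rows

def transfer_record(payload, fields, rows, sender, recipient, purpose):
    """Build the school's record of who sent what, to whom and why."""
    return {
        "sha256": hashlib.sha256(payload).hexdigest(),
        "fields": list(fields), "rows": rows,
        "sender": sender, "recipient": recipient, "purpose": purpose,
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify(payload, record):
    """Recipient (or a later audit) checks the file against the recorded hash."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, record["sha256"])

if __name__ == "__main__":
    data, n = minimise(SAMPLE_EXPORT, AGREED_FIELDS)
    rec = transfer_record(data, AGREED_FIELDS, n, "it.head", "Publisher A", "e-textbook accounts")
    print(rec, verify(data, rec))
```

The record is kept by the school and the digest is sent to the recipient over a separate channel from the file, so either side can later show exactly which file was transferred.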
Transfer of Student Data
[Figure: two diagrams. First: School X and School Y linked to Publishers A, B and C, labelled “Secure??”. Second: School X, School Y and Publishers A, B and C linked through HKEdCity EdData, with the labels “Student Data”, “Secure transfer” and “Request”.]
EdData: Technical Framework to Strengthen Privacy & Security
More info: https://www.hkedcity.net/eddata/