(1)

www.hkedcity.net

Privacy and Information Security - Policies and Framework

25 September 2019

Policies and Framework for Privacy

and Information Security in School

(2)

Information Security Management System

Based on ISO 27001 (US counterpart: NIST)

Describes an "organised approach" – whole school

Based on Risk Management

Addresses Confidentiality, Integrity and Availability

Anchored on: People, Process, IT System

https://www.anitechconsulting.com.au/what-is-isms-and-how-will-it-impact-your-business/

(3)

ISMS Key Issues

• Risk Management

• Information Security Policy

• Roles and Responsibilities

• Controls, Technical Implementation Guidelines, Procedures

(4)

Information Security Management Cycle

Source: https://www.infosec.gov.hk/english/business/security_smc.html

• Security Policy

• Roles and Responsibilities

• Security Controls

(5)

Risk Assessment – School Example

Assets grouped by the security property that matters most for each of them:

Confidentiality          Integrity                        Availability
Student Data             Accounting                       Network / WiFi
Teacher / HR Data        Payroll                          School email system
Exam papers              Exam Grades / Assessment Data    Admin / Learning Systems

(6)

Risk Registry

Asset / Vulnerability    Impact    Likelihood    Risk Level
Student Data             High      High          High
Payroll Data             Medium    Medium        Medium
Exam papers              High      Medium        High
Attendance Record        Low       Low           Low

(7)

Risk Mitigation Analysis - States

Where each asset lives in each of its three states (storage, processing and I/O, transmission):

Student Data
  Storage: eClass server, WebSAMS, Cloud Storage Backup, USB, Paper Document
  Processing and I/O: Excel, Server, Paper Form Filling
  Transmission: School network, public network, Email, File sharing, Paper mails

Payroll
  Storage: Payroll System, School Server, Paper forms
  Processing and I/O: Payroll System, Excel, Calculator
  Transmission: LAN only, Letter distribution

Exam papers
  Storage: Teacher Personal Storage, School Server
  Processing and I/O: MS Office, Other editing tools, Grading Tools
  Transmission: LAN only, Paper distribution

(8)

Related Legislation

• Theft and damage of property (digital assets)

• Personal data protection

• Copyright / IP rights

• Software Asset Management

• Digital marketing and unsolicited electronic messages

• Electronic Transactions Ordinance

• Safety in the use of Display Screen Equipment

(9)

Policies, Standards, Guidelines, Procedures

Policies – Principles, intentions, direction; clearly define AUTHORITIES, ROLES and RESPONSIBILITIES

Standards – Compliance requirements, e.g. for data centres and encryption

Guidelines – More detailed descriptions to guide operation

Procedures – Detailed step-by-step instructions that should be followed

(10)

Roles and Responsibilities

Information Security in Schools - Recommended Practice (Sept 2019), Chapter 2 Security Management

2.4.3 Set up and Implement Management and Administrative Processes

(a)(i) Assign roles and responsibilities:

• School Management

• IT Head

• IT Committee Members

• Technical Support Staff

Details: https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html

(11)

Responsibilities

Incorporated Management Committee (IMC)

• Approve policies

• Delegate authority to Principals

• Risk Management

• Crisis Management

IT Committee under IMC

• Delegated with the above duties by the Council

School Supervisor

• Execution and monitoring of the above

School Principal

• Implement the IS policy

• Resource (budget, manpower) provision

• Overall responsibility covering IT and non-IT

IT Head (Information Security Officer)

• Overall responsibility for IT related issues

• Implement the IT infrastructure and procedures accordingly

• Formulate IT guidelines and procedures

IT technical staff

• Carry out duties according to guidelines and procedures

Teachers with IT related duties (sensitive data, privileged accounts)

• Understand the guidelines and procedures related to their special duties

Teacher Users

• Follow the guidelines and procedures

• Comply with legal requirements

• Comply with the teacher code of conduct

Student Users

• Understand the AUP (Acceptable Use Policy)

• Comply with school requirements for students (conduct, discipline)

• Comply with legal requirements

(12)

IMC and Principal

➢Conduct Risk Assessment

➢Develop IS Policies

➢Assign Roles and Responsibilities

➢Monitoring and Review

(13)

FOR IT HEAD - Infrastructure and Systems Related

• Network security – private network, remote access

• Server security – patches and upgrades, rights management

• Classifying sensitive data (personal data, mailboxes, exam papers etc.)

• Managing file storage, backup and cloud services, IT assets (keys)

• Security in IT procurement and service contracts, third party services

• Managing technical support staff – security training, procedures, monitoring

• Reviewing system statistics and logs

• Managing privileged / admin accounts

• Managing staff / student accounts

Use school provided accounts instead of personal accounts (cloud accounts) ✓

Use school provided email instead of personal email ✓

Automatic removal of rights after staff / students leave ✓

Do not use real names with third party systems ✓
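Of the account-management items above, automatic removal of rights after a leaver is the one that can be made routine: reconcile the roster (HR and student admin) against the account directory and disable what no longer has an owner. The block below is an added example, not code from HKEdCity or the EDB guide. It assumes both systems can be exported as the simple records shown; the user names, roles, leave dates, the service-account list and the 30-day student handover period are all constructed for illustration.

```python
"""Added example: plan account deprovisioning by reconciling the school
roster against the account directory. All records below are constructed."""
from datetime import date, timedelta

# Constructed roster export (HR / student admin); leave_date None = still here.
ROSTER = {
    "tchan":  {"role": "teacher", "leave_date": None},
    "mwong":  {"role": "teacher", "leave_date": "2019-08-31"},
    "s19001": {"role": "student", "leave_date": "2019-07-15"},
    "s19002": {"role": "student", "leave_date": None},
}

# Constructed directory export (what AD / Google Workspace would list).
ACCOUNTS = [
    {"user": "tchan",      "enabled": True, "privileged": False},
    {"user": "mwong",      "enabled": True, "privileged": True},   # left, still admin
    {"user": "s19001",     "enabled": True, "privileged": False},  # left in July
    {"user": "s19002",     "enabled": True, "privileged": False},
    {"user": "oldadmin",   "enabled": True, "privileged": True},   # nobody on roster
    {"user": "svc-backup", "enabled": True, "privileged": True},   # known service account
]

# Accounts that have no roster owner by design and are reviewed separately.
SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed policy: students keep a short handover window after leaving;
# staff, and any privileged account, lose access on the leave date itself.
STUDENT_GRACE = timedelta(days=30)


def plan_deprovisioning(roster, accounts, today, service_accounts=SERVICE_ACCOUNTS):
    """Return {user: action} for accounts that need attention on `today`.

    Actions: "disable" (leaver past policy, or unowned privileged account),
    "review" (unowned, unprivileged account: find the owner or disable).
    `today` may be a date or an ISO string such as "2019-09-25".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    actions = {}
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"] or user in service_accounts:
            continue
        entry = roster.get(user)
        if entry is None:
            # Orphan account: a privileged one is disabled outright, the rest
            # are queued so someone confirms who owns them.
            actions[user] = "disable" if acct["privileged"] else "review"
            continue
        left = entry["leave_date"]
        if left is None:
            continue
        left = date.fromisoformat(left)
        if left > today:
            continue  # leaving in the future; nothing to do yet
        if (entry["role"] == "student" and not acct["privileged"]
                and today - left < STUDENT_GRACE):
            continue  # inside the student handover window
        actions[user] = "disable"
    return actions


if __name__ == "__main__":
    for user, action in sorted(plan_deprovisioning(ROSTER, ACCOUNTS, "2019-09-25").items()):
        print(f"{action:8} {user}")
```

Running this on the constructed data with today set to 2019-09-25 disables mwong (a teacher who left in August and is still an admin), s19001 (a student past the handover window) and oldadmin (a privileged account nobody on the roster owns), and leaves tchan, s19002 and the declared service account alone. The real job is then to feed the plan to the directory's disable command and to log what was done, which is the "clear record" the later slides ask for.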

(14)

Personal Data Handling

• Collection – PICS (Personal Information Collection Statement) / Consent Form

• Minimum data – no unnecessary HKID numbers, addresses or phone numbers in student lists, emails, reports etc.

• Encryption – in storage, processing and transmission; especially USB, email, Excel

• Hash key – integrity of data

• Transfer to third parties (e.g. publishers)

(15)

Third Party Data Transfer Checklist

Agreement with third parties on purpose and usage of personal data ✓

Clear authority on who can transfer data ✓

Encryption in storage and transmission ✓

Hash key to protect integrity and reduce liability ✓

Contractual right to request removal of data on request ✓

Clear record of who transferred the data ✓

Choose which data fields are to be transferred ✓

Clear record of what data has been transferred ✓

Secure transfer system (not email, WhatsApp etc.) ✓
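Several items on this checklist, and on the Personal Data Handling slide before it, are mechanical once the agreement exists: export only the agreed fields, keep real names and HKIDs out of the file, record a hash of the exact bytes handed over, and write down who sent what to whom. The block below is an added worked example, not code from HKEdCity or the deck; the roster records, the pseudonymisation key and the "Publisher A" recipient are constructed. It stops at producing the export bytes, their SHA-256 and the transfer record: encrypting the file in storage and in transit is done with the school's approved tool, since the Python standard library has no authenticated cipher.

```python
"""Added example: minimised, pseudonymised student-data export for a
publisher, with an integrity hash and a transfer record. All records and the
key below are constructed."""
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed sample roster; a real school would read this from WebSAMS/eClass.
ROSTER = [
    {"student_id": "S2019001", "name": "Chan Tai Man", "hkid": "A123456(7)",
     "class": "3A", "class_no": "1", "phone": "91234567"},
    {"student_id": "S2019002", "name": "Wong Siu Ling", "hkid": "B765432(1)",
     "class": "3A", "class_no": "2", "phone": "98765432"},
]

# Fields that never leave the school for a publisher (data minimisation).
NEVER_EXPORT = {"name", "hkid", "phone", "address"}

# Constructed pseudonymisation key; the real one lives in the school's key store.
PSEUDONYM_KEY = b"constructed-demo-key-replace-me"


def export_allowed(fields):
    """True if none of the requested fields is on the never-export list."""
    return not (NEVER_EXPORT & set(fields))


def minimise(records, fields):
    """Keep only the fields agreed with the recipient; refuse restricted ones."""
    if not export_allowed(fields):
        raise ValueError(f"fields not permitted for export: {sorted(NEVER_EXPORT & set(fields))}")
    return [{f: r[f] for f in fields} for r in records]


def pseudonym(student_id, recipient, key=PSEUDONYM_KEY):
    """Keyed hash of (recipient, student_id): the publisher never sees the real
    ID, and two publishers cannot link their copies to each other."""
    msg = f"{recipient}:{student_id}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_export(records, fields, recipient, key=PSEUDONYM_KEY):
    """Return (csv_bytes, sha256_hex) for the minimised, pseudonymised export."""
    rows = minimise(records, fields)
    for row in rows:
        if "student_id" in row:
            row["student_id"] = pseudonym(row["student_id"], recipient, key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    data = buf.getvalue().encode("utf-8")
    return data, hashlib.sha256(data).hexdigest()


def verify_export(data, expected_sha256):
    """Recipient- or audit-side check that the bytes match the recorded hash."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def transfer_record(recipient, fields, data, digest, transferred_by, purpose):
    """The checklist's 'clear record' entries, as one JSON line for the log."""
    return json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recipient": recipient,
        "purpose": purpose,
        "transferred_by": transferred_by,
        "fields": list(fields),
        "rows": data.count(b"\n") - 1,   # header line excluded
        "sha256": digest,
    }, sort_keys=True)


if __name__ == "__main__":
    agreed = ["student_id", "class", "class_no"]
    data, digest = build_export(ROSTER, agreed, "Publisher A")
    print(data.decode("utf-8"))
    print(transfer_record("Publisher A", agreed, data, digest,
                          "IT Head", "e-textbook platform accounts"))
```

The hash in the transfer record is what the "hash key" item buys you: if the publisher later produces a file with extra columns or altered rows, the school can show that it is not what was sent. The keyed pseudonym covers the "do not use real names with third party systems" item from the IT Head slide, and because the recipient name is part of the HMAC input, Publisher A and Publisher B receive different tokens for the same student.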

(16)

Transfer of Student Data

[Figure: School X and School Y each send student data directly to Publisher A, Publisher B and Publisher C; every school-to-publisher link is labelled "Secure??"]

(17)

EdData

[Figure: School X, School Y and Publishers A, B and C no longer connect to each other directly; publishers send a request to EdData (HKEdCity), and student data goes to them through EdData's secure transfer]

(18)

EdData

(19)

EdData

(20)

Technical Framework to Strengthen Privacy & Security

More info: https://www.hkedcity.net/eddata/

(21)

-END-

Thank you
