www.hkedcity.net
私隱及資訊保安 - 政策和框架
25 September 2019
Policies and Framework for Privacy
and Information Security in School
Information Security Management System
Based on ISO 27001 (US : NIST)
Describe “organised approach”
– whole school
Based on Risk Management
Address Confidentiality, Integrity and Availability
Anchor on :
People, Process, IT System
https://www.anitechconsulting.com.au/what-is-isms-and-how-will-it-impact-your-business/
ISMS Key Issues
Risk Management
Information Security Policy Roles and Responsibilities
Controls, Technical Implementation Guidelines, Procedures
3
Information Security Management Cycle
Source :
https://www.infosec.gov.hk/english/business/security_smc.html 4
• Security Policy
• Roles and Responsibilities
• Security Controls
Risk Assessment – School Example
Confidentiality Integrity Availability
Student Data Accounting Network / WiFi
Teacher / HR Data Payroll School email system Exam papers Exam Grades /
Assessment Data
Admin / Learning
Systems
Risk Registry
Vulnerabilities Impact Likelihood Risk Level
Student Data High High High
Payroll Data Medium Medium Medium
Exam papers High Medium High
Attendance Record
Low Low Low
Risk Mitigation Analysis - States
Description Storage Processing and I/O
Transmission
Student Data eClass server, WebSAMS, Cloud Storage Backup,
USB,
Paper Document
Excel, Server,
Paper Form Filling
School network, public network, Email,
File sharing, Paper mails
Payroll Payroll System, School Server, Paper forms
Payroll System, Excel,
Calculator
LAN only,
Letter distribution
Exam papers Teacher Personal Storage
School Server
MS Office
Other editing tools Grading Tools
LAN only,
Paper distribution
Related Legislations
Theft and damage of property (digital assets) Personal data protection
Copyright / IP rights
Software Asset Management
Digital marketing and unsolicited electronic messages Electronic Transactions Ordinance
Safety in the use of Display Screen Equipment
Policies, Standards, Guidelines, Procedures
Policies
Principles, intentions, directional
Clearly defines AUTHORITIES, ROLES and RESPONSIBILITIES Standards
Compliance – data centre, encryption Guidelines
More detail description to guide operation Procedures
Detailed step-by-step instructions that should be followed
Roles and Responsibilities
Information Security in Schools - Recommended Practice ( Sept 2019) Chapter 2 Security Management
2.4.3 Set up and Implement Management and Administrative Processes
(a)(i)Assign roles and responsibilities School Management
IT Head
IT Committee Members Technical Support Staff
Details:
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-
secondary/it-in-edu/Information-Security/information-security-in-school.html
Responsibilities
Incorporated ManagementCommittee (IMC)
• Approve policies
• Delegate authority to Principals
• Risk Management
• Crisis Management
IT Committee under IMC • Delegated with the above duties by the Council
School Supervisor • Execution and Monitoring of the above School Principal • Implement IS policy
• Resource (budget, manpower) provision
• Overall responsibilities covering IT and non-IT
IT Head (Information Security Officer)
• Overall responsibility of IT related issues
• Implement the IT infrastructure and procedures accordingly
• Formulate IT guidelines and procedures
IT technical staff • Carry out duties according to guidelines and procedures
Teachers with IT related duties (sensitive data, privileged accounts)
• Understanding the guidelines and procedures related to their special duties
Teacher Users • Follow the guidelines and procedures
• Comply with legal requirements
• Comply with teacher code of conducts
Student Users • Understand AUP
• Comply with school requirements for students (conduct, discipline)
• Comply with legal requirements
11
IMC and Principal
➢Conduct Risk Assessment
➢Develop IS Policies
➢Assign Roles and Responsibilities
➢Monitoring and Review
FOR IT HEAD - Infrastructure and Systems Related
Network Security – private network, remote access
Server security – patch and upgrades, rights management
Classifying sensitive data (personal data, mailbox, exam papers etc.) Managing file storage, backup and cloud services, IT Assets (keys) Security in IT Procurement and Service Contracts, third party services
Managing Technical Support Staff – security training, procedures, monitoring Reviewing system statistics and logs
Managing privileged / admin accounts Managing staff / student accounts
Use school provided accounts instead of personal accounts (cloud account)
✓
Use school provided email instead of personal emails ✓ Automatic removal of rights after staff / student leaving ✓
Not using real name with third party systems ✓
Personal Data Handling
Collection – PICS / Consent Form
Minimum data – no unnecessary HKID, address, phone in student list, email, reports etc.
Encryption – in storage, processing and transmission Especially : USB, email, Excel
Hash Key – Integrity of data
Transfer to third parties (e.g. publishers)
Third Party Data Transfer Checklist
Agreement with third parties on purpose and usage of personal data ✓
Clear authority on who can transfer data ✓
Encryption in storage and transmission ✓
Hash Key to protect integrity and reduce liability ✓ Contractual rights to request removing data upon request ✓
Clear record of who transferred the data ✓
Choose what data fields to be transferred ✓
Clear record what data has been transferred ✓
Secure transfer system (not email, WhatsApp etc). ✓
Transfer of Student Data
Publisher A
School X
Secure??
Publisher B
Publisher C
School
Y
EdData
Publisher A
School X
Publisher B
Publisher C
School Y
EdData
Student Data
Secure transfer
Request
HKEdCity
EdData
EdData
Technical Framework to Strengthen Privacy & Security
More info: https://www.hkedcity.net/eddata/