Information Security in Schools–
Recommended Practice (January 2019)
IT in Education Section Education Bureau
15 January 2019
Information Security in Schools – Recommended Practice
• Since 2002, the EDB has been providing recommended practice on IT security to assist schools in formulating IT security policies and promoting related good practices.
• The EDB updates the document from time to time.
Information Security in Schools –
Recommended Practice (January 2019)
https://www.edb.gov.hk/en/edu-system/primary- secondary/applicable-to-primary-secondary/it-in-
edu/Information-Security/information-security-in-school.html
2016 Version
PART 1 ABOUT THIS DOCUMENT PART 2 SECURITY MANAGEMENT
PART 3 SECURITY INCIDENT HANDLING PART 4 PHYSICAL SECURITY
PART 5 ACCESS CONTROL PART 6 DATA SECURITY
PART 7 APPLICATION SECURITY
PART 8 NETWORK AND COMMUNICATION SECURITY PART 9 WEB APPLICATION SECURITY
PART 10 SECURITY ISSUES OF MOBILE APPLICATIONS PART 11 COMPUTER VIRUS PROTECTION
PART 12 SECURITY REVIEW PART 13 CLOUD SERVICE
PART 14 WI-FI SECURITY QUICK REFERENCE
PART 15 ADDITIONAL RESOURCES ON IT SECURITY
2019 Version
CHAPTER 1 ABOUT THIS DOCUMENT CHAPTER 2 SECURITY MANAGEMENT
CHAPTER 3 SECURITY INCIDENT HANDLING CHAPTER 4 PHYSICAL SECURITY
CHAPTER 5 ACCESS CONTROL CHAPTER 6 DATA SECURITY
CHAPTER 7 APPLICATION SECURITY
CHAPTER 8 NETWORK AND COMMUNICATION SECURITY CHAPTER 9 WEBSITE & WEB APPLICATION SECURITY
CHAPTER 10 MOBILE DEVICE AND MOBILE APPLICATION PROTECTION CHAPTER 11 MALWARE PROTECTION
CHAPTER 12 SECURITY REVIEW CHAPTER 13 CLOUD SERVICE
CHAPTER 14 ADDITIONAL RESOURCES ON IT SECURITY
Major Updates
2016 Version
• General Network Protection
• Building a Secure Network
• Communication with External Network
• Remote Access
• Virtual Private Network
• Wireless Network Protection
• Management Control
• Technical Control
• End-user Control
• Protection against Email Spam and Malicious code
• System Prospective
• End-user Prospective
• Prevent Malicious Code (Merge to Chapter 11)
2019 Version
• Network Security Management (Revised)
• Recommendations for schools on building a secure network
• Remote Access
• Virtual Private Network
• Wireless Network Build Up Security Concerns (New)
• Security Risks
• Recommendations for schools on wireless network deployment
• Network Mode (Separate / Integrate)
• Security Controls to Protect WLAN (Revised)
• Management Control
• Technical Control
• End-user Control
• Mail Gateway Security and Email Handling
• Mail Server Protection (Revised)
• Tips for protecting schools from email bombing, spamming and spoofing (New)
• Reduce the amount of incoming spam (Revised)
• Protection against Email Scam (New)
Major Updates – Chapter 8
Network and Communication Security
Major Updates – Chapter 8
Network and Communication Security
• Security concerns on the communication with the external network and access privilege.
• Protection against the system and end-user strengthened.
• Email Bombing, Spamming & Spoofing and Email Scam.
• Security concerns on the network modes (Separate / Integrate) adopted by schools.
Separate or Integrate?
• It is recommended to build the WiFi network completely separated from schools’ existing network with separate broadband line to reduce security risk
• Due to the nature of wireless technology, wireless networks are relatively hard to contain within a building and it is generally considered to be an un-trusted network.
• As a best practice, wireless networks and wired networks should not be directly connected to each other.
IT Security Measures to address
the Security Concerns on Integrating the Networks
• For schools adopting the integration mode of WiFi networks, schools’ IT personnel needs to assess, understand and eliminate the security issues and risks to school existing network when the WiFi network is integrated or connected to schools’ existing network.
• Schools adopting the integration mode of WiFi networks are recommended to apply the “Defence-in-Depth” approach.
• Possible measures that can be employed to build multiple layers of defense:
Separation of wireless and wired network segments
Use of strong device and user authentication methods
Application of network filtering based on addresses and protocols
Deployment of intrusion detection systems on the wireless and wired networks
2016 Version
WEB APPLICATION SECURITY
• Adopt Web Application Security Architecture
• Architecture
• Web Server Security
2019 Version
WEBSITE & WEB APPLICATION SECURITY
• Website & Web Application Security Architecture
• Web Server Security (Revised)
• Web Server Monitoring and Incident Handling (New)
• Web Application Security (New)
• Keep Your School’s Website Safe (New)
• Secure Website with HTTPS Protocol (New)
• Anti-DDoS Protection (New)
Major Updates – Chapter 9
Website & Web Application Security
Major Updates – Chapter 9
Website & Web Application Security
• Important of web server security such as account management, web server application management, ports management, patch management, security monitoring, backup.
• Web application security and data protection.
• HTTPS issue.
• How to prevent DDoS / Botnet attack.
• For better security incidents handling, schools are recommended to:
• Follow the security incident handling procedure to handle the security incident until it is mitigated; and
• Report the case to Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and Hong Kong Police Force (HKPF).
2016 Version
SECURITY ISSUES OF MOBILE APPLICTIONS
• Protecting Mobile Devices
• Configuration Mobile Device
• Precautions of Using Mobile Applications
2019 Version
MOBILE DEVICE AND MOBILE APPLICATION PROTECTION (New)
• Security Concerns of Mobile Devices
• Information Security Policy for Mobile Devices
• Data Communication and Storage for Mobile Devices
• User and Device Authentication for Mobile Devices
• Security Control for Mobile Device Application
• Mobile Device Management (MDM) Solution
Major Updates – Chapter 10
Mobile Device and Mobile Application Protection
Major Updates – Chapter 10
Mobile Device and Mobile Application Protection
• Schools should establish a mobile device security policy to specify the operation and security requirements for mobile devices access.
• A formal usage policy and procedures should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
• Schools are recommended to install security control tools such as MDM, anti-malware software.
2016 Version
COMPUTER VIRUS PROTECTION
• Anti-Virus Software
• Legal and Authorised Use of Software and Hardware
• Prevention from Doubtful File Resources
2019 Version
MALWARE PROTECTION (New)
• Protection against Malware by Schools
• Protection against Malware by Users
• Malware Incident Handling and Recovery
• Protection against Ransomware
• Ransomware Incident Handling and Recovery
Major Updates – Chapter 11
Malware Protection
Major Updates – Chapter 11 Malware Protection
• Malware can cause different level of security risks to computer assets, such as disrupt computer operations, gather sensitive information, etc.
• Schools are advised to adopt the precaution measures against ransomware.
• Ransomware Incident Handling:
a) Disconnect the network cable of the computer to avoid affecting network drives and other computers.
b) Power off the computer to stop the ransomware encrypting more files.
c) Jot down what have been accessed (such as programs, files, emails and websites) before discovering the issue.
d) Report to the HKCERT and HKPF the criminal offence if necessary.
e) Recover the data from backup to a clean computing device.
2016 Version
CLOUD SERVICE
• Cloud computing security considerations
2019 Version
CLOUD SERVICE (New)
• Cloud Security Overview
• Cloud Service Security Consideration
• Checklist on selecting cloud service provider
• On using cloud services
Major Updates – Chapter 13
Cloud Service
Updates – Chapter 13 Cloud Service
• A checklist on selecting cloud service provider was provided to schools for reference.
• Using encryption to protect stored data.
• Think twice when you want to store sensitive data in the cloud and assess the impact if the data concerned is exposed.
• Perform a regular backup of the data stored in the cloud service and maintain a local backup copy of important data so that this data can still be available when the service provider is out of service.
Security Tips
• TSS or IT Head should harden the firewall regularly including update firmware, review policy and check event log.
• Cyber attack are become more advance and unpredictable. Schools are recommended to deploy security device with the latest technology to secure the school’s network.
• Many schools were infected ransomware by opening attachments in suspicious email. Schools are recommended to purchase the latest anti- malware software with signature to filter the malicious attachment.
• There were security vulnerability in WPA2, schools are recommended to deploy network device with WPA3 when upgrading the Wi-Fi network.
• Apply latest approved security patches to any software (especially the operating system) and avoid using the end of supported components.
Related Promotion and Support by EDB
• Information Security in Schools webpage
• Email Message on IT Security Alert
• Information Security in Schools – Recommended Practice
• Co-organise with professional bodies to provide IT security related seminars
• Promote IT security related events / activities through school circular memorandum
• Grants
Overview of Various ITE Grants
Composite IT Grant (CITG)
$202,679 – 697,086 dependent on school type and size
Operational needs for e-learning, such as -
• IT-related consumables
• Digital resource materials
• Technical Support Staff (TSS)
• Maintenance of IT facilities, etc.
Funding for ITE4
$70,000 on average
• WiFi services fee
• Maintenance/
replacement of mobile devices
ITSSG
Flat rate of $307,200 Recruitment of TSS through contract or services procurement
Recurrent
One-off
Extra One-off IT Grant ($200,000 on average)
• Mobile devices
• Recruitment of TSS
• E-resource/platform ITE4 ($100,000 on average)
• Mobile devices
Information Security in Schools webpage
https://www.edb.gov.hk/ited/i-security
Information Literacy
https://www.edb.gov.hk/il/eng
Promote IT security related events / activities through school circular memorandum
https://www.cybersecurity.hk/en/resources.php EDBCM No.164/2018 Cyber Security Campaign – Smart Devices Security https://www.cybersecuritycampaign.com.hk/