Recommended Practice (January 2019)

23  Download (0)

Full text

(1)

Information Security in Schools–

Recommended Practice (January 2019)

IT in Education Section Education Bureau

15 January 2019

(2)

Information Security in Schools – Recommended Practice

• Since 2002, the EDB has been providing recommended practice on IT security to assist schools in formulating IT security policies and promoting related good practices.

• The EDB updates the document from time to time.

(3)

Information Security in Schools –

Recommended Practice (January 2019)

https://www.edb.gov.hk/en/edu-system/primary- secondary/applicable-to-primary-secondary/it-in-

edu/Information-Security/information-security-in-school.html

(4)

2016 Version

PART 1 ABOUT THIS DOCUMENT PART 2 SECURITY MANAGEMENT

PART 3 SECURITY INCIDENT HANDLING PART 4 PHYSICAL SECURITY

PART 5 ACCESS CONTROL PART 6 DATA SECURITY

PART 7 APPLICATION SECURITY

PART 8 NETWORK AND COMMUNICATION SECURITY PART 9 WEB APPLICATION SECURITY

PART 10 SECURITY ISSUES OF MOBILE APPLICATIONS PART 11 COMPUTER VIRUS PROTECTION

PART 12 SECURITY REVIEW PART 13 CLOUD SERVICE

PART 14 WI-FI SECURITY QUICK REFERENCE

PART 15 ADDITIONAL RESOURCES ON IT SECURITY

2019 Version

CHAPTER 1 ABOUT THIS DOCUMENT CHAPTER 2 SECURITY MANAGEMENT

CHAPTER 3 SECURITY INCIDENT HANDLING CHAPTER 4 PHYSICAL SECURITY

CHAPTER 5 ACCESS CONTROL CHAPTER 6 DATA SECURITY

CHAPTER 7 APPLICATION SECURITY

CHAPTER 8 NETWORK AND COMMUNICATION SECURITY CHAPTER 9 WEBSITE & WEB APPLICATION SECURITY

CHAPTER 10 MOBILE DEVICE AND MOBILE APPLICATION PROTECTION CHAPTER 11 MALWARE PROTECTION

CHAPTER 12 SECURITY REVIEW CHAPTER 13 CLOUD SERVICE

CHAPTER 14 ADDITIONAL RESOURCES ON IT SECURITY

Major Updates

(5)

2016 Version

• General Network Protection

• Building a Secure Network

• Communication with External Network

Remote Access

• Virtual Private Network

• Wireless Network Protection

Management Control

Technical Control

End-user Control

• Protection against Email Spam and Malicious code

System Prospective

End-user Prospective

Prevent Malicious Code (Merge to Chapter 11)

2019 Version

• Network Security Management (Revised)

Recommendations for schools on building a secure network

Remote Access

Virtual Private Network

• Wireless Network Build Up Security Concerns (New)

Security Risks

Recommendations for schools on wireless network deployment

Network Mode (Separate / Integrate)

• Security Controls to Protect WLAN (Revised)

Management Control

Technical Control

End-user Control

• Mail Gateway Security and Email Handling

Mail Server Protection (Revised)

Tips for protecting schools from email bombing, spamming and spoofing (New)

Reduce the amount of incoming spam (Revised)

Protection against Email Scam (New)

Major Updates – Chapter 8

Network and Communication Security

(6)

Major Updates – Chapter 8

Network and Communication Security

• Security concerns on the communication with the external network and access privilege.

• Protection against the system and end-user strengthened.

• Email Bombing, Spamming & Spoofing and Email Scam.

• Security concerns on the network modes (Separate / Integrate) adopted by schools.

(7)

Separate or Integrate?

• It is recommended to build the WiFi network completely separated from schools’ existing network with separate broadband line to reduce security risk

• Due to the nature of wireless technology, wireless networks are relatively hard to contain within a building and it is generally considered to be an un-trusted network.

• As a best practice, wireless networks and wired networks should not be directly connected to each other.

(8)

IT Security Measures to address

the Security Concerns on Integrating the Networks

• For schools adopting the integration mode of WiFi networks, schools’ IT personnel needs to assess, understand and eliminate the security issues and risks to school existing network when the WiFi network is integrated or connected to schools’ existing network.

• Schools adopting the integration mode of WiFi networks are recommended to apply the “Defence-in-Depth” approach.

• Possible measures that can be employed to build multiple layers of defense:

 Separation of wireless and wired network segments

 Use of strong device and user authentication methods

 Application of network filtering based on addresses and protocols

 Deployment of intrusion detection systems on the wireless and wired networks

(9)

2016 Version

WEB APPLICATION SECURITY

• Adopt Web Application Security Architecture

• Architecture

• Web Server Security

2019 Version

WEBSITE & WEB APPLICATION SECURITY

• Website & Web Application Security Architecture

• Web Server Security (Revised)

• Web Server Monitoring and Incident Handling (New)

• Web Application Security (New)

• Keep Your School’s Website Safe (New)

• Secure Website with HTTPS Protocol (New)

• Anti-DDoS Protection (New)

Major Updates – Chapter 9

Website & Web Application Security

(10)

Major Updates – Chapter 9

Website & Web Application Security

• Important of web server security such as account management, web server application management, ports management, patch management, security monitoring, backup.

• Web application security and data protection.

• HTTPS issue.

• How to prevent DDoS / Botnet attack.

• For better security incidents handling, schools are recommended to:

Follow the security incident handling procedure to handle the security incident until it is mitigated; and

Report the case to Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and Hong Kong Police Force (HKPF).

(11)

2016 Version

SECURITY ISSUES OF MOBILE APPLICTIONS

• Protecting Mobile Devices

• Configuration Mobile Device

• Precautions of Using Mobile Applications

2019 Version

MOBILE DEVICE AND MOBILE APPLICATION PROTECTION (New)

• Security Concerns of Mobile Devices

• Information Security Policy for Mobile Devices

• Data Communication and Storage for Mobile Devices

• User and Device Authentication for Mobile Devices

• Security Control for Mobile Device Application

• Mobile Device Management (MDM) Solution

Major Updates – Chapter 10

Mobile Device and Mobile Application Protection

(12)

Major Updates – Chapter 10

Mobile Device and Mobile Application Protection

• Schools should establish a mobile device security policy to specify the operation and security requirements for mobile devices access.

• A formal usage policy and procedures should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.

• Schools are recommended to install security control tools such as MDM, anti-malware software.

(13)

2016 Version

COMPUTER VIRUS PROTECTION

• Anti-Virus Software

• Legal and Authorised Use of Software and Hardware

• Prevention from Doubtful File Resources

2019 Version

MALWARE PROTECTION (New)

• Protection against Malware by Schools

• Protection against Malware by Users

• Malware Incident Handling and Recovery

• Protection against Ransomware

• Ransomware Incident Handling and Recovery

Major Updates – Chapter 11

Malware Protection

(14)

Major Updates – Chapter 11 Malware Protection

• Malware can cause different level of security risks to computer assets, such as disrupt computer operations, gather sensitive information, etc.

• Schools are advised to adopt the precaution measures against ransomware.

• Ransomware Incident Handling:

a) Disconnect the network cable of the computer to avoid affecting network drives and other computers.

b) Power off the computer to stop the ransomware encrypting more files.

c) Jot down what have been accessed (such as programs, files, emails and websites) before discovering the issue.

d) Report to the HKCERT and HKPF the criminal offence if necessary.

e) Recover the data from backup to a clean computing device.

(15)

2016 Version

CLOUD SERVICE

• Cloud computing security considerations

2019 Version

CLOUD SERVICE (New)

• Cloud Security Overview

• Cloud Service Security Consideration

• Checklist on selecting cloud service provider

• On using cloud services

Major Updates – Chapter 13

Cloud Service

(16)

Updates – Chapter 13 Cloud Service

• A checklist on selecting cloud service provider was provided to schools for reference.

• Using encryption to protect stored data.

• Think twice when you want to store sensitive data in the cloud and assess the impact if the data concerned is exposed.

• Perform a regular backup of the data stored in the cloud service and maintain a local backup copy of important data so that this data can still be available when the service provider is out of service.

(17)

Security Tips

• TSS or IT Head should harden the firewall regularly including update firmware, review policy and check event log.

• Cyber attack are become more advance and unpredictable. Schools are recommended to deploy security device with the latest technology to secure the school’s network.

• Many schools were infected ransomware by opening attachments in suspicious email. Schools are recommended to purchase the latest anti- malware software with signature to filter the malicious attachment.

• There were security vulnerability in WPA2, schools are recommended to deploy network device with WPA3 when upgrading the Wi-Fi network.

• Apply latest approved security patches to any software (especially the operating system) and avoid using the end of supported components.

(18)

Related Promotion and Support by EDB

• Information Security in Schools webpage

• Email Message on IT Security Alert

• Information Security in Schools – Recommended Practice

• Co-organise with professional bodies to provide IT security related seminars

• Promote IT security related events / activities through school circular memorandum

• Grants

(19)

Overview of Various ITE Grants

Composite IT Grant (CITG)

$202,679 – 697,086 dependent on school type and size

Operational needs for e-learning, such as -

• IT-related consumables

• Digital resource materials

• Technical Support Staff (TSS)

• Maintenance of IT facilities, etc.

Funding for ITE4

$70,000 on average

• WiFi services fee

• Maintenance/

replacement of mobile devices

ITSSG

Flat rate of $307,200 Recruitment of TSS through contract or services procurement

Recurrent

One-off

Extra One-off IT Grant ($200,000 on average)

• Mobile devices

• Recruitment of TSS

• E-resource/platform ITE4 ($100,000 on average)

• Mobile devices

(20)

Information Security in Schools webpage

https://www.edb.gov.hk/ited/i-security

(21)

Information Literacy

https://www.edb.gov.hk/il/eng

(22)

Promote IT security related events / activities through school circular memorandum

https://www.cybersecurity.hk/en/resources.php EDBCM No.164/2018 Cyber Security Campaign – Smart Devices Security https://www.cybersecuritycampaign.com.hk/

(23)

Thank you

Figure

Updating...

References

Related subjects :