Personal Data Protection and Security Measures

Justin LawIT Services - Information Security Team

18, 20 & 25 March 2015

Agenda

➢ Data protection

➢ Data Classification

➢ IT Security Good practices

Data protection

➢ Data is one of the most valuable assets of the University

➢ Data could be any factual information that is stored on computer, USB drive, Cloud and paper.

➢ Risks to the data:

1. Theft

2. Loss

3. Leakage

4. Tamper

Data Classification

The importance of data classification

• Allow us to identify the data

• Manage the data better

• Employ appropriate level of security to the data

Three-level Data ClassificationIn order to handle data properly, data should be classified into sensitivity levels, namely, PUBLIC, SENSITIVE and RESTRICTED information.

Public

Sensitive

Restricted

Three-level ClassificationPublic• Data is generally open to the public.

• No existing local, national or international legal restrictions on access.

Example: Events and Activities, communications notices and publications.

Three-level ClassificationSensitive• Data is “Official Use Only”

• Protected from unauthorized access due to proprietary, ethical or privacy considerations

Example: Student Data; University partner or sponsor information where no NDA exists

Three-level ClassificationRestricted• Data is protected by regulations, University policies or contractual

agreement

• Unauthorized access may result in significant financial risk or negative impacts on the reputation of the University

Example: Personal Information, Payment Records, Medical records

Data Handling

➢ Level of precautions and security controls are relevant to the data classification

➢ More protections for more sensitive data

Data HandlingSecurity Control Public Level Sensitive Level Restricted Level

Access Control No restriction AAA (Authentication, authorization, accounting)

AAA,Confidentiality agreement

Copying/Printing No restriction Limited Limited with label “Confidential”

Network Security No protection Firewall, IPS,Allow remote Access

Firewall, IPS,No remote Access

System Security Best practices Hardening Hardening with specific security

Physical Security Locked Locked, CCTV Data Centre

Data Storage Monthly Backup Daily Backup Encryption Data loss preventionDaily Backup

Auditing No Logging Logins Logins, access and changes

IT Security Good practices

Workstation➢ Use complex password, more than 8 characters

➢ Enable login password and screen saver password

➢ Logout when unattended

➢ Do not install P2P software on computer that handles confidential data

➢ Physically secure the notebook PC, tablet PC

➢ Avoid using public computer to access confidential files

➢ Using VPN or other secure channel for remotely access from the outside of the university

StorageData could be stored on personal PC, file server, mobile phone, NAS, Cloud, etc…

➢ Access control

• Need ID and password

• Read, write, deny access

• Logging

➢ Use encryption

➢ Backup

Removable Storage➢ Only store sensitive data on portable devices or media when absolutely

necessary

➢ Use Encryption

➢ Erase the data after use

➢ Don’t leave USB drive unattended

➢ Keep it safe

➢ Don’t use USB drive from unknown source.

➢ Report to supervisor if lost USB drive that contains sensitive data

http://www.its.hku.hk/about/policies/

Guidelines on storing and accessing personal data on portable storage devices and personally owned computers (Newly updated on Mar 2015)

Cloud storage

Before uploading data to Cloud, you should consider:

➢ Privacy and confidentiality

➢ Data Encryption

▪ being uploaded to, or downloaded from, and stored in the cloud

➢ Exposure of data

▪ to operator, local and foreign government or agency

Social NetworksOnline Social networking sites are useful to stay connected with others, but you should be wary about how much personal information you post.

• Privacy and security settings

• Once posted, always posted

• Keep personal info personal

• Know and manage your friends

Mobile Security“New Technology, old Privacy and Security issue”

➢ Lost or stolen devices

▪ Enable screen lock

▪ Encrypt the data, such as email and documents

▪ Use Remote Wipe and Anti-Virus

▪ Be aware the automatically login of company email and file server

➢ Malware and virus

▪ Steal bank details, Company Data, Personal identities, Email addresses

➢ Be aware apps sources and rights

▪ Install from trusted sources only

▪ Be aware the requested application permissions

Phishing email

Hyperlink Http://evil.com/cheatu/login.htm

Sample of phishing email

Phishing is the act of attempting to acquire information such as usernames and password by pretending from a trusted entity, e.g. ITS or other department of the University➢ Signs of a phishing email:

• Unoffical “From” address• Urgent actions required• Generic greeting• Link to a fake website, sometimes with legitimate links

➢ What to do if you received phishing email• Delete these suspicious emails• Don’t reply or click any link on them • Refer to HKU Spam report web site http://www.its.hku.hk/spam-report

Phishing

Thank You