Personal Data Protection and Security Measures
Justin LawIT Services - Information Security Team
25 & 27 November 2013
Agenda
Data protection Data Classification IT Security Good practices
Data protection
Data is one of the most valuable assets of the University
Data could be any factual information that is stored on computer, USB drive, Cloud and of course, on paper.
Risks of Data: 1. Theft2. Loss3. Leakage4. Tamper
Data Classification
The importance of data classification
• Allow us to identify the data• Manage the data better• Employ appropriate level of security for the data
Three-level Data ClassificationIn order to handle data properly, data should be classified into categories- classification level.
Three-level Classification:
Public Sensitive Restricted
Three-level ClassificationPublic• Data is generally open to the public. • No existing local, national or international legal restrictions on
access. Example: Events and Activities, communications notices and publications.
Public Sensitive Restricted
Three-level ClassificationSensitive• Data is “Official Use Only”• Protected from unauthorized access due to proprietary, ethical
or privacy considerationsExample: Student Data; University partner or sponsor information where no NDA exists
Public Sensitive Restricted
Three-level ClassificationRestricted• Data is protected by regulations, University policies or
contractual agreement• Unauthorized access may result in significant financial risk or
negative impacts on the reputation of the UniversityExample: Personal Information, Payment Records, Medical records
Public Sensitive Restricted
Data Handling Level of precautions and security controls are relevant to
the data classification
More protections for more sensitive data
Data HandlingSecurity Control Public Level Sensitive Level Restricted LevelAccess Control No restriction AAA (Authentication,
authorization, accounting)
AAA,Confidentiality agreement
Copying/Printing No restriction Limited Limited with label “Confidential”
Network Security No protection Firewall, IPS,Allow remote Access
Firewall, IPS,No remote Access
System Security Best practices Hardening Hardening with specific security
Physical Security Locked Locked, CCTV Data CentreData Storage Monthly Backup Daily Backup Encryption
Data loss preventionDaily Backup
Auditing No Logging Logins Logins, access and changes
IT Security Good practices
Workstation Use complex password, more than 8 characters Enable login password and screen saver password Logout when unattended Do not install P2P software on computer that handles
confidential data Physically secure the notebook PC, tablet PC Avoid using public computer to access confidential files Using VPN or other secure channel for remotely access from
the outside of the university
StorageData could be stored on personal PC, file server, mobile phone, NAS, Cloud, etc… Access control
• Need ID and password• Read, write, deny access• Logging
Use encryption Backup
Removable Storage Only store sensitive data on portable devices or media when
absolutely necessary Use Encryption Erase the data after use Don’t leave USB drive unattended Keep it safe Don’t use USB drive from unknown source. Report to supervisor if lost USB drive that contains sensitive
data
Cloud storageBefore putting data to Cloud, you should consider: Privacy and confidentiality Data retention
Impossible to eliminate Data ownership Data Encryption
being uploaded to, or downloaded from, and stored in the cloud
Exposure of data to operator, local and foreign government
and government agency
Social NetworksSocial networks are a great way to stay connected with others, but you should be wary about how much personal information you post.
• Privacy and security settings• Once posted, always posted• Keep personal info personal• Know and manage your friends
Mobile Security“New Technology, old Privacy and Security issue” Lost or stolen devices
Enable screen lock Encrypt the data, such as email and documents Alert the automatically login of company email and
file server Malware and virus
Steal bank details, Company Data, Personal identities, Email addresses
Install mobile security apps Use Remote Wipe, Encryption and Anti-Virus
Phishing email
Hyperlink Http://evil.com/cheatu/login.htm
Sample of phishing email
Phishing is the act of attempting to acquire information such as usernames and password by pretending from a trusted entity, e.g. ITS or other department of the university
Signs of a phishing email:• Not addressed to you by name• Asks for your username and password• “Business letters” but comes from suspicious email accounts
What to do if you received phishing email Delete these suspicious emails Don’t reply or click any link on them. Refer to HKU Spam report web site http://www.its.hku.hk/spam-report
Phishing
Thank You