The continuity of the City University of Hong Kong (“University”) is highly dependent upon the way in which its information resources are managed. The principles used in setting the foundations for the policies governing information security management are:
- Information resources that support information processing are important assets (“information assets”) which must be appropriately protected from accidental or intentional compromise.
- The confidentiality, integrity and availability of information assets are essential for ensuring legal compliance and for maintaining competitive edge and the image of the University.
- Information assets are provided to support business processes and should be used to derive benefit for the University.
- All personnel who use information assets have a responsibility to protect them, and to minimize the risks that might result from inappropriate use.
Throughout the document, the terms MUST, SHALL and SHOULD are used carefully. “Musts” and “shalls” are mandatory and not negotiable; “shoulds” are goals for the University. The terms “data”, “information” and “information asset” are used interchangeably in the documents.
Hierarchy of Information Security Policies and Standards
The set of Information Security Policies and Standards consists of documents with different levels of detail:
Policies are high-level statements driven by the University’s requirements. They are technology and process independent statements setting the general principles, goals and objectives for the University. They are not statements of how the goals and objectives will be accomplished.
Standards are the next level in the hierarchy with increasing levels of detail for business requirements. Standards still remain platform independent. They are directed to the implementation of policies for specific subject areas. Standards can be further broken down into two types, with varying levels of latitude in their implementation.
- “Requirements” are activities that must be followed – there is no leeway within a requirement.
- “Guidelines” are not as stringent as requirements – guidelines should be followed, unless there is a compelling business reason for not doing so (for example, if there are specific legal requirements within a jurisdiction prohibiting the implementation of such a requirement, then there is a compelling business justification for not implementing the standard.)
Procedures are process-level and/or platform-specific instructions for implementing Policies and Standards. One standard may require multiple procedures – one for each platform – to satisfy the standard. For example, a standard dealing with password length would require at least one separate procedure for each platform – Solaris, AIX, Windows, AS400 etc. – where that standard is implemented.
The objective of this “Information Security Policies” document is to define the principles to which all users of information assets, in any form, owned by or entrusted to the University must adhere. The principles cover the following areas:
- Defining the confidentiality, integrity and availability requirements for data and information resources used to support the University’s objectives.
- Ensuring that the security requirements of those data and information resources are effectively communicated to individuals who come in contact with such information.
- Using, managing, and distributing those data and information resources in any form (electronic or physical) in a manner that is consistent with their confidentiality, integrity, and availability requirements.
In addition, this document also sets out the Information Security Governance Framework of the University, based on the international standard for information security, International Organization for Standardization (“ISO”) 27001.
Definition of Information Security
Information security is critical to protect information and information resources from unauthorized access, use, disclosure, disruption, modification, or destruction, and it applies across the lifecycle of the information, from creation through use, transfer and storage to disposal.
Information security is primarily concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: digital (e.g. data files), material (e.g. printed papers), or unrepresented information (e.g. knowledge of internal affairs). These include text, picture, audio, video, and information transmitted by mail, email, oral communication, telephone etc.
The University requires appropriate control measures for all forms of information to ensure their confidentiality, integrity and availability and to avoid breaches of any legal, statutory, regulatory, or contractual obligations, and of any security requirements.
- Confidentiality. Protecting information from unauthorized access or disclosure.
- Integrity. Protecting information from unauthorized or improper modification and destruction.
- Availability. Ensuring timely and reliable access to and use of data and information resources.
The University shall also adopt control measures to ensure the authenticity, accountability, non-repudiation, and reliability of information and information services depending on circumstances.
- Authenticity. Assuring the correctness of the claimed identity of an entity.
- Accountability. Assuring the traceability and responsibility of an entity for its actions and decisions.
- Non-repudiation. Preventing the future false denial of involvement by any entities.
- Reliability. Assuring the correctness of a service, and that its behaviour and results are consistent and predictable.
This document serves as the University-wide Information Security Policies, and all activities performed relating to the information resources must comply with the policies unless written approval has been obtained from the Information Strategy and Governance Committee (“ISGC”), which is the approval body of this standard. Also, this policy must be published and communicated to the University’s staff members, students, and relevant external parties.
The purpose of these policies and standards is to ensure that due care is exercised in protecting the University’s information assets. Due care is defined as the economical and practical protection of information at a level commensurate with its value. The value of the information is determined by considering not only the cost of its development, but also its non-monetary value, including intangible worth (e.g. intellectual property and competitive value) and the rights of personnel affected (e.g. privacy). The value of information can also be impacted by its misuse. Good information security can facilitate cost avoidance through the prevention of misuse.
The Information Security Unit (“ISU”) in the Office of the Chief Information Officer (“OCIO”) is responsible for reviewing and updating this document from time to time so that it remains current.
Terms and Definitions
For the purpose of this set of documents, the following terms will be used:
Asset owner is the person or group of people identified by management as having responsibility for the maintenance of the security of that asset. The asset owner may change during the lifecycle of the asset.
The owner does not normally or necessarily personally own the asset. In most cases the employing organization, its customers or suppliers will be the entity with property rights to the asset.
The terms asset owner, asset controller, and asset custodian are used interchangeably. Information is one type of asset.
Asset is anything that has value to the University. There are many types of assets, including:
- software, such as a computer program;
- physical, such as a computer;
- people, and their qualifications, skills, and experience; and
- intangibles, such as reputation and image.
An IT asset is an asset related to the processing of digital information. Types of IT asset include hardware, software, digital storage media, IT services, etc.
An information asset is one type of asset and IT asset. Information assets are knowledge or data that have value to the University regardless of form or format.
This includes all data and information, as well as the hardware, software, personnel, and processes involved with the storage, processing, and output of such information: data networks, servers, PCs, storage media, printers, photocopiers, fax machines, supporting equipment, and backup media.
The terms and definitions listed in BS ISO/IEC 27000:2009 will also be used.