
Information Security Requirements for Connection of Home Windows PC to HKU Network

1. Introduction

1.1 Purpose

There may be times when HKU staff need to undertake their duties away from the office, e.g., during the outbreak of SARS/Avian/Swine Flu. This document sets out the information security (IS) requirements for HKU staff using a home Windows PC (including a laptop) to connect to the HKU campus network (i.e. the HKU network, including HKUVPN).

Unless otherwise stated, the term ‘home PC’ refers to a PC or laptop running Microsoft Windows.

Users of non-Windows PCs can follow the principles of these requirements and adopt similar measures when connecting a non-Windows home PC to the HKU network.

1.2 Importance

The observance of the requirements stipulated in this document ensures conformance to the information security requirements for protecting the HKU network.  

1.3 Application Scope

This document applies to all home PCs used by HKU colleagues for connecting to the HKU network.

2. Compliance Requirements

All HKU staff who use home PCs to connect to the HKU network must follow the requirements defined herein.

3. Objective of the Requirements

Information security is important for protecting the confidentiality, integrity and availability of data. Allowing an insecure PC to connect to the HKU campus network would pose serious security threats to HKU, e.g., malware propagation, data breach, etc. When a home PC needs to be connected to the HKU network, the security requirements must be fulfilled to reduce the risk of any compromise of data, network and systems in the HKU network. The objective is to state the baseline security requirements that all HKU staff should follow if they need to connect to the HKU campus network using their home PC.

The same requirements apply to laptops prepared by departments for loan to department staff or to home PCs provided by department staff for working at home.

The setting requirements and the operation protocol of connection of home PCs are described in Section 5 "Home Windows PC Setting Requirements" and Section 6 "Operation Protocol".

4. Roles and Responsibilities

All HKU staff who use a home PC to connect to the HKU network must follow the requirements and operation protocol defined herein. Non-compliance may lead to disabling of the connection. It is mandatory for every HKU staff member to enforce the protections stated in this document to secure their home PCs and laptops loaned from their departments for connection to the HKU campus network.

The Heads of Departments should support their department staff by arranging the preparation of the home PCs complying with the Requirements.

5. Home Windows PC Setting Requirements

  1. The home PC used for connection to the HKU network must be running a current operating system officially supported by Microsoft. Windows Vista (support till 11-April-2017), Windows 7, Windows 8.1 and Windows 10 are current operating systems. Note that PCs running Windows 8, Windows XP or earlier Windows versions are not allowed to connect to the HKU network.

  2. Keep the personal firewall turned ON to protect the home PC from security threats.

    E.g., To turn on Windows Firewall in Windows 7, please refer to http://www.its.hku.hk/documentation/guide/personal/pc/virus/general/firewall-win7

  3. Ensure all Critical Updates are applied on the home PC. New Windows Critical Updates usually become available in the middle of a month.

    E.g., Sample procedures to apply critical updates in Windows 10:

    1. Open Settings, and tap on the Update & security icon.

    2. Tap on Windows Update on the left side, and tap on the Check for updates button.

    3. Windows will then check for updates and automatically install any that are available.

    4. If a restart has been scheduled to finish installing and applying available updates, then please click/tap on Restart now, let Windows restart later outside your active hours, or use a custom restart time.

  4. Ensure anti-virus software is installed on the home PC and the latest virus definition is applied. Update the virus definition file daily, preferably immediately after your PC is started up, to get the latest virus definition. Perform a full virus scan of the PC on a regular basis (e.g. weekly to monthly) to ensure it is free from any virus infection.

    • Staff members who have acquired the Sophos Anti-Virus License through their departments can download a copy of the software for installation on their home PC.

  5. Install anti-malware software on your PC, if applicable, and update it with the anti-malware definition file regularly.

  6. Only install and use licensed software on the home PC.

  7. Install HKU DLP (Data Leakage Prevention) software to ensure encryption is enforced on all USB portable storage devices (“PSD”) if the home PC will download and export HKU data to USB PSD.  See http://www.its.hku.hk/dlp for details.  Avoid using PSD if possible.

  8. Ensure no peer-to-peer (P2P) software is installed, because P2P software may automatically redistribute files or software on your PC without authorization, and thus could compromise your files, infringe others' copyright, and make your PC susceptible to network attacks such as port scanning, virus, Trojan horse or spyware.

  9. Use a separate local PC account, which is not one of the accounts used daily on the home PC, for connection to the HKU network. This local PC account should be dedicated to supporting HKU business only.

  10. Use a PIN/password of 10-18 characters (the longer the better) with combinations of letters (upper and lower case) and digits for protection on all administrator accounts on the home PC.
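
As an added illustration (not part of the original HKU document and not an ITS tool), the read-only PowerShell function below checks items 1 to 4 above on a Windows 8.1 or Windows 10 PC. The function name, the 35-day update window and the use of the Windows Security Center registration as the anti-virus check are assumptions made for this example.

```powershell
# Added example, not HKU's own tooling. Read-only audit of Section 5 items 1-4.
# Assumes Windows 8.1/10 with PowerShell 5.1 (Get-NetFirewallProfile is not
# available on Windows 7 or Vista). Test-HomePcBaseline is a hypothetical name.
function Test-HomePcBaseline {
    $r = [ordered]@{}

    # Item 1: the OS must be one the policy lists as current.
    # Version numbers: Vista 6.0, 7 6.1, 8.1 6.3, 10 10.0. Windows 8 is 6.2
    # and XP is 5.x, so both fail this check, as the policy requires.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $v  = [version]$os.Version
    $r['OS']          = $os.Caption
    $r['SupportedOS'] = @('6.0', '6.1', '6.3', '10.0') -contains "$($v.Major).$($v.Minor)"

    # Item 2: the firewall must be ON for every profile (Domain, Private, Public).
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $r['FirewallOn'] = $off.Count -eq 0

    # Item 3: updates are released roughly monthly, so the newest installed
    # hotfix should be recent. 35 days is an assumed threshold, not a policy value.
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn | Select-Object -Last 1
    $r['LastUpdate'] = $last.InstalledOn
    $r['UpdatedWithin35Days'] = [bool]$last -and
        ($last.InstalledOn -gt (Get-Date).AddDays(-35))

    # Item 4: at least one anti-virus product is registered with Windows
    # Security Center. Definition age is product-specific and is not checked here.
    $av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $r['AntiVirusProducts']   = ($av | ForEach-Object { $_.displayName }) -join ', '
    $r['AntiVirusRegistered'] = $av.Count -gt 0

    [pscustomobject]$r
}

Test-HomePcBaseline | Format-List
```

Any value of False in the output marks an item to fix before the PC is used to connect to the HKU network.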

6. Operation Protocol

  1. Do not share the local PC account on the home PC for access to the HKU network with others.

  2. Do not disclose any user ID or password to others.

  3. Do not save the password of the account for HKUVPN access on the home PC for auto-connection.

  4. Do not leave the home PC unattended, and screen lock must be enabled when the PC is unattended. That is, you must enter your PC password to gain access to the home PC again.

  5. Do not store any HKU data on public storage on the Internet, e.g., Dropbox, OneDrive, iCloud, Google Drive, etc. Use only centrally managed storage with protection under HKU control for storing and sharing data.

  6. All data for business continuity support should be stored on centrally managed storage in HKU, e.g., Network Access Storage (NAS) with access control setup for access from authorized users and network only. Data stored temporarily on the home PC should be removed immediately after use.  (See http://itscloud.hku.hk/local/SetPermission-Win2012R2.pdf for the use of ITS NAS under HKUCC1 domain.)

  7. PCs for business continuity support must be prepared in advance with the security settings stated in Section 5, either by the Department for loan to the business continuity supporting staff or by the business continuity supporting staff if their own PCs will be used.

  8. Important files required for business continuity support should be readily accessible, e.g., stored in centrally managed storage in HKU instead of individual office PCs.

  9. Ensure that a secure network connection is used when connecting from the home PC to the Internet; do not use public wireless connections or wireless connections not managed by you, e.g., your neighbour’s wireless network.

  10. For remote access from the home PC to the HKU network, the connection must be protected by using HKUVPN and two-factor authentication (2FA) with HKU Portal UID and password (see http://www.its.hku.hk/services/infosec/2fa), and encryption of the connection is enforced.

  11. Ensure the working environment is safe and isolated when supporting HKU business, e.g., beware of shoulder surfing and leakage of sensitive information.

  12. Report to the Head of Department (or Business Continuity Manager of Department, or staff supporting a similar function in support of business continuity) immediately if any information security incident occurs during the business continuity support, e.g. leakage of data, hacking incident, etc.