Home » IT Services News » IT Services News No. 194 (Aug 2018) » Updates on the Implementation of the Information Security and Data Management (ISDM) Policy

Updates on the Implementation of the Information Security and Data Management (ISDM) Policy

  1. Progress to-date
  2. Summary of Training Modules Delivered
  3. What’s Next

1. Progress to-date

The progress of the Information Security and Data Management (ISDM) Policy implementation is on track since its commencement in March 2017.  We are now in Phase 2 on Bridging the Gap and this phase will be concluded in end of August 2018.  

To recap, the consultant on University Data Policy proposed in 2012 a 3-phase development for implementing the ISDM Policy:

  • Phase 1: Building Foundation for successful implementation
  • Phase 2: Bridging the Gap from the varied maturity levels in departments towards having good understanding and measures for compliance of the ISDM Policy.
  • Phase 3: Obtaining Comfort in implementing the ISDM Policy in departments and make the data management process become a regular daily task

Under the joint effort of all departments, Phase 1 was kicked off in March 2017 followed by Phase 2 in September 2017.  These 2 phases are mainly accomplished through training sessions conducted to enable departments to acquire the necessary knowledge and know-hows for implementing the ISDM Policy in departments under Phase 3.  As of 31 July 2018, 51 ISDM training sessions were held which were attended by a total of 1,222 participants.   The awareness, understanding and practices on implementing the ISDM Policy are being built up among departments. 

2. Summary of Training Modules Delivered

A summary of the training modules (with the corresponding outcomes) conducted in the past year is tabulated below:

Training Modules

Outcomes

ISDM Basics

 

Attendants have learnt:

  • Background of ISDM Policy
  • Importance of Data Management
  • ISDM Data Governance Structure
  • ISDM Data Management Roles
  • Introduction to Data Classification Scheme

Departments should have nominated their ISDM coordinators. Data Owners should have identified their Data Stewards/Custodians.

Data Classification and Data Asset Inventory Template

Attendants have learnt:

  • Definitions of ISDM Data Classification Scheme
  • Key Differentiating Factors in Data Classification
  • Typical Examples in Classifying Institutional Data
  • What is Data Asset Inventory and Relationship to ISDM Policy
  • Typical Examples in Filling up Data Asset Inventory Template
  • Key Controls in Maintaining the Data Asset Inventory

Departments should be able to identify their own data asset and learn how to classify their own data.  They should have prepared their own Data Asset Inventory according to the template given by ITS.

Information Rights Management (IRM) Workshop

Attendants have learnt:

  • What is IRM and Relationship to ISDM Policy
  • Overview of ISDM Data Classification Scheme
  • Use of AIP Client to Protect Documents
  • Use of Microsoft Office Plugin to Protect Documents
  • Use of “Do Not Forward” Function in Sending Email
  • Demo of “Track and Revoke”
  • Scenarios in Data/Information Protection

Participants should be able to use the IRM tool to protect their sensitive data and be able to communicate with University members by using IRM.

Departmental Data Asset Storage (“DDAS”) Fundamental/Administration

Attendants have learnt:

  • Why We Need DDAS
  • DDAS Organisation Structure
  • Relationship between Document Library and Data Steward
  • Using Folders as Classification to Protect Sensitive Data/Information
  • Using IRM@DDAS to Protect Sensitive Data/Information from Being Leaked
  • Assigning Access Rights by Managing SharePoint Group Membership
  • Working with Your Sensitive Data/Information in Two-stage Data Management Paradigm.
  • Using Owner’s Key (OK) Account for Access Rights Succession

Departments should decide whether or not to use DDAS. If a department chooses not to use DDAS, it should have a plan in identifying the official storage location which complies with ISDM Policy.

Information Security (I) – Misconceptions and Commonly Overlooked Issues

 Attendants have learnt:

  • The Importance of Using Encrypted Channel to Transmit Sensitive Data/Information
  • What is PICS and its Importance
  • The More Data You Store, the More Liability You Have
  • The Importance of Setting Password
  • The Importance in Using Anti-virus Software, and Software Patching
  • How to Identify Phishing Emails
  • HKU Campus Network Acceptable Usage Policy

Departments should send their staff to attend IS awareness training regularly.

3. What’s Next

The IT Policy Committee (ITPC) and ISDM sub-committee (ISDM sub-com) play important roles in oversighting the operations in relation to ISDM Policy over institutional data/information across the University.  As ITPC is being formed, an interim ISDM sub-com will first be formed.

The theme of Phase 3 is “Obtaining Comfort”.  After departments equipped themselves with the knowledge of information security and data management, departments will assess their readiness through self-assessment.  Briefing sessions will be conducted to refresh departments’ ISDM knowledge before self-assessment will be arranged.

Classes on ISDM Chapters 3-7 (i.e. Data/Information Life Cycle Management, Physical Environment, IT Environment, Contingency Management and User Management, please refer to www.isdm.hku.hk for details) will be arranged after we complete the first round of ISDM self-assessment.  Please stay tuned with us on the latest training course announcement that will be arranged in the coming months. 

 

Bunny Wong
Data and Security Team
Tel: 3917 5715
Email: buwongsb@hku.hk