ISDM stands for “Information Security and Data Management”. The “Implementation of ISDM Policy” is a 30-month University-wide campaign that aims to raise the level of maturity in both information security and data management within the University.
The implementation of the Policy began in April 2017, with some preparatory work completed smoothly before that. During June and July 2017, we conducted 5 ISDM briefing sessions for departmental ISDM coordinators nominated by the Heads of departments/units, and 1 briefing session for data users to promote the essence of the policy implementation. These 6 sessions drew a total of 340 attendees from 120 departments/units.
The campaign will transition from Phase I to Phase II starting from September 2017. I wish to take this opportunity to brief you on the structure and responsibilities of all levels of stakeholders in this campaign.
The Council’s IT Policy Committee is the strategic governance body whereas the ISDM Sub-committee is the operational governance body.
IT acts as the central coordinator of the policy implementation movement. Their responsibilities are:
- To update the ISDM website regularly so that it serves as the common information resource.
- To maintain reference materials that are relevant to the information security and data management policies, including the protection of personal data and research data.
- To arrange communication and training activities to increase awareness of the requirements for complying with the ISDM practices.
- To acquire/develop/provide the appropriate systems/facilities/tools to enable the execution of the recommended practices for the First Level of Defence (departments and units in the University) towards standardization.
- To facilitate the self-assessment exercises carried out at the First Level of Defence on an annual basis, and to provide a platform to consolidate the assessment results for review by the Data and Security Team of ITS and the ISDM Sub-committee.
- To institute and execute the information security surveillance for compliance assurance, including servers and networks, on a regular basis.
- To promote ISDM assurance across the University campus.
- To work closely with the Internal Audit Office to facilitate its role as the Third Level of Defence.
- To report the status, related risks assessed and mitigation to ITPC through its ISDM Sub-committee, and to follow up on the directives given.
During the ISDM policy implementation, departments and units form the First Level of Defence to bridge the gaps and obtain comfort in ISDM. The Department Head is the Data Owner (including personal data and research data) of the department. He can assign Data Steward(s) to act on his behalf in the management of data/information. For ISDM policy implementation, the Department Head can assign one or more departmental ISDM coordinators. Subsequently, according to the regular duties of department staff, the corresponding Data Custodians can also be identified. With the identification of Data Stewards, Data Custodians and ISDM Coordinators, departments will play the crucial role of policy implementation in the following ways:
- To work closely with the Data and Security Team of ITS as allies in the implementation of the policy, including the proper handling of personal data and research data.
- To identify and keep a register of data/system inventory and Data Custodians.
- To ensure that staff taking up different roles can carry out their responsibilities according to the ISDM positions and work assigned.
- To carry out an annual self-assessment of ISDM maturity coordinated by ITS.
A series of training sessions for Data Stewards, ISDM Coordinators, Data Custodians and Data Users on various aspects of Data Management and Information Security will soon be conducted. Let’s work hand-in-hand to make this campaign a success.
Convenor, ISDM Working Group
Tel: 3921 2403