There may be times when HKU staff need to undertake their duties away from the office, e.g., during an outbreak of SARS/Avian/Swine Flu. This document sets out the information security (IS) requirements for HKU staff using a home Windows PC (including laptops) to connect to the HKU campus network (i.e. the HKU network including HKUVPN).
Unless otherwise stated, the term ‘home PC’ refers to a PC or laptop running Microsoft Windows.
Users of non-Windows PCs can follow the principles of the requirements and adopt similar measures when connecting a non-Windows home PC to the HKU network.
Observing the requirements stipulated in this document ensures conformance to the information security requirements for protecting the HKU network.
1.3 Application Scope
This document applies to all home PCs being used by HKU colleagues for connecting to the HKU network.
2. Compliance Requirements
All HKU staff who use home PCs to connect to the HKU network must follow the requirements in this document.
3. Objective of the Requirements
Information security is important for protecting the confidentiality, integrity and availability of data. Allowing an insecure PC to connect to the HKU campus network would pose serious security threats to HKU, e.g., malware propagation, data breach, etc. When a home PC must be connected to the HKU network, security requirements must be fulfilled to reduce the risk of compromise of data, network and systems in the HKU network. The objective of this document is to state the baseline security requirements that all HKU staff should follow if they need to connect to the HKU campus network using their home PC.
The same requirements apply to laptops prepared by departments for loan to department staff and to home PCs provided by department staff for working at home.
The setting requirements and the operation protocol for connecting home PCs are described in Section 5 “Home Windows PC Setting Requirements” and Section 6 “Operation Protocol”.
4. Roles and Responsibilities
All HKU staff who use a home PC to connect to the HKU network must follow the requirements and operation protocol defined in this document. Non-compliance may lead to disabling of the connection. It is mandatory for every HKU staff member to enforce the protections stated in this document to secure their home PCs and laptops loaned from their departments for connection to the HKU campus network.
The Heads of Departments should support their department staff by arranging the preparation of the home PCs complying with the Requirements.
5. Home Windows PC Setting Requirements
The home PC used for connection to the HKU network must be running a current operating system with official support from Microsoft. Windows 8.1 and Windows 10 are current operating systems. Note that PCs running Windows Vista, Windows 8, Windows XP or earlier Windows versions are not allowed to connect to the HKU network. Note that Windows 7 will reach end of support on 14 January 2020, and PCs running Windows 7 will not be allowed to connect to the HKU network after that date.
Keep the personal firewall turned ON to protect the home PC from security threats.
Note: The Windows Firewall in Windows 8.1 and Windows 10 is turned on by default. Anti-virus software with its own firewall program will disable Windows Firewall.
Ensure all Critical Updates are applied on the home PC. New Windows Critical Updates are usually available in the middle of a month.
E.g., sample procedure to apply critical updates in Windows 10:
  - Open Settings, and tap on the Update & security icon.
  - Tap on Windows Update on the left side, and tap on the Check for updates button.
  - Windows will then check for updates and automatically install any that are available.
  - If a restart has been scheduled to finish installing and applying available updates, click/tap on Restart now, let Windows restart later outside your active hours, or use a custom restart time.
- Ensure anti-virus software is installed on the home PC and the latest virus definition is applied. Update the virus definition file daily, preferably immediately after your PC is started up, to get the latest virus definition. Perform a full virus scan of the PC on a regular basis (e.g. weekly to monthly) to ensure it is free from any virus infection. Staff and students can download Sophos Home Commercial Edition on up to 10 PCs for work or study-related purposes and use this software until they leave or graduate from the University.
- Install anti-malware software on your PC, if applicable, and update it with the anti-malware definition file regularly.
- Microsoft Windows Defender is part of Windows 8.1 and Windows 10. Enable it if not yet enabled.
- Only install and use licensed software on the home PC.
- Install HKU DLP (Data Leakage Prevention) software to ensure encryption is enforced on all USB portable storage devices (“PSD”) if the home PC will download and export HKU data to USB PSD. See Data Leakage Prevention (DLP) for details. Avoid using PSD if possible.
- Ensure no peer-to-peer (P2P) software is installed, because P2P software may automatically redistribute files or software on your PC without authorization. This could compromise your files, infringe others’ copyright, and make your PC susceptible to network attacks such as port scanning, viruses, Trojan horses or spyware.
- Use a separate local PC account, which is not the account used daily on the home PC, for connection to the HKU network. This local PC account should be dedicated to supporting HKU business only.
- Use a PIN/password of 10-18 characters (the longer the better) with combinations of letters (upper and lower case) and digits for protection on all administrator accounts on the home PC.
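A read-only PowerShell check of several Section 5 settings (supported OS, firewall, Windows Defender status and definition age, recent updates), added here as an example and not part of the HKU document. The thresholds of 1 day for definitions and 35 days for updates are assumptions chosen to reflect "daily" and "middle of a month" above.

```powershell
# Added example: read-only audit against part of the Section 5 baseline.
# Thresholds below are assumptions, not values from the HKU document.
$MaxDefinitionAgeDays = 1    # "update the virus definition file daily"
$MaxUpdateAgeDays     = 35   # Critical Updates usually arrive mid-month

$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# Operating system: the document names Windows 8.1 and Windows 10 as current.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Result 'Supported OS' ($os.Caption -match 'Windows (8\.1|10)') "$($os.Caption) ($($os.Version))"

# Windows Firewall: every profile should be on. Anti-virus software with its
# own firewall can disable Windows Firewall, so a failure needs a manual look.
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
Add-Result 'Firewall on' ($off.Count -eq 0) ("Profiles off: " + ($off.Name -join ', '))

# Windows Defender: enabled, real-time protection on, definitions fresh.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Result 'Defender enabled' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
        "Real-time protection: $($mp.RealTimeProtectionEnabled)"
    Add-Result 'Definitions current' ($mp.AntivirusSignatureAge -le $MaxDefinitionAgeDays) `
        "Last updated: $($mp.AntivirusSignatureLastUpdated)"
} catch {
    Add-Result 'Defender enabled' $false `
        'Defender status unavailable; check the installed anti-virus product manually'
}

# Updates: Get-HotFix does not list every update type, so treat the date of
# the newest entry as an indicator and confirm in Settings > Windows Update.
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }
Add-Result 'Recent update' ($last -and $age -le $MaxUpdateAgeDays) `
    "Newest hotfix: $($last.HotFixID) installed $($last.InstalledOn)"

$results | Format-Table -AutoSize -Wrap
```

The script changes nothing on the PC; any row with `Pass` set to `False` points to the matching requirement in this section.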
6. Operation Protocol
Do not share with others the local PC account on the home PC that is used for access to the HKU network.
Do not disclose any user ID or password to others.
Do not save the password of the account for HKUVPN access on the home PC for auto-connection.
Do not leave the home PC unattended. Screen lock must be enabled when the PC is unattended; that is, you must enter your PC password to gain access to the home PC again.
Do not store any HKU data on public storage on the Internet, e.g., Dropbox, OneDrive, iCloud, Google Drive, etc. Use only centrally managed storage with protection under HKU control for storing and sharing data.
All data for business continuity support should be stored on centrally managed storage in HKU, e.g., Network Access Storage (NAS) with access control set up to allow access from authorized users and networks only. Data stored temporarily on the home PC should be removed immediately after use. (See the user guide for the use of ITS NAS under the HKUCC1 domain.)
PCs for business continuity support must be prepared in advance with the security settings stated in Section 5, either by the Department for loan to the business continuity supporting staff or by the business continuity supporting staff if their own PCs will be used.
Important files required for business continuity support should be readily accessible, e.g., stored in centrally managed storage in HKU instead of individual office PCs.
Use a secure network connection from the home PC to connect to the Internet; do not use public wireless connections or wireless connections not managed by you, e.g., your neighbour’s wireless network.
For remote access from a home PC to the HKU network, the connection must be protected by using HKUVPN and two-factor authentication (2FA) with HKU Portal UID and password, with encryption of the connection enforced.
Ensure the working environment is safe and isolated when supporting HKU business, e.g., beware of shoulder surfing and leakage of sensitive information.
Saving, storing or backing up restricted/confidential data on a home PC is not allowed. If there is a definite need to transport restricted/confidential data to work on a home PC for business continuity purposes, prior permission must be obtained from the Data Owner, and the restricted/confidential data must be encrypted for transportation to the home PC and deleted immediately after use on the home PC. The evidence of such authorization by the Data Owner and the use period must be kept for audit purposes.
Report to the Head of Department (or the Business Continuity Manager of the Department, or staff performing a similar function in support of business continuity) immediately if any information security incident occurs during the business continuity support, e.g. leakage of data, hacking incident, etc.