
Personal Data Protection and Security Measures

Presentation on theme: "Personal Data Protection and Security Measures"— Presentation transcript:

1 Personal Data Protection and Security Measures
IT Services - Information Security Team 20 & 27 April 2017

2 Agenda Data Protection Data Classification
Good Practices for IT Security

3 Data Protection
Data is one of the most valuable assets of the University.
Data can be any information (including facts, opinions, statistics, records and research information) that is stored on a computer, USB drive, cloud storage or on paper.
Risks to the data:
- Theft
- Loss
- Leakage
- Tampering

4 Data Classification

5 The importance of data classification
- Allows us to identify the sensitivity level of data
- Manage the data better
- Employ the appropriate level of security for the data

6 Four-level Data Classification
In order to handle data properly, data should be classified into different sensitivity levels:
- Restricted
- Confidential
- Internal
- Public

7 Four-level Data Classification
Restricted
- Very sensitive in nature; strictly restricted by the University, the government or any other agreements between the University and 3rd parties
- Critical to the University's capacity to conduct her business
- Disclosure of such data to unauthorized parties could have a significant adverse impact on the University's reputation
Examples:
- Examination papers
- Privileged accounts/passwords

8 Four-level Data Classification
Confidential
- Intended for use by a specific group of authorized personnel within the University and business partners
- Unauthorized disclosure of such data would adversely affect business performance
- Data should not be copied or removed from the University's control without specific authorization by the Data/Information Owner/designee
Examples:
- Staff and student data, disciplinary details
- Unpublished research information

9 Four-level Data Classification
Internal
- Non-sensitive operational data/information
- Intended for use by members of the University and authorized service providers
- Disclosure of such data/information could have a moderate adverse impact
Examples:
- Staff handbooks
- Policies/manuals/procedures
- Training materials

10 Four-level Data Classification
Public
- Data approved by the appropriate University authority for public consumption
Examples:
- Programme and admission information
- Published academic literature
- Press releases

11 Data Handling
Different levels of precautions and security controls are applied based on the data classification. Data with a higher sensitivity level requires a higher level of protection.

12 Good practices for IT Security

13 Workstation (PC)
- Use a complex password: at least 10 characters with a combination of alphanumeric and special characters
- Enable the PC login password and screen saver password
- Lock the screen or log out of your PC when it is unattended
- Do not install Peer-to-Peer (P2P) software on a PC that handles confidential data
- Physically secure notebook PCs and tablet PCs
- Avoid using public computers to access confidential files
- Use VPN or another secure channel for remote access from outside the University

14 Storage
Data could be stored on a personal PC, file server, mobile phone, Network Attached Storage (NAS), cloud storage, files and folders, etc.
- Apply access control: require user ID and password; read, write, deny access; logging
- Use encryption
- Back up regularly

15 Physical Security
DON'T leave your PC unattended without physical protection.
Protection measures:
- Lock your office door.
- Use a cable chain lock.
- Enable the screensaver.

16 Removable Storage
- Use encryption and password protection
- Erase the data after use (best to reformat the USB drive)
- Don't leave the USB drive unattended; keep it safe
- Don't use USB drives from unknown sources
- Only store sensitive data on portable devices or media when absolutely necessary
- For storing personal data, seek permission
- Report to your supervisor if a USB drive that contains sensitive data is lost
Guidelines on Electronic Communications and Storing Personal Data on Portable Storage Devices, Personally-owned Computers and Public Cloud Services (

17 Removable Storage
Data Leakage Prevention ("DLP") Protection (see Code of Practice): USB PSDs are required to be initialized before any write access to the device; otherwise only read access is allowed.
- Log on to HKU Portal
- Search for "DLP"
- Click on the link "DLP for PSD"

18 Email & File Protection
Information Rights Management (IRM) Solution allows individuals to set access permissions on files and messages.
- Only an authorized person is granted access (permission) to an IRM-controlled document.
- Prevents content from unauthorized forwarding (applicable to mail messages), editing, printing, faxing, saving, or copying (cutting and pasting).
- Supports major platforms: Windows (full features), MacOS, Android, iOS
User Guide:
Training:

19 IRM – Typical Usage Scenarios
Scenario 1: User A shares a protected file with User B. A file that needs protection is protected with the RMS Sharing App; User B uses the tools to view the protected file.
Scenario 2: User A sends a protected message to User B. A message that needs protection is protected with the RMS Sharing App and delivered to User B as a protected message.

20 Cloud storage
Before uploading data to cloud storage, you should consider:
- Privacy and confidentiality
- Encryption of data uploaded to, downloaded from, and stored in the cloud
- Exposure of data to the cloud operator, local and foreign governments or agencies
References:
- Guidelines for Using External Web 2.0 Services (
- PCPD Information Leaflet – Cloud Computing ( blications/files/IL_cloud_e.pdf)

21 Social Networks
Online social networking sites are useful to stay connected with others, but you should be wary about how much personal information you post.
"Stay Smart. Mind Your Digital Footprint" – by PCPD
- Privacy and security settings
- Once posted, always posted
- Keep personal information personal

22 Mobile Security
"New technology, old privacy and security issues"
Lost or stolen mobile devices:
- Enable screen lock
- Encrypt the data, such as emails and documents
- Use Remote Wipe and anti-virus
- Beware of automatic login to company email and file servers
Malware and viruses:
- Steal bank details, company data, personal identities and addresses
- Beware of app sources and access rights: install from trusted sources only
- Beware of apps requesting excessive permissions on the device

23 Phishing
Phishing is the act of attempting to acquire information such as usernames and passwords by pretending to be from a trusted entity, e.g. ITS or another department of the University.
Signs of a phishing email:
- Unofficial "From" address
- Urgent action required
- Generic greeting
- Link to a fake website, sometimes mixed with legitimate links
What to do if you receive a phishing email:
- Delete these suspicious emails
- Don't reply or click any link in them
- Check the HKU Spam Report website

24 Phishing
Sample of a phishing email. Non-HKU hyperlink: Http://evil.com/cheat_u/login.htm

25 Ransomware
Ransomware is malicious software which encrypts files and demands a ransom payment; in some cases, normal use of the infected computer cannot be resumed even after the ransom is paid.

26 Ransomware
Ransomware typically propagates in the form of a Trojan horse which enters a computer through:
- a downloaded file
- emails with malicious attachments
- a malicious website
- a network vulnerability
Sample ransom note: "Your PC is locked and files are encrypted: To get the key to unlock your PC and decrypt files, you have to pay HK$10,000."

27 Security Measures for Protecting PC
- Regularly back up your PC data and keep a recent backup copy off-line.
- Ensure anti-virus software is installed on your PCs and keep it up-to-date with the latest virus signatures.
- Keep the operating systems of your PCs up-to-date.
- Do not open suspicious emails, attachments/files or unsolicited web sites.
- Do not enable macros in document attachments received via email.
- Limit the privileges and access rights of shared network drives.
- Refer to the HKU ITS web site

28 Thank You
