Guidelines for Securely Managing Mobile / Removable Devices

Removable storage media are designed to process data and information, and hence would usually maintain these data and information on its own storage, e.g. laptop computers, personal digital assistants (PDAs), mobile/smart phones and tablet computers. Removable storage media are convenient devices for storing data, e.g. external hard drives, memory card, CDs, DVDs and universal serial bus flash drives (a.k.a. memory sticks and thumb drives).
Both mobile computing devices and removable storage media (thereafter called portable devices) have common characteristics that they are small and easily transportable. However, they have the drawbacks of being easily lost or stolen. This document is to communicate to all staff and students the policies and guidelines in securely managing their portable devices which are used for storing sensitive and restricted information.

 

Policies and Guidelines in Handling Portable Devices

No. Guidelines Action parties 
1. Storage and processing of sensitive and restricted data on portable devices should be avoided or restricted to the minimal quantity required for research, teaching, learning or administrative purposes. If portable devices have to be used for the storage of personal data, feasibility of using internal identifiers instead of HKID Card number merely for purposes of identification should be considered. Scope and level of details of the data to be stored should be justified. For example, why is it necessary to store the entire database when only part of the records will be used? In other cases, why is it necessary to store all the details of an individual from a database when only some skeleton information of any individual is needed? Business process owner, project staff, etc. to assess. Department Chairmen / School Directors / Unit Heads / principal investigators to monitor.
2. Use a strong password to protect the access to the portable devices. Although a strong password could not stop a determined hacker from gaining access to your device, it will make reading your data difficult and may deter a less skillful hacker. Business process owner, project staff, device custodian, etc. to apply password.
3. Encrypt the sensitive and restricted data stored in portable devices to lower the risk of disclosing the data. For more information about encryption software or secure portable devices, please click here. Business process owner, project staff, device custodian, etc. to apply encryption.
4. Care should be taken when using portable devices in public places such as meeting rooms, libraries and computer rooms. All portable devices should not be left unattended or be shared with unauthorized persons. They should be in the possession of an authorized person at all times or be physically locked away. Device custodian.
5. Data stored on portable devices should not be the only copy. Back-ups of the data to another secure media such as a secure server should be carried out regularly. Business process owner, project staff, device custodian, etc. to take action.
6. In addition to the primary connectivity, some portable devices have other means of connectivity, such as Wi-Fi, Bluetooth or mobile network, available to them. To avoid accidental disclosure to or malicious attacks from these means of connectivity, storage and processing of sensitive and restricted data on portable devices with other means of connectivity should be restricted to the minimal quantity required for research, teaching, learning or administrative purposes. Business process owner, project staff, device custodian, etc. to take action.
7. The practice of securely erasing data in portable devices after each and every use will ensure that data cannot be recovered by others who subsequently use or have access to the portable devices. (Guidelines for erasing data on portable devices will be provided by ITSC.) Business process owner, project staff, device custodian, etc. to take action.
8. Obsolete portable devices should be securely disposed of to minimize the risk of information leakage to unauthorized persons, e.g. by degaussing the devices, physically destroying them, or by using a data cleaner to erase data inside. For more information about encryption software or secure portable devices. For more information about “Guidelines for securely remove data and dispose of storage devices”, please click here. Business process owner, project staff, device custodian, etc. to take action.
9. Only use a reliable service provider in case maintenance service is needed for the portable devices. Erase all sensitive and restricted data inside the portable devices if possible before sending the portable device to the service provider. Otherwise, request the service provider to sign a non-disclosure agreement for the service to demonstrate your due diligence. Please click here to get the non-disclosure agreement. Business process owner, project staff, device custodian, etc. to take action.
10. Use anti-virus and malicious code detection software, with latest virus signatures and malicious code definition files, to regularly scan the portable devices to ensure they are free of computer viruses and malicious code. Device custodian to take action.
11. Some portable devices, such as smart phones and tablet computers, support inactivity passwords which serve as access control. They should be enabled wherever possible to deter any unauthorized access attempts. Device custodian to take action.
12. Various ways to closely protect the portable devices should be considered. For example, portable devices can be labeled with the identity of the department/school/unit; cable locks can be used for laptop computers. Device custodian to take action.
13. Portable devices provided by the University should be subject to inventory checks performed by respective departments/schools/units. Spot checks should be conducted to confirm that the custodian is keeping the portable devices provided. Business process owner, principal investigators and project staff to take action.
14. Users must be trained to follow the relevant guidelines and procedures, and made accountable for non-compliance. Department Chairmen / School Directors / Unit Heads / principal investigators to take action.
15. To keep pace with technological developments, there should be a formal mechanism to re-assess regularly the risk associated with the use of Portable Storage Devices and to review the relevance and scope of the established policies on Portable Storage Devices. Department Chairmen / School Directors / Unit Heads / principal investigators / ITSC to take action.
16. The implementation and compliance level of portable device policies should be audited regularly to gauge its effectiveness. Department Chairmen / School Directors / Unit Heads / principal investigators / ITSC to take action.
17. If any portable devices containing sensitive and restricted data is lost, stolen or appears to have been accessed without permission, you should immediately report this to the Director of IT Services (via email dir-itsc@cuhk.edu.hk) and the Department Chairmen/School Directors/Unit Heads concerned so that remedial actions can be taken to prevent or minimize the damages caused. Please click here to get the Incident Report Form. Business process owner, project staff, device custodian, etc. to take action.
18. The above guidelines focus on the direct protection of portable devices. For a more complete protection, you should also refer to good practices of information security in other areas and ITSC Policies and Guidelines. All concerned staff members and students

Definitions

The abbreviations and terms used in this document have the following meaning:

  • “mobile computing devices” are computer devices that store and process data such as laptop computers, personal digital assistants (PDAs) and mobile/smart phones and tablet computers.
  • “removable storage media” is memory for storing data such as external hard drives, memory card, CDs, DVDs and universal serial bus drives (a.k.a. memory sticks and thumb drive).
  • “portable devices” refers to all mobile computing devices and removable storage media.
  • “sensitive data” means information generally used internally by authorized users or externally by authorized partners for research, teaching, learning or administrative needs. It includes security-sensitive information.
  • “restricted data” is data restricted by law and legal contract such as peronal data. It also includes information which enables the access to restricted data such an access password.
  • “personal data” means any data:
    1. relating directly or indirectly to a living individual,
    2. from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
    3. In a form in which access to or processing of the data is practicable
References
  1. ISO27002 “Code of practice for information security management” published by International Organization for Standardization.
  2. InfoSec website
  3. Recommended Procedures for IT Practitioners on Personal Data Handling
  4. Personal Data (Privacy) Ordinance
Contact

This document is prepared by the Information Security Section (ISS) of the University Information Technology Services Centre. For any comments and enquiries regarding the content of this document, please send to ITSC servicedesk http://servicedesk.itsc.cuhk.edu.hk/