IT Security Policy for Application Systems on Personal Data Handling

1. Principles of the Policy:

To ensure personal data is only used as intended and within (legal) restrictions
To apply appropriate security measures to protect personal data
To provide good security practices against hacking and eavesdropping

2. Scope of the Policy:

IT Application Systems containing ^[*1] personal data which is newly developed, revamped or having major system changes after this policy has been endorsed and published.

^[*1]: Definition of Personal Data refers to the University Protection of Personal Data (Privacy) and Circular to all staff and students – Management and Security of Personal Data

3. Policy Requirements

Application should minimize the data set with “Need to Know” principle
2FA for Application-admin in which application processes personal data should be enabled
Application should encrypt personal data both ^[*2]at rest and ^[*3] in transit
Application should display limited personal data (on need basis)
For user self-service applications, personal data should be partially masked. e.g. display first few alphanumeric characters of Staff ID
Application should enforce data retention as mandated by legislation
Application systems should follow ^[*4] Guidelines for Server Protection and Security Hardening

^[*2], ^[*3] & ^[*4] : Refer to below tab of “Security Technology Standards” S1, S2 & S3 respectively

A. Security Technology Standards

IT technology keeps changing and evolving, so does the security technology standards. ITSC will take care of these standards and do regular review. The following standards will subject to change in order to secure the University IT applications.

[S1] Data Encryption at rest , including but not limited to data in storage and logs :
- Use Strong encryption algorithm : AES256 or above
- Symmetric keys not to share across various applications and restrict to authorized user.

[S2] Data Encryption in transit, including but not limited to :
- Browser access to web application is encrypted using HTTPS
- Application access to database is encrypted using TLS-encrypted TCP connections to database server
- Application access to the FTPS site is encrypted using TLS
- Application access to the SFTP site is encrypted using SSH
- Servers hosting the above connections are configured to disable weak SSL protocols and weak cipher suites and to force asymmetric keys expired every 3 years :
  - Disable Weak SSL protocols : Disable SSLv2, SSLv3 and anything below TLS v1.2
  - Disable Weak cipher suites : Disable RC2, RC4, MD5, CBC, 3DES, DES and SHA-1

[S3] Guidelines for Server Protection and Security Hardening
- On-premise application systems :
- Public Cloud application systems :
  - Minimum Security Standards in procuring Public Cloud Service

Published on: Feb 2022

Last Update on: Mar 2022

B. Exceptional Case

Application owner or LAN admin may raise exemption request to state non-compliance items with strong justification.
Procedures:

Steps	Responsibility Role	Task
1	Application owner / LAN Admin	Submit request application via ITSC Service Desk
2.1	ITSC Information Security Section (ISS)	Evaluate submitted request and see whether the request should be proceeded for endorsement and approval.
2.2	Director of ITSC	Endorse the application and seek approval from University Management via email or meeting.
3	University Management	Approve ?

Remarks: ITSC would record down all request details and approval status.

Published on Feb 2022

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.