Personal Data Protection and Security Measures

Justin Law
IT Services - Information Security Team
18, 20 & 25 March 2015
Agenda
➢ Data protection
➢ Data Classification
➢ IT Security Good practices
Data protection
➢ Data is one of the most valuable assets of the University
➢ Data could be any factual information that is stored on
computer, USB drive, Cloud and paper.
➢ Risks to the data:
1. Theft
2. Loss
3. Leakage
4. Tampering
Data Classification
The importance of data classification
• Allow us to identify the data
• Manage the data better
• Employ appropriate level of security to the data
Three-level Data Classification
In order to handle data properly, data should be classified into sensitivity
levels, namely, PUBLIC, SENSITIVE and RESTRICTED information.
Restricted
Sensitive
Public
Three-level Classification
Public
• Data is generally open to the public.
• No existing local, national or international legal restrictions on access.
Example: Events and Activities, communications notices and publications.
Three-level Classification
Sensitive
• Data is “Official Use Only”
• Protected from unauthorized access due to proprietary, ethical or
privacy considerations
Example: Student Data; University partner or sponsor information where
no NDA exists
Three-level Classification
Restricted
• Data is protected by regulations, University policies or contractual
agreement
• Unauthorized access may result in significant financial risk or negative
impacts on the reputation of the University
Example: Personal Information, Payment Records, Medical records
Data Handling
➢ The level of precautions and security controls depends on the data
classification
➢ More protection for more sensitive data
Data Handling
| Security Control | Public Level | Sensitive Level | Restricted Level |
|---|---|---|---|
| Access Control | No restriction | AAA (Authentication, authorization, accounting) | AAA, Confidentiality agreement |
| Copying/Printing | No restriction | Limited | Limited with label “Confidential” |
| Network Security | No protection | Firewall, IPS, Allow remote Access | Firewall, IPS, No remote Access |
| System Security | Best practices | Hardening | Hardening with specific security |
| Physical Security | Locked | Locked, CCTV | Data Centre |
| Data Storage | Monthly Backup | Daily Backup | Encryption, Data loss prevention, Daily Backup |
| Auditing | No Logging | Logins | Logins, access and changes |
IT Security Good practices
Workstation
➢ Use a complex password of more than 8 characters
➢ Enable login password and screen saver password
➢ Log out when unattended
➢ Do not install P2P software on a computer that handles confidential data
➢ Physically secure the notebook PC, tablet PC
➢ Avoid using a public computer to access confidential files
➢ Use VPN or another secure channel for remote access from outside
the University
Storage
Data could be stored on personal PC, file server, mobile phone, NAS,
Cloud, etc…
➢ Access control
• Need ID and password
• Read, write, deny access
• Logging
➢ Use encryption
➢ Backup
Removable Storage
➢ Only store sensitive data on portable devices or media when absolutely
necessary
➢ Use Encryption
➢ Erase the data after use
➢ Don’t leave USB drive unattended
➢ Keep it safe
➢ Don’t use USB drive from unknown source.
➢ Report to your supervisor if you lose a USB drive that contains sensitive data
Guidelines on storing and accessing personal data on portable storage devices
and personally owned computers (Newly updated on Mar 2015):
http://www.its.hku.hk/about/policies/
Cloud storage
Before uploading data to Cloud, you should consider:
➢ Privacy and confidentiality
➢ Data Encryption
  ▪ being uploaded to, or downloaded from, and stored in the cloud
➢ Exposure of data
  ▪ to operator, local and foreign government or agency
Social Networks
Online Social networking sites are useful to stay connected with
others, but you should be wary about how much personal information
you post.
• Privacy and security settings
• Once posted, always posted
• Keep personal info personal
• Know and manage your friends
Mobile Security
“New Technology, old Privacy and Security issue”
➢ Lost or stolen devices
  ▪ Enable screen lock
  ▪ Encrypt the data, such as email and documents
  ▪ Use Remote Wipe and Anti-Virus
  ▪ Be aware of automatic login to company email and file server
➢ Malware and virus
  ▪ Steal bank details, company data, personal identities, email addresses
➢ Be aware of app sources and rights
  ▪ Install from trusted sources only
  ▪ Be aware of the requested application permissions
Phishing email
Sample of phishing email
Hyperlink: Http://evil.com/cheatu/login.htm
Phishing
Phishing is the act of attempting to acquire information such as
usernames and passwords by pretending to be a trusted entity, e.g. ITS or
another department of the University
➢ Signs of a phishing email:
• Unofficial “From” address
• Urgent actions required
• Generic greeting
• Link to a fake website, sometimes with legitimate links
➢ What to do if you receive a phishing email
• Delete these suspicious emails
• Don’t reply or click any link on them
• Refer to HKU Spam report web site http://www.its.hku.hk/spam-report
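The four signs listed above can be checked mechanically. The following is an added example, not part of the original slides: a minimal Python checker run over a constructed sample message. It assumes a single-part HTML e-mail and that hku.hk is the only trusted domain; the function names, word lists and sender address are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "hku.hk"  # assumption: the organisation's own mail/web domain
URGENT = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours)\b", re.I)
GENERIC = re.compile(r"\bdear\s+(user|customer|member|colleague|sir|madam)\b", re.I)

class Hrefs(HTMLParser):
    """Collect the href of every <a> tag; the visible link text is ignored."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.found.append(href)

def in_trusted(host):
    host = (host or "").lower()
    return host == TRUSTED or host.endswith("." + TRUSTED)

def phishing_signs(raw):
    """Return the signs from the list above that a raw e-mail exhibits."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str for a single-part message
    signs = []
    if not in_trusted(parseaddr(msg.get("From", ""))[1].rpartition("@")[2]):
        signs.append("unofficial From address")
    if URGENT.search(msg.get("Subject", "") + " " + body):
        signs.append("urgent action required")
    if GENERIC.search(body):
        signs.append("generic greeting")
    parser = Hrefs()
    parser.feed(body)
    # One off-domain link is enough, even when other links are legitimate.
    hosts = {urlparse(h).hostname for h in parser.found}
    bad = sorted(h for h in hosts if h and not in_trusted(h))
    if bad:
        signs.append("link outside " + TRUSTED + ": " + ", ".join(bad))
    return signs

# Constructed sample message (not a real e-mail); both URLs appear on the slides.
SAMPLE = """From: IT Helpdesk <helpdesk@its-hku.example>
Subject: Urgent: your mailbox will be suspended
Content-Type: text/html

<p>Dear user, confirm your password at
<a href="Http://evil.com/cheatu/login.htm">ITS login</a> or see
<a href="http://www.its.hku.hk/spam-report">the spam report site</a>.</p>
"""
```

The check reads the link's href rather than its visible text, so a message that mixes a legitimate link with a fake one is still flagged.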
Thank You