Revised: 12 Nov 2015 by ITSC
Escalating Threats in Cybersecurity
Advances in technology have led to the widespread application of Information Technology (IT). This has in turn steadily increased the number of cybersecurity incidents in modern society. In particular, higher education organizations, which embrace an open and free academic culture and normally adopt IT on a large scale, are unfortunately attractive targets for cyber attackers. Cybersecurity threats targeted at the higher education sector have been escalating.
Since the use of IT has become an integral part of HKUST’s day-to-day business, a reasonable level of cybersecurity is in the interest of everyone in HKUST. To that end, it is important that all members of the University community understand and perform their responsibilities in protecting the IT resources (e.g. data, end-points, servers, application systems, etc.) under their control. This document outlines how cybersecurity is managed and governed in the University and the roles and responsibilities of everyone in upholding the University’s cybersecurity.
Considering recommendations from international standards (e.g. ISO27001, ISO27002, SANS 20, etc.) and adopting current best practices in similar organizations worldwide (e.g. Stanford University), the Cybersecurity Policy in HKUST follows a few guiding principles including:
1. Confidentiality, Integrity and Availability as Objectives
We aim at three high-level objectives: Confidentiality, Integrity and Availability. Confidentiality refers to the protection of IT resources from unauthorized access (e.g. unintended disclosure of information). Integrity concerns the preservation of the intended functions and state of IT resources (e.g. protection against corruption of data). Availability refers to the protection of IT resources from unintended disruption (e.g. denial-of-service).
2. Shared Responsibilities
Maintaining a healthy level of cybersecurity campus-wide is in the interest of, and requires the contribution of, every member of the University. While ITSC is charged with the responsibility of providing core services, tools and technical support for cybersecurity, every member of the University is responsible for protecting the IT resources under his/her control. For instance, it is the responsibility of individuals to protect their personal data, passwords, sensitive information, etc. The management of a site/department/office/unit is responsible for leading the unit to maintain a healthy level of cybersecurity by meeting the Minimum Security Standard, adopting suggested good practices, etc.
3. Risk-based Approach to Protection
While the University is an open and free environment, it is equally important to protect the University from unnecessary risks and to maintain the healthiness of critical IT resources and data for operational needs. To strike a balance between openness and control, as well as between costs and benefits, it is most effective to adopt a risk-based approach to cybersecurity. Such an approach is manifested in the classification of IT resources and information into different risk categories, so that different levels of protection can be applied to different risk categories.
4. Defense in Depth
It is more effective to mitigate risks with multiple measures deployed at different levels:
- Network – segregation by risk, intrusion detection, anti-denial-of-service, etc.
- Server – vulnerability management, physical security, etc.
- End-Point – anti-virus, patching, physical security, etc.
- Application System – development standard, penetration test, etc.
- Data – encryption, data loss protection, etc.
- People – awareness, conformance, skills, etc.
An example of effective defense in depth is end users not opening suspicious email attachments even though anti-virus protection is already in place at the End-Point, Network and Server levels.
5. Holistic Consideration for Different Stages in Life Cycles
Rapid advances in IT have led to a shorter life cycle for IT resources, from creation and deployment to retirement. Protection of IT resources and information should be tied in with the different stages of the life cycle. For instance, cybersecurity protection for application systems or other IT resources should be embedded in their respective life cycles, from acquisition to disposal.
Structure of Cybersecurity Policy
The Cybersecurity Policy document is structured around several core aspects that have a profound effect on the University’s cybersecurity posture. The document is organized as follows:
- Organizational Structure Supporting Cybersecurity
- Risk Assessment, Classification and Mitigation
- Minimum Security Standard, Acceptable and Recommended Practices
- Incident Handling
- IT Infrastructure Security
- Acceptable Use Policy
- Personal Data Privacy
- IT Security Officer
- Cybersecurity Coordinators
- Cybersecurity Health Report
- Risk Classification Examples of Common IT Resources
- Minimum Security Standard
- Acceptable Practices for Handling High Risk Data
- Cybersecurity Incident Handling Policy
- IT Infrastructure Security
- Recommended Practices for Access Control
- Recommended Practices for Sites and Physical Security
- Application Development Guidelines
- Adoption of New Technologies Policy
- Cybersecurity Exception Request
- Guidelines on choosing Cloud Service Provider
- SANS 20
- Stanford University
- Office of Government CIO