Organizational Structure Supporting Cybersecurity
  1. Governance and Operational Support

Cybersecurity related policies and updates are defined by ITSC in consultation with the senior management as well as the user community. ITSC is also charged with the operational responsibility of supporting the University’s cybersecurity at a healthy level, by providing a core set of services, tools as well as technical support to the University community. ITSC discharges this responsibility by dedicating manpower in attending to cybersecurity issues, through the setup of IT Security Officer and the Cybersecurity Incident Response Team, as well as collaboration with Cybersecurity Coordinators nominated by the management of individual sites/departments/offices/units.

  1. IT Resource User and Owner

Users of IT resources are expected to follow the Acceptable Use Policy as well as Personal Data Privacy Policy. Users of end-point devices (e.g. desktop and notebook computers) should follow, or ensure the ones supporting those devices follow, the Minimum Security Standard for end-points. Users handling sensitive data should follow the Acceptable Practices for Handling High Risk Data. Owners of servers or application systems should follow, or ensure the ones supporting those servers or application systems follow, the Minimum Security Standard for servers and application systems.

  1. Compliance and Risk Acceptance

In order to ensure cybersecurity related policies are effectively implemented across the University, regular monitor for compliance is required such that potential problems can be identified and addressed at an early stage. The compliance monitor is performed internally and externally, both at the University level and the site/departmental/office/unit level.

Internal compliance monitor is conducted by ITSC through automated scans as well as focused investigations on a regular basis. The management of individual sites/departments/offices/units will receive regular updates on the results of internal compliance monitor through the Cybersecurity Health Report, and is expected to address any issue that emerges in a timely manner. External compliance monitor is conducted by authorized cybersecurity consultants or auditors.

Management of individual sites/departments/offices/units will determine if any outstanding cybersecurity risks, as reflected from internal and external compliance monitor, can be accepted or should be discussed with ITSC for escalation. IT Security Officer is also empowered to escalate any misclassification of risks, non-compliance and emerging cybersecurity threats up to the senior management of the University such that appropriate action to be agreed.