In view of the escalating cybersecurity threats targeted at the higher education sector, it is imperative that every IT resource user and owner in HKUST adopt appropriate cybersecurity protection. To strike a balance between openness and control, and between costs and benefits, it is most effective to adopt a risk-based approach to cybersecurity. This approach is manifested in the classification of IT resources, including data, application systems, endpoints, servers and networks, into 3 risk categories, namely high-risk, moderate-risk and low-risk, depending on the actual purpose of use. Adequate levels of protection can then be applied to each risk category according to the minimum security standards defined for it.
We adopt a shared responsibility model in which every IT resource user and owner performs a risk assessment and selects appropriate protection according to a set of defined minimum security standards. The IT Security Officer, posted in ITSC, together with a group of Cybersecurity Coordinators nominated by sites/departments/offices/units, is charged with facilitating this risk assessment process as well as implementing adequate protection.
Upholding cybersecurity is a continuous effort. Regular reviews, in the form of a Cybersecurity Health Report, will be prepared by the IT Security Officer and sent to the management of sites/departments/offices/units so that adequate remediation measures can be arranged. Exceptions that cannot be dealt with at that level will be escalated promptly according to the existing management structure of the University. The IT Security Officer will update the Cybersecurity Policy and adopt appropriate best practices in light of emerging cybersecurity threats.
The Cybersecurity Policy is structured as a set of related documents, each covering one element of the Policy. The following key documents give all system owners and administrators the understanding they need to start implementing the Policy:
- Cybersecurity Policy – the main document
- Minimum Security Standard – the detailed document on the minimum cybersecurity requirements for endpoints, servers and application systems according to their risk classification
- IT Security Officer – the detailed document on the roles and responsibilities of the IT Security Officer
- IT Infrastructure Security – the detailed document on the existing protection implemented in the University IT infrastructure encompassing the campus network, data centers, etc.