Cybersecurity Policy

Escalating Threats in Cybersecurity

Advances in technology has led to the widespread application of Information Technology (IT). This has in turn steadily increased the number of cybersecurity incidents in the modern society. In particular, higher education organizations that embrace the open and free academic culture and normally adopt IT in large scales are, unfortunately, attractive targets to cyber attackers. Cybersecurity threats targeted at the higher education sector has been escalating.

Since the use of IT has become an integral part of HKUST’s day-to-day business, a reasonable level of cybersecurity is in the interest of everyone in HKUST. To that goal, it is important that all members of the University community understand and perform their responsibilities in protecting the IT resources (e.g. data, end-points, servers, application systems, etc.) under their control. This document intends to outline how cybersecurity is managed and governed in the University and the relevant roles and responsibilities of everyone in upholding the University’s cybersecurity.

Guiding Principles

Considering recommendations from international standards (e.g. ISO27001, ISO27002, SANS 20, etc.) and adopting current best practices in similar organizations worldwide (e.g. Stanford University), the Cybersecurity Policy in HKUST follows a few guiding principles including:

1. Confidentiality, Integrity and Availability as Objectives

We aim at three high-level objectives: Confidentiality, Integrity and Availability. Confidentiality refers to the protection of IT resources from unauthorized access (e.g. unintended disclosure of information). Integrity concerns the preservation of intended functions of IT resources (e.g. corruption of data). Availability refers to the protection of IT resources from unintended disruption (e.g. denial-of-service).

2. Shared Responsibilities

Maintaining a healthy level of cybersecurity campus-wide is in the interest of, and requires the contribution from, every member of the University. While ITSC is charged with the responsibility of providing core services, tools and technical support for cybersecurity, every member of the University is responsible for protecting the IT resources under his/her control. For instance, it is the responsibility of individuals to protect their personal data, passwords and sensitive information, etc. The management of a site/department/office/unit is responsible for leading the unit to maintain a healthy level of cybersecurity by meeting Minimum Security Standard and adopting suggested good practices, etc.

3. Risk-based Approach to Protection

While the University is an open and free environment, it is equally important to protect the University from unnecessary risks and maintain healthiness of critical IT resources and data for operational needs. To strike a balance between openness and control as well as costs and benefits, it is most effective to adopt a risk-based approach for cybersecurity. Such approach is manifested in the classification of IT resources and information into different risk categories such that different levels of protection can be applied for different risk categories.

4. Defense in Depth

It is more effective to mitigate risks with multiple measures deployed at different levels:

  1. Network – segregation by risk, intrusion detection, anti-denial-of-service, etc.
  2. Server – vulnerability management, physical security, etc.
  3. End-Point – anti-virus, patching, physical security, etc.
  4. Application System – development standard, penetration test, etc.
  5. Data – encryption, data loss protection, etc.
  6. People – awareness, conformance, skills, etc.

An example of effective defense in depth is the scenario that end users do not attempt to open suspicious email attachments although anti-virus protection is already in place at End-Point, Network and Server levels.

5. Holistic Consideration for Different Stages in Life Cycles

Rapid advances in IT has led to a relatively shorter life cycle of IT resources, from creation, deployment to retirement. Protection of IT resources and information should be tied in with different stages in the life cycle. For instance, cybersecurity protection for application systems or other IT resources should be embedded in their respective lifecycles, from acquisition to disposal.

Structure of Cybersecurity Policy

The Cybersecurity Policy document is structured around several core and important aspects that have profound effects on the University’s cybersecurity posture. The document is organized as follows:

  1. Organizational Structure Supporting Cybersecurity
  2. Risk Assessment, Classification and Mitigation
  3. Minimum Security Standard, Acceptable and Recommended Practices
  4. Incident Handling
  5. IT Infrastructure Security
     

Related Links