The Chinese University of Hong Kong Information Technology Services Centre 資訊科技服務處 香港中文大學
   
   
Purpose
 

Mobile computing devices are computer devices that store and process data, such as laptop computers, personal digital assistants (PDAs) and smart phones. Removable storage media are memory for storing data, such as external hard drives, memory cards, CDs, DVDs and universal serial bus drives (a.k.a. memory sticks and thumb drives).

Both mobile computing devices and removable storage media (hereafter called portable devices) are small and portable, and are therefore easy to lose or steal. This document communicates to all staff and students the guidelines for securely managing portable devices that are used to store sensitive and restricted information.

   
Guidelines
  Below are the ten major guidelines:
     
  1. Storage of sensitive and restricted data on portable devices should be avoided or restricted to the minimal quantity required to accomplish the business purpose.
     
  2. Use a strong password to protect access to portable devices. Although a strong password cannot stop a determined hacker from gaining access to your device, it will make reading your data difficult and may deter a less skillful hacker.

     
  3. Encrypt the sensitive and restricted data stored on portable devices to lower the risk of disclosing the data. For more information about encryption software or secure portable devices, please feel free to seek advice and assistance from us.
     
  4. Care should be taken when using portable devices in public places such as meeting rooms, libraries and computer rooms. Portable devices should never be left unattended or shared with unauthorized persons. They should be in the possession of an authorized person at all times or be physically locked away.

     
  5. Data stored on portable devices should not be the only copy. Back-ups of the data to another secure medium, such as a secure server, should be carried out regularly.

     
  6. Obsolete portable devices should be securely disposed of to minimize the risk of information leakage to unauthorized persons, e.g. by degaussing the devices, physically destroying them, or by using a data cleaner to erase the data inside (more information can be found here).
     
  7. Only use a reliable service provider in case maintenance service is needed for the portable devices. Erase all sensitive and restricted data inside the portable devices if possible before sending the portable device to the service provider. Otherwise, sign a confidentiality agreement with the service provider to demonstrate your due diligence.
     
  8. Use anti-virus and malicious code detection software, with the latest virus signatures and malicious code definition files, to regularly scan portable devices to ensure they are free of computer viruses and malicious code.

     
  9. If any portable device containing sensitive and restricted data is lost, stolen or appears to have been accessed without permission, you should immediately report this to the Director, ITSC (via email dir-itsc@cuhk.edu.hk) and the Department Chairmen/Unit Heads concerned so that remedial actions can be taken to prevent or minimize the damage caused.
     
  10. The above guidelines focus on the direct protection of portable devices. For more complete protection, you should also refer to good practices of information security in other areas and to the ITSC Policies and Guidelines.

Definitions
  The abbreviations and terms used in this document have the following meaning:
 

"mobile computing devices" are computer devices that store and process data such as laptop computers, personal digital assistants (PDAs) and smart phones.

"removable storage media" is memory for storing data such as external hard drives, memory cards, CDs, DVDs and universal serial bus drives (a.k.a. memory sticks and thumb drives).

"portable devices" refers to all mobile computing devices and removable storage media.

"sensitive data" means information generally used internally by authorized users or externally by authorized partners for business needs. It includes security-sensitive information.

"restricted data" is data restricted by law and legal contract, such as personal data. It also includes information which enables access to restricted data, such as an access password.

"personal data" means any data:

  a. Relating directly or indirectly to a living individual;
  b. From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  c. In a form in which access to or processing of the data is practicable.
   
References
  ISO27002 "Code of practice for information security management" published by International Organization for Standardization.
  "InfoSec website"
  "Recommended Procedures for IT Practitioners on Personal Data Handling"
  "Personal Data (Privacy) Ordinance"
Contact
  This document is prepared by the Information Security Section (ISS) of the University Information Technology Services Centre. For any comments and enquiries regarding the content of this document, please send them to the ITSC electronic helpdesk: https://helpdesk.itsc.cuhk.edu.hk/group/is-enquiries
 