The Chinese University of Hong Kong, Information Technology Services Centre (ITSC) - Information Security
Frequently Asked Questions
1. Q: How can I check whether an email is a phishing email?
  A: I. Check whether it is a reported case on our Phishing page.
     II. Confirm with your LAN administrator or ITSC whether ITSC has actually sent such an email.

2. Q: What should I do if I have replied to a phishing email?
  A: Please refer here.

3. Q: Where can I find anti-virus software?
  A: Please refer here.

4. Q: Are there any tools to encrypt data?
  A: There are many tools; one of them is TrueCrypt, a free open-source encryption software, available here.

5. Q: Any suggestions for secure use of mobile computing devices, e.g. USB memory drives, removable hard drives, laptops?
  A: Please refer to the guidelines for securely managing mobile computing devices and removable storage media on the ITSC homepage.

6. Q: How can I avoid data leakage if I need to send a computing device containing sensitive data for maintenance?
  A: You can use the software Darik's Boot and Nuke (DBAN) to erase all the data stored on the hard drive.

7. Q: How long should I set the session timeout?
  A: In general, 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-risk applications. For detailed information, please refer here.

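The following is an added example (not ITSC's code, and not part of the original FAQ) showing how the three idle-timeout tiers above can be enforced on the server side. It assumes a simple in-memory session table keyed by session id and a risk tier ("high", "medium", "low") chosen per application when the session is created; the FakeClock class exists only so the expiry logic can be exercised without waiting for real time to pass.

```python
import time
from dataclasses import dataclass

# Idle timeout in minutes per application risk tier, as given in the FAQ answer.
IDLE_TIMEOUT_MINUTES = {"high": 5, "medium": 10, "low": 20}


class FakeClock:
    """Controllable clock so the timeout logic can be tested without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class Session:
    user: str
    tier: str
    last_activity: float  # seconds since epoch (or FakeClock time)


class SessionStore:
    """Server-side session table that enforces the per-tier idle timeout."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, session_id, user, tier):
        # Refuse unknown tiers rather than silently falling back to the longest timeout.
        if tier not in IDLE_TIMEOUT_MINUTES:
            raise ValueError(f"unknown risk tier: {tier}")
        self._sessions[session_id] = Session(user, tier, self._clock())

    def _expired(self, session, now):
        return now - session.last_activity > IDLE_TIMEOUT_MINUTES[session.tier] * 60

    def touch(self, session_id):
        """Validate a session on each request.

        Returns the Session if it is still valid (and refreshes its last-activity
        time), or None if the id is unknown or the session has been idle too long.
        An expired record is deleted immediately so it cannot be revived later.
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        if self._expired(session, now):
            del self._sessions[session_id]
            return None
        session.last_activity = now
        return session

    def sweep(self):
        """Remove idle sessions proactively (run this periodically), so a session
        that is never touched again does not linger in the table. Returns the
        number of sessions removed."""
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(clock)
    store.create("s-high", "alice", "high")
    store.create("s-low", "bob", "low")
    clock.advance(5 * 60 + 1)  # one second past the high-value limit
    print("high-value session still valid:", store.touch("s-high") is not None)  # False
    print("low-risk session still valid:", store.touch("s-low") is not None)    # True
```

The timeout is checked on the server from the stored last-activity time, never from a value the client supplies, and the check runs both on each request (touch) and in a periodic sweep, so an abandoned session is removed even if no further request arrives.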
8. Q: How long should the audit logs be kept?
  A:

An audit trail shows how the system is being used from day to day. Logs should be retained for a defined period.

In most cases, the type of business will define the external requirements for information retention. Legal counsel and audit staff should always be included in the development process for any data retention policies to ensure the business is complying with all contracts, local laws, industry regulations, and national or international laws.

For instance, the Sarbanes-Oxley Act (SOX) that affects US Corporations specifies retaining audit logs for up to seven years. The VISA Cardholder Information Security Program (CISP) specifies retaining audit logs for at least six months.

Some organisations retain audit logs until it is determined that they are no longer needed for administrative, legal, audit, evidence or other operational purposes. Some choose to retain all evidence for months or years after the incident ends.

As a general guideline on information security, you may consider keeping the logs for six months or more.
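The following is an added example (not ITSC's code, and not part of the original FAQ) showing how a retention guideline like the one above can be applied to rotated log files. It assumes rotated logs are named <class>.log-YYYYMMDD (an assumption about the naming scheme), uses 180 days as the six-month default, and adds an illustrative longer period for a "finance" log class to show how a regulation-driven requirement would be expressed; the legal-hold set reflects the point above that evidence may need to be retained beyond the normal period. The file names, dates and hold list are constructed sample data.

```python
import re
from datetime import date, timedelta

# Retention period in days per log class. The FAQ's general guideline is six
# months (taken here as 180 days). The "finance" entry is an illustrative
# longer period, not a statement of any specific legal requirement.
RETENTION_DAYS = {
    "default": 180,
    "finance": 7 * 365,
}

# Constructed sample: rotated log file names assumed to follow <class>.log-YYYYMMDD.
SAMPLE_LOG_FILES = [
    "auth.log-20240615",
    "auth.log-20231201",
    "web.log-20231215",
    "web.log-20240110",
    "finance.log-20200301",
    "notes.txt",
]

# Constructed sample: files that must be kept regardless of age (e.g. incident evidence).
SAMPLE_LEGAL_HOLD = frozenset({"auth.log-20231201"})

# Constructed "today" so the example is deterministic.
SAMPLE_TODAY = date(2024, 7, 1)

_DATE_SUFFIX = re.compile(r"-(\d{4})(\d{2})(\d{2})(?:\.gz)?$")


def parse_log_date(filename):
    """Return the date encoded in a rotated log name, or None if absent or invalid."""
    match = _DATE_SUFFIX.search(filename)
    if not match:
        return None
    try:
        return date(int(match.group(1)), int(match.group(2)), int(match.group(3)))
    except ValueError:  # e.g. month 13 or day 99
        return None


def retention_days_for(filename, policy=RETENTION_DAYS):
    """Look up the retention period for a file by its log class (the name before the first dot)."""
    log_class = filename.split(".", 1)[0]
    return policy.get(log_class, policy["default"])


def classify_logs(files, today, policy=RETENTION_DAYS, legal_hold=frozenset()):
    """Partition files into four buckets:
    keep    - within the retention period for their class
    expire  - older than the retention period and eligible for deletion
    held    - older than the retention period but under legal hold, so kept
    unknown - no parseable date; never deleted automatically
    """
    result = {"keep": [], "expire": [], "held": [], "unknown": []}
    for name in files:
        logged_on = parse_log_date(name)
        if logged_on is None:
            result["unknown"].append(name)
            continue
        cutoff = today - timedelta(days=retention_days_for(name, policy))
        if logged_on >= cutoff:
            result["keep"].append(name)
        elif name in legal_hold:
            result["held"].append(name)
        else:
            result["expire"].append(name)
    return result


if __name__ == "__main__":
    buckets = classify_logs(SAMPLE_LOG_FILES, SAMPLE_TODAY, legal_hold=SAMPLE_LEGAL_HOLD)
    for bucket, names in buckets.items():
        print(f"{bucket:8s} {names}")
```

The function only classifies; the actual deletion or archiving step is left to the caller so that the "expire" list can be reviewed or logged first, and anything whose age cannot be determined is deliberately left alone.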

The following documents may be useful for your reference:

    1. IT Security Guidelines
    2. Information Security Guide for Small Businesses, Third Edition
    3. Guide to Computer Security Log Management (Sep 2006) by NIST
Need Help?
For comments and enquiries about this service, please write to the ITSC Electronic HelpDesk at
http://helpdesk.itsc.cuhk.edu.hk