CITY UNIVERSITY OF HONG KONG



Similar documents
CITY UNIVERSITY OF HONG KONG

Guideline for Roles & Responsibilities in Information Asset Management

Guidance Note on Recognition of Certification Authorities and Certificates under the Electronic Transactions Ordinance (Cap. 553)


The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Information Integrity & Data Management

Hong Leong Asia Ltd.

INFORMATION TECHNOLOGY SECURITY STANDARDS

University of Sunderland Business Assurance Information Security Policy

GUIDANCE NOTE ON OUTSOURCING

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance 1

University of Sunderland Business Assurance Over-arching Information Governance Policy

Manage Compliance with External Requirements

Information Governance Policy

Personal Data & Privacy Policy Statement

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public

CITY UNIVERSITY OF HONG KONG

Consultation Document on Review of the Personal Data (Privacy) Ordinance

QUOTATION REQUEST WESTERN AUSTRALIA. How long has the business been in the WA? New 1 4 Yrs 5 8 Yrs 8 Yrs Plus

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

QUOTATION REQUEST TASMANIA. How long has the business been in the TAS? New 1 4 Yrs 5 8 Yrs 8 Yrs Plus. Current Insurer: Expiry Date: / /

POLICY 5.9 CORNELL UNIVERSITY POLICY LIBRARY. Information technology data will be disclosed only according to the procedures outlined in this policy.

INFORMATION SECURITY MANAGEMENT POLICY

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

University of Liverpool

Information Security Management System Policy

technical factsheet 176

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Supervisory Policy Manual

TELECOMMUNICATIONS ORDINANCE (Chapter 106) CLASS LICENCE. Section 8(1)(aa) of the Telecommunications Ordinance OFFER OF TELECOMMUNICATIONS SERVICES

Privacy and Cloud Computing for Australian Government Agencies

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Council Policy. Records & Information Management

How To Protect Decd Information From Harm

Personal Data Protection Policy and Practices ( the Policy )

POSITION DESCRIPTION, PERFORMANCE MEASURES AND TARGETS

Privacy Incident and Breach Management Policy

Cloud Computing. Introduction

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Policy-Standard heading. Fraud and Corruption Policy

The Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation

A Best Practice Guide

Guidance Note on Actuarial Review of Insurance Liabilities in respect of Employees Compensation and Motor Insurance Businesses

Information Security Program

(a) the kind of data and the harm that could result if any of those things should occur;

The taxation treatment of Australian financial products is not the same as for New Zealand financial products.

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

INFORMATION PRIVACY POLICY FOR WORKERS

ISO27001 Controls and Objectives

PROCEDURE. The permission rights assigned to allow data custodians to view, copy, enter, download, update or query data.

Information Security Program CHARTER

ISO Controls and Objectives

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Information Security Policy

Code of Practice On Person-to-Person Marketing Calls

How has outsourcing affected public service delivery in Hong Kong? Illustrate with relevant cases.

Data Protection Policy

4 Guidelines on Administration Charges for Reporting of Site Accidents

1 LAWS of MINNESOTA 2015 Ch 67, s 2. CHAPTER 67--S.F.No. 86 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Bring Your Own Device (BYOD) Policy

I S O I E C I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

Data Protection Policy June 2014

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

Document Management in the FIPPA Era

Document Title: System Administrator Policy

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

EXECUTIVE ORDERS ON OFFSHORE OUTSOURCING ISSUED IN OTHER STATES

Information Security Management System Information Security Policy

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Information & ICT Security Policy Framework

Proposal Form. Information Technology Combined Professional and Public & Technology Products Liability. Page 1 of 13

Highland Council Information Security Policy

CITY UNIVERSITY OF HONG KONG. Information Security PUBLIC Internal Assessment Standard

Initial Audit Engagements Opening Balances

Third Party Security Requirements Policy

Cyber Risks in the Boardroom

Information and Compliance Management Information Management Policy

Newcastle University Information Security Procedures Version 3

HIPAA Privacy Rule Policies

CITY UNIVERSITY OF HONG KONG. Information Classification and

La Trobe University is committed to maintaining a comprehensive and effective Compliance Framework.

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Issue #5 July 9, 2015

Information Governance Standards in Relation to Third Party Suppliers and Contractors

HORIZON OIL LIMITED (ABN: )

FSPFCC04(SQA Unit Code-F88P 04) Ensure you comply with regulations in your financial services environment

Johnson Electric Group Code of Ethics and Business Conduct

Corporate ICT & Data Management. Data Protection Policy

The Cyprus mobile operators Code of Practice for the responsible and secure use of mobile services. Final version for publication

IP Considerations in Outsourcing Agreements

ACE Insurance Limited ELITE II PROFESSIONAL INDEMNITY INSURANCE POLICY

Data Protection Breach Management Policy

CITY UNIVERSITY OF HONG KONG. Inventory and Ownership Standard

MERCHANT SHIPPING (LIMITATION OF SHIPOWNERS LIABILITY) (AMENDMENT) ORDINANCE 2005

Transcription:

CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in September 2015) INTERNAL Date of Issue: 2015-10-19

Document Control Document Owner Classification Publication Date OCIO PUBLIC 2015-10-19 Revision History Version Date Summary of Changes 1.0 2013-12-19 Initial Release 1.1 2015-06-19 Replaced IT Security Officer with Information Security Unit Allowed disclosure of information only if as required and permitted by the contract terms of the University Modified to allow asset/process owners to report noncompliance to University s management as well as ISU Distribution Copy Issued to Location Master Public http://www6.cityu.edu.hk/infosec/isps/docs/?page=00.about

Contents 1 Policy Statement... 1 2 Roles and Responsibility... 1 2.1 Information Security Unit (ISU)... 1 2.2 Asset or Process Owners... 1 2.3 Legal Counsel... 1 2.4 All staff of the University... 1 3 Compliance Management for Legislation... 1 3.1 Applicable Legislations and Regulations... 1 3.2 New Legislation... 2 3.3 Update to Existing Legislation... 2 3.4 Monitoring... 2 4 Compliance Management for Contractual Requirement... 3 4.1 Establishment of Contractual Requirement for the University... 3 4.2 Contractual Requirement Required by Third Party Vendors... 3 4.3 Monitoring... 3

Page 1 of 3 1 Policy Statement The City University of Hong Kong ( University ) shall ensure full compliance with all legal, statutory, regulatory and contractual requirements that are applicable to the operations of the University. 2 Roles and Responsibility 2.1 Information Security Unit (ISU) Check for updates or additions to the relevant legal, statutory, regulatory or contractual requirements that the University needs to comply Coordinate with the asset or process owners of relevant University Units in the identification and implementation of compliance process within the University Develop, maintain and monitor implementation of Follow up on noncompliance and escalate to senior management of the University 2.2 Asset or Process Owners Inform the ISU of any updates or additions to relevant law, statutory, regulatory or contractual requirements that his or her responsible Unit needs to comply Update the inventory of contracts relevant to his or her responsible asset or process Communicate the responsibilities for compliance with relevant law, statutory, regulatory or contractual requirements to the staff, students or contractors under his or her responsible Unit Report any noncompliance to the University s management and/or ISU 2.3 Legal Counsel Provide professional advice regarding the compliance issues encountered by the University Assist the impact assessment of noncompliance or deviations noted around the compliance status of the University 2.4 All staff of the University Comply with all applicable legal, statutory, regulatory and contractual requirements 3 Compliance Management for Legislation 3.1 Applicable Legislations and Regulations The following is a list of legislations related to the protection of information security in the University: Legislation & Regulations Telecommunications Ordinance (Cap. 106) Unsolicited Electronic Messages Ordinance (Cap. 593) Personal Data (Privacy) Ordinance (Cap. 486) Copyright Ordinance (Cap. 528) Employment Ordinance (Cap. 57) Regulatory Bodies Communications Authority (CA) Communications Authority (CA) Privacy Commissioner for Personal Data (PCPD) Intellectual Property Department (IPD) Labour Department (LD)

Page 2 of 3 Crimes Ordinance (Cap. 200) Theft Ordinance (Cap. 210) Electronic Transactions Ordinance (Cap. 553) Department of Justice Department of Justice Office of the Government Chief Information Officer (OGCIO) Overseas units and offshore units of the University must also comply with all applicable laws and regulations from all applicable jurisdictions. 3.2 New Legislation Whenever there is a new legislation related to information security, the ISU shall perform an assessment of their applicability to the University. The ISU should seek clarification from the regulatory body as necessary. For the relevant legislations, the ISU shall initiate the implementation of the new standards. All members of the University shall be informed of the new legislation and the actions taken by the University to achieve compliance. The Management of the University shall be informed of any new legislations and reviews the corresponding actions taken by the University. 3.3 Update to Existing Legislation The ISU shall check for updates to the above legislation on a monthly basis. The ISU should regularly visit the web pages of relevant regulatory organizations, subscribe to relevant web sites or consult the Legal Counsel and relevant administrative units of the University. Upon identification of any changes to the above legislation, the ISU shall perform an assessment of their applicability to the University. The ISU should seek clarification from the regulatory body as necessary. For applicable changes, the ISU shall drive the implementation of the revised policies, standards, procedures and guidelines by coordination with respective University Units or third parties. The Management of the University shall be informed of any updates to the existing legislations and reviews the corresponding actions taken by the University. 3.4 Monitoring The Asset/Process Owners shall monitor the information security compliance status of the legislations applicable to their responsible area. The ISU shall provide guidance to relevant queries raised by the Asset/Process Owners and consult the Legal Counsel of the University when necessary. Any noncompliance noticed shall be reported to the University s management and/or ISU who will then escalate to the University s senior management and handle according to the Information Security Incident Management Standard.

Page 3 of 3 4 Compliance Management for Contractual Requirement 4.1 Establishment of Contractual Requirement for the University When sensitive information is provided to third party vendors, the written contractual requirement shall include the following terms at minimum: Require all contractors, consultants, or external vendors to observe laws and the University s policies for privacy, copyright and security; Prevent disclosure of sensitive information to other third parties including subcontractors, except as required and permitted by the contractual terms of the University; Require a plan for the handling, return and destruction of sensitive information upon completion of the contractual requirements in accordance with the University s Information Classification and Handling Standard ; Require access or authorization permissions for the fulfillment of contractual requirements to be specified. These permissions should be terminated once the contractual obligations have been completed; and Require compensation plan for any noncompliance noted. 4.2 Contractual Requirement Required by Third Party Vendors When the third party vendors sensitive information is provided to the University, the Asset/Process Owner shall initiate the review of relevant contractual requirements in relation to the protection of such information. The Asset/Process Owner and the ISU shall determine whether the University s information security policies, standards and procedures (e.g. Information Classification and Handling Standard ) are sufficient to fulfill such contractual requirements, or whether any additional actions should be taken. 4.3 Monitoring The Asset/Process Owners shall monitor the information security compliance status of the contractual requirements applicable to their responsible area. The ISU shall provide guidance to relevant queries raised by the Asset/Process Owners and consult the Legal Counsel of the University when necessary. Any noncompliance noticed shall be reported to the University s management and/or ISU, who will then escalate to the University s senior management, and handle according to the requirements established in Information Security Incident Management Standard.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information