CITY UNIVERSITY OF HONG KONG



Similar documents
Information Security Program CHARTER

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

GUIDANCE NOTE ON OUTSOURCING

(a) the kind of data and the harm that could result if any of those things should occur;

Information Security Program

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Third Party Security Requirements Policy

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Security Policies. Version 6.1

Information Security Policy

Cloud Computing. Introduction

Intel Enhanced Data Security Assessment Form

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Utica College. Information Security Plan

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Client Security Risk Assessment Questionnaire

Cloud Computing: Legal Risks and Best Practices

A Best Practice Guide

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201

CITY UNIVERSITY OF HONG KONG Change Management Standard

The Hidden Risks: Managing Risks in Outsourcing Relationships. Bruce Jones Global IT Security, Compliance & Risk Manager Eastman Kodak Company

Information Security Program Management Standard

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Service Children s Education

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

I S O I E C I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

BUSINESS ASSOCIATE AGREEMENT ( BAA )

PCI Compliance for Cloud Applications


NSW Government Digital Information Security Policy

University of Sunderland Business Assurance Information Security Policy

Management of Cloud Computing Contracts and Environment

White Paper on Financial Institution Vendor Management

Newcastle University Information Security Procedures Version 3

ISO :2005 Requirements Summary

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Technology Engineers Examination. Information Technology Service Manager Examination. (Level 4) Syllabus

R345, Information Technology Resource Security 1

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

VMware vcloud Air HIPAA Matrix

Politique de sécurité de l information Information Security Policy

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

FedRAMP Standard Contract Language

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Services Providers. Ivan Soto

ISMS Implementation Guide

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Data Management Policies. Sage ERP Online

Page 1 of 7 Effective Date: 12/18/03 Software Supplier Process Requirements

DQS UL ASSESSMENT AND CERTIFICATION REGULATIONS

IT Security Incident Management Policies and Practices

Supervisory Policy Manual

Privacy Governance and Compliance Framework Accountability

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Technical Competency Framework for Information Management (IM)

DATA SECURITY AGREEMENT. Addendum # to Contract #

Information Resources Security Guidelines

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

STATE OF NEW JERSEY Security Controls Assessment Checklist

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TELEFÓNICA UK LTD. Introduction to Security Policy

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Cloud Computing and Records Management

HIPAA BUSINESS ASSOCIATE AGREEMENT

Privacy and Cloud Computing for Australian Government Agencies

Office 365 Data Processing Agreement with Model Clauses

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

PBGC Information Security Policy

Microsoft s Compliance Framework for Online Services

Domain 1 The Process of Auditing Information Systems

Top Ten Technology Risks Facing Colleges and Universities

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

INFORMATION TECHNOLOGY SECURITY STANDARDS

Statement of Guidance: Outsourcing All Regulated Entities

NSW Government Digital Information Security Policy

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Request for Proposals on Security Audit Services

Information Security Management Systems

Transcription:

CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24

Document Control Document Owner Classification Publication Date OCIO INTERNAL 2013-12-24 Revision History Version Date Summary of Changes 1.0 2013-12-19 Initial Release Distribution Copy Issued to Location Master Public http://www6.cityu.edu.hk/infosec/isps/docs/?page=00.about

Contents 1 Policy Statement... 1 2 Objective... 1 3 Roles and Responsibilities... 1 4 Impact Analysis... 3 5 Supplier Selection... 4 6 Supplier Contracts... 4 7 Supplier Control and Monitoring... 5 8 Service Transition... 6 9 Service Termination... 6 Reference... 6

Page 1 of 6 1 Policy Statement The City University of Hong Kong ( University ) must ensure that IT related products and services delivered by suppliers and their practices on information security are compliant with the University s information security policy. 2 Objective This standard is established to provide guidelines for the University to achieve the goals of information security in the supplier management process. This standard applies to the evaluation, monitoring, and controlling of suppliers to ensure provision of seamless and quality service 3 Roles and Responsibilities Details procurement and tendering procedures are documented in Financial Policies and Procedure Manual of the University. The table below describes the information security related roles and responsibility of different parties at different stage of the purchase cycle. Stages Identify Needs All Products or Services Roles User Departments Aware and conform to Information Security Policies and Standards and Information Security Standard for Suppliers Identify information used in services Classify information used Identify mode of service, o On-site Service, o Supplier is hosting/housing University s information, o Supplier has access to University s Internal Network and Servers Specify security requirements and controls in service specifications Computing Services Centre Office of the Chief Information Officer Purpose and maintain "University's Information Security Policies and Standards" and "Information Security Standard for Suppliers" and submit to ISGC for endorsement Assists in identifying information and classifying information Provide advisory services on security requirements and corresponding security controls

Page 2 of 6 Stages IT Products or Services which will be hosted in the University or access to Networks or Servers of the University Roles User Departments Liaise with CSC to have an initial understanding to suitability and compatibility to the University s IT Infrastructure and Requirements Approved Requisitions by Budget Controller All Products or Services Include cost for security requirements and controls when preparing and approving budget Quotation/ Tendering Assessment & Approval For any products Consider suppliers or services that ability in handling handle or use sensitive information CONFIDENTIAL of suppliers when or RESTRICTED evaluating suppliers information of the Notify OCIO if purchase University value is over IT Products or Services which will be hosted in the University or access to Networks or Servers of the University HK$500,000. Liaise with CSC ensure suitability and compatibility of suppliers purposed services to the University s IT Infrastructure and Requirements Issue of Purchase Order/Contract All Products or Services that handles or uses INTERNAL, CONFIDENTIAL, or RESTRICTED information Sign Mutual NDA with Supplier before exchanging any INTERNAL, CONFIDENTIAL, or RESTRICTED information with supplier Computing Services Centre Provide advice and verify suitability and compatibility of service to the University s IT Infrastructure and Requirements Provide advice and verify suitability and compatibility of suppliers purposed services to the University s IT Infrastructure and Requirements Office of the Chief Information Officer Provide advice on security requirements and controls Provide advice on supplier selection and evaluation

Page 3 of 6 Stages Roles User Departments Receiving of Goods & Services For all Services Monitor and ensure compliance to applicable policies of the University, including but not limited to "Data Privacy Policy", "Information Security Policies and Standards" Monitor and ensure compliance to applicable legislations, including but not limited to PDPO For all Departmental managed Online IT Services For all Online IT Services managed by Central IT Liaise with CSC and ISU to conduct assessment before launch of services. Manage risks before service launch Liaise with CSC and ISU to conduct assessment before launch of services Manage risks before service launch Computing Services Centre Conduct toolbased assessment Revert finds to user departments Provide consultation service on risk management Office of the Chief Information Officer Conduct tool-based scanning Provide consultation service on risk management Conduct tool-based scanning Provide consultation service on risk management 4 Impact Analysis Impact analysis is required to be conducted for all new products or services that will handle or use CONFIDENTIAL and/or RESTRICTED information of the University, and requires "4 or more written tenders". Impact analysis is a process to determine: Processes impacted by the new product or service (manual or automated); Details of type and sensitivity of information impacted; Availability requirement for the new product or service; Risk of the product or service(if applicable);

Page 4 of 6 Additional information security requirements needed to safeguard the data (regardless of hosting location), if information impacted is sensitive or specifically protected by laws Requirements needed to limit access and safeguard data transmission, storage, and retention, if the system/ application/process is developed, outsourced and/or hosted at a supplier's location Information Security Unit is responsible for ensuring the appropriateness of impact analysis process and providing advice on the risk management strategy. The result of impact analysis shall be reviewed by User departments, CSC and Information Security Unit to ensure the suitability of new services. 5 Supplier Selection When selecting and evaluating suppliers for services or products which involves the handling of CONFIDENTIAL and/or RESTRICTED information, the following aspects and capability of supplier shall be considered: Maturity of supplier s information security policies, standards, and procedures Security protections in architecture, including network, application, server, remote access, etc. Configuration management, such as patches, baseline security configurations, etc. Security features in product design, such as features for compliance to PCI-DSS, security measures against common web application vulnerabilities, etc. Access control mechanisms in the product Monitoring and ability of the supplier in detecting abnormalities Physical security if the service or product is hosted under supplier s location Contingency plan, disaster recovery objectives and disaster recovery capability Data ownership, such as confidentiality agreements, and data removal requirements up on terminal of services, and etc. When the purchase value of a service or product is over HK$500,000, and the service or product will involve the handling of CONFIDENTIAL and/or RESTRICTED information, the User Department shall notify the Office of the Chief Information Officer ( OCIO ). The OCIO shall provide advice in supplier selection and evaluation. 6 Supplier Contracts Before using the supplier s services or products, the University shall establish and sign a contract with the supplier. A Statement of Work ( SOW ) or Scope of Service ( SOS ) must be established by the University in each contract to clearly state the products, services and deliverables provided the supplier. The contract must also clearly state the security requirements or the supplier to ensure that their products or services are consistent with the University s Information Security Policies and Standards.

Page 5 of 6 The following terms and conditions shall also be included in the contracts: The supplier shall observe laws and the University s policies for privacy, copyright and security; A mutual non-disclosure agreement ( NDA ) shall be established between University and suppliers if sensitive information (any information classified as INTERNAL, CONFIDENTIAL or RESTRICTED ) is used, stored and processed by the supplier; The supplier must use the University s sensitive information only for the purpose for which the University is entrusted to it. The supplier shall prevent disclosure of the University s sensitive information to other third parties including subcontractors, except as required or permitted by the contract terms of the University. Where subcontracting is allowed, the supplier s agreement with subcontractor should impose the same obligations in relation to processing on the subcontractors as are imposed on the supplier by the University; and the supplier shall remain fully liable to the University for the fulfillment of the imposed obligations. The supplier shall define a plan, subject to acceptance of the University, for the handling, return and destruction of the University s sensitive information upon completion of the contractual requirements in accordance with the University s Information Classification and Handling Standard. The supplier shall implement formal procedures to grant and remove authorization permission to its staff and subcontractor for accessing to the University s sensitive data based on need-to-know and need-to-use basis. The supplier shall ensure that its relevant staff will carry out the security measures and comply with the obligations under the contracting regarding the handling of sensitive information. The supplier is responsible for immediately reporting to the University of any sign of abnormalities and working with the University in recovery and remediation, in event of security breach. If CONFIDENTIAL or RESTRICTED information will be hosted in the supplier s location, the University should have the rights to carry out periodic security assessment and inspect how the supplier handles and stores the University s sensitive information within a mutually agreeable time to both parties; or the supplier shall provide security audit or assessment reports issued by qualified independent professionals and organizations. The consequence for violation of the contract. The User department shall also ensure that a Service Level Agreement ( SLA ) is established in the contract. 7 Supplier Control and Monitoring The User Department shall carry out regular monitoring on the performance of supplier and review the security level achieved by the supplier. The evaluation on performance of suppliers shall cover:

Page 6 of 6 Complaints, incidents, problems (e.g. service interruption, security breach, degradation of service level) encountered by the supplier; Contingency plan in the event the supplier cannot provide the services If agreed service level is not attained, or the supplier is providing non-conforming products/ services, User Department and Finance Office shall discuss with the supplier for rectification. Records of discussion and follow-up plan shall be prepared for monitoring purposes. If non-conformance persists, User Department and Finance Office can consider contract termination. 8 Service Transition The User Department shall ensure that quality of service is attained and security risks are managed during and after service transition. 9 Service Termination Upon termination of contracts, the User Department must inform suppliers to return or destroy all relevant data and resources of the University and require formal acknowledgement. User Department shall ensure that the quality of service is attained and security risks are managed during and after transition of service back to the University. Reference The following documents were consulted during the preparation of this document: City University of Hong Kong (2012), Financial Policies and Procedure Manual http://www6.cityu.edu.hk/fo/stafflan/htm/fppm_fo.htm GE Internal (2007), General Electric Third Party Information Security Policy Fujitsu (2012), Information Security Enhancement Measures in Cooperation with Suppliers Oracle (2012), Oracle Supplier Information and Physical Security Standards

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information