Securely Using Mobile IT Devices and Removable Storage Media Guideline

Purpose
Mobile IT devices can be laptop computers, personal digital assistants (PDAs) and smart phones. Removable storage media can be external hard drives, memory cards, CDs, DVDs and universal serial bus (USB) drives (a.k.a. memory sticks and thumb drives).
These handy portable devices are usually small. They can be lost or stolen easily. The following guidelines document various ways to securely manage these devices when they are used to store sensitive and restricted information.

Guidelines
Below are the major guidelines:

1. Storage of sensitive and restricted data on portable devices should be avoided or limited to the minimal quantity required to accomplish the business purpose.
2. Use a strong password to protect the access to the portable devices. This will make reading your data difficult and may deter a less skillful hacker. The password should be changed regularly.
3. Encrypt sensitive and restricted data stored in portable devices to lower the risk of disclosing the data. For more information about encryption software or secure portable devices, please feel free to contact us.
4. Do not leave mobile devices with sensitive data unattended or share them with unauthorized persons. They should be in the possession of an authorized person at all times or be physically locked away.
5. Regularly back up data on portable devices to another secure medium.
6. When disposing of obsolete mobile storage, degaussing or physical destruction is recommended.
7. Remove all sensitive and restricted data from the mobile storage before sending it to reliable service providers for repair. Service providers should normally sign a confidentiality agreement (see attachment) to demonstrate due diligence.
8. Install anti-virus and malicious code detection software and perform regular scanning.
9. Immediately report any loss, theft or unauthorized access of mobile storage containing sensitive and restricted data to the Director, Division Heads or IT Support Team of SCS.

Definitions
The abbreviations and terms used in this document have the following meaning:

"mobile IT devices" are IT devices like laptop computers, personal digital assistants (PDAs) and smart phones.
"removable storage media" is memory for storing data such as external hard drives, memory cards, CDs, DVDs and universal serial bus (USB) drives (a.k.a. memory sticks and thumb drives).
"portable devices" refers to all mobile computing devices and removable storage media.
"sensitive data" means information generally used internally by authorized users or externally by authorized partners for business needs. It includes security-sensitive information.
"restricted data" is data restricted by law and legal contract, such as personal data. It also includes information which enables access to sensitive data, such as an access password.
"personal data" means any data
  a. Relating directly or indirectly to a living individual;
  b. From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  c. In a form in which access to or processing of the data is practicable.
"strong password" can be set by following the rules below:
  a. Set your passwords with at least eight characters composed of random letters, digits and symbols;
  b. Use different passwords in different systems; and
  c. Never use dictionary words or personal information such as name, date, telephone number, HKID and user ID, etc.
*** Adapted from the relevant guidelines published by ITSC of CUHK on 16/5/2008 ***


Enquiries
E-mail: scs@cuhk.edu.hk
Copyright © 2009.
All Rights Reserved.
SCS CUHK.