Data Management Policy - Verification and Information Risk Assessment Policy


Verification and Information Risk Assessment Policy

1. Verification of Information Security Policy Implementation

Conduct audits and verification of compliance with the University’s information security policies. Identify any non-compliant or at-risk systems and report to the University’s IT Security Committee for further action.

2. Risk Assessment Guidelines

Assess information security risks covering:

2.1 Risks from human errors, such as accidental data deletion or misconfigurations

2.2 Risks from internal threats, such as intentional data breaches by staff

2.3 Risks from external threats, such as cyberattacks or hacking attempts

2.4 Risks due to data or software loss

2.5 Risks from hardware failures or system malfunctions

2.6 Risks from physical damage, such as fire, flood, or equipment theft

3. Risk Assessment Methodology

Establish procedures for identifying risks and evaluating the potential severity of impacts. The assessment should consider:

3.1 The probability level of each identified risk

3.2 The severity level of potential consequences

3.3 The threats or events that could trigger the risk

3.4 Vulnerabilities or weaknesses that may be exploited

4. Reporting

Audit results and compliance with the University’s Information Security Policy must be included in the ICT performance monitoring and evaluation reports.

Part 4: Information Security Awareness Policy

Objective

To disseminate the policy and guidelines to all staff and relevant stakeholders, ensuring they understand and recognize the importance of information security and can apply it correctly.

Responsible Parties

  1. Computer and Information Center

  2. Assigned training units

  3. Assigned system administrators

  4. Designated officers

Standards Referenced

Standards for Electronic Transaction Security

Implementation Guidelines

  1. Develop training courses related to information security awareness, integrating policy guidelines into the department’s regular training programs.

  2. Educate users to raise awareness of threats and the consequences of careless or unintentional system usage, and establish preventive measures where applicable.

  3. Conduct regular training on the safe use of University information systems, especially when changes or updates are made.

  4. Provide user manuals for secure information system usage and publish them on the department’s website.

  5. Deliver security best practices and warnings in easily digestible formats (e.g., posters, brochures, website updates), rotating topics regularly.

  6. Encourage participation and hands-on implementation through monitoring, evaluation, and needs assessments from users.