IT Security Policy for Application Systems on Personal Data Handling

1. Principles of the Policy:

  • To ensure personal data is only used as intended and within (legal) restrictions
  • To apply appropriate security measures to protect personal data
  • To provide good security practices against hacking and eavesdropping


2. Scope of the Policy:

IT Application Systems containing [*1] personal data which is newly developed, revamped or having major system changes after this policy has been endorsed and published.

[*1]: Definition of Personal Data refers to the University Protection of Personal Data (Privacy) and Circular to all staff and students – Management and Security of Personal Data 


3. Policy Requirements

  • Application should minimize the data set with “Need to Know” principle
  • 2FA for Application-admin in which application processes personal data should be enabled
  • Application should encrypt personal data both [*2] at rest and [*3] in transit
  • Application should display limited personal data (on need basis)
  • For user self-service applications, personal data should be partially masked. e.g. display first few alphanumeric characters of Staff ID​
  • Application should enforce data retention as mandated by legislation
  • Application systems should follow [*4] Guidelines for Server Protection and Security Hardening

[*2], [*3] & [*4] : Refer to below tab of “Security Technology Standards” S1, S2 & S3 respectively



IT technology keeps changing and evolving, so does the security technology standards. ITSC will take care of these standards and do regular review. The following standards will subject to change in order to secure the University IT applications.

  • [S1] Data Encryption at rest , including but not limited to data in storage and logs :
    • Use Strong encryption algorithm : AES256 or above
    • Symmetric keys not to share across various applications and restrict to authorized user.


  • [S2] Data Encryption in transit, including but not limited to :
    • Browser access to web application is encrypted using HTTPS
    • Application access to database is encrypted using TLS-encrypted TCP connections to database server
    • Application access to the FTPS site is encrypted using TLS
    • Application access to the SFTP site is encrypted using SSH
    • Servers hosting the above connections are configured to disable weak SSL protocols and weak cipher suites and to force asymmetric keys expired every 3 years :
      • Disable Weak SSL protocols : Disable SSLv2, SSLv3 and anything below TLS v1.2
      • Disable Weak cipher suites : Disable RC2, RC4, MD5, CBC, 3DES, DES and SHA-1



Published on:  Feb 2022

Last Update on:  Mar 2022


  • Application owner or LAN admin may raise exemption request to state non-compliance items with strong justification.
  • Procedures:

Steps Responsibility Role Task
1 Application owner / LAN Admin Submit request application via ITSC Service Desk
2.1 ITSC Information Security Section (ISS) Evaluate submitted request and see whether the request should be proceeded for endorsement and approval.
2.2 Director of ITSC Endorse the application and seek approval from University Management via email or meeting.
3 University Management Approve ?
  • Remarks:  ITSC would record down all request details and approval status.



Published on Feb 2022