The risks associated with the use of an IT resource can be mapped to one of three risk categories, namely high-risk, moderate-risk and low-risk, depending on the outcome of a risk assessment. Risk should be assessed according to the purposes of use, and a good assessment often requires a sound understanding of the relevant business or operational concerns.
To assist IT resource users and owners in arriving at an appropriate risk assessment for their particular use cases, this document gives risk classification examples for common types of IT resources.
Since risk assessment is closely tied to the purposes of use, the reference classification may not be adequate in certain cases. All members of the University are strongly encouraged to assess the associated risks before using any IT resource, and to apply the stronger protection measure whenever in doubt.
Risk Category: High-risk
High-risk items are those whose protection is required by law (e.g. the Personal Data Privacy Ordinance) or that, if compromised, can lead to a significant impact on the University’s business, safety or finances. Common IT resources belonging to the high-risk category include but are not limited to the following:
Data Level
- Restricted data according to HKUST Data Classification Guidelines that is kept in electronic form
- Staff personal records
- Student personal records
- Alumni personal records
- Donor personal records
- Financial data
- Non-disclosure agreements or contracts
Application System Level
- Application systems handling high-risk data
- Central administrative information systems
- Central email system
End-Point Level
- Desktop or notebook computers used to store high-risk data
Server Level
- Servers supporting high-risk applications
- Servers supporting IT infrastructure
Network Level
- Central backbone network housing high-risk servers
Risk Category: Moderate-risk
Moderate-risk items are those that, if compromised, can lead to a noticeable impact on the University’s business, safety or finances. Common IT resources belonging to the moderate-risk category include but are not limited to the following:
Data Level
- Non-published research data
- Non-public meeting notes
- Usage and access logs
- Non-sensitive data containing personally identifiable information
Application System Level
- Application software handling moderate-risk data
- Learning management systems
- Official web sites
End-Point Level
- Desktop or notebook computers used for office work
- Desktop computers in Computer Barns
Server Level
- Servers supporting moderate-risk applications
Network Level
- Network housing moderate-risk servers and end-points
- Office network
- Network for teaching venues
- Network for research labs
- Staff residential network
Risk Category: Low-risk
Low-risk items are those that are not classified as high-risk or moderate-risk. Note that even items classified as low-risk must still meet the Minimum Security Standard where applicable.