IT Services News No. 166, Nov - Dec 2013

University-Wide Data Loss Prevention Solution for the Use of USB Flash Drives

1. Data Loss Prevention (“DLP”) – What is it and why do we need it?

DLP here refers to the encryption measures for preventing unauthorized and/or accidental access to the data kept on USB Flash Drives when the drives are lost. Since loss of USB Flash Drives that may hold personal data is not uncommon, implementing a University-wide DLP solution to assure data safety in the use of USB Flash Drives on PCs that are owned by the University and used by its staff members (“Staff PCs”) is a requirement for meeting Data Protection Principle 4 (“DPP4”) and complying with the Personal Data (Privacy) Ordinance (“Ordinance”) <http://www.pcpd.org.hk/english/ordinance/ordglance.html> in Hong Kong.

The DLP solution to be implemented will support the Windows platforms listed in 2.1. In summary, from the users’ perspective, the solution will perform the following functions to achieve data safety and data loss prevention:

  • Unrestricted import of data from any USB Flash Drive to Staff PCs.

  • Initialization of USB Flash Drives using the DLP software installed on Staff PCs to enable write access with data encryption to the Flash Drives.

  • Password authentication for read/write access to DLP initialized USB Flash Drives from any PC on a supported platform.

  • Mandatory use of DLP initialized USB Flash Drives for writing data onto Flash Drives from any Staff PC installed with the DLP software.

  • Normal USB port functions of PCs retained for common devices requiring a USB connection, e.g. mice, smartphones, etc.

2. The University-wide DLP solution project

2.1 Supported Windows PC Platforms

The project will involve installation of the DLP software on all Staff PCs that run the following editions of Microsoft Windows:

  • Windows 8 (Standard, Enterprise & Professional Editions)
  • Windows 7 (Enterprise, Professional & Ultimate Editions)
  • Windows Vista (Enterprise, Business & Ultimate Editions; 32-bit only)
  • Windows XP Professional Edition (32-bit only)

Note that the Home Editions of the Windows platforms listed above are not supported, so the DLP software will not be installed on such PCs. For compliance with DPP4 of the Ordinance, users of Staff PCs on incompatible platforms are reminded that DLP initialized USB Flash Drives must still be used for data export from their PCs. When new Staff PCs are acquired by departments, they must be installed with the DLP software to meet the DPP4 compliance requirement before deployment. Information Technology Services (“ITS”) will assist departments in upgrading their incompatible Staff PCs that have been used for less than 3 years so that the DLP software can be installed to meet the DPP4 requirement.

At present, the DLP solution does not support the Apple Mac and Linux platforms. Hence, Mac and Linux systems are not required to have the DLP software installed until a new version supporting these platforms is available.

2.2 Project Coverage and Implementation Schedule

ITS is now engaging a service vendor to implement the DLP solution. We will work with departments to start installing the DLP software on all compatible Staff PCs early next year, i.e. 2014. Our current plan is to complete the installation in about 6 months. As part of the project, a prescribed number of USB Flash Drives (of modest size) will be provided to departments to aid their management process for preventing data leakage due to potential loss of USB Flash Drives, in meeting DPP4 for compliance with the Ordinance.

When the installation of the DLP software on all compatible Staff PCs is completed, ITS will then assist departments in upgrading their incompatible Staff PCs that are less than 3 years old so that the DLP software can be installed.

2.3 Project Governance and Execution

The DLP Solution project will be overseen by a Project Steering Committee to be formed. It will be chaired by the Executive Vice President, with participation from the administrations of the University and Faculties. The University Data Protection Officer will be the adviser to the Committee.

The Information Security Team of ITS is in charge of coordinating the project implementation. Our colleagues will work closely with departments, university colleagues and the solution vendor to deliver the DLP solution with the needed staff training. We look forward to seeing smooth progress of the project through the concerted effort of all departments and staff members of the University in enabling all of its departments, offices and work units to meet the DPP4 requirements for compliance with the Personal Data (Privacy) Ordinance. We will communicate further with our users when more details of the project implementation are worked out after procurement of the solution is complete.

P.T. Ho
Deputy Director