What is ISO 27001? Does it have any relationship with you?

ISO 27001 is the international standard for an information security management system (ISMS). It applies risk management principles to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security. Its purpose is to ensure that information services are secure and reliable and to give users a standard for secure operation. In other words, information is a valuable asset, so throughout its creation, transmission, storage and use it must keep the following three properties, commonly called CIA. The same properties are required by the Macao Cybersecurity Law, with which the University must comply.

  • Confidentiality: information is not disclosed to unauthorized persons;
  • Integrity: information is not tampered with without authorization;
  • Availability: authorized users can access information and resources properly and reliably.

ICTO has always attached great importance to information security. To ensure that the University’s information security management meets international standards and best practice, ICTO has, since the end of last year, been actively planning to obtain ISO 27001 certification in stages, and the first stage of certification is about to begin.

In addition, information security is everyone’s shared responsibility. Every user sends, handles and accesses different kinds of information. ICTO will publish and refine related information security reference materials, guidelines and tips in a timely manner, so that users can easily understand the requirements and key points of information security.


The Cybersecurity Law is now in effect. Are you ready for it?

Information technology has developed rapidly in recent years. With artificial intelligence and 5G networks, technologies that once seemed impossible have gradually entered everyday life, which shows how important IT services have become. During the anti‑epidemic period of recent months in particular, the public’s dependence on IT services has become more obvious and information security has become a topic of discussion. Requirements for information security will therefore only become stricter.

With the Macao Cybersecurity Law in effect, the University must, in accordance with its provisions, ensure that its information networks, computer systems and data are properly protected, and strengthen its alerting and response to information security incidents. ICTO will continue to safeguard the security of the campus network and cooperate with the Cybersecurity Incident Alert and Response Centre to fulfil the University’s reporting obligations, which include reporting information security incidents and keeping the Centre informed of current Internet service details (such as the account name used with the Internet service provider, IP addresses, domain names and other related information).

In addition, if you set up IT facilities or provide IT services in UM, you are obliged to ensure that those services are secure and reliable. Please note the following:

  • Keep the operating system and applications updated to the latest version for maximum protection;
  • Review whether the system’s default settings are secure, including initial passwords, permissions and the system services that are enabled;
  • Enable the available security measures and system logging, and back up important data;
  • For outsourced IT services, make sure the services provided also meet the relevant requirements of the Cybersecurity Law;
  • If you need to change the network architecture or encounter an information security incident, you must inform ICTO*.

* Note: ICTO is responsible for fulfilling the above reporting obligations on behalf of UM in accordance with the Cybersecurity Law. Details will be announced in due course.

Information security is not only a matter for service providers; it is also the responsibility of every user. Users must stay security-aware at all times in order to build a secure IT environment.


Scammers keep changing the way of fraud. Are you always ready to protect yourself?

Over the years we have seen many street scams, such as the “spiritual blessing gang” and “tout” scams, and in recent years these have evolved into phone scams and phishing scams. Many people have been scammed and have lost a great deal of money. According to Macao’s official crime statistics, the number of reported scam cases rose from 743 in 2016 to 1,525 in 2019, and around 30% of them involved phone or cyber scams. Since the beginning of this year there have been numerous scam cases related to online purchases of face masks in Macao and neighbouring regions, with thousands of victims losing tens of millions of Macao dollars. This situation cannot be ignored.

Scammers typically exploit hot topics that many people are concerned about, such as buying face masks, COVID-19, shortages of daily necessities, crude oil prices and video conferencing. They use social engineering techniques to carry out all kinds of scams: to obtain money, personal data or account passwords, or to trick victims into installing Trojan horse malware for long-term surveillance or theft of information.

Social engineering most commonly appears in phishing emails. Although our email system filters malicious emails, user awareness is the front line of defence that technology cannot replace. Take one of the phishing emails reported in February as an example: it is not difficult to spot several suspicious flaws (see the figure below).


* Remark: Compare it with a genuine UM internal email about payroll (below). When the mouse hovers over a web link, the real URL address is shown; in a genuine email the host name in that address is the UM domain “um.edu.mo” or “umac.mo”, or a sub-domain of one of them. Note that the host name must end with one of these domains: an address such as um.edu.mo.example.com, or a link that merely contains “um.edu.mo” somewhere after the host name, does not belong to UM.

Although scammers will keep changing the way of fraud, their essence will not change. You should stay alert all the time and remember “Stop and Think! Do Fact Check!” for preventing scammers from taking advantage of the scam opportunities.


How much do you know about Information Security?

In recent years, the Advanced Persistent Threat (APT) has become a common threat on the Internet. Intruders attempt to break into a target network, then often lurk there for months collecting clues until they obtain something valuable; some stay hidden for long-term monitoring. Usually the intruder’s first step is simply to get into the target network, so whether or not you handle important information, you may be the intruder’s next target.

In fact, information security is everyone’s responsibility. Even though IT personnel do their best to take all necessary measures to reduce the risk of intrusion, including network security technology, network monitoring and regular maintenance, an intruder can still get into the network through a phishing scam. Users must therefore have good information security awareness. How much do you know about information security? Take our “Information Security Awareness Quiz” now and challenge yourself!

* Remark:

    1. Click the URL Information Security Awareness Quiz and login with your UMPASS;
    2. Click “Enrol me”;
    3. Choose to answer in Chinese or English;
    4. There are 6 groups of questions and each group contains 5 multiple-choice questions. You may attempt the quiz as many times as you like; the result is for your reference only.


Beware of Fake News. Avoid Spreading Rumors!

At the end of 2019, an outbreak of COVID-19 pneumonia occurred in Mainland China. Macao’s first case was confirmed in January 2020, causing widespread concern.

Experience shows that when a critical incident occurs, such as an epidemic, a serious natural disaster, an accident or a social event, related fake news spreads through many channels, including email, social networks and instant messaging. Such news may also be used to launch phishing attacks, bringing information security threats. We would therefore like to draw your attention to the following:

  • DO NOT arbitrarily believe unconfirmed news. It is recommended to refer to official news;
  • When receiving any information with URL link or attachment, DO NOT open it unless you are expecting it and absolutely certain that it is legitimate;
  • DO NOT arbitrarily forward unconfirmed news. If you spread fake news or rumor, you may violate the related laws of the relevant country or region.

Tips for Safety Use of Mobile Payment Tools

In recent years mobile payment has become so popular that you can simply pay with your mobile phone, which makes shopping easier and more convenient. But have you also considered safety when using mobile payment? Here are some tips:

  • Take care of your belongings and your mobile phone. Besides losing money, your bank card or mobile phone wallet may also be stolen, and if your ID card is lost your personal data may be misused;
  • DO NOT keep more money in your mobile phone wallet than you need, and avoid linking a bank account holding a large balance to it. DO set an appropriate transaction limit, check the transaction records regularly, and change your account and transaction passwords regularly;
  • Avoid using public, unknown or unsecured networks for mobile payment transactions, and avoid exposing the screen that shows your payment QR code;
  • Beware of phishing messages, especially those involving red pockets, special offers, money transfer requests, passwords or personal information; confirm the authenticity of the sender to avoid any loss;
  • Protect your mobile devices:
    • Lock your devices with a password or fingerprint;
    • Turn on the “Find Me” function and the remote wipe feature, so that a lost or stolen phone can be located or erased;
    • Keep the operating system and applications, including anti-virus protection, updated to the latest version;
    • Do not jailbreak or root your phone, and avoid downloading and installing software from untrusted sites;
  • Enable the SIM PIN. Mobile payment account registration, password recovery and some online transactions rely on SMS for identity verification; a SIM PIN reduces the risk of identity theft if the SIM card is lost or stolen;
  • Use licensed mobile payment services, read the terms and conditions carefully, and understand the loss-reporting procedure and the protection policy for stolen accounts.

If you lose your phone, stay calm and use the “Find Me” function to locate it, or the wipe feature to erase your data remotely. If necessary, also report the loss to the relevant bank or service provider, for example to report a lost bank card or SIM card and to suspend the mobile phone wallet account.

Basic Knowledge of Online Safety and Security

Shopping, surfing, banking and gaming are just some of the many activities performed every minute in cyberspace. Phishing attacks, identity theft, bullying and location tracking come along with these everyday activities. With so many cyber threats around, how can we reduce the risk without giving up our online activities? Here are some tips to stay secure online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many banks provide account activity notifications, which keep you in control of your account. Whenever a transaction meets or exceeds a designated spending limit, a message is sent by email or SMS to tell you about it. Such alerts are useful because they make you aware of what is going on in your account far sooner than a monthly statement would. If you receive an alert about a transaction you did not authorize, contact the bank immediately. Don’t wait: log on to your online banking account and set up alerts now.
  • Keep devices and apps up to date. This general tip applies even if you are just casually surfing the Internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Be cautious about public WiFi hot spots. Avoid performing financial or other sensitive transactions while connected to public WiFi hot spots.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Consider carefully whether the vendor really needs that information. Remember that you only need to fill out the required fields at checkout.
  • Be vigilant. There are many fake websites online that try to trick people into giving up valuable information. Make sure you are visiting a legitimate website by double-checking the URL in the address bar to see that the domain name is spelled correctly. A legitimate website will normally show a padlock in the address bar and its URL will begin with “https://”, but note that this only means the connection is encrypted: phishing sites can also use HTTPS, so a padlock by itself does not prove that the site is genuine.

As long as you keep the above security tips in mind, you can continue to stay online with peace of mind.
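Both of the link checks described in this issue, reading the real URL that appears when you hover over a link (the phishing-email remark above) and checking the spelling of the address before trusting it (the “Be vigilant” tip), can be written down as a small script. The following is an added example for this newsletter, not ICTO’s own code and not part of the UM email system: the trusted domains um.edu.mo and umac.mo are taken from the text, and every sample link, including the sub-domain portal.um.edu.mo and the attacker hosts, is constructed for the demonstration. It deliberately ignores the padlock, since HTTPS only proves that the connection is encrypted; the decision rests on the host name alone.

```python
"""Where does a link really go? Classify the real target host of an e-mail link.

Added example for the ICTO newsletter, not ICTO code. The trusted domains come
from the newsletter text; all sample links below are constructed for the demo.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("um.edu.mo", "umac.mo")


def link_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.

    urlsplit() already handles the user-info trick: in
    "https://um.edu.mo@198.51.100.7/" everything before '@' is a username,
    not the host. Non-network links (javascript:, mailto:, data:) give "".
    """
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or a sub-domain of one.

    The label boundary matters: "portal.um.edu.mo" passes, but
    "um.edu.mo.example" and "notum.edu.mo" do not.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that host imitates, or None."""
    host = host.lower()
    if is_trusted_host(host, trusted):
        return None
    for d in trusted:
        # Brand embedded in a foreign domain: um.edu.mo.example, login-um-edu-mo.example
        if d in host or d.replace(".", "-") in host:
            return d
        # Same number of labels as the real domain, one or two characters off: umac.m0
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if 0 < edit_distance(tail, d) <= max_dist:
            return d
    return None


def classify_link(shown_text: str, href: str) -> str:
    """Verdict for one link: what the reader sees versus where it really goes."""
    host = link_host(href)
    if not host:
        return "untrusted: no network host (javascript:, mailto:, data: or similar)"
    if is_trusted_host(host):
        return "trusted: " + host
    imitated = lookalike_of(host)
    if imitated:
        return f"lookalike of {imitated}: {host}"
    shown_host = link_host(shown_text) if "://" in shown_text else ""
    if shown_host and is_trusted_host(shown_host):
        return f"mismatch: text shows {shown_host} but link goes to {host}"
    return "untrusted: " + host


# Constructed sample links (display text, real href); not taken from a real e-mail.
SAMPLE_LINKS = [
    ("https://um.edu.mo/payroll", "https://um.edu.mo/payroll"),
    ("Staff portal", "https://portal.um.edu.mo/"),
    ("https://um.edu.mo/payroll", "http://um.edu.mo.payroll-verify.example/login"),
    ("https://umac.mo", "https://umac.m0/"),
    ("Click here to verify", "https://um.edu.mo@198.51.100.7/login"),
    ("https://um.edu.mo/payroll", "https://secure-hr-login.example/um"),
]

if __name__ == "__main__":
    for shown, href in SAMPLE_LINKS:
        print(f"{classify_link(shown, href):70} <- {href}")
```

The order of the checks is the point: the host is extracted first (so a username that looks like a domain cannot fool the test), an exact or sub-domain match is required (so “um.edu.mo.example” fails), and only then are near-misses and text-versus-target mismatches reported. The same logic applies to any organization by changing TRUSTED_DOMAINS.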

Information Security is everyone’s responsibility

Did you know? In recent years, data breaches have occurred in many industries around the world, involving educational institutions, airlines, government departments, banking and financial institutions, e-commerce companies, web service providers and more. More than half of these breaches were caused by human error, including lost devices, physical loss and unintended disclosure, and they were arguably preventable with basic information security safeguards.

  • What can you do every day to protect data? Whatever industry you work in, you will need to transmit, process, access and share data of many kinds. There is no “one size fits all” blueprint of information security controls that every industry can follow, yet every member of staff has a responsibility to know the basic protections that keep data from being mishandled.
  • Understand where, how, and to whom you are sending data: Many breaches happen through carelessness, when we accidentally post confidential information publicly, mishandle it, or send it to the wrong party. Taking care to know how you are transmitting or posting data is critical.
  • Create complex and unique passwords: Use a different password for each account, particularly those used to handle confidential data.
  • Enable two-factor authentication: Two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Protect your devices: Besides a password lock, it is also recommended to use biometric protection on your smartphone and tablet. This keeps curious eyes away from personal information, work email and retail or banking applications, and also protects the device if you lose or misplace it.
  • Update your computing devices: Ensure the operating system, web browser and applications on all your electronic devices are updated to the latest version.
  • Getting ready to send data to a vendor or sign a contract? In our daily work we are obliged to ensure that the University’s confidential information is properly protected, especially when using an outsourced or cloud service. If the service involves confidential information, you must consider the relevant information security measures before the project begins or the contract is signed, so that the data will be protected properly.
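The two-factor point above says that a stolen password is not enough on its own; the example below shows why, using the one-time code scheme (RFC 4226 HOTP and RFC 6238 TOTP) that authenticator apps implement. This is an added illustration for this newsletter, not UMPASS or any UM system: the user account, password and salt are constructed, and the shared secret is the RFC test-vector secret, so the expected codes are the published ones.

```python
"""One-time codes (RFC 4226 HOTP / RFC 6238 TOTP) as a second factor.

Added example for the ICTO newsletter, not UM's UMPASS implementation. The
secret and expected codes are the published RFC test vectors; the account is
constructed for the demo.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current 6-digit code or one step either side (clock drift).

    Comparison is constant-time; the length check stops a short or empty
    submission from being compared against a shortened code.
    """
    if len(code) != 6 or not code.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def make_user(name: str, password: str, totp_secret: bytes) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus the TOTP secret."""
    salt = os.urandom(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
    }


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass: a phished password alone does not get in."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)   # evaluated regardless
    return password_ok and code_ok


RFC_SECRET = b"12345678901234567890"                       # RFC 4226/6238 test-vector secret
USER = make_user("staff01", "Spring2020!", RFC_SECRET)      # constructed account

if __name__ == "__main__":
    now = 59                                                # RFC 6238 vector: counter 1 -> 287082
    print(login(USER, "Spring2020!", totp(RFC_SECRET, now), now))   # True: has both factors
    print(login(USER, "Spring2020!", "000000", now))                # False: phished password only
```

An attacker who has phished the password still needs the 20-byte secret held only by the user’s phone and the server, which is what the second factor adds. A production verifier additionally records the last counter accepted for each user and rejects a code that has already been used, so that a code captured by a phishing page cannot be replayed within its 30-second window; that bookkeeping is left out here.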


Are you ready to prevent Ransomware?

Ransomware is a type of malicious software that encrypts the files on your computer and blocks access to them. Usually the user is asked to pay a “ransom” for the decryption key in order to regain access to the files. Ransomware may also spread to any shared network folders or drives to which your device is connected. The number of ransomware attacks is expected to keep increasing.

How will I get infected by ransomware?
Common vectors for ransomware include emails with malicious attachments or links to malicious websites. Infection is also possible through instant messages or text messages containing malicious links. Antivirus software may not detect a malicious attachment, so it is important for you to stay vigilant.

How can I protect myself against Ransomware?
There are two steps to protect yourself against ransomware:

  • Preparation   Back up your information regularly. Once a ransomware infection occurs, it is usually too late to recover the encrypted information, and your research project or other important data may be lost permanently. For PCs provided by ICTO, there is a basic backup function for each user to prevent the loss of files from desktop and notebook computers connected to our campus network; for details please refer to “PC Data Backup”. In addition, consider regularly making an extra backup of your important files to a location that is not continuously connected to your computer;
  • Identification   Ransomware typically arrives as a phishing email, either with links to malicious websites or with infected files attached. You might also be attacked through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible vector is malvertising, where a malicious advertisement is embedded in an otherwise normal website to deceive users.

4 important things to “Ensure”

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and on any connected drives, potentially including synchronized cloud drives such as Dropbox, it is important (as mentioned above) to back up your files regularly to a location that is not continuously connected;
  • Ensure that you are able to restore files from your backups. Periodically restore some files from the backup copies to verify them;
  • Ensure that your antivirus is up to date and functioning;
  • Ensure that your system and mobile devices are kept up to date with patches.
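To make the first two “Ensure” points concrete, here is an added example written for this newsletter; it is not ICTO’s PC Data Backup service or any other UM system. It backs up a folder together with a manifest of SHA-256 hashes, then performs a trial restore and checks every restored file against the manifest, which is the periodic verification the second point asks for. The sample files are constructed, everything runs in a temporary directory, and the ransomware is a stand-in that overwrites and renames a file. The demo leaves the backup location connected while the “encryptor” runs, exactly the situation the first point warns about, so the restore test catches the damaged copy.

```python
"""Backup with an integrity manifest, and a restore test that proves it works.

Added example for the ICTO newsletter, not ICTO's PC Data Backup service.
Everything runs in a temporary directory with constructed sample files.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and record a SHA-256 for every file in dest/manifest.json."""
    shutil.copytree(src, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_file(p)
        for p in sorted(dest.rglob("*")) if p.is_file()
    }
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir: Path, restore_dir: Path) -> list:
    """Restore the backup into restore_dir and return the files that fail verification.

    A file is reported if it is missing after the restore or if its hash no
    longer matches the manifest (for example because it was encrypted while
    the backup drive was still connected). An empty list means the backup
    is usable.
    """
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    shutil.copytree(backup_dir, restore_dir, ignore=shutil.ignore_patterns(MANIFEST))
    failed = []
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            failed.append(rel)
    return failed


def simulate_ransomware(path: Path) -> None:
    """Stand-in for an encryptor: overwrite the file with random bytes and rename it."""
    data = path.read_bytes()
    path.write_bytes(os.urandom(len(data)))
    path.rename(path.with_suffix(path.suffix + ".locked"))


def demo() -> tuple:
    """Back up, verify, let the 'encryptor' reach the still-connected backup, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup_dir = Path(tmp, "research"), Path(tmp, "backup")
        src.mkdir()
        (src / "data.csv").write_bytes(b"sample,1\nsample,2\n")   # constructed sample file
        (src / "notes.txt").write_bytes(b"draft results\n")        # constructed sample file
        take_backup(src, backup_dir)
        failed_before = verify_restore(backup_dir, Path(tmp, "restore1"))
        # The backup location was left connected, so the encryptor reaches the copy too.
        simulate_ransomware(backup_dir / "notes.txt")
        failed_after = verify_restore(backup_dir, Path(tmp, "restore2"))
        return failed_before, failed_after


if __name__ == "__main__":
    before, after = demo()
    print("before attack, files failing restore check:", before)   # []
    print("after attack, files failing restore check:", after)     # ['notes.txt']
```

Two habits follow from the example: the manifest must itself live somewhere the attacker cannot rewrite (a second copy, or an offline or append-only location, since here it sits beside the data for simplicity), and the restore test should be run on a schedule rather than only when a file is already lost.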

What should I do if I think I’m infected?

  • Report the ransomware attack to the relevant IT technical support immediately;
  • Isolate the infected computer from the network as soon as possible: disconnect it from the WiFi network or unplug the network cable, so that the ransomware cannot reach network or shared drives. If it cannot be isolated, shut it down.

How to use Personal and Home Use Internet devices in a secure manner?

In the modern IT era there are many personal and home Internet-enabled devices, including smartphones, smart watches, home routers, game consoles and a variety of smart home devices. While they bring convenience, they may also bring information security risks. Here are some security tips to ensure that the devices you use remain assets rather than burdens.

  • Keep your software up to date: Update the device’s system and application software regularly. If an anti-malware program is installed, keep it updated as well to avoid damage or infection by malware;
  • Secure your network: Protect your wireless network with WPA2 encryption (or WPA3 where supported) and a complex password, and update the firmware of your home WiFi router regularly;
  • Learn more about your device: Have a solid understanding of how the device works, the nature of its connection to the Internet, and the type of information it stores and transmits;
  • Understand how to set the device up safely: Read the instructions carefully to understand all necessary safe-use steps, including changing the default password, and the precautions to take;
  • Understand what data is collected: Some smart devices collect data. Take some time to understand what information your connected devices collect and how that information is managed and used;
  • Know how your data is stored: Smart devices send the data they collect to the cloud and store it there, so you should be aware of where the data is stored and what security measures protect your personal data;
  • Do your research: Before adopting a new smart device, read other users’ evaluations of the security and privacy of the device and its service provider.