ICT Policies & Procedures


Contents

- Acceptable Use Policy
- Backup Policy and Procedures
- Bandwidth Use Policy
- Data Classification Policy
- Information Security Policy
- Network Access Control Policy
- OneDrive Cloud Storage Policy
- Password Policy
- ICT User Authentication Policy
- Web Hosting Policy with Third-Party Service Providers
- Core ICT Services Service Level Agreement

Acceptable Use Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT
Policy: Acceptable Use Policy
Approval Date:
Page:

Objective: To ensure the appropriate use of the University's Information and Communication Technology (ICT) Services and define the responsibilities of users of the University's ICT Services and Infrastructure.

Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies: (a) Information Security Policy (b) Password Policy

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. These facilities are expected to be used for educational, instructional, research, professional development and administrative activities of the University. The use of these resources is a privilege that is extended to qualified members of the community. Access to computers, computing systems and networks owned by the University imposes certain responsibilities and obligations and is subject to university policies and codes and the Kingdom's local laws.

It is important that these ICT resources are used for the purpose for which they are intended. All users of these resources must comply with specific policies and guidelines governing their use, and act responsibly while using shared computing and network resources.

The ICT Acceptable Use Policy (AUP) informs the University's faculty, support staff, students, management and other individuals authorized to use University facilities of the regulations relating to the use of ICT systems. The University expects users to use the ICT facilities in an appropriate and responsible manner in accordance with this policy.

Anyone who abuses the privilege of the ICT resources, either directly, by promoting inappropriate activities and by misuse, or indirectly, by inadvertently allowing unauthorized users access for personal and professional purposes, will be subject to sanctions or legal action.

Introduction

The University provides ICT for its educational purposes, particularly teaching and research, as well as for reasonable personal use which is acceptable to the University environment. University of Dammam allows users to access the computing and network resources in order to facilitate them in carrying out their duties, and the university expects these resources to be used for purposes related to their jobs and not for unrelated purposes. These resources include all university owned, licensed, or managed hardware and software, and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

The purpose of this policy is to promote the efficient, ethical and lawful use of the University of Dammam's computer and network resources.

Acceptable Use Policy Objectives

The following are the objectives of acceptable use policy:

1. Provide guidelines for the conditions of acceptance and the appropriate use of the computing and networking resources provided for use by academic, professional and support staff and students of the University.
2. Ensure that ICT resources are used in an appropriate fashion, and support the university's mission and institutional goals.
3. Encourage users to understand their own rights and responsibility for protecting the University ICT resources.
4. Protect the privacy and integrity of data stored on the University network.
5. Elaborate the consequences of the inappropriate use of these resources.

Outcomes of the Policy

By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.
2. Responsible UOD community regarding the value and use of ICT resources.

Policy Rationale

There needs to be commitment to protect UOD faculty, students, staff, management and contractors from illegal or damaging action by individuals, either knowingly or unknowingly. Inappropriate use of these ICT resources exposes UOD to risks including virus attacks, compromise of network systems and services, and legal issues.

Entities affected by this Policy

This policy applies to all the community of University of Dammam using computing and network resources. These include:

- Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.
- All ICT equipment connected (locally or remotely) to University servers.
- ICT systems owned by and/or administered by the Deanship of ICT.
- All devices connected to the University network irrespective of ownership.
- Connections made to external networks through the University network.
- All external entities that have an executed contractual agreement with the University.

Business Impact of No AUP

The potential adverse business impact to the university due to lack of acceptable use policy may include:

- Violations of either personal or copyrighted material
- Security breaches
- Bad publicity and embarrassment to individuals or University
- Identity or financial fraud

Policy Benefits

1. It will define the responsibilities of users of the University's ICT Services and Infrastructure.
2. It will deter unacceptable ICT use by declaring the punitive actions for such an act.
3. Fair use of services.
4. Better service quality.

Section B Policy Statement:

Acceptable Use Policy Statements:

1. This policy applies to all users of computing resources owned or managed by University of Dammam. Individuals covered by the policy include (but are not limited to) UoD faculty and visiting faculty, staff, students, alumni, guests or members of the administration, external individuals and organizations such as contractors and their employees accessing network services via UoD's computing facilities.
2. The resources should be used for the purpose for which they are intended.
3. Users must adhere to the confidentiality rules governing the use of passwords and accounts, details of which must not be shared.
4. Users may use only the computers, computer accounts, and computer files for which they have authorization.
5. The university encourages and promotes using the university for administrative, learning and professional purposes. Hence, the users must use their university in their business communications.
6. The only way to access the university's network is to have a valid account, and any other way, such as plugging own internet to the university network, shall be considered as a violation.
7. All users of the university's network and computing resources are expected to respect the privacy and personal rights of others.
8. The University reserves the right to monitor all activities performed by the users on the internet by recording and reporting without the consent of the user.
9. The University has the right to block any site or group of sites according to its policies and will take necessary action that violates this policy.
10. The University reserves the right to make any amendments in this policy at any time.
11. Users who discover or find security problems or suspicious activity must immediately contact Technical Support of the DICT.

Unacceptable Use Policy

1. Users must not use the university network in any illegal manner, e.g. commercial purposes, nor use it to log in to or browse illegal web sites or content.
2. Users must not disclose their login information and access or copy another user's , data, programs, or other files.
3. Users must not attempt to violate or compromise the security standards on the University network or any other device connected to the network or accessed through the Internet.
4. University network may not be used for the creation, dissemination, storage and display of obscene or pornographic material, abusive, indecent, obscene, and defamatory or hate literature etc.
5. University users should not create illegal copies or violate copyright protected material in order to use, or save such copies on University devices or send them through the University network. It also prevents illegal use such as sending or downloading or publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against the Islamic values.
6. This policy prevents users adding, deleting, or modifying any information on university network in an attempt to disrupt or mislead others.
7. Users are not allowed to indulge in any activity that may adversely affect the ability of others to use the Internet services provided by the university, e.g. denial of service attacks, hacking, virus, or consuming gratuitously large amounts of system resources (disk space, CPU time, print quotas, and network bandwidth) or by deliberately crashing the machine(s).
8. The university prevents downloading any programs and installing them on the university's computers. Any such request should be made through DICT technical support.
9. Non serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal areas is not permitted.
10. DICT is not responsible for the internet content browsed by the end user, or for problems that might happen to the user from browsing untrusted websites.

Policy Breaches:

Anyone who breaches this policy will be subject to any or all of the following actions:

a. Suspension of the university internet account/access.
b. The referral of the case to the University management along with supporting evidence for an appropriate action.
c. The case may be investigated by the Communication & Information Technology Commission (CITC), Saudi Arabia, who may initiate criminal investigation according to the e-crimes regulations. More information regarding these regulations may be found here.
Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Device - Any computer or electronic device capable of accessing, storing and communicating data.

End Host Device - An electronic device which can be connected to a network. End Host Devices include, but are not limited to:

- Desktop computers
- Notebook computers
- Workstations
- Servers
- Network Printers
- Telecommunications equipment
- Wireless Devices and Other network aware devices

ICT Facilities - All computers, terminals, telephones and communication links, end host devices, licences, centrally managed data, computing laboratories, video conference rooms, and software owned or leased by the University.

ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.

References

1. Thomas M. Thomas; Donald Stoddard (2011), Network Security First-Step
2. Mark S. Merkow; Jim Breithaupt (2014), Information Security: Principles and Practices

Backup Policy and Procedures

Deanship of Information & Communications Technology
Posted Date:
Policy: Backup Policy and Procedures
Approval Date:
Policy Number: ICT
Page:

Objective: This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. It also lays emphasis on verifying that backups and recoveries are completed without errors.

Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies: (a) Information Security Policy (b) Operational Unit Data Center SLA

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. The unprecedented growth in data volumes has necessitated an efficient approach to data backup and recovery. Deanship of Information & Communications Technology (DICT) recognizes that the backup and maintenance of data for servers are critical to the viability and operations of the respective departments. It is essential that certain basic standard practices be followed to ensure that data files are backed up on a regular basis.

This document defines the backup policy for computer systems within the organization which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. The policy outlines the minimum requirements for the creation and retention of backups.

The main purpose of this policy is to provide secure storage for data assets critical to the work flow of official university business, prevent loss of data in the case of accidental deletion / corruption of data, system failure, or disaster, and permit timely restoration of archived data in the event of a disaster or system failure.

Introduction

This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. It also lays emphasis on verifying that backups and recoveries are completed without errors.

Purpose

To ensure server and data continuity and to support the retrieval and restoration of archived information in the event of a disaster, equipment failure, and/or accidental loss of files.

Goals

The goals of this backup policy will be as follows:

- to safeguard the information assets of University of Dammam (UoD) Community.
- to prevent the loss of data in the case of accidental deletion or corruption of data, system failure, or disaster.
- to permit timely restoration of information and business processes should such events occur.
- to manage and secure backup & restoration processes and the media employed within these processes.

Scope

The Deanship of ICT (DICT) Operational Unit (OU) is responsible for providing policy-based, system level, network-based backups of server systems under its stewardship. This document outlines the policies for backup implementation that define:

- Selections: what information needs to be backed up on which systems.
- Priority: relative importance of information for purposes of performing the backup jobs.
- Type: the frequency and amount of information to be backed up within a set of backup jobs.
- Schedule: the schedule to be used for backup jobs.
- Duration: the maximum execution time a backup job may execute prior to its adversely affecting other processes.
- Retention Period: the time period for which backup images created during backup jobs are to be retained.

Backup Creation

Backups will be created using industry standard data backup software that supports enterprise level data assurance. The product, defined by the data backup standard, must support scheduled backups, full or differential or incremental backups, and centralized management.

System Backup Profiles

The DICT Operational Unit maintains the following types of backup profiles:

1. Standard Backup: The standard backup is provided for most centralized University computer systems. The backup could be full, differential or incremental. The frequency of backup could be daily, weekly or monthly and is dependent upon the application. The retention of these backups could vary from 1 week up to 2 months. For some applications backup is performed on a day and time agreed upon by the OU and application owner. Appendix I shows the applications along with backup type, frequency of backup and retention period.
2. Critical System Backup: Certain enterprise-wide systems are deemed critical to University operations and dictate longer retention periods from 6 months up to 1 year. The type, frequency and retention period is different for different applications. Prior to a major upgrade of a production system, database, or application, a full system backup is performed and retained for 6 months. Appendix I shows the applications along with backup type, frequency of backup and retention period.
3. Special Request Backup: Some departments or applications may require an exception to the standard backup retention periods mentioned above. Exceptions are permitted, but must be fully documented.
4. No Backup: ICT Services is responsible for backing up data that is stored in central systems and databases. Data residing on individual workstation hard drives is the responsibility of the user to back up. Furthermore, the systems that fall under this category might include development or test systems that do not contain important business or academic data. Students, faculty, staff and third parties who store data on University equipment are responsible for ensuring the data is stored in a way that will ensure it is properly backed up. However, most systems that are centrally managed by DICT are backed up on one of the schedules listed above.

Storage Locations and Retention Period of Backups

Unless a system supporting an application or business function requires a custom retention period, DICT will maintain full and incremental backups. Backup tapes for the current weekly backup period will be stored within the DICT for purposes of current backups and restores. Tapes representing backups from the former weekly backup period will be stored within a secured, fireproof place until such time as the backup images stored on these tapes expire and the tapes are re-used or destroyed.

After a successful backup, it will be stored in a secure, off-site media vaulting location for an appropriate period for disaster recovery purposes. This will ensure that no more than one week of information would be lost in the event of a disaster in which campus systems and backup images are destroyed. After the period of six months has elapsed, the tapes may optionally be returned to DICT and re-used or destroyed.

Backup Verification

On a periodic basis, logged information generated from each backup job will be reviewed for the following purposes:

- to check for and correct errors
- to monitor duration of the backup job
- to optimize backup performance where possible

DICT will identify problems and take corrective actions to reduce any risks associated with failed backups. Test restores from backup tapes for each system will be performed. Problems will be identified and corrected. This will work to ensure that both the tapes and the backup procedures work properly. DICT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

Media Management

Media will be clearly labeled and logs will be maintained identifying the location and content of backup media. Backup images on assigned media will be tracked throughout the retention period defined for each image. When all images on the backup media have expired, the media will be re-incorporated amongst unassigned (available) media until reused. Periodically and according to the recommended lifetime defined for the backup media utilized, DICT will retire & dispose of media so as to avoid media failures.

Storage, Access, and Security

All backup media must be stored in a secure area that is accessible only to designated OU staff or employees of the contracted secure off-site media vaulting vendor used by DICT. Backup media will be stored in a physically secured, fireproof place when not in use. During transport or changes of media, media will not be left unattended.

Retirement and Disposal of Media

Prior to retirement and disposal, DICT will ensure the following:

- the media no longer contains active backup images or that any active backup images have been copied to other media
- the media's current or former contents cannot be read or recovered by an unauthorized party.
- with all backup media, CICT will ensure the physical destruction of the media prior to disposal.
Disaster Recovery Considerations

As soon as is practical and safe post-disaster, DICT will:

- Restore existing systems to working order or obtain comparable systems in support of defined business processes and application software.
- Restore the backup system according to documented configuration so as to restore server systems.
- Obtain all necessary backup media to restore server computing systems.
- Restore server computing systems according to the priority of systems and processes as outlined for restoration and recovery in the Disaster Recovery Plan.

Documentation

Essential documentation will be maintained for orderly and efficient data backup and restoration. The person-in-charge of data backup should fully document the following items for each generated data backup:

S. No | Action Item | Action
1 | Date of data backup |
2 | Type of data backup (incremental, differential, full) |
3 | Number of generations |
4 | Responsibility for data backup |
5 | Extent of data backup (files/directories) |
6 | Data media on which the operational data are |
7 | Data media on which the backup data are stored |
8 | Data backup hardware and software (with version number) |
9 | Storage location of backup copies |

Bandwidth Use Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT
Policy: Bandwidth Use Policy
Approval Date:
Page:

Objective: The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users by proper management and control of bandwidth. All in all, the bandwidth usage policy shall set guidelines important to use bandwidth as a scarce resource in the university.

Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies: (a) Acceptable Use Policy

Executive Summary

University of Dammam provides high speed internet access as a service to its management, faculty, students, researchers and administrative staff. The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users caused by improper management and control of bandwidth. The bandwidth is a precious shared resource and hence ought to be dedicated for teaching, learning and research purposes. Its usage should be in line with the university mission, vision and strategy. This bandwidth policy is prepared to define the appropriate use of bandwidth in the university so that optimum gains are achieved from the network.

Bandwidth Use Policy Objectives

The following are the objectives of the policy:

1. to establish awareness and accountability for bandwidth use
2. to educate the users of the priority related to internet traffic
3. to provide guidelines for responsible use

Scope

The aim of this policy is to manage bandwidth use proactively in order to avoid degradation of network performance. This policy applies to all users of University of Dammam accessing computing and internet resources, whether initiated from a computer and/or network device located on or off campus.

Audience

This policy shall apply to all faculty, management, staff and students of University of Dammam and guests who are given access to the UoD network. All users are to be made aware of the policy and sign it as appropriate.

Section B Policy Statement:

- Bandwidth may be used for any activity supporting teaching, research and consultancy in such a way that it will not prevent other users from using the same.
- DICT maintains the right to use monitoring tools that log and analyze bandwidth usage of all users of the network. However, the collected data is to be used exclusively for the purpose of enhancing proper bandwidth usage.
- DICT maintains the right to block any traffic that is not in line with the university mission and vision and that wastes bandwidth.
- DICT maintains the right to give priority for one type of traffic over the other based on predefined rules.
- Whenever necessary, DICT maintains the right to give priority to some users more than the other by giving more access to bandwidth. This will be based on the relevance of the work to the university's mission.
- DICT maintains the right to enforce user authentication for using the Internet by assigning users accounts and keeping the logs of usage history for analysis of users' usage behavior. Users will be responsible for all usage history registered in their account.
- DICT Internet users shall use the proxy server to access the Internet for centralized bandwidth monitoring and management purposes.
- Bandwidth may not be used for any non-educational activities or activities that consume bandwidth for the benefit of a few users.
- Users should not engage in activities such as hacking, cracking, spamming, streaming, web serving and p2p file sharing using the university's resources.
- DICT users may not be allowed to do tasks that disturb the bandwidth management and optimization system on any machine connected to the network.
- Bandwidth quotas are applied to all traffic passing between student computers and the Internet.

Excessive use of the network

To ensure that all qualified users making use of the internet resources receive a fair share of the bandwidth available, each individual's bandwidth is limited to no more than 1GB in a rolling 24-hour period. Individual bandwidth will be calculated as the combined network traffic from all personal computer systems used. This includes use of the wired network service, the VPN and wireless network services. However, the internal university traffic, including services and access to central file servers, will be exempted.

Exceptions

Users who have a genuine academic requirement for a larger quota should identify this need before exceeding their quota, and should then follow the below process:

- Obtain authorization for a higher quota from the user's respective Dean or Manager.
- Present the request and supporting authorization to the DICT and be prepared for a discussion.
- Properly supported requests will normally be granted, provided that their impact on the use of the network as a whole is not disproportionate.

Consequences of exceeding the Bandwidth usage

Users will be allocated to a restricted network which will allow access to only authorized university web based systems. This includes university website, departmental websites, VLE and SIS. Users should use this time to identify the cause of the high bandwidth usage. If users require help rectifying the problem, they should contact the ICT Service Desk. This withdrawal of network services only applies to your personal computer. Your university account is still fully operational and you will be able to use computing facilities in your department or library.

Appeals

To appeal, contact the ICT Service Desk and clearly state the grounds on which your appeal is based. You should only appeal against the decision if you believe that:

- You have not exceeded the bandwidth limits for the service (1GB in any 24 hour period).
- You have mitigating circumstances to warrant a review of the penalty.

The following reasons would NOT be acceptable grounds for appeal:

- You were unaware that your actions were illegal / in breach of the Conditions of Use of the network.
- Your guest or friend made use of your connection.
- You accidentally left your computer system switched on downloading copyrighted content.
- You know of other users currently downloading similar content on the network.

Definitions

The following terms are used in this document.

Bandwidth: the transmission capacity of a computer or a communications channel stated in megabits per second (Mbps).

Monitoring tools: logging and analysis tools used to accurately determine traffic flows, utilization, and other performance indicators on a network.

Authentication: the process that validates a user's logon information by comparing the user name and password to a list of authorized users.

Proxy server: A software package running on a server positioned between an internal network and the Internet.

Mirror site: A duplicate Web site that contains the same information as the original Web site and reduces traffic on that site by providing a local or regional alternative.

Hacking: using a computer or other technological device or system in order to gain unauthorized access to data held by another person or organization.

P2P file sharing: direct communication or sharing of resources between commercial or private users of the Internet.

Streaming: the playing of sound or video over the Internet or a computer network in real time.

Data Classification Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT
Policy: Data Classification
Approval Date:
Page:

Objective: To ensure UOD's information assets are identified, properly classified, and protected throughout their lifecycles.

Responsible Official:
Responsible Office: Quality Unit
Signature:
ITC Reference Policies: (a) Information Security Policy (b) Acceptable Use Policy

Data classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use. University of Dammam must protect its institutional assets as the data is prepared, managed, used, or retained by one of the constituent units or an employee relating to the activities or operations of the university. This does not include individually-owned data not related to university business.

The policy will help educate the university community about the importance of protecting data generated, accessed, transmitted and stored by the university, to identify procedures that should be in place to protect the confidentiality, integrity and availability of university data and to comply with privacy and confidentiality of information.

Data Classification Policy Objectives

The purpose of this policy is to establish a framework for classifying University of Dammam data based on its level of sensitivity, value and criticality to its business activities. The following are the objectives of data classification policy:

1- Assist UOD community in the assessment of data to determine the level of security, which must be implemented to protect that data whether it is in paper copy or on the information system for which they are responsible.
2- Protect UOD's data in terms of availability, confidentiality and integrity.
3- Identify who gets access to which kind of data.
4- Implement security provisions against unauthorized access.

Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:
1. A more aware and better informed university community regarding data and its value.
2. Data protection methods mapped to the university policies.
3. Accountability for the management and use of data.
4. Appropriate levels of confidentiality, integrity and availability in place.

Policy Rationale

The classification of data, information, and documents is essential to differentiate between non-sensitive and sensitive / confidential information. When data is stored, created, amended or transmitted, it should be appropriately classified and protected in accordance with its sensitivity level. The privacy, security, and integrity of data are critical to the university business. It is also necessary to evaluate the impact to the university should that data be disclosed, altered or destroyed without authorization. Classification of data will aid in determining baseline security controls for the protection of data.

Data classification provides several benefits by providing an inventory of university information assets. In many cases, information asset owners aren't aware of all of the different types of data they hold. It will also allow ICT to work with departments to develop specific security requirements that can be readily utilized.

Entities affected by this Policy

This policy applies to all University administrative data, all user-developed data sets and systems that may access this data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Audience

All faculty, management, staff, students, employees as well as third-party contractors, consultants and guests should abide by this policy.

Business Impact of no data classification

The potential adverse business impact to the university due to lack of data classification policy may include:
- Loss of critical campus operations
- Loss of opportunities or value of the data
- Damage to the reputation of the campus
- Lack of corrective actions or repairs
- Violation of University mission and policies

Policy Benefits

1. The university community will become familiar with this data classification policy and will consistently use it in their daily business activities.
2. Consistent use of data classification reinforces with users the expected level of protection of data assets.
3. It will address risks associated with the unauthorized disclosure, use, modification, and deletion of university data.
4. Improved and appropriate security measures for the data.

Policy Relevance for UOD Community

Columns: Category, High, Medium, Low, Notes
Rows: The organization, Administration, Staff, Faculty, Students, Other(s)

Section B

Policy Statement:

The UOD data classification policy provides a framework for assessing data sensitivity measured by the adverse business impact a breach of data would have on the campus from risks including, but not limited to, unauthorized use, access, modification, disclosure, destruction and removal. Thus all members of the university community have a responsibility to understand data classification and protect university data. This policy outlines measures and establishes protection profile requirements for each class of data. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action.

Data Classification

The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Reasonable precautions and protections should be taken, regardless of classification. All UOD institutional data has been classified into four levels or classifications:

Tier 1 - High Confidential Data
Data is classified as Confidential when an unauthorized disclosure, alteration or destruction of that data will cause a significant level of risk to the University.
Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk and access approval will be determined by the data owner or risk committee.

Tier 2 - Confidential Data
Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure.

Tier 3 - Internal Data
Data is classified as Internal/Private for all the information assets that are not explicitly classified as Confidential or Public data. A reasonable level of security controls should be applied to internal data.

Tier 4 - Public Data
Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Data Classification and Handling

The table below gives, for each handling area, the requirement for each of the four classifications: Public, Internal, Confidential, High Confidential.

Definition
Public: Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods and disclosure, alteration or modifications will cause no risk to the university.
Internal: Routine or daily operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but these are not widely available to the public.
Confidential: Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure.
High Confidential: Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the university (embarrassment, financial loss, etc.).

Examples
Public: Brochures, news releases, pamphlets, web sites, internal phone directories, marketing materials.
Internal: Routine correspondence, employee newsletters, inter-office memoranda, internal policies & procedures.
Confidential: Intellectual property licensed and/or under development, records, purchasing information, vendor contracts, system configurations, system logs, risk reports, RFP, RFI etc.
High Confidential: Protected Health Information (PHI), Student Identifiable Information, department financial data, personnel information, credit or bank details, contract research protocols.

Transmissions (1. within the organization; 2. outside of the organization; 3. data transfers (file transmissions, website, etc.); 4. data print and printer location)
Public: 1. No special handling required. 2. No special handling required. 3. No special precautions are required. 4. No restrictions.
Internal: 1. No special handling required, but reasonable precautions should be taken. 2. No special handling required, but reasonable precautions should be taken. 3. Encryption is recommended but not required. 4. Printer to be located in an area not accessible by general public.
Confidential: 1. Use of email to transfer confidential information is discouraged. Forwarding only allowed by data owner. 2. Use of email strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner. 3. Encryption is required. 4. Monitoring required and removal of the printed material immediately.
High Confidential: 1. Use of email to transfer confidential information is discouraged. Forwarding only allowed by data owner. 2. Encryption is required. 3. Encryption is required. 4. Monitoring required and removal of the printed material immediately.

Backup and Recovery
Public: Should be backed up monthly and incrementally based on content change.
Internal: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability.
Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability.
High Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability. Never overwrite the most recent backups.

Storage (1. printed materials; 2. electronic documents; 3. emails; 4. portable devices; 5. storage by third party)
Public: 1. No special precautions required. 2. Storage on all drives allowed but access controls must be enforced. 3. No special precautions required. 4. No special precautions required. 5. No special precautions required.
Internal: 1. Reasonable precautions to prevent access by non-employees. 2. Storage on all drives allowed but access controls must be enforced. 3. Reasonable precautions to prevent access by non-staff & employees. 4. Use lockable containers or devices. 5. Secured with lockable enclosures and access controls required.
Confidential: 1. Storage in a secure manner, e.g. secure area, lockable enclosure. Must be locked when unattended. 2. Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet. 3. Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials. 4. Use lockable containers or devices. 5. Secured with lockable enclosures and access controls required.
High Confidential: 1. Storage in a lockable enclosure. Must be locked when not in use. 2. Storage on secure drives only. Password protection of document preferred. 3. Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials. 4. Use lockable containers or devices. 5. Secured with lockable enclosures and access controls required.

Marking (1. documents)
Public: No restrictions.
Internal: "Internal Use Only" note at the bottom.
Confidential: "Confidential" note at the top.
High Confidential: "Confidential" at the top and bottom.

Physical Security (1. workstations; 2. servers; 3. printing; 4. office access; 5. portable devices)
Public: 1. Password protected screen-saver to be used when not in use. Sign off when not in use for long time. 2. Not permitted. 3. No restrictions. 4. No restrictions. 5. Devices must not be left unattended at any time.
Internal: 1. Password protected screen-saver to be used when not in use. Sign off when not in use for long time. 2. Secured area location and limited access based on the job responsibilities. 3. Printouts to be collected immediately. 4. No restrictions. 5. Devices must not be left unattended at any time.
Confidential: 1. Password protected screen-saver to be used when not in use. Sign off when not in use for long time. 2. Secured area location and limited access based on the job responsibilities. 3. Minimize the prints and collect immediately. 4. Access to the sensitive area must be restricted using access control. 5. Devices must not be left unattended at any time. Consider using lock and access control.
High Confidential: 1. Password protected screen-saver to be used when not in use. Sign off when not in use for long time. 2. Secured area location and limited access based on the job responsibilities. 3. Print only when necessary and do not leave unattended. 4. Access to the sensitive area must be restricted using access control. Confidential information must be kept under lock. 5. Devices must not be left unattended at any time and must be placed under lock and access control.

Access Control
Public: Content changes by only authorized persons.
Internal: Password access control.
Confidential: Password access control. Content changes based on the data owner and business needs.
High Confidential: Password/Biometric/Authentication based access control. Content changes based on the data owner and business needs.

Responsibilities

Data owners are responsible for appropriately classifying data.
Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.
Data users are responsible for complying with data use requirements and must report immediately any breach of the policy to the data owner.
Data users are responsible for immediately referring requests for public records to the University Relations Division Office of Public Affairs or to the Office of the Vice President and General Counsel.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include suspension or termination from UOD or legal action as determined by the legal department.

Definitions

The following terms are used in this document.
Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.
Confidential - Sensitive data that must be protected from unauthorized disclosure or public release.
Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.
Data custodian - Individual or group responsible for classifying data and generating guidelines for its lifecycle management.
Data owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.
Data user - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.
Impact - A combination of data confidentiality, integrity and availability.
Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.
Public - Data for which there is no expectation for privacy or confidentiality.

References:
1. Johnson, Robert; Merkow, Mark (2010), Security Policies and Implementation Issues
2. Woody, Aaron (2013), Enterprise Security: A Data-Centric Approach to Securing the Enterprise


Information Security Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number:
ICT Policy: Information Security Policy
Approval Date:
Page:
Objective: To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of University of Dammam, including all academic, administrative, and research data.
Responsible Official: Information Security Officer
Responsible Office: Operational Unit
Signature:
ITC Reference Policies: (a) Data Classification Policy

Executive Summary

Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the University of Dammam (UOD), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.

University of Dammam is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.

Information Security Policy Objectives

The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University's activities, and are essential to its research, learning, teaching and administrative functions. The university is committed to protecting the security of its information and information systems. The following are the objectives of information security policy:
1. to protect academic, administrative and personal information from threats.
2. to maintain the confidentiality, integrity and availability of the UOD information assets.
3. to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.
4. to protect against information security incidents that might have an adverse impact on UOD business, reputation and professional standing.
5. to establish responsibilities and accountability for information security.

Information Security Principles

Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:
- Information is an asset and like any other business asset it has a value and must be protected.
- The systems that are used to store, process and communicate this information must also be protected.
- Information should be made available to all authorized users.
- Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the data classification policy.
- Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.
- All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.
- Information will be protected against unauthorized access.
- Compliance with this policy is compulsory for UOD community.

Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:
1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.
2. Improved credibility with the UOD community and partner organizations.
3. Protected information at rest and in transit.

Policy Rationale

University of Dammam possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable,


More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Ethical and Responsible Use of EagleNet 03/26/14 AMW

Ethical and Responsible Use of EagleNet 03/26/14 AMW Campus Technology Services Solutions Center Juniata College 814.641.3619 help@juniata.edu http://services.juniata.edu/cts Ethical and Responsible Use of EagleNet 03/26/14 AMW Preamble The resources of

More information

STATE UNIVERSITY OF NEW YORK AT BROOKLYN DOWNSTATE MEDICAL CENTER COMPUTER and NETWORK USAGE POLICY I. INTRODUCTION

STATE UNIVERSITY OF NEW YORK AT BROOKLYN DOWNSTATE MEDICAL CENTER COMPUTER and NETWORK USAGE POLICY I. INTRODUCTION STATE UNIVERSITY OF NEW YORK AT BROOKLYN DOWNSTATE MEDICAL CENTER COMPUTER and NETWORK USAGE POLICY I. INTRODUCTION Access to modern information technology is essential to the state university mission

More information

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES

APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS (INCLUDING INTERNET & E-MAIL) EMC CORPORATE POLICY COPYRIGHT 2007 EMC CORPORATION. ALL RIGHTS RESERVED. NO PORTION OF THIS MATERIAL MAY BE REPRODUCED,

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

Technology Department 1350 Main Street Cambria, CA 93428

Technology Department 1350 Main Street Cambria, CA 93428 Technology Department 1350 Main Street Cambria, CA 93428 Technology Acceptable Use and Security Policy The Technology Acceptable Use and Security Policy ( policy ) applies to all CUSD employees and any

More information

HIPAA Security Training Manual

HIPAA Security Training Manual HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,

More information

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Odessa College Use of Computer Resources Policy Policy Date: November 2010 Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Department of Information Technology Olivet Nazarene University (815) 939-5302 Published August 2013 Ver. 4.0 Policy Overview 1. Executive Summary This summary is intended to present

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 AUDIENCE... 4 COMPLIANCE & ENFORCEMENT... 4 POLICY STATEMENTS... 5 1. General... 5 2. Authorized Users... 5 3. Loss and Theft... 5 4. Illegal

More information

Appropriate Use of Campus Computing and Network Resources

Appropriate Use of Campus Computing and Network Resources The Claremont Colleges Policy Regarding Appropriate Use of Campus Computing and Network Resources Approved by the Council of The Claremont Colleges on 08/20/04 An overall guiding mission of The Claremont

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

How To Protect Data At Northeast Alabama Community College

How To Protect Data At Northeast Alabama Community College Information Systems Security Policy Northeast Alabama Community College Center for Information Assurance Northeast Alabama Community College 138 AL Hwy 35, Rainsville, AL 35986 (256) 228-6001 1 5/22/2014

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Forrestville Valley School District #221

Forrestville Valley School District #221 Forrestville Valley School District #221 Student Acknowledgment of Receipt of Administrative Procedures for Acceptable Use of the Electronic Network 2015-2016 All use of electronic networks shall be consistent

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Chicago State University Computer Usage Policy

Chicago State University Computer Usage Policy Chicago State University Computer Usage Policy Introduction This document provides guidelines for appropriate use by students, faculty and staff of computers, and other technological facilities and services

More information

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology

More information

Niagara County Community College

Niagara County Community College Niagara County Community College NCCCnet Computer Usage Policy Document: NCCCnet Computer Usage Policy Owner: Chief Information Officer Version: 2.0 NCCCnet Policy Page 1 of 7 NCCCnet Use Policy Introduction:

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

City of Venice Information Technology Usage Policy

City of Venice Information Technology Usage Policy City of Venice Information Technology Usage Policy The City of Venice considers information technology (IT) resources to be city resources. It shall be the policy of the city to maintain these resources

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

COMPUTER AND NETWORK USAGE POLICY

COMPUTER AND NETWORK USAGE POLICY COMPUTER AND NETWORK USAGE POLICY Respect for intellectual labor and creativity is vital to academic discourse and enterprise. This principle applies to works of all authors and publishers in all media.

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY ASSESSABLE UNIT: ENTER THE NAME OF YOUR ASSESSABLE UNIT HERE BUSINESS PROCESS: ENTER YOUR BUSINESS PROCESS HERE BANNER INDEX CODE: ENTER YOUR BANNER INDEX CODE HERE Risk: If you monitor the activity and

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

TECHNOLOGY ACCEPTABLE USE POLICY

TECHNOLOGY ACCEPTABLE USE POLICY Policy Statement TECHNOLOGY ACCEPTABLE USE POLICY Reason for Policy/Purpose The purpose of this policy is to provide guidelines to the acceptable and ethical behavior that guides use of information and

More information

COMPUTER USER REGULATIONS INFORMATION TECHNOLOGY POLICY 1

COMPUTER USER REGULATIONS INFORMATION TECHNOLOGY POLICY 1 COMPUTER USER REGULATIONS INFORMATION TECHNOLOGY POLICY 1 1. INTRODUCTION The purpose of this policy is to: I. Regulate access to Manukau Institute of Technology ( MIT ) Computer Systems ensuring they

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements Page 1 of 5 K-20 Network Acceptable Use Guidelines/Internet Safety Requirements These procedures are written to support the Electronic Resources Policy of the board of directors and to promote positive

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

About this Tool Information Security for Residents...

About this Tool Information Security for Residents... About this Tool Information Security for Residents... Purpose: Provide materials to inform and educate Residents in order to reach compliance regarding information security. Audience: New Residents Information

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

NORTHEAST COMMUNITY COLLEGE ADMINISTRATIVE PROCEDURE NUMBER: AP-5250.0 FOR POLICY NUMBER: BP 5250 ACCEPTABLE USE PROCEDURES ELECTRONIC RESOURCES

NORTHEAST COMMUNITY COLLEGE ADMINISTRATIVE PROCEDURE NUMBER: AP-5250.0 FOR POLICY NUMBER: BP 5250 ACCEPTABLE USE PROCEDURES ELECTRONIC RESOURCES NORTHEAST COMMUNITY COLLEGE ADMINISTRATIVE PROCEDURE NUMBER: AP-5250.0 FOR POLICY NUMBER: BP 5250 ACCEPTABLE USE PROCEDURES ELECTRONIC RESOURCES 1. PROCEDURE SUMMARY STATEMENT To establish procedures relating

More information