Qatar University
Information Security Policies Handbook
November 2013

Produced by Information Technology Services Department / Information Security
Reviewed by Office of Associate Vice President for Facilities & Information Technology

Table of Contents

1 PL-ITS-ISO-001: INFORMATION SECURITY POLICY
2 PL-ITS-ISO-002: INFORMATION SECURITY MANAGEMENT
3 PL-ITS-ISO-003: INFORMATION ASSET CLASSIFICATION
4 PL-ITS-ISO-004: PRIVACY AND PROTECTION OF PERSONAL INFORMATION
5 PL-ITS-ISO-005: RISK MANAGEMENT
6 PL-ITS-ISO-006: BUSINESS CONTINUITY MANAGEMENT
7 PL-ITS-ISO-007: IT SYSTEMS SECURITY COMPLIANCE
8 PL-ITS-ISO-008: ACCESS CONTROL AND PRIVILEGES
9 PL-ITS-ISO-009: SOFTWARE SECURITY
10 PL-ITS-ISO-010: MEDIA SECURITY
11 PL-ITS-ISO-011: MALWARE PROTECTION
12 PL-ITS-ISO-012: MOBILE COMPUTING AND TELEWORKING
13 PL-ITS-ISO-013: DATA RETENTION AND ARCHIVAL
14 PL-ITS-ISO-014: SECURITY AWARENESS
15 PL-ITS-ISO-015: INTELLECTUAL PROPERTY
16 PL-ITS-ISO-016: LEGAL AND FORENSICS POLICY
17 PL-ITS-ISO-017: PHYSICAL SECURITY
18 PL-ITS-ISO-018: ACCEPTABLE USE OF INFORMATION RESOURCES
19 PL-ITS-ISO-019: USE OF NETWORK SERVICES
20 PL-ITS-ISO-020: USER ACCOUNT MANAGEMENT
21 PL-ITS-ISO-021: EMAIL ACCESS POLICY
1 PL-ITS-ISO-001: Information Security Policy

Contents:
Policy Description
Policy
Security Values

Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

1.1 Policy Description

Qatar University considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the University is committed to providing the resources needed to ensure the confidentiality, integrity, and availability of its information, as well as to reduce the risk of exposure that would damage the reputation of the University.

1.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
1.3 Policy

The Board of Regents, President, senior management and employees at Qatar University are committed to protecting the confidentiality and integrity of all information assets, ensuring availability in accordance with business objectives, and conducting business in compliance with all statutory, regulatory and legal requirements.

1.4 Security Values

The policy supports the following core security values:

1. The Policy is designed to support the mission of the University by protecting the University's resources, reputation, legal position, and ability to conduct its operations. It is intended to facilitate activities that are important to the University.
2. The Policy is consistent with and serves to enforce relevant University policies, contracts and license agreements governing software, copyrighted files, and other forms of intellectual property; and laws and policies governing student, employee, and research information, other sensitive information, and records retention laws and policies.
3. Information Privacy is covered in the University Privacy Policy.
4. Not all University resources require the same level of protection. Policy requirements are formulated with the objective that the application of measures be commensurate with the sensitivity and value of resources and the actual threats to those resources. The intent is not to dictate requirements whose implementation would impose unnecessary costs.
5. The Policy articulates requirements that are intended to be consistent with best practices at institutions of higher education, and in line with local and international standards.
6. All members of the University community share in the responsibility for protecting University resources to which they have access or custodianship. The Policy recognizes that people will need adequate information, training, and tools to exercise their responsibilities and that these responsibilities must be made explicit.
7. The Policy intends that members of the University community be accountable for their access to and use of University resources.
8. The Policy aims to mandate specific procedures and practices only where necessary to provide adequate protection. The goal is that members of the University community be able to exercise their discretion and best judgment when determining how to protect resources for which they have responsibilities, subject to legal and other obligations and policies of the University. Where procedures and practices are required, they are meant to be flexible enough to change as circumstances change.
9. It is not possible to prevent all incidents affecting information technology.
10. The Policy is designed to ensure that appropriate measures are taken to prepare for possible incidents, including implementation of business continuity measures to protect critical information systems and processes.
11. The Policy recognizes that revisions may be required and that reassessment of the Policy is valuable.
2 PL-ITS-ISO-002: Information Security Management

Contents:
Policy Description
Who Should Know This Policy
Scope
Policy
Roles and Responsibilities

Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

2.1 Policy Description

The Information Security Management Policy establishes the foundation for managing the information security program at Qatar University.

2.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
2.3 Scope

This policy applies to all systems and individuals that access, handle, or use QU information assets.

2.4 Policy

Qatar University is committed to ensuring the proper management and security of its information assets in accordance with established best practices, and in compliance with all relevant laws and regulations. In particular, the University shall keep the Qatar Government Information Assurance Policy (GIA) in focus as it develops its information security and assurance strategy. In that regard:

1. Qatar University's executive management fully supports the establishment of an Information Security Office (ISO) that will be the focal point for all information security-related matters involving QU information assets.
2. Qatar University's leadership team is the highest approval authority for all policies and strategic plans related to information security.
3. Qatar University shall establish a steering committee to address the organization's information security issues and provide guidelines for the proper management of information assets. This committee shall include representatives from various academic, research, administrative, and technology fields.
4. The Information Security Office (ISO) is responsible for the development, oversight, and implementation of all information security related functions at all QU managed and operated locations and venues. In addition, the ISO shall assure the proper handling of QU information by third parties through oversight and constant monitoring and review.
5. Major business units at QU shall identify at least one person to act as a liaison with the central Information Security Office. This information security liaison shall be well versed in the major aspects of the business unit, in particular with respect to the flow of information within the unit.
6. Information owners shall be responsible for the identification and proper classification of their information assets. They are also responsible for defining proper access authorization levels to their institutional data.
7. Information custodians shall be responsible for implementing controls identified and recommended by the ISO.
8. Ultimately, the protection of all information resources, including hardware, software, data, and documentation, is a fundamental responsibility of all QU personnel.
2.5 Roles and Responsibilities

All QU constituents are expected to fully cooperate with the Information Security Office in its mission to ensure the confidentiality, integrity, and availability of QU information assets.

2.5.1 QU Executive Management Committee

With regard to information security, the QU Executive Management Committee shall:

1. Provide insight, guidance, and general input with regard to QU strategy as it relates to information assurance.
2. Ensure the support of the various business units for information assurance initiatives.

2.5.2 Information Security Steering Committee

The Information Security Steering Committee's role is mainly to validate and promote the recommendations of the Information Security Office, which has the leading role in the information assurance process. The Committee's role is critical in:

The establishment and ratification of information security policies, guidelines, and standards.
Monitoring of guidelines to ensure that QU personnel adhere to the information security policies.
The promotion of information security awareness and its importance to the University.

2.5.3 Information Security Office (ISO)

The ISO shall work with the various functional and technical groups on campus to assure the appropriate levels of confidentiality, integrity, and availability of information assets to the respective stakeholders. The Information Security Office (ISO) shall:

1. Identify, develop, and produce the necessary policies, guidelines, standards, and other documents needed to ensure the appropriate levels of confidentiality, integrity, and availability (C.I.A.) of information assets. This shall be accomplished in cooperation with the various entities identified in the Information Security Management Policy.
2. Respond to and manage exceptions to information security-related policies.
3. Establish and maintain compliance with relevant laws, regulations, standards, and generally accepted best practices as they relate to information assurance.
4. Ensure that QU's information security policies are in compliance with the Qatar Government Information Assurance Policy or its equivalent, and associated laws and regulations.
5. Embrace a risk-based information security management program that identifies risks associated with the processing, storage, transmission, and management of QU information assets.
6. Report to senior management and have:
   a. Status sufficient to effectively review systems security and implement recommendations for improvements to systems security; and
   b. Sufficient authority to implement the QU information security policies and standards.
7. Have sufficient resources to execute the tasks it has been assigned.
8. Provide central IT management with audit logs of their critical system components. The review and follow-up of issues will be performed on a regular basis.
9. Be directly responsible for ensuring that all QU personnel are aware of their obligations to safeguard the University's information assets.
10. Enforce the implementation of information security policies as set out in this document.

2.5.4 Information Security Liaison

Major business and technical units shall be identified and requested to appoint at least one Information Security Liaison to act as the single point of contact for the ISO within the unit. The Information Security Liaison shall:

1. Be well versed in the business conducted within the business unit, in particular with regard to the flow and handling of information.
2. Assist the ISO in data classification, process analysis, and risk assessment efforts necessary to implement a risk-based security management framework.
3. Inform the business unit of relevant information security efforts, policies, and guidelines.
4. Ensure that business unit input is communicated to, and considered by, the ISO for further action.

2.5.5 Information Owners

Information owners are expected to:

1. Be able to assert their ownership of their data.
2. Define and maintain information assurance profiles for their information and related processes, e.g. classification, access control, chain of authority, etc.
3. Report any breaches or attempts at compromising their information to the appropriate authority.

2.5.6 Information Custodians

Information custodians are expected to:

1. Be able to identify the owners of the data with which they are entrusted.
2. Implement and maintain the required baseline controls necessary to protect the data per the QU information security guidelines.
3. Report any breaches or attempts at compromising their information to the appropriate authority.

2.5.7 Information Users

Information Users must:

1. Comply with all policies approved by Qatar University's Higher Management and communicated by the ISO.
2. Ensure that QU's information resources are maintained and utilized in the most efficient way possible and that they are used for legitimate business purposes only.
3. Ensure that information and data are used solely for purposes specified by the resource owner/custodian.
3 PL-ITS-ISO-003: Information Asset Classification

Contents:
Policy Description
Who Should Know This Policy
Overview
Scope
Policy
Information Asset Classification Model
Data Handling Guidelines

Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

3.1 Policy Description

The purpose of the Information Asset Classification Policy is to provide a foundation for the development and implementation of the security controls necessary to protect information according to its value and/or risk.

3.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
3.3 Overview

For the purpose of information assurance, an information asset ("Asset") is defined as one of the following:

1. Electronic or other forms of data that are used to conduct University business.
2. Hardware, software, processes, and/or people utilized in the access, processing, transport, and/or storage of data as defined above.

A consistent framework for asset classification is a fundamental requirement and a basic building block in establishing a sound information security policy. The Information Asset Classification Policy defined in this document demands close cooperation between the various business units and the Information Security Office in order to properly control and protect QU information. This policy shall remain consistent with the Qatar Government's Information Assurance Policy (GIAP) or equivalent.

3.4 Scope

The Information Asset Classification Policy applies to all information assets that are handled, maintained, or operated by Qatar University or its associates in the course of conducting the University's business. This policy applies equally to all QU information assets regardless of their location or custodian affiliation.

3.5 Policy

1. All information owners shall classify their information and associated processes according to the guidelines provided below under Guidelines.
2. Qatar University shall implement the minimum appropriate set of baseline controls required to ensure the confidentiality, integrity, and availability of QU information assets. Information custodians and/or the Information Security Office may require the implementation of additional controls as deemed appropriate.
3. All individuals who access/process QU information assets shall adhere to the defined protection controls.
4. The Information Asset Classification Policy shall remain in compliance with the Qatar Government Information Assurance Policy (GIAP) or equivalent.

3.6 Information Asset Classification Model

The Information Asset Classification model is based on the Asset Classification Model of the Qatar Government Information Assurance Policy Manual. Unless otherwise specified, the default classification for all assets is C1 (Internal).
The following table summarizes the various classification labels for an asset: Confidentiality, Integrity, and Availability (C.I.A.). The full labeling of an asset is the combination of all three labels; e.g. the label C0I1A2 results in an overall classification of M (Medium).

Security Classification Table (adopted from the Qatar Government Information Assurance Manual)

Integrity   Confidentiality   Availability
                              A0   A1   A2   A3
I0          C0                L    L    M    H
I0          C1                L    L    M    H
I0          C2                M    M    M    H
I0          C3                H    H    H    H
I1          C0                L    L    M    H
I1          C1                L    L    M    H
I1          C2                M    M    M    H
I1          C3                H    H    H    H
I2          C0                M    M    M    H
I2          C1                M    M    M    H
I2          C2                M    M    M    H
I2          C3                H    H    H    H
I3          C0                H    H    H    H
I3          C1                H    H    H    H
I3          C2                H    H    H    H
I3          C3                H    H    H    H

(Cell values give the overall security classification: L = Low, M = Medium, H = High.)

3.6.1 Confidentiality

C0 Public
Public information is intended for general disclosure. There is no requirement for confidentiality controls.
Classification label: Unclassified, Public or no label.

C1 Internal
For internal use; material whose disclosure would cause light to moderate damage to the affected party. Only QU employees and staff should have access to internal departmental information. Employees may share internal information with others based upon University business and operational needs.
Classification label: Internal

C2 Limited Access
Access for defined users, roles or user groups, according to specific rules; material whose disclosure would cause serious damage to the affected party (e.g. HR data, sensitive constituent data, etc.). Only QU employees and staff who have a legitimate business and operational need may have access to this type of information. Disclosure of this type of information requires the approval of the data owner.
Classification label: Limited Access

C3 Restricted
Confidential information with access limited to a very small set of persons; material whose disclosure would cause severe damage to the affected party (Board/executive/minister level management changes, decisions, etc.). Highly sensitive information should be strictly controlled, with limited access and disclosure within the QU campus. Only QU employees and staff who have authorization from the relevant information owner and have signed a confidentiality agreement can access this type of information. In certain cases written approval might be needed to handle this type of information, depending on the data owner and department director.
Classification label: Restricted

C4+ National Security Markings
Information which has nationwide implications should be marked as Confidential, Secret or Top Secret.

3.6.2 Integrity Labels

Label   Description
I0      Source of information and time of change are not important
I1      It should be possible to identify the source of information and time of changes
I2      Source of information and time of change are identified and periodically checked
I3      Authenticity and integrity should be provable to a third party

3.6.3 Availability Labels

Label   Reliability   Allowed Downtime   Allowed Max. Response Time
A0      Reliability and productivity/reaction time not important
A1      90%           17 hr/week         1-10 hours
A2      99%           2 hr/week          1-10 minutes
A3      99.90%        10 min/week        1-10 seconds

3.7 Data Handling Guidelines

Guidelines on the handling of classified assets at Qatar University include:

1. Do not discuss or display QU Restricted or Limited Access information in an environment where it may be viewed by unauthorized persons.
2. When sending classified information by email, ensure that the content is encrypted.
3. Do not send classified messages via instant messaging or unsecured file transfer unless they are encrypted.
4. Store electronic media (including backups) containing such information in a secure location. If this media contains QU classified information, encrypt it, inventory it and review the inventory periodically.
5. When printing, photocopying or faxing QU classified information, ensure that only an authorized person will be able to obtain the output.
6. Paper documents should be stored in a locked area to prevent unauthorized access.
7. Do not leave keys or access badges for rooms or file cabinets containing classified confidential information in areas accessible to all.

3.7.1 Destruction

University information records should be properly disposed of with the assistance of the Information Security Office, which will assist in properly destroying the media holding this information and will take special care not to wipe out needed information.

3.7.2 Declassification

Data declassification can be done either by the owner or by the University if the information is no longer Restricted, Limited Access or Internal. While defining the information classification, the owner should define the time period for which the information can be considered classified information.
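The Security Classification Table in 3.6 and the Availability Labels in 3.6.3 can both be checked programmatically. The Python below is an added illustration, not code from the handbook or from Qatar University: it parses a combined label in the "C0I1A2" form used in 3.6, shows that every cell of the table equals the rating implied by the highest of the three levels (3 gives H, 2 gives M, otherwise L), and derives the Allowed Downtime column of 3.6.3 from the unavailable fraction of a 168-hour week. The label format, the max-level rule and the weekly budget are observations and assumptions of this example; the transcribed table is included only so the rule can be verified against it.

```python
"""Overall C.I.A. classification and availability budget (added illustration).

Not code from the QU handbook.  The max-level rule is an observation about
the handbook's Security Classification Table; the table copy below is used
only to cross-check that observation for all 64 label combinations.
"""
import re
from typing import Tuple

# Handbook table transcribed as _TABLE[integrity][confidentiality][availability].
_TABLE = {
    0: {0: "LLMH", 1: "LLMH", 2: "MMMH", 3: "HHHH"},
    1: {0: "LLMH", 1: "LLMH", 2: "MMMH", 3: "HHHH"},
    2: {0: "MMMH", 1: "MMMH", 2: "MMMH", 3: "HHHH"},
    3: {0: "HHHH", 1: "HHHH", 2: "HHHH", 3: "HHHH"},
}

# Label format assumed here: "C<n>I<n>A<n>", each level 0-3 (e.g. "C0I1A2").
_LABEL = re.compile(r"^C([0-3])I([0-3])A([0-3])$")


def parse_label(label: str) -> Tuple[int, int, int]:
    """Split a combined label into (confidentiality, integrity, availability).

    C4+ national security markings and malformed strings are rejected rather
    than guessed at, since they fall outside the L/M/H model of the table.
    """
    m = _LABEL.match(label.strip().upper())
    if m is None:
        raise ValueError(f"label outside the C0-3/I0-3/A0-3 model: {label!r}")
    c, i, a = (int(g) for g in m.groups())
    return c, i, a


def overall_by_rule(c: int, i: int, a: int) -> str:
    """Overall rating from the highest individual level (observed rule)."""
    top = max(c, i, a)
    return "H" if top == 3 else "M" if top == 2 else "L"


def overall_by_table(c: int, i: int, a: int) -> str:
    """Overall rating read directly from the transcribed handbook table."""
    return _TABLE[i][c][a]


def classify(label: str) -> str:
    """Overall rating (L/M/H) for a combined label such as 'C0I1A2'."""
    return overall_by_rule(*parse_label(label))


def rule_matches_table() -> bool:
    """True when the max-level rule reproduces every one of the 64 table cells."""
    return all(
        overall_by_rule(c, i, a) == overall_by_table(c, i, a)
        for c in range(4) for i in range(4) for a in range(4)
    )


def allowed_downtime_minutes_per_week(reliability: float) -> float:
    """Weekly downtime budget implied by a reliability figure.

    Assumption (not stated in the handbook): the budget is the unavailable
    fraction of a 7 x 24 hour week.  90% gives 1008 min (about 17 hr),
    99% about 101 min (about 2 hr) and 99.9% about 10 min, which match the
    A1-A3 rows of the Availability Labels table.
    """
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be a fraction between 0 and 1")
    return 7 * 24 * 60 * (1.0 - reliability)


if __name__ == "__main__":
    for lbl in ("C0I1A2", "C1I0A1", "C2I0A0", "C3I0A0", "C0I0A3"):
        print(lbl, "->", classify(lbl))
    print("rule reproduces table:", rule_matches_table())
    for r in (0.9, 0.99, 0.999):
        print(f"{r:.1%} reliability -> {allowed_downtime_minutes_per_week(r):.0f} min/week")
```

The handbook's own example, C0I1A2, evaluates to M under both the table and the rule. Rejecting C4 and above rather than mapping it is deliberate: 3.6.1 places national security markings outside the L/M/H model, so a tool that silently folded them in would understate the handling required.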
4 PL-ITS-ISO-004: Privacy and Protection of Personal Information

Contents:
Policy Description
Who Should Know This Policy
Scope
Responsibilities
Policy

Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

4.1 Policy Description

The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level.

4.2 Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets

4.3 Scope

The policy applies to all personal data held by QU.

4.4 Responsibilities

All users of QU IT resources are responsible for adherence to this policy.

4.5 Policy

1. QU is committed to complying with applicable requirements of local and international laws and regulations for data protection and privacy.
2. QU ensures compliance with contractual requirements for data protection and privacy.
3. All QU users handling personal data are responsible for the protection and privacy of the data held in any form, including paper and electronic.
4. Personal data is classified as C2 Limited Access.
5. Any breach of this policy is subject to disciplinary action.
5 PL-ITS-ISO-005: Risk Management

Contents:
Policy Description
Who Should Know This Policy
Overview
Scope
Policy
Roles and Responsibilities
Vulnerability Assessment Guidelines

Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

5.1 Policy Description

The purpose of this policy is to identify and implement controls that will keep the risks to information assets at an acceptable level.

Who Should Know This Policy

President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets

5.2 Overview

Periodic threat and vulnerability assessments are essential and allow for proactive management of the risks associated with the use of information assets. A threat and vulnerability assessment can point out potential weaknesses, thereby allowing the responsible security team to take proactive measures to mitigate the associated risks. The resulting actions can range from defining policies to implementing specific administrative or technical controls.

5.3 Scope

This policy applies to all QU information systems, defined as any device, system, or service that is owned and/or operated by QU or that holds QU information.

5.4 Policy

1. Periodic threat and vulnerability assessments shall be carried out based on the criticality of the QU information systems. Remediation of identified threats and/or vulnerabilities shall be recommended by the ISO and carried out by the custodians of the information system prior to deployment. For information systems that are already deployed, the system custodian shall coordinate with the ISO on a suitable mitigation plan.
2. If the system custodians do not mitigate identified threats and/or vulnerabilities within a pre-defined time interval, the ISO shall have the authority to isolate the information system from the network until corrective action is taken.

5.5 Roles and Responsibilities

The asset owners shall:

1. In coordination with the ISO, categorize the QU information system as high, moderate or low based on ISO-approved and published guidelines.
2. Ensure that proper authorization and access is given to an ISO-approved assessor for conducting the security assessment. Consent should be provided before performing such an assessment.
3. Devise a Plan of Action and Milestones (POAM) based on the threat and/or vulnerability findings and mitigation plans.
4. Authorize re-testing after action is taken to mitigate the identified risks.

The security assessor shall:

1. Inform the appropriate stakeholders, including management, the system administrators and system owners, of threat and vulnerability assessment activities.
2. Develop threat and vulnerability assessment plans in cooperation with the system managers, covering the scope of the plans and the activities that will be carried out.
3. Execute examinations and tests, and collect all relevant data.
4. Analyze collected data and develop mitigation recommendations.
5. Conduct additional examinations and tests as needed to validate mitigation actions.

5.6 Vulnerability Assessment Guidelines

Vulnerability assessment frequency depends on the criticality of the information system based on the Confidentiality, Integrity and Availability ratings, as outlined in the table below:

Category   Security Assessment Frequency
High       6 months
Moderate   12 months
Low        18 months
6 PL-ITS-ISO-006: Business Continuity Management November 2013 Contents: Policy Description Who Should Know This Policy Scope Policy Institutional Context Responsibilities and Approvals Procedures Definitions Version Number: 1.0 Effective Date: Approved by EMC on: Approved by the President on: 6.1 Policy Description QU shall conduct Business Continuity Planning to minimize any disruption to the continuity of its operations. Information Technology Services shall take the necessary steps to ensure the restoration of information service related operations/activities as soon as possible following an emergency or critical incident. 6.2 Who Should Know This Policy President Vice President Associate Vice President for Facilities & IT Associate Vice President for Administration Legal Advisor Dean Director/ Departmental Head Faculty Accounting/ Finance Personnel Students Employees All users of QU information assets Business Continuity Management 21
6.3 Scope This policy applies to all staff and areas within the University and its controlled entities. 6.4 Policy 1. Business continuity management is an integral part of the University s overall risk management, corporate governance and quality management framework. 2. Using a risk management approach, the University s key business interruption risks are to be identified and assessed so as to ensure the uninterrupted availability of all key business resources required to support essential or critical business activities. 3. All unacceptably high business interruption risks will be subject to risk mitigation treatment in line with the University s overall risk management plans. The effectiveness of the business continuity management program is to be constantly monitored and regularly reviewed. 6.5 Institutional Context The University has an obligation to its stakeholders (students, staff and wider community) to ensure that its operations can continue to a pre-determined minimum level in the event of a major disruptive incident. Through the adoption of Business Continuity Management best practices the University will achieve its business continuity objectives of: 1. Providing timely availability of key resources necessary to operate the critical business processes at a level of operation that is acceptable to management 2. Maintenance of staff, student, client and other stakeholder contact and confidence 3. Fulfillment of regulatory requirements 4. Safeguarding our reputation and public image 5. Controlling extraordinary expenditure caused by the event 6. Controlling risk in priority areas. All organizations have potential risk areas. Some of the most common, in the educational institute s context, with associated preventative requirements (controls), are: 1. Information Systems (including academic & other records): ensuring security is maintained; ensuring the physical assets are protected against damage/loss and records are controlled and secure. 
Business Continuity Management 22
2. Financial Systems and Procedures: ensuring systems cannot be misused; ensuring appropriate accountability for expenditure of funding; ensuring security of financial assets. 3. Buildings, Infrastructure and other Assets: ensuring the organization s resources are protected against damage/loss; ensuring University material assets are available to support key business activities. 3. 6.6 Responsibilities and Approvals 6.6.1 Risk Management Committee Business Continuity Management is a component of the overall risk management function of the University, overseen at a strategic level by the Risk Management Committee. This committee: 1. ensures that the University maintains effective risk management practices across all areas of its activities; 2. oversees the development of a systematic and coordinated risk management framework; 3. monitors the external risk environment; 4. ensures appropriate 6.6.2 Business Units It is the responsibility of the business units, both academic and administrative, to ensure that they have enough information in their specific Business Continuity Plans to enable them to recover from an incident and continue to provide a service to clients within acceptable timeframes. 6.6.3 Information Security Office The University Information Security Office shall consider coverage and review of this policy during the course of the annual audit program. 6.7 Procedures Under this Policy, it is incumbent upon all University managers to ensure that the key functions for which they have responsibility are able to continue following major disruptive events and that arrangements are in place to achieve this. This requires the proactive development, maintenance and devolution of business continuity planning within their areas. Managers are expected to encourage and Business Continuity Management 23
facilitate the active participation of staff in business continuity issues and must ensure that key personnel are able to perform competently during a major disruptive event.

6.7.1 Developing the Business Continuity Plan (BCP)
While a variety of approaches may achieve the same result, there is a common set of requirements that any approach should provide for. These include the means of identifying:
1. The critical business objectives that still must be achieved during and after a major disruption.
2. Stakeholder expectations of acceptable service delivery.
3. The likely scenarios that may result in disruption to the business.
4. What is important to protect, provide or operate during a disruption, i.e. the critical business functions and processes.
5. The people, infrastructure and data resources required to maintain a minimal acceptable level of operations.
6. Communications requirements and the methods and channels of dissemination.

6.7.2 The Process
1. Identify the critical business functions and processes that support achievement of key business objectives. This involves the identification of core business objectives, critical business functions that support these objectives and their critical success factors.
2. The maximum period of time (Maximum Acceptable Outage) that each of the University's key functions and processes can operate before the loss of critical resources affects overall operations needs to be defined at this time.
3. Identify the types of disruptions (risks) that are likely to occur and that will need to be catered for. The actual events do not necessarily have to be considered individually, but the impact of losing key resources, facilities, processes etc. as a result of a disastrous event must be.
4. These impacts will probably be similar across the operations of the University, but each business unit will need to consider such impacts on its own operations. The vulnerability of business processes and interdependencies should be considered as part of this analysis.
5. Any Business Continuity Plan (BCP) should allow the organization to respond flexibly to a wide variety of potential disruption scenarios.
6. Each business unit will then need to identify its business cycles, because the severity of a disruption will depend upon where each area is within its business cycle.
7. While this, in the University context, will be similar for many areas and units, it will not necessarily be the same for all. During some stages of a business cycle (academic year, for example), a limited resource outage can be more disruptive than at other stages. At these times, decisions in relation to implementing emergency alternative procedures to cater for the outage/loss will need to be made more quickly.
8. Conduct a business impact analysis to identify the effect of the different types of outages/losses on the key business functions/processes at each phase of the business cycle. Often there will need to be alternative approaches to cater for disruptions to or losses of different resources, facilities etc. at various times of the year. The loss of a work space, for example, will require different contingency procedures from the loss of computing resources, even at the same point in the business cycle.
9. Identify and document existing workarounds and continuity arrangements. The development of alternative procedures to be implemented in the event of a major disruption can become part of the area's business improvement plan.
10. Identify the resources required to ensure speedy restoration of a minimum acceptable level of the area's key operations.
11. These might include people (specialist and support); IT infrastructure; information and data (hardcopy and electronic); office and specialist equipment; facilities and accommodation; internal dependencies and/or interfaces (e.g. other business units); external dependencies and/or interfaces (e.g. suppliers, contractors, customers, competitors, regulators, etc.); and current stock holdings, among others.
12. The resource requirements for business continuity can be considered in relation to other business requirements and included in budget proposals.
13. Senior management will need to consider the business impact analysis of each area to determine what additional resources are required across the University. The approach to meeting these requirements, including the sequence in which they should be provided, is to be determined.
14. The BCP should be documented in such a way that it is of practical use in a disaster and that it fulfills business, regulatory, training and audit requirements.
15. A BCP communications strategy should be developed which should include identification of who needs information, what information is needed, how that information can be provided, what constraints on its provision might exist and who has the authority to approve the communications.
16. The strategy should also define the means by which different types of messages will be promulgated to each of the stakeholders.
17. There should be BCP testing and training, a verification process to ensure that staff are familiar with the business continuity measures to be implemented and that the various components of the plan function properly. At this stage, plan inadequacies are identified and corrected.
18. BCP reviews and updates should occur on a regular basis to ensure its currency. Any changes to business functions and activities, key dependencies, facilities and supporting infrastructure etc. must be reflected in the plan.

6.8 Definitions
Disaster: An unexpected disruption to normal business of sufficient duration to cause unacceptable loss to the organization, necessitating disaster recovery procedures to be activated.
Disaster Recovery: Activities and procedures designed to return the organization to an acceptable condition following a disaster.
Business Continuity: The uninterrupted availability of all key resources supporting essential business functions.
Business Continuity Management: Provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.
Business Continuity Planning: A process developed to ensure continuation of essential business operations at an acceptable level during and following a disaster.
Maximum Acceptable Outage (MAO), also Maximum Tolerable Outage (MTO) and Maximum Downtime (MD): The maximum period of time that critical business processes can operate before the loss of critical resources affects their operations.
7 PL-ITS-ISO-007: IT Systems Security Compliance

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Exceptions; Security Compliance Standard
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

7.1 Policy Description
The purpose of the IT Systems Security Compliance policy is to ensure that information security is considered prior to any IT system procurement or deployment.

7.2 Who Should Know This Policy
President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
7.3 Overview
The IT Systems Security Compliance Policy defines compliance guidelines for all information systems considered for use at Qatar University.

7.4 Scope
The IT Systems Security Compliance policy applies to all IT systems under consideration for use at Qatar University. An IT System is any combination of hardware, software, and/or IT services that will access and/or process Qatar University electronic data.

7.5 Policy
1. All IT systems being considered, purchased, or deployed must undergo a security assessment by the Information Security Office.
2. The security assessment must be included as an integral part of any Request for Proposals, feasibility studies, contracts, or other such efforts that may lead to the procurement of an IT system.
3. IT system compliance requirements are to be set by the QU Information Security Office.

7.6 Exceptions
Exceptions to this policy MUST be submitted to the Information Security Office, which will review the request and pass it on to the office of the VP for Facilities and Information Technology for further action. Approved exceptions are then documented and communicated to the requesting party.

7.7 Security Compliance Standard
Requests for Proposal (RFPs) or communication with potential vendors regarding the requisition of an IT system must consider the security implications of the IT system early in the process. The sections below outline the information that is needed for the Information Security Office to properly assess the suitability of a proposed solution from an information security perspective.

7.7.1 General Information
The following information must be provided to the Information Security Office prior to the RFP/request being released to Procurement:
1. Name/Title of the IT system
2. General system description/purpose
3. System type (e.g. major application, general support system, etc.)
4. Data sources and types that will be used in the product/service
5. Data security classification, if known (Low, Medium, High; contact the ISO for further details)
6. Contact information:
   a. QU authorizing official/sponsor
   b. QU functional/end user contact(s)
   c. QU technical contact(s)
   d. Vendor contacts (sales, management, technical)
   e. Other designated contacts (e.g. major stakeholders)
   f. Assignment of security responsibility (i.e. person/group responsible for communicating with the Information Security Office regarding information security requirements)

7.7.2 VENDOR Requirements
The following information must be requested from potential VENDORs as part of their proposal response submittal:
1. An architecture overview of the proposed IT system depicting major components and associated interactions and data exchange boundaries
2. Major IT system components and roles (hardware, software, communication equipment, databases, web servers, etc.)
3. Detailed security design for the proposed solution, including:
   a. Organizational structure and relationships between systems managers, security personnel, and users
   b. User roles and access requirements
   c. Authentication method
   d. Logical access control (authorization)
   e. Access control
   f. Application security and malicious code protection mechanisms
   g. Security audit and reporting process
   h. Security awareness requirements
   i. Physical security requirements
4. A list of security controls that are included, planned, and/or expected for the IT system. A table with the following information would be preferred:
   a. Security control title
   b. Details on the implementation requirements and plan for the security control
   c. Any scoping guidance that has been applied and what type of consideration
   d. Indicate if the security control is a common control and who is responsible for its implementation
5. A data classification matrix for each data element. At a minimum, the matrix should include:
   a. Data element description
   b. Data classification, as follows:
      C0 Public
      C1 Internal
      C2 Limited Access
      C3 Restricted
      C4 National Security Markings
   c. Function/process using the data
   d. System and/or database where the data is stored
   e. Associated security controls, as detailed above

7.7.3 Hosted Service Requirements
For IT systems that are not hosted at QU-managed facilities, potential vendors must provide details on the following, IN ADDITION to the above:
1. Data recoverability and migration process
2. Details on the VENDOR's hosting and storage facilities and network redundancy capabilities
3. Operational controls adopted at the VENDOR's facilities
4. Data protection controls
5. Incident response process
6. Service level agreements, including clauses that address timely notification of breaches to data security

7.8 Notification of Change to Solution
Any changes to the project as approved must be communicated to the Information Security team for further review and re-examination for compliance.

7.9 Notification of Security Compliance
The Information Security Office will work with the project team on addressing the security requirements and will notify the project manager of the compliance status prior to the RFP being released.
8 PL-ITS-ISO-008: Access Control and Privileges

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

8.1 Policy Description
The purpose of this policy is to prevent inappropriate use of QU resources by the staff, faculty, students and other employees.

8.2 Who Should Know This Policy
President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
8.3 Overview
The policy is developed to minimize risk to QU resources and information assets by establishing the principle of least privilege for QU users, which includes staff, faculty, students, guests and other employees, to perform their job functions. Technical support staff, security administrators, system administrators and others may have special access account privilege requirements compared to normal users.

8.4 Scope
The policy applies to all students, faculty, staff and other employees having access to QU computing systems, applications, network, files and other information resources.

8.5 Policy
1. Asset owners should apply the principle of least privilege while defining access, to ensure that users have only the permissions needed to perform their job functions.
2. The allocation of privileged rights should be restricted and controlled.
3. Access privileges beyond the need-to-know requirements shall be assessed for risk and dealt with accordingly.
4. Privileges assigned to each user must be reviewed on a regular basis, and modified or revoked upon a change in status within the University. When the privileges assigned to an individual change (e.g. due to a change in role or responsibilities), access to University IT resources should be adjusted accordingly.
5. QU holds the right to revoke access privileges in case of abuse.
6. Privileged users should not access user data under any circumstances, unless expressly authorized by the University or the asset owner.
7. Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate for the work being performed.
8. Access granted to vendors, sub-contractors and other non-QU employees or workers shall be revoked when their association with QU ends.
9 PL-ITS-ISO-009: Software Security

Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Guidelines; Non-Compliance and Exceptions; References
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

9.1 Policy Description
The purpose of this policy is to ensure that the appropriate information security controls are implemented for all QU in-house, outsourced and contracted application development.

9.2 Who Should Know This Policy
President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
9.3 Scope
This standard applies to all software applications being developed or administered by faculty, staff, student employees, contractors and vendors that are designed to handle or manage university data and that are running on devices, physical or virtual. Adherence to this standard will increase the security of applications and help safeguard university resources.

9.4 Policy
To keep risk to an acceptable level, the Information Security Office shall ensure that the proper security controls are implemented for each application developed. These controls will vary in accordance with the sensitivity and criticality of each application.

9.5 Guidelines

9.5.1 Minimum Security Standards
The minimum standards applicable to the development of applications designed to handle or manage university data are listed below. All listed standards are generally required for applications designed to handle or manage confidential university data and are either required or recommended for all other applications. For each standard, the requirement level is given first for Confidential University Data and then for All Other Data.

Standard 1: Classify the university data handled or managed by the application.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 2: Prominently display a "Confidential Record" banner on the screen or interface in use by the application, depending on the type of data being accessed.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 3: Display no data that have been specifically restricted by external law or policy.
   Confidential University Data: Required. All Other Data: Required.

Standard 4: Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Flaws prevented by this include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 5: Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 6: Ensure applications processing data properly authenticate users through central authentication systems (Active Directory, LDAP, RADIUS), where possible.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 7: Establish authorizations for applications by affiliation, membership, or employment, rather than by individual, where possible.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 8: Use central authorization tools (Enterprise Directory Service or Active Directory for rudimentary authorization decisions with appropriate configuration) where possible, and if additional functionality (such as attribute or grouping) is needed, coordinate development with the Information Security Office.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 9: Provide automated review of authorizations where possible.
   Confidential University Data: Recommended. All Other Data: Recommended.

Standard 10: Set any individual authorizations to expire and require their renewal on a periodic basis, at least annually.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 11: Ensure applications make use of secure storage for university data as required by confidentiality, integrity and availability needs. Personal information must be encrypted. Security for all other data can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 12: Implement encrypted communications for services or applications, as required by confidentiality and integrity needs.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 13: Implement the use of application logs to the extent practical, given the limitations of certain systems to store large amounts of log data. When logging access to university data, store logs of all users and times of access for at least 14 days.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 14: Conduct code-level security reviews with peers for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of confidential university data, documenting the actions that were taken. Use threat modeling to prioritize the review.
   Confidential University Data: Required. All Other Data: Required for all Web Based/Internet/Intranet applications; recommended for all others.

Standard 15: Conduct security tests of new applications before they are released to a production environment.
   Confidential University Data: Required. All Other Data: Required for all Web Based/Internet/Intranet applications; recommended for all others.

Standard 16: Conduct annual security reviews and tests of applications.
   Confidential University Data: Required. All Other Data: Required for all Web Based/Internet/Intranet applications; recommended for all others.

Standard 17: Ensure that obsolete applications or portions of applications and code are removed from any possible execution environment.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 18: Implement and maintain a change management process for changes to existing software applications.
   Confidential University Data: Required. All Other Data: Recommended.

Standard 19: Require third parties providing software and/or receiving university data to enter into written agreements with the University to secure systems and data.
   Confidential University Data: Required. All Other Data: Required.
9.6 Non-Compliance and Exceptions
If any of the minimum standards contained within this document cannot be met for applications manipulating data supported by the development team, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. Non-compliance with this standard may result in revocation of developer or administrator access, notification of supervisors, and reporting to the Information Security Steering Committee.

9.7 References
SOURCES:
ISO/IEC 27034 Information technology - Security techniques - Application security
ISC2/CISSP/CBoK: http://resources.infosecinstitute.com/cissp-domainapplication-development-security/
10 PL-ITS-ISO-010: Media Security

Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Media Handling Standards
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

10.1 Policy Description
The purpose of this policy is to establish minimum standards for the secure handling, transport and storage of QU stored electronic information in order to maintain the confidentiality and integrity of the information being handled, transported or stored and to prevent unauthorized use or disclosure of the information.

10.2 Who Should Know This Policy
President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
10.3 Scope
This policy applies to all QU employees, faculty and students and any other individual with access to QU information and/or QU systems, devices and networks. For this standard, personally owned devices are out of scope.

10.4 Policy
Portable devices and electronic media containing QU information shall only be removed from QU facilities to meet business requirements. Portable devices and removable media include, but are not limited to, computers, tablets, smart phones, personal digital assistants (PDAs), backup media, tapes, disks, CDs/DVDs, flash drives, hard drives and any other electronic devices with memory storage. Examples of portable devices that may be used off-campus include laptops, smart phones, and tablets.

10.5 Media Handling Standards
The minimum standards applicable to the handling, transport and storage of media containing university data are listed below.
1. The use and handling of portable devices and media will be restricted to those individuals who are authorized to access the device or media.
2. The use of personally owned electronic storage media to store QU confidential or internal-use information is prohibited.
3. Any portable electronic media or device containing QU information classified as confidential or internal use must be encrypted and password protected.
4. Loss, theft or destruction of QU electronic media or devices containing QU information must be reported to the relevant Business Unit Head and the Information Security Office.

10.5.1 Chain of Custody for Information Assets
1. Laptops assigned to the business unit and any other portable devices or electronic media such as flash drives, PDAs, smartphones or other memory storage devices are the responsibility of the business unit manager where the device is being used.
2. Laptops assigned to the faculty or students and any other portable devices or electronic media such as flash drives, PDAs, enhanced cell phones or other memory storage devices are the responsibility of the faculty member or the student where the device is being used.
3. Portable devices and media that process or store QU confidential or internal-use information must be registered with the Business Unit Head and Information Security Office and will be audited on a quarterly basis.
4. Portable devices and media that process or store QU confidential or internal-use information must be inventoried and inventory logs maintained by the Business Unit Manager. Logs should include:
   a. Name of workforce member assigned
   b. Asset tag number and/or serial number
   c. Date assigned
   d. Date returned
   e. Encryption status

10.5.2 Media Labeling
1. Data owners and/or business unit managers should identify and appropriately label all electronic storage media that contain QU information. If business requirements do not require the QU information to be present on the portable media or device, such information shall be removed. For media where labeling is infeasible or unwarranted (e.g., due to form factor or typical use of the media), reasonable means must be used to provide some physical identifying characteristic to the media indicating ownership and content (e.g., owner's name, contact information).
2. Label information may vary depending on media purpose. Backup media labels or backup library information should generally include:
   a. classification of the information present on the media
   b. format of the data
   c. software and version used to generate the information
   d. operating system and version
   e. date the media was last read and checked (for backup media)

10.5.3 Device and Media Storage
1. Business unit managers shall develop procedures for the secure handling and storage of media and devices for which they are responsible.
2. Media and devices that store confidential or internal-use QU information must be secured from unauthorized access and use at all times.
3. Appropriate redundant copies of QU information stored on devices and portable electronic media should be maintained to ensure information availability should the device or media be lost, stolen or damaged.
4. Media and devices must be stored in a location providing physical security appropriate to the media classification level.
5. Access to electronic media storage must be restricted to enable viewing, handling or use only by authorized individuals.
6. Information classified as public should be protected to maintain integrity and availability as per the QU Information Classification Standard.

10.5.4 Off Site Media Storage
1. QU information which must be kept long-term may be stored off-site in an environment providing physical security appropriate to the information classification level.
2. Media containing QU confidential or internal-use information that is stored off-site shall be encrypted and password protected.
3. In the event QU electronic information must be retained for an extended period of time, the data owner shall ensure that both the storage media and access technologies (e.g., applications) are also retained. A comprehensive migration strategy should account for vendor stability, system obsolescence and media longevity.
4. Appropriate privacy/security agreements must be in place with the media storage vendor before the devices or media are transferred to the custody of the vendor. All contracts for off-site media storage will be submitted to the QU Legal Department and Information Security Office for review and inclusion of appropriate agreements.

10.5.5 Media Transport
1. QU employed couriers or contracted third-party carriers should be used to transport media or devices with a classification of confidential or internal use, and must protect the QU information assets from unauthorized disclosure. A formal record of transfer must be kept of the media or device given to the courier or third-party carrier and its receipt at the destination.
2. Individuals transporting portable devices or media off-site must be proficient in the use of appropriate security controls for those devices/media.
3. Media being retired or returned to the vendor/manufacturer that contain QU information should have the data irretrievably removed prior to transfer from QU custody.
10.5.6 Media Disposal (End of Life)
1. When media has reached its end of life, you must dispose of it securely. The following are examples of end of life conditions for media:
   a. It cannot be erased (e.g. permanent media, such as CD-ROMs),
   b. It is broken beyond repair,
   c. It is too costly to repair,
   d. It is outdated technology,
   e. Its capacity has been exceeded,
   f. It has been replaced by upgraded technology, and
   g. It has exceeded the number of allowable times for reuse (e.g. backup tapes, cleanup tapes).
2. Before disposing of the media, it must be verified that no residual data can be extracted from the media (Media Sanitization).
3. Disposal of such media should be done securely, using an approved method. These methods include, but are not limited to:
   a. Donating to charity,
   b. Buy back by the vendor,
   c. Destruction, and
   d. Inter-agency transfer.

10.5.7 Media Used In Investigation
1. Strict control of media should be maintained when such media contains information required during a security investigation. In such cases, media must be retained, sealed, and stored where limited and logged access controls are in place. A check-in/out procedure should be followed in the presence of Information Security Office personnel.
2. When handling media used in an investigation, the following rules should be adhered to:
   a. Media should not be altered in any way.
   b. Media must not be duplicated before investigation.
   c. Media should not be removed.
11 PL-ITS-ISO-011: Malware Protection

Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Guidelines; Exceptions
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

11.1 Policy Description
To establish requirements which must be met by all devices connected to QU networks to ensure effective virus detection and prevention.

11.2 Who Should Know This Policy
President
Vice President
Associate Vice President for Facilities & IT
Associate Vice President for Administration
Legal Advisor
Dean
Director/Departmental Head
Faculty
Accounting/Finance Personnel
Students
Employees
All users of QU information assets
11.3 Overview
The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. QU has taken measures to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover.

11.4 Scope
This policy applies to all computers that are PC-based or utilize PC file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, servers and other computing devices.

11.5 Policy

11.5.1 End User Computing Devices
All computing devices connected to the Qatar University network must have QU standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up to date. QU prohibits the creation, distribution, or sharing of malicious programs (malware). Users shall ensure that their removable data storage media are free from malware before using them. The malware protection software installed on QU-provided devices must not be disabled or bypassed. The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software.

11.5.2 Servers
1. ITS shall be the custodian of all IT infrastructure components that serve QU operations. Exceptions must be expressly granted by ITS.
2. All production servers should adhere to the minimum security standards policy.
3. Wherever technically feasible, servers shall have malware detection and removal software installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:
   a. Non-administrative users have remote access capability
   b. The system is a file server
   c. NBT/Microsoft Share access is open to this server from systems used by non-administrative users
   d. The system provides a service that is accessible from the Internet

11.6 Guidelines
End users should follow these best-practice guidelines:
1. Never open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
2. Never download files from unknown or suspicious sources.
3. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
4. Always scan removable media obtained from an unknown source for malware before using it.
5. Back up critical data and system configurations on a regular basis and store the data in a safe place.
6. Do not disable anti-malware software running on laptops and desktops.
7. Malware-infected computers must be removed from the network until they are verified as malware-free.

Anti-Malware Software:
1. Devices provided by QU to active faculty and staff are preloaded with anti-malware software that is properly configured and should not be bypassed.
2. Users can get support from ITS to install licensed antivirus software on their computing devices. This service is available for faculty, staff and students.
3. In all cases, anti-malware software should be configured to clean or quarantine infected files and/or block malware from infecting the computer.

Server Protection:
1. Anti-malware software should be installed on servers to protect against malicious software.
2. ITS should ensure that the anti-malware software running on servers is kept up to date.
3. ITS staff should monitor servers for any malicious software installation and for virus attacks.
11.7 Exceptions
Exceptions to the above standards will generally be granted if the antivirus software adversely affects the services running on the server and alternate protection mechanisms are in place to mitigate the risk.
12 PL-ITS-ISO-012: Mobile Computing and Teleworking
Contents: Policy Description; Who Should Know This Policy; Scope; Responsibilities; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

12.1 Policy Description
The purpose of this policy is to identify and implement controls which will keep the risks to information assets at an acceptable level.

12.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
12.3 Scope
This policy applies to individuals who use mobile computing devices and teleworking facilities to access QU information resources.

12.4 Responsibilities
All users of mobile computing devices and teleworking facilities are responsible for adherence to this policy.

12.5 Policy
The Mobile Computing and Teleworking policy applies to individuals who are expected to work from off-campus and is divided into two sections: 1. Mobile Computing and 2. Teleworking.

12.5.1 Mobile Computing
1. QU provides mobile computing facilities to improve the productivity, flexibility, responsiveness and effectiveness of its operations.
2. QU takes appropriate steps for physical protection, access controls, backups, and malware protection for mobile devices.
3. Users receive appropriate training on acceptable usage before they are issued with mobile devices.
4. Users are required to accept in writing their responsibilities with regard to backups, malware protection and use of devices in unprotected environments.

12.5.2 Teleworking
1. QU may provide teleworking facilities based on business need to improve the productivity, flexibility, responsiveness and effectiveness of its operations.
2. Before providing teleworking facilities, QU shall conduct a risk assessment to ensure that the teleworking site is secure.
3. QU authorizes and controls teleworking facilities to ensure that information is secure.
4. Users receive appropriate training on acceptable usage before they are allowed to commence teleworking.
5. Users are required to accept in writing their responsibilities with regard to backups, malware protection and allowing unauthorized access to third parties.
13 PL-ITS-ISO-013: Data Retention and Archival
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

13.1 Policy Description
The purpose of this policy is to establish rules for storing and backing up electronic data.

13.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
13.3 Overview
This policy defines the data retention and archival policy for user data within the organization. The guidelines provided will educate the user community on where to back up data, the retention period, and how to restore the data.

13.4 Scope
This policy applies to all individuals within QU who are responsible for the installation and support of Information Resources, individuals charged with Information Resources security, and data owners.

13.5 Policy
1. All users should identify and store data that needs backup on the shared storage provided to users.
2. All information asset owners and/or custodians should identify the data that needs to be backed up, and define the type of data backup and the retention period.
3. The backup media should be stored either offsite or on the QU campus, based on the criticality of the data stored on the media.
4. The same media should not be used for capturing information assets with different classification levels.
5. Backup media should be protected in accordance with the highest classification level of the information stored on the media.
6. The Information Resources backup and recovery process for each system must be documented and periodically reviewed.
7. Backup operators should verify the success of the QU electronic information backup.
8. Backups must be periodically tested to ensure that they are recoverable.
14 PL-ITS-ISO-014: Security Awareness
Contents: Policy Description; Who Should Know This Policy; Scope; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

14.1 Policy Description
The purpose of the Security Awareness Policy is to raise and maintain awareness of information security-related issues among all users of the QU information assets, including but not limited to: employees, students, contractors, consultants, and other individuals and/or entities.

14.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
14.3 Scope
All users of QU information assets.

14.4 Policy
In order to raise and maintain an acceptable level of information security awareness among its information users, the University shall:
1. Define a comprehensive communication program with a commensurate budget to implement it.
2. Maintain ad hoc and periodic training sessions for its information handlers that cover, among others:
a. QU's security requirements
b. Legal responsibilities
c. Business controls
d. Correct use of information processing facilities
e. Information on the enforcement and exceptions process
f. Details of the QU confidentiality standards, agreements, and expectations
g. Information on reporting information security incidents and communicating information security needs
h. Provide all QU constituents with appropriate training on information security matters, as they relate to the individual and/or group function
i. The baseline requirements of the Government Information Assurance Manual (GIAM) or equivalent
3. All such training and communication shall be updated and communicated on a regular basis.
4. Training should include feedback mechanisms that help QU assess the effectiveness of the communication plan. Such measures may include, but are not limited to, surveys, tests, and statements signed by the individual to attest to receiving the training.
15 PL-ITS-ISO-015: Intellectual Property
Contents: Policy Description; Who Should Know This Policy; Scope; Responsibilities; Policy
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

15.1 Policy Description
The purpose of this policy is to protect the intellectual rights with regard to IT resources.

15.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
15.3 Scope
This policy applies to all intellectual property owned and controlled by ITS.

15.4 Responsibilities
All users of QU IT resources are responsible for adherence to this policy.

15.5 Policy
1. ITS shall acquire software only through known sources, to ensure copyright is not violated.
2. ITS shall maintain a software asset register together with proof of ownership of software licenses, etc.
3. Periodic checks are carried out during internal audits to ensure that no unlicensed software is installed and that the maximum number of user licenses is not exceeded.
4. Users shall not use unlicensed software on QU information systems.
5. Users are forbidden from copying or duplicating anything (whether document, digital asset, or anything else) in violation of local and international copyright laws.
6. Any breach of this policy is subject to disciplinary action.
16 PL-ITS-ISO-016: Legal and Forensics Policy
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Privacy; Procedures; Roles and Responsibilities
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

16.1 Policy Description
The purpose of the Legal and Forensics Policy is to provide a foundation for the development and implementation of the necessary processes to conduct a proper investigation framework for information security incidents.

16.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
16.3 Overview
The Legal and Forensics Policy is defined to allow proper management of incidents that involve a breach of QU information security policies or other local government laws and regulations, or that put in jeopardy the reputation of the University or its personnel.

16.4 Scope
The Legal and Forensics Policy applies equally to all individuals who use or handle any Qatar University information resource. Incidents covered by the policy include, but are not limited to, the following:
1. Internet misuse/abuse
2. Electronic mail misuse/abuse
3. Unauthorized use of computing resources, including computing devices and network resources
4. Storage of pornography or adult-related material and illegal content
5. Unauthorized access to hardware or software
6. Violations of the QU Employee Non-Disclosure Agreement
7. Activities that warrant further investigation by QU or government agencies

16.5 Policy
1. QU shall investigate all incidents related to information security breaches using proper, standards-based procedures and guidelines. Confidentiality of the process shall be maintained throughout.
2. The Information Security Office (ISO) is the authoritative body for all information security-related investigations and holds the right to investigate any actions that can impact the services offered by QU or QU's reputation, or incidents that violate the Acceptable Use of Information Resources policy.
3. The ISO also holds the right to seize the data, asset or resource used for illegal activity.
4. The ISO is responsible for sharing information about the investigation with the appropriate agencies, after approval from the VP/CFO, without the consent of the asset owner.

16.6 Privacy
The Privacy clauses defined in the Acceptable Use of Information Resources Policy apply. In particular:
In the course of investigating a security incident, any/all user communication may be fully monitored, tracked, audited, and archived. Monitoring the contents of such communication requires approval from the VP/CFO, in consultation with the QU Legal Counsel. As required, the authorization may be escalated to the President's office.

16.7 Procedures

16.7.1 Initiation
An investigation may be initiated:
1. At the request of any QU business unit or local government agencies, with the approval of the office of the VP/CFO
2. At the request of the QU Information Security Office as a requirement for securing the QU infrastructure

16.7.2 Preservation of Evidence
In order to ensure the proper preservation of a device's state, a device being investigated MUST NOT be handled by anyone other than the investigating person. Depending on the level of investigation being conducted, copies of specific files, drive images, or the whole devices may be retained by the investigating team. Snapshot images may also be taken showing device content as necessary. All evidence collected during the course of an investigation will be retained until its proper destruction is approved by the appropriate authority. If no evidence of abuse is identified, all collected evidence MUST be deleted immediately.

16.7.3 Seizure of Equipment
The ongoing investigation MAY require the seizure of equipment and/or storage devices by the investigating group.

16.7.4 Record of Activities
All activities related to an investigation MUST be documented. If the presence of illegal content is discovered, all investigations MUST stop and the appropriate authority contacted.

16.7.5 Data Destruction
The information collected during the investigation phase will be deleted by using a proper degaussing technique to ensure that the data is not recoverable. In case
the evidence is passed to other investigation bodies, the QU investigation office (ISO) will not be liable for data destruction.

16.8 Roles and Responsibilities
The Information Security Office is the focal point for all information security-related investigations. The ISO will coordinate with all parties involved and will strive to maintain the confidentiality of the investigation as warranted. For highly sensitive incidents involving QU personnel, the chain of approvals shall be as follows:
1. The department head/director of the business unit where the incident is discovered/reported must authorize the investigation in writing.
2. Approval of the VP/CFO is required, in writing.
3. In case any of the officials mentioned above is the subject of the investigation, the President's office will be consulted and an alternate authority shall be named and its approval sought, in writing.
4. In cases that involve legal entities or groups external to Qatar University, the President's office will be informed throughout the process.
5. All records of the investigation shall be kept as outlined in the procedure above.

Responsibility chart (RACI). Columns in the original chart: Department Head/Director; President's Office; Information Security Office; VP/CFO. The chart's empty cells were lost in extraction, so each row below lists its entries in the order they appear in the chart:
Initiate Investigation: R, I, R
Approve Sensitive Cases: I, A, R
Approve Normal Cases: I, A
Conduct Investigation: I, I, A
Override Chain of Authority: A, R
Liaise with Law Enforcement Agencies: I, C, A
Report Findings: I, C, AR

Legend:
R (Responsible): The person who is assigned to do the work.
A (Accountable): The person who makes the final decision and has the ultimate ownership.
C (Consulted): The person who must be consulted before a decision or action is taken.
I (Informed): The person who must be informed that a decision or action has been taken.
17 PL-ITS-ISO-017: Physical Security
Contents: Policy Description; Who Should Know This Policy; Scope; Policy; Non-Compliance and Exceptions
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

17.1 Policy Description
The purpose of this policy is to ensure that University information technology resources are protected by physical security measures that prevent physical tampering, damage, theft, or unauthorized physical access.

17.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
17.3 Scope
This policy applies to all University equipment that stores, processes, or transmits data that has been classified as confidential or protected data.

17.4 Policy
Technical support staff, security administrators, system administrators, and others may have Information Resource physical facility access requirements as part of their function. The granting, controlling, and monitoring of physical access to Information Resources facilities is extremely important to an overall university security program. The QU Physical Access for Information Resource Policy states:
1. Each University department is required to have a Facility Security Plan which shall include measures to safeguard Information Technology resources. The plan shall describe the ways in which all Information Technology resources shall be protected from physical tampering, damage, theft, or unauthorized physical access.
2. Access to areas containing confidential or protected data must be physically restricted. All individuals in these areas must wear an identification badge on their outer garments so that both the picture and the information on the badge are clearly visible.
3. Physical access to all Information Resources restricted facilities must be documented and managed.
4. Restricted IT areas include data centers, computer rooms, telephone closets, network router and hub rooms, voicemail system rooms, and similar areas containing IT resources. All access to these areas must be authorized and restricted.
5. Sensitive IT resources located in unsecured areas should be secured to prevent physical tampering, damage, theft, or unauthorized physical access to confidential or protected data.
6. IT equipment must be marked with some form of identification that clearly indicates it is the property of QU.
7. Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
8.
Physical access to records containing confidential or protected data shall be restricted, and such records and data shall be stored in locked facilities, storage areas or containers.
17.5 Non-Compliance and Exceptions
Violation of this policy may result in disciplinary action up to and including termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of QU Information Resources access privileges, and to civil and criminal prosecution.
18 PL-ITS-ISO-018: Acceptable Use of Information Resources
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Compliance
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

18.1 Policy Description
The Acceptable Use of Information Resources policy is defined to achieve the following:
- Establish prudent and acceptable practices regarding the use of QU information resources.
- Educate individuals who may use information resources with respect to their responsibilities associated with QU.

18.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
18.3 Overview
Qatar University provides its active students, faculty and staff with information resources to support its academic, educational, administrative, public service, and research initiatives. Users are responsible for adhering to the highest standards of ethical, considerate and proper use of such computing resources to serve these purposes.

18.4 Scope
The QU Acceptable Use of Information Resources policy applies equally to all individuals granted access privileges to any QU information resources.

18.5 Policy
The Acceptable Use of Information Resources policy covers all means of communication, including the ones listed below.

18.5.1 Privacy
1. Users of QU information resources are not guaranteed the privacy of their communication. For example, QU cannot guarantee that email messages sent by a user are not intercepted by a malicious user in transit or on the destination system.
2. User communication is subject to the terms of confidentiality that are outlined in the University's non-disclosure agreements.
3. Tracking of users' activities may be required for such purposes as capacity planning and resolving problems with the services. Such tracking may be conducted in a manner that preserves the anonymity of the end users.
4. In the course of investigating a security incident, user communication may be monitored, tracked, audited, and/or archived. Monitoring the contents of such communication requires approval from the VP/CFO in consultation with the QU Legal Counsel. As required, authorization from the President's office may be necessary.

18.5.2 Computing Devices
For the purpose of this policy, computing devices include, but are not restricted to, laptops, desktops, mobile devices and other electronic devices that are owned by, or are in use at, Qatar University facilities.
1. Computing devices provided by QU are the sole property of the University. As such, users should handle them responsibly and with care to avoid breakage, failure and physical damage.
2. All accounts with administrative or elevated privileges must be protected by a password.
3. Users shall not use their computing devices to:
- access illegally or without authorization data, computers, accounts, or networks;
- distribute offensive, abusive and/or harmful material;
- intentionally or knowingly install or distribute computer malware or other malicious software that could potentially harm systems, cause loss of data, or disrupt network services;
- attempt to circumvent any established security measures to gain access to confidential and restricted information;
- install or copy unlicensed material;
- create, transmit or participate in pranks, hacking schemes, chain letters, false or deceptive information, or any other fraudulent or unlawful purposes;
- attempt to format or repair a University-owned computing device;
- violate Qatar University or Qatar government laws and regulations.

18.5.3 Electronic Mail
1. Users shall be held responsible for inappropriate use of electronic mail.
2. Qatar University strictly prohibits the transmission of offensive, abusive, violent, threatening and harmful content through email. Violators will be subject to disciplinary action as applicable.
3. Users shall not share passwords, credit card information, and restricted data through email without proper protection such as encryption.
4. Users may not:
a. transmit, forward, or post internal emails, or attach internal classified documents containing sensitive information, to anyone outside of QU.
b. transmit, forward, or post non-Qatar University related chain letter emails to anyone at any time.
c. falsify or impersonate a sender address.
d. give the impression that they are representing, giving opinions, or otherwise making statements on behalf of QU or any unit of QU, while communicating with domains outside QU. Exceptions require proper authorization and a strong business case justifying such representation.
e. use email broadcasts or mailing list services offered by QU for personal, commercial, or non-university-related announcements. Exceptions require justification and proper authorization.
5. All QU material with classification C2 and above transmitted over email should be encrypted.

18.5.4 Internet Access
1. Users accessing the Internet through QU's network are expected to use their access responsibly and ethically. Users may not compromise University resources by intentionally downloading malicious, offensive, abusive, profane, illegal and/or harmful content.
2. Users should refrain from using peer-to-peer file sharing protocols within the QU network infrastructure. If any business case arises, prior approval from their respective department head/dean is required.
3. Users shall not bypass the security mechanisms implemented and managed by QU for accessing the Internet. Examples include bypassing firewalls installed by the Information Technology Services department.
4. Individuals are solely responsible for any indirect, consequential, special or punitive damages or losses that may arise from their inappropriate use of Internet access.

18.5.5 Web Space & Services
1. Users/owners are accountable for any content they post on QU web servers that is deemed inappropriate by Qatar University officials.
2. Qatar University classified data shall not be made available via QU web sites or the portal without appropriate security measures.
3. Access to the QU portal and other web services shall be terminated when a user's role expires, i.e. the user is no longer a faculty member, staff member or student at the University. Exceptions are allowed with proper authorization.
4. When the owner of a web space leaves QU, the web space will remain available for 12 months, after which QU may take the site offline.

18.5.6 Printers and Scanners Use
1. Printers and scanners provided by QU are the sole property of QU and should be treated as such by all users.
2.
Users should consider the printer environment while printing confidential classified information, and should promptly remove the printed material from the printer.
3. Users may not:
a. remove or move printers and scanners from their locations except for temporary use and with prior approval of ITS;
b. attempt to fix a printer or scanner without contacting the ITS Helpdesk for support;
c. print or distribute abusive, offensive or unethical material.

18.5.7 Maintenance of Clear Screen
Users shall maintain a clear screen on their desktops/laptops by:
1. Activating the screen saver on their PC/desktop/laptop/netbook
2. Configuring the screen saver to:
a. lock the screen if the system is idle for more than 5 minutes
b. require a password to resume operation
3. Users shall not tamper with the screensaver settings enforced by ITS to defeat the purpose of this policy.

18.5.8 Maintenance of Clear Desk
Users are to exercise due care in protecting classified information by:
1. Not leaving any information (paper/books/ledgers) being entered into the system unattended when moving away from the desk, even for a short while such as attending a phone call, lunch or break hours, etc.
2. Keeping restricted and limited-access information protected while entertaining visitors at their desk.

18.6 Compliance
Failure to comply with this policy may result in:
1. Termination of access to resources provided by Qatar University, including access to the wired and wireless network infrastructure;
2. Disciplinary action up to and including termination of employment, services or relationship with the University;
3. Actions in accordance with the local law enforcement authorities.
19 PL-ITS-ISO-019: Use of Network Services
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Guidelines
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

19.1 Policy Description
The policy is defined to secure the network infrastructure, both wired and wireless.

19.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
19.3 Overview
The QU network infrastructure is provided as a central utility for all users to access services offered by QU. QU provides both wired and wireless network infrastructure to its students, faculty, staff and other employees.

19.4 Scope
This policy applies to all faculty, staff, students and contractors who connect to the QU wired/wireless infrastructure. For the purpose of this policy, QU users are all individuals who use or plan to use the University's network, regardless of their affiliation. Exceptions include individuals expressly authorized by the Information Technology Services Department (ITS).

19.5 Policy
The Use of Network Resources policy ensures the proper use of QU network resources.

19.5.1 Device Connections
1. QU users are not allowed to install switches, hubs, routers, servers, or any other active or passive network device other than end-user computing devices such as computer workstations or printers.
2. QU users may not contract with any non-university entity to install network and/or security devices.
3. No device may be connected that presents itself as multiple, concurrent IP addresses without the express consent of ITS.
4. Routing and bridging shall only be performed by devices managed by ITS.
5. Connections may not be made to any external entity without the knowledge and express consent of the QU ITS department. This restriction applies to connections to commercial enterprises such as Internet Service Providers (ISPs) and to companies that provide a service to the University.
6. QU users may not manually configure an IP address for use on the University's networks. If a static IP address is required, the user should contact ITS.
19.5.2 Unauthorized Devices
Users may not connect devices to the network which will negatively impact the network without prior approval from ITS. Such devices include, but are not limited to:
1. Wireless access points, switches, hubs, bridges, or routers.
2. DHCP servers or any device that acts as a DHCP server or performs an equivalent function.
3. DNS servers or any device that acts as a DNS server.
4. Any device that consumes a disproportionate amount of network bandwidth.
5. Any device that can bypass the security mechanisms enforced by the University.

19.5.3 Remote Access
1. Access to QU campus networks, servers or computers shall be protected against unauthorized access and information disclosure.
2. Users accessing the QU network using Virtual Private Network (VPN) services, dial-up or any other remote access solution should be authenticated before being granted access to QU resources.
3. Third-party access to QU campus network resources must be monitored and logged.
4. Third-party access should be terminated with immediate effect in case of unauthorized access or if the access causes any performance degradation in the QU network. Notification should be sent to the end user or organization indicating the reason for such action.

19.5.4 Access To/From Untrusted Networks
1. Requests to access QU resources from untrusted domains shall be audited by the QU Information Security Office before the access is allowed.
2. Any access from the QU network to the Internet or any third-party network should be through the QU network only.
3. QU campus network users should not connect to the Internet or any third-party network from campus networks using an Internet connection facility provided by third-party service providers or using a dial-up connection.

19.5.5 Access Termination
1. The Information Security Office should proactively monitor the network infrastructure for any potential threats to its information system resources.
2. ITS teams shall take immediate action to mitigate any threats that can pose a serious risk to campus information resources. If the threat level is high, the sources that pose the threat shall be blocked from accessing these resources.
3. QU users shall report to the ITS Help Desk whenever they come across potential threats to QU resources. The source of such a threat shall be blocked from accessing QU information resources, and corrective action planned and executed in cooperation with the Information Security Office.

19.6 Guidelines

19.6.1 Unauthorized Network Access
1. ITS shall monitor the network for any unauthorized network extension devices connected to the network. If found, the concerned department head will be notified and the port(s) disabled immediately.
2. Wireless network coverage is offered by ITS to enable mobility and ensure that end users can connect from the desired locations.
3. Guest wireless access is provided to untrusted devices and non-QU individuals using the QU wireless infrastructure.
4. ITS monitors the wireless infrastructure for rogue access points and reserves the right to disable their access to the campus network.
5. End users should follow the recommended configuration of their devices and not alter it in a way that may cause damage to the network infrastructure or compromise other devices in the vicinity.

19.6.2 Network Access Blocking
1. The Information Security Office shall evaluate the risk of any threat to campus information resources or to the Internet from the QU network and shall take action to mitigate the threat. Identified threats shall be categorized as:
a. Critical
b. Non-critical
2. Critical level threats are those which:
a. can seriously degrade network performance (DoS, DDoS, mail spam, phishing attacks etc.);
b. provide unauthorized access to systems or services;
c. can be used as pivot points to attack another computer or network, regardless of the destination;
   d. negatively impact the University's reputation, legal and financial stability.
   For such threats, the device(s) in question shall be blocked immediately from accessing the QU network and notification will be sent to IT Management explaining the attack vector and threats. If the threat originates from the internal QU campus network, an alert will be sent to the end users informing them of the reason for blocking their access.
3. Non-critical threats are attacks that do not cause any major impact on QU information system resources. For such threats, users will be informed of the potential threat and will be asked to perform tasks to mitigate the threat or to contact the ITS Help Desk. If no action is taken within 5 days, a second notice will be sent. The offending system will be blocked within two days of the second notice unless a response is received indicating how the threat will be mitigated.

19.6.3 External Network Access
Qatar University computers and networks that interface with external networks must maintain system logs that indicate the identity and activity of each user who accesses these systems. These logs must record the time of day, date, user ID, any privileges utilized, and other details associated with all connections. Such logs must be available at the request of the Information Security Office.
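The blocking and notification timeline of 19.6.2 (immediate block for critical threats; first notice, second notice after 5 days, block two days later unless a response is received for non-critical ones) can be tracked per offending device. The following is an added example of such a case tracker, not ITS tooling from the handbook; the ThreatCase record and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ThreatCase:
    """Constructed case record for one offending device (hypothetical, not ITS tooling)."""
    host: str
    critical: bool                  # categorised per 19.6.2(2) by the Information Security Office
    internal: bool                  # source sits on the internal QU campus network
    first_notice: Optional[date] = None
    second_notice: Optional[date] = None
    responded: bool = False         # user indicated how the threat will be mitigated
    blocked: bool = False


def advance(case: ThreatCase, today: date) -> list:
    """Apply the 19.6.2 handling rules as of `today`; returns the actions due now."""
    actions = []
    if case.blocked:
        return actions
    if case.critical:
        # Critical: block at once, notify IT Management, alert an internal end user
        case.blocked = True
        actions += ["block", "notify_it_management"]
        if case.internal:
            actions.append("alert_end_user")
        return actions
    if case.first_notice is None:
        # Non-critical: inform the user and ask for mitigation
        case.first_notice = today
        return ["first_notice"]
    if case.responded:
        return actions              # mitigation plan received: no block
    if case.second_notice is None:
        if today - case.first_notice >= timedelta(days=5):
            case.second_notice = today
            return ["second_notice"]
        return actions
    if today - case.second_notice >= timedelta(days=2):
        case.blocked = True         # two days after the second notice, still no response
        return ["block"]
    return actions
```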
20 PL-ITS-ISO-020: User Account Management
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Exceptions
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

20.1 Policy Description
This policy outlines the University's administration of user accounts for authorized users of the University IT resources.

20.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
20.3 Overview
The Qatar University Identity (QUID) is a user account assigned to each faculty member, staff member, student and other employee using the University technology systems. These accounts are used for accessing various services offered by QU.

20.4 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at a Qatar University facility, has access to the QU network, or stores any non-public QU information.

20.5 Policy
The User Account Management policy ensures that accounts created for the QU community operate smoothly and are used for the purpose of conducting QU business.

20.5.1 QUID
1. Each student, faculty member, staff member and employee accessing QU resources shall be assigned a unique user ID, hereafter referred to as QUID, which can be used to access QU resources.
2. The account and its associated privileges shall be revoked once the user's association with QU ends. Exceptions include those approved by the concerned QU authorities and retired Qatari faculty.
3. An individual may have no more than one QUID.
4. User accounts shall be audited on a regular basis and corrective action shall be taken for any irregularities found.
5. Vendors and subcontractors accessing QU resources for support functionality shall be given unique QUIDs that will expire when no longer required or when the association with QU ends.

20.5.2 Generic Accounts
For the purpose of this policy, a generic account is an account that is not tied to a specific person associated with the University. This can include, but is not limited to, system accounts, shared accounts, and pre-configured accounts.
1. The generation and use of generic accounts must be justified in writing by the requesting entity and approved by the Information Security Office.
2. The least privileges needed for the requested account(s) must be clearly identified in terms that can be translated into implementable technical controls. No additional privileges shall be associated with the requested accounts.
3. Generic accounts shall be used for the purpose for which they were created, and their access authorization cannot be used for any other purpose.
4. Passwords for generic accounts must follow strict complexity rules since they are not likely to be changed by regular users.
5. A deadline for the utilization of all generic accounts must be provided.
6. Regular account audits must be performed, and generic accounts that are no longer justifiable must be removed from any/all associated systems.
7. The requesting individual/department shall appoint an individual or role to be the authoritative contact for the requested generic account(s).
8. The person/department requesting a generic account takes full responsibility for all actions taken using the generic account.
9. The Information Security Office has the right to block access for generic accounts to ensure the security of QU information and/or infrastructure.

20.5.3 Access Revocation
Qatar University reserves the right to remove/revoke any user's access rights to IT resources at any time.
1. For employees, the user account and all application access apart from email access will be disabled as marked in the user's ERP record.
2. A Qatari Professor Emeritus can use the email services and phone services offered by QU. The services can be revoked either upon request by the user, at QU's discretion, or if the account is inactive for a period of 12 months.
3. Inactive student accounts will be disabled every year based on the information provided by the Students Information System. If prolonged access is required, approval must be requested from the concerned authorities.

20.5.4 Password Change
1. All system privileged-level passwords must be changed on at least a quarterly basis.
2. All user-level passwords must be changed at least every six months.
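The regular account audit required by 20.5.1(4) can encode the revocation rules of 20.5.1 and 20.5.3 directly. Below is an added example of such an audit over constructed account records; it is not QU's own tooling, and the Account fields (kind, association_end, last_activity, enrolled, exception_approved) are assumptions rather than the ERP or Students Information System schema.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical account record (constructed; field names are not QU's ERP/SIS schema).
@dataclass
class Account:
    quid: str
    person_id: str                          # identifies the human behind the QUID
    kind: str                               # "employee", "emeritus", "student" or "vendor"
    association_end: Optional[date] = None  # ERP / contract end date, None while active
    last_activity: Optional[date] = None
    enrolled: bool = True                   # still listed by the Students Information System
    exception_approved: bool = False        # retention approved by the concerned authority

def audit_account(acct: Account, today: date) -> str:
    """Decide 'keep', 'disable' or 'irregular' for one account under 20.5.1 and 20.5.3."""
    if acct.exception_approved:             # 20.5.1(2): approved exceptions stay active
        return "keep"
    ended = acct.association_end is not None and acct.association_end <= today
    if acct.kind in ("employee", "vendor"):
        # 20.5.3(1) and 20.5.1(5): disable on the recorded end of the association
        return "disable" if ended else "keep"
    if acct.kind == "emeritus":
        # 20.5.3(2): services lapse after 12 months without activity
        idle = acct.last_activity is None or today - acct.last_activity > timedelta(days=365)
        return "disable" if idle else "keep"
    if acct.kind == "student":
        # 20.5.3(3): the yearly run disables students no longer enrolled
        return "keep" if acct.enrolled else "disable"
    return "irregular"                      # unknown kind: flag for corrective action, 20.5.1(4)

def multiple_quid_holders(accounts):
    """Persons holding more than one QUID, which 20.5.1(3) forbids."""
    counts = Counter(a.person_id for a in accounts)
    return sorted(p for p, n in counts.items() if n > 1)

# Constructed sample data for an audit run on 2013-11-30.
SAMPLE = [
    Account("qu1001", "P1", "employee", association_end=date(2013, 11, 15)),
    Account("qu1002", "P2", "employee"),
    Account("qu1003", "P3", "emeritus", last_activity=date(2012, 10, 1)),
    Account("qu1004", "P4", "student", enrolled=False),
    Account("qu1005", "P5", "vendor", association_end=date(2014, 3, 1)),
    Account("qu1006", "P2", "student"),     # same person as qu1002: policy violation
]
```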
20.5.5 Access Monitoring
ITS reserves the right to monitor user account access privileges and activities for statistical and security reasons. The confidentiality of users' personal access data and information will be maintained throughout the process unless an investigation is in progress that relates to the user's activities.

20.6 Exceptions
Exceptions to this policy may be requested in writing to the appropriate department, with approval of the Information Security Office.
21 PL-ITS-ISO-021: Email Access Policy
November 2013
Contents: Policy Description; Who Should Know This Policy; Overview; Scope; Policy; Exceptions
Version Number: 1.0
Effective Date:
Approved by EMC on:
Approved by the President on:

21.1 Policy Description
The purpose of the Email Policy is to establish the rules for the use of QU email for the sending, receiving, or storing of electronic mail.
1. To establish prudent and acceptable practices regarding the use of email.
2. To educate individuals using email with respect to their responsibilities associated with such use.
3. To ensure proper security mechanisms are in place to protect QU from threats arising from email services.

21.2 Who Should Know This Policy
President; Vice President; Associate Vice President for Facilities & IT; Associate Vice President for Administration; Legal Advisor; Dean; Director/Departmental Head; Faculty; Accounting/Finance Personnel; Students; Employees; All users of QU information assets
21.3 Overview
Qatar University provides email services to its students, faculty, staff and other employees. The use of email is a privilege granted by QU to facilitate the University's mission. This access is provided to active staff, faculty, and students in support of daily operations and University initiatives. Users of email services should follow professional practices in maintaining the security and information integrity of email communication.

21.4 Scope
The QU Email Policy applies equally to all individuals granted access privileges to any QU email service with the capacity to send, receive, or store electronic mail.

21.5 Policy
The Email Access policy helps ensure that access to QU email systems is well defined and managed.

21.5.1 Email Access
1. All users at QU (including staff, faculty and students) having access to email services are granted a unique email account upon joining QU.
2. Email accounts for retired Qatari faculty members shall remain active. Access may be revoked upon user request or at QU's discretion.
3. Email accounts for faculty and staff shall be disabled immediately after their association with the University ends.
4. The use of email broadcast services is governed by the External Relations policy and guidelines.

21.5.2 Departmental Accounts
1. Colleges or departments that require a departmental email account may send a request to ITS with all the necessary documentation.
2. Ownership of the account shall remain under the control of the head of the department or business unit.

21.5.3 SPAM and Malware Control
QU should implement suitable protection mechanism(s) to facilitate the detection and proper handling of undesirable email before it reaches the user's mailbox. This includes, but is not limited to, SPAM, phishing and malware-infected emails.
21.5.4 Retention
All email communication is archived as per the Data Retention and Archival Policy.

21.6 Exceptions
In case an individual's email account is still required for further University endeavors, her/his email account may be kept active after initial and periodic review, validation, and written approval by a Dean or Director, who should also provide the reason, the individual's name and the length of time for which the extended access will be required.