Policy v1.0

Policy v1.
0
Information & Technology
King Fahd University of Petroleum & Minerals, KSA
Abdullah Al Mamun
To Dr. Talal AlKharobi
Preface
This paper is done as a coursework for the course computer & network security. We have learned
many important and necessary things about policy regarding information and technology. In
addition, we learned, how to analysis, organization, collaboration and write up policies. We tried
best to make a complete set of security policy for ITC department of our university. Also, we
tried to consider all possible cases and scenarios.
However, we enjoyed and learned during this work. We have plan to make policies for all
departments in our university as future work.
Author
Abdullah Al Mamun
Co-Author
Hassan Ali
Ahmad M. Shaheen
Essa Q. Shahra
Sultan Anwar
Contents
0.1
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.1
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.2
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.3
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.4
Roles and Responsibilities for Information Security . . . . . . . . . . . . . . . . . . . .
0.1.5
Sensitive Information
0.1.6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
0.1.5.1
Top Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
0.1.5.2
Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
0.1.5.3
Confidential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
0.1.5.4
Restricted
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
0.1.6.1
Staff Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12
0.1.6.2
Student Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
0.1.6.2.1
0.2
Disclosure of Student Information . . . . . . . . . . . . . . . . . . .
16
Information Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
0.2.1
Email Address Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
0.2.1.1
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
0.2.1.2
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
0.2.1.2.1
University Contact Directory . . . . . . . . . . . . . . . . . . . . . .
21
0.2.1.3
0.3
0.2.1.2.2
Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . .
21
0.2.1.2.3
Account Withdrawal . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
Student Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
0.2.1.3.1
Account Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
0.2.1.3.2
Student Account Type . . . . . . . . . . . . . . . . . . . . . . . . .
22
0.2.1.3.3
Non-Capped Student Accounts . . . . . . . . . . . . . . . . . . . . .
23
0.2.1.3.4
Capped Student Accounts
. . . . . . . . . . . . . . . . . . . . . . .
23
0.2.1.3.5
Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . .
24
0.2.1.4
Administrations and Implementation Compliance . . . . . . . . . . . . . . .
25
0.2.1.5
Ownership of Email Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
0.2.1.6
Personal Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
0.2.1.7
Privacy and Right of University Access . . . . . . . . . . . . . . . . . . . . .
27
0.2.1.8
Data Purging and Record Retention . . . . . . . . . . . . . . . . . . . . . . .
27
0.2.1.9
Data Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
0.2.1.10 Expiration of Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
0.2.1.11 Appropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
0.2.1.12 User Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
0.2.1.13 Departmental Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
0.2.1.14 Temporary User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
0.2.1.15 Supported Mail Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
0.2.1.16 Inappropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
0.2.1.16.1 The exchange of email content that: . . . . . . . . . . . . . . . . . .
33
0.2.1.16.2 Other improper uses of the email system include:
. . . . . . . . . .
33
0.2.1.17 SPAM and Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
Systems Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
0.3.1
35
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.2
0.3.3
36
0.3.2.1
Servers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
0.3.2.2
Workstations and accessible systems . . . . . . . . . . . . . . . . . . . . . . .
37
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
0.3.3.1
Prohibited Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
0.3.3.2
Organizational and Non-Organizational Computers . . . . . . . . . . . . . .
37
0.3.3.3
Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
0.3.3.4
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
0.3.3.4.1
Authorization of Software . . . . . . . . . . . . . . . . . . . . . . . .
39
0.3.3.4.2
Prohibited Software . . . . . . . . . . . . . . . . . . . . . . . . . . .
39
0.3.3.5
Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
39
0.3.3.6
Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
0.3.3.6.1
Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
0.3.3.6.2
Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
0.3.4
Consequences of Misuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
0.3.5
Information Storage and Disposition . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
0.3.5.1
Electronic Information
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41
0.3.5.2
Paper based information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41
Release of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42
0.3.6.1
Legal Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42
0.3.6.2
Requests for information from External Entities . . . . . . . . . . . . . . . .
42
0.3.7
Internal Monitoring and auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
0.3.8
Violations and misuse of Information Security . . . . . . . . . . . . . . . . . . . . . . .
43
0.3.6
0.4
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Password Policy
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44
0.4.1
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44
0.4.2
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45
0.4.3
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45
0.4.3.1
Password rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45
0.4.3.2
Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
0.4.3.3
New Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
0.4.3.4
Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
0.4.3.5
Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
0.4.3.6
Administrator Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
0.4.3.7
Storing Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
0.4.3.8
Security Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
0.4.3.9
Password Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
0.4.3.9.1
Storing Password . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
Data Backup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
0.5.1
Preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
0.5.1.1
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
0.5.1.2
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
0.5.2
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
0.5.3
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
0.5.4
Backup Types
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50
0.5.5
Statement of Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50
0.5.5.1
Information to be Backed up and Schedules . . . . . . . . . . . . . . . . . . .
52
0.5.5.2
Storage of Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53
0.5.5.3
Data Backup Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53
0.5.5.4
Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
0.5.6
Policy Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
0.5.7
Backup procedure Flowchart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
0.4.4
0.5
0.5.8
Backup Procedures Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
Internal Network and Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
0.6.1
Internal Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
0.6.2
Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67
0.7
System administration and User access management . . . . . . . . . . . . . . . . . . . . . . .
76
0.8
User Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
84
0.8.1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
84
0.8.2
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
87
0.8.3
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
87
0.8.4
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
87
0.8.5
Account Management Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
88
0.8.6
Application and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
90
0.8.7
Sponsored Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
90
0.8.8
Staff Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
90
0.8.9
Email Address and Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
91
0.8.10 Associate Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
93
0.6
0.1
0.1.1
Information Security Policy

Purpose
Information is a vital resource of the University and the basic purpose of this information security policy is to
make sure the safeguard of this resource. University information used for research, administration, teaching
and economic activities must be secured from threats that can result in financial losses, damage of reputation
and law exposure. This information must be saved from unauthorized, intentional and unintentional access
or damage while also preserving the open and shared information according to requirements. Information
security can be achieved by the responsibilities and controls assigned by the security companies, external
businesses and regulatory bodies. Security measures include:
Confidentiality: Protection of information from unauthorized and illegal entity must be ensured. Information must be secured throughout its life cycle from creation to disposal.
Integrity: Protection against unauthorized modifications and amendments must be ensured. The accuracy,
purity and completeness of information must be maintained.
Availability: To make sure that only the authorized entity can have access to information, resources and
other associated services whenever desired.
Accountability: To make sure that the entitys activity can be traceable uniquely to that entity.
Legislative compliance: All of the University community members should be cognizant of and adhere
the law which applies to information processing. Personal data can only be shared, managed, disclosed,
moved, discard and copied only when all the security measures mentioned above are taken into account in
correspondence with the data managing laws.
Risk assessment must be performed to ensure reasonable security measures to identify security failures and
threats. These risk assessments must be accommodated with entire information handling procedure and
must be present even in normal conditions. This information security policy document is for entire information handling which is supported by additional points, procedures, and guidelines that as a whole will define
information handling and security environment in the University.
0.1.2
Scope
Each type of university information related to internal or external stake holders must be protected. The
level of protection can be carried out according to sensitivity, worth and importance regardless of the type
of storage media, storage locations and data processing systems.
This policy is for all employees, students, faculty and staff who are given the rights to use of University
resources of information.
All contractors, suppliers, University partners and external researchers and visitors who may be authorized access to University information.
This policy specifies all University information resources whether individually controlled or shared,
stand-alone or networked.
This policy is for all computer and communication facilities owned, leased, operated, or contracted by
the University.
This includes networking devices, telephones, wireless devices, personal computers, workstations,
servers, and any associated peripherals and software, regardless of whether used for administration,
research, teaching or other purposes.
All locations from which University information is accessed including home and offsite/remote use.
Information entrusted to the University will also be safeguarded in accordance with this policy.
0.1.3
Policy
The resources of information are critical assets just like the physical resources, facilities and equipment. Any
person or organization that is responsible to provide and use the resources of information must maintain and
protect these assets. Because computer network and systems are shared resources among several users, the
misuse of these resources can create consignee to others.
Usually problems arise where we have to ensure the confidentiality of information and at the same time we
7
encourage to share the ideas and information of several people in one group for brain storming sessions. This
problem must be avoided by recognizing that which of the information needs to be kept secure and which of
the information should be shared among several entities. It is also important to assess the information and
its resources according to their values and vulnerabilities. The balanced effort must be provided in terms of
expenditures and efforts against the worth and sensitivity of information resources. However the following
actions must be inhibit while considering this policy.
Unauthorized access to an account or computer. Password stealing or obtaining by means of illegal or
unsocial behavior without the consent of original user.
Unauthorized access to any system with the help of Universitys internal network.
Knowingly performing an act which will interfere with the normal operation of computers, peripherals,
or networks.
To install or run any malicious software or program on network or any computer system that can
damage the resources of university. These programs includes but not limited to Trojan horses, worms
or viruses that may cause extra load for a resource and restricts it to operate naturally.
Any action towards bypassing the schemes for data protection and exploit security vulnerabilities and
loopholes.
Wasting of IT resources by means of any attempt, action or activity.
Using emails for illegal, unsocial and immoral purposes.
Masquerading, spoofing and claims the identity which you dont possess.
Distribution and publishing of electronic data, resources and materials that circumvents the Universitys
code of conduct.
Attempt to snoop or tamper with the communication of others, or deleting, changing, copying and
reading of another users files or software without the knowledge and consent of its owner.
8
Faculty, students, staff and all the members of University who commit or if proven to attempt the above
mentioned prohibited acts shall be treated according to Universitys legislature code of conduct and can be
dismissed from the campus.
The University will be able to take legal and specified actions against any unaffiliated person or organization
that is responsible for any misuse of University information and its resources. The actions of authorized
IT persons responsible for maintaining the systems, networks and their resources will be not be considered
illegal or prohibited. Their authorities and job responsibilities are defined in other policies.
0.1.4
Roles and Responsibilities for Information Security
The basic purpose of information security is to protect the university resources of information from unauthorized access or damage. Following are the principles to achieve such objectives:
The Rector has the overall responsibility for the implementation of this policy in the KFUPM, with
day-to-day responsibility delegated to the Information Security Manager.
Managers of departments who run systems have the responsibility to implement controls and identify
risks with their individual systems, in accordance with the advice of specialist risk sections within the
University.
The Librarian and Director of IT Services is responsible for ensuring that appropriate security measures
are put in place for centrally managed IT systems.
The Information Security Manager is responsible for this and subsequent information security policies
and will provide specialist advice throughout the University on information security issues.
The Head of Security is responsible for physical aspects of security and will provide specialist advice
throughout the KFUPM on physical security issues.
All staff, students, visitors and third parties related to the University must handle information in
accordance with this policy and any relevant local legislation where ever the information or data are
being held or processed.
9
The implementation of this policy shall be reviewed independently by an agreed party at regular
intervals agreed by Internal Audit and IT Services.
The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its
information security policy.
Any actual or suspected breach in information security must be reported to the Information Security
Manager in a timely manner, who will take appropriate action and inform the relevant authorities.
Failure to comply with this policy, or its subsidiary regulations, may result in disciplinary action.
It is the responsibility of each and every person to protect the resources and information he is assigned to. It
is his duty to make informed decisions, protect and secure personal information of others. The responsibilities
range in scope depends on the role of individuals.
All users of University information including staff, students and faculty:
Must describe their abilities for understanding the laws and practices for data protection. These abilities will ultimately lead towards satisfactory responsibilities which are described in policies, guidelines
and procedures that are set up to secure the information. They should take guidance and advices from
their seniors or supervisors if any explanation is needed.
Must report any substantive, suspected or doubtful breaches for information security that can exploit
and imperil the information of University in any form.
Disobeying with this policy will be subjected towards disciplinary procedures of University for staff, students
and other members.
Individuals such as Head of business unit, chairmen of departments, deans of colleges and managers having
administrative responsibilities for universitys organizational units must:
Analyze the resources for electronic information resources within their controlling fields.
10
Define the purpose and function of the resources and ensure that requisite education and documentation
are provided to the concerned personnel as needed.
Establish acceptable levels of security risk for resources by assessing factors such as:
1. What is the level of sensitivity of data, such as research data or information protected by policy.
2. The level of criticality or overall importance to the continuing operation of the campus as whole,
individual departments, research projects, or other essential activities.
3. How negatively the operations of one or more units would be affected by unavailability or reduced
availability of the resources.
4. How likely it is that a resource could be used as a platform for inappropriate acts towards other
entities.
5. Limits of available technology, cost, and staff support.
6. Ensure that requisite security measures are implemented for the resources.
Providers (individuals who design, manage, and operate campus electronic information resources, e.g. IT
managers, application programmers, or system administrators) must:
Become knowledgeable regarding relevant security requirements and guidelines.
Analyze potential threats and the feasibility of various security measures in order to provide recommendations to administrative officials.
Implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials.
Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged
users comply with privileged access agreements.
Users (individuals who access and use campus electronic information resources) must:
Become knowledgeable about relevant security requirements and guidelines.
11
Protect the resources under their control, such as access passwords, computers, and data they download.
Ultimately the community depends on a well-balanced security program and the ethical and knowledgeable
behavior of all who use and provide information resources.
0.1.5
Sensitive Information
The information must be given a security level according to its sensitiveness. Following are the definitions
of certain kind of sensitive information.
0.1.5.1
Top Secret
Top secret is the highest level of sensitive information of the University. This information can be accessed
by providing a code word or RFID cards etc. The information includes student files data base system to
which only deanship of admissions has access.
0.1.5.2
Secret
Secret information if publicly available can cause serious damage to University and its reputation. Appropriate actions and systems are developed to ensure the protection of such information.
0.1.5.3
Confidential
Confidential information is itself can be classified according to upper bounds and lower bounds. It is associated to the personnel of University whom personal information must remain confidential against other
University employees. For example certain information of University faculty can be disclosed into their
students but not all. So it is necessary to identify and describe the sort of information that needs to be
confidential by the University policy.
0.1.5.4
Restricted
Restricted Information sometimes known as private information which is mentioned above must be protected
against unauthorized entities. It can be disclosed only after the consent of owner.
12
0.1.6
Personal Information
Information related to any university member, student, faculty or staff. This sensitive information could
be like national number, drivers license numbers, phone number, personal contact information, birth date,
home address.
Privacy of Personal Information
Latest and previous information about individual students, faculty, and staff must be maintained for
educational, research, and other institutional purposes, it is Universitys policy that such information
be collected, maintained, and used by the Institute only for appropriate, necessary, and clearly defined
purposes, and that such information be controlled and safeguarded in order to ensure the protection
of personal privacy to the extent permitted by law. The following associate points are essentials to be
considered while describing personal information.
Security responsibility
Responsible persons should ensure accuracy and completeness against accidental or intentional misuse
or improper disclosure within or outside University.
Use of Personal Information
Whenever anyones information is asked by someone than he must be informed the consequence and
should ask about reasons. Such information should not be used or exchanged within the Institute for
purposes other than those stated, for legitimate purposes.
Reviewing Personal Information
One can see his information maintained by the university in accordance with University and state laws
while respecting the privacy of others. University personnel can see and review his information and
can have legitimate copies, modification and updates.
Disclosure of Personal Information outside to University
Information other than directory information about students and standard personnel information
13
should not be released to anyone outside university without the permission of the owner, except in
connection with court orders or other legal process.
Foreign Nationals information
Information about individual foreign nationals, other than directory information about students and
standard personnel information, should be directed to the information manager. The manager can
deliver this to senior government official, national security or law enforcement for assessment purposes.
Records of Personal Information
When records are no longer actively needed, they should be retired and maintained in accordance with
the Institute database record policy. The database holder may grant researchers access to records that
have been inactive for so long. Students educational records should be maintained according to all of
the rights and restrictions.
0.1.6.1
Staff Information
Information includes employee ID, salary and benefits information, previous work experience, education and
training, job description, health records, performance and disciplinary reviews.
1. Staff directory Information
Staff information can be used by other employees who have responsibilities to manage the information
and job description of whole staff such as HR department. This information can be used by high ups
without their consent to assign and evaluate job responsibilities.
Staff directory information includes:
Full Name,
Permanent and Resident address,
University office address,
Phone number,
14
Electronic mail address,

Year and registration type,
Qualification,
Date of birth,
Date of employment.
2. Service Information
Previous and current Experience
Field of expertise
Department
Job Description
Employment status and designation
Audit and accountability report
Service plan and funding information
3. Medical Records
Medical department is responsible for maintaining the medical record of each employee. Medical
department will be expected to adhere the University policies upon medical information usage and disclosures. Medical records may be available for inspection and checking upon patient or other legitimate
authority demands.
4. Employment Records
Job contract
Service agreement
Period of employment
Assets (Provided by University) record
15
5. Information Disclosure
Staff information is not allowed to exchange within the Institute other than the stated purposes
by Institute officials.
Personal staff information should not be disclosed to persons outside of the Institute without his
written consent, with certain exceptions.
Institute officials who have a legitimate interest can access the staff information without any
notification to fulfill their professional responsibilities.
Staff information can be transfer to other departments and offices with their consent for training
purposes or to exchange certain expertise.
All inquiries for information made by law enforcement agents in conjunction with an investigation
require a subpoena for that information.
Information can be made available for officials for institutional surveys or to check the overall
staff performance.
0.1.6.2
Student Information
1. Student Directory Information

Certain information of students is designated by the University as directory information and may be
released without the students knowledge and consent. This information includes:
Name,
Term and permanent home address,
University office/Hostel address
Phone number,
Electronic mail address,
Course,
16
Year and registration type,

Degrees received,
Date of birth,
Dates of attendance,
Any distinction and awards received,
Extra curriculum activities, weight and height.
Students have the right to withhold directory information from disclosure, including disclosure in
printed and online publications of the directory, except to Institute officials who have a need to know
it. Using or facilitating the use of other Student Directory or similar listings for non-Institute purposes
is a violation of Institute policy. In making the student directory available online and accessible through
the World Wide Web, University will take precautions to minimize prohibited uses of this information.
2. Faculty and staff data
Notes and similar records regarding a student that are made for, and restricted to, the personal use of
a faculty or staff member are not subject to review by the student.
3. Campus Police records
The students can only see the daily log of the Campus Police Department that is open to public
inspection under University procedure. Such records regarding students are not subject to review by
students or others. The Campus Police Department, however, can deliver such records to other public
safety agencies for law enforcement purposes.
4. Medical records
Medical records are to be maintained by the medical department that is subjected to separate provisions
of University procedures that protect their confidentiality. Medical department is allowed to make such
medical records available for inspection and copying by patients.
17
5. Records of students as staff

Student employment records that relate to jobs that students hold being students at University must
be kept secured by the Employment and training department. These records can be reviewed by the
department or can be provided on request by the student.
6. Library records
Library circulation records are not allowed to be disclosed to others, including Institute faculty and
staff, except as necessary for enforcement of library rules such as fines and returning of books and stuff
that library provides.
7. Alumni records
Information about former students that pertain to the time period after they have left the Institute
may be used for general purposes determined by the Institute.
0.1.6.2.1
Disclosure of Student Information When access to student information is granted to in-
dividuals, other than the students themselves, the following principles apply:
1. Disclosure of information to insiders
Student information is not allowed to exchange within the Institute other than the stated purposes by
Institute officials. A person who is given access to student information cannot transmit the information
to another person unless that person has such permission as well.
2. Disclosure of information to outsiders
Personal student information should not be disclosed to persons outside of the Institute without the
students written consent, with certain exceptions. The written consent must be signed, dated and
should state the purpose of the disclosure, and the party to whom the disclosure is made. Upon request,
the student shall be provided with a copy of a record that is disclosed. In emergencies, Institute officials
can disclose student information necessary to protect the health or safety of the student or others.
3. Disclosure of Student Information To Officials
18
Institute officials who have a legitimate educational interest can access the student information without
any notification to fulfill their professional responsibilities. It should be understood that access will be
limited to the records of those specific students and categories of information to which it is needed.
The following are examples of assigned responsibilities that constitute a legitimate need to know:
Provide academic or personal advice and counsel to students,
Administer academic programs,
Create and maintain student educational records,
Award and administer financial aid,
Assess and collect fees,
Supervise and certify student educational progress for Institute or government purposes,
Enforce student conduct and discipline,
Administer the residential system,
Plan, conduct and review research related to the Institutes educational programs,
Conduct individual research projects provided that the privacy of the students is protected.
4. Student work disclosure within and outside the Institute
University schools, academic departments, laboratories, and centers should make students attentive
in advance the kinds of academic work of the students have that will be made publicly available.
5. Record of disclosures
Information about all disclosures of records containing student information and identity to which
disclosure was made, must be maintained as part of the students record.
6. Disclosure Of Student Information To Students
Students have a right, subject to the need to protect the privacy of other students. Students can view
records, files, and data, held about them on an official basis by the Institute. Students also have the
19
right to challenge the content of those records, files, and data that they believe are inaccurate and
misleading.
7. Disclosure of information for institutional research
The professionals who have the administrative responsibilities to carry out institutional research such as
the analysis of data, including information about students that supports the evaluation of educational
programs and more broadly, the planning and decision-making by the University faculty and staff.
Institutional research also includes the reporting and analysis required by government and other outside
agencies.
8. Disclosure of information for disciplinary charges and proceedings
Information concerning student disciplinary charges and proceedings, including the outcome of the
proceedings and therefore may not be disclosed except in accordance with policy. Victims of crimes
of violence will be informed of the outcomes of disciplinary proceedings about those incidents. In
addition, other schools with legitimate educational interests may be informed of disciplinary actions
taken against students on account of behavior that posed a risk to the students.
9. Grades
Lists of grades with any form of potentially personal identification must not be posted in electronic or
paper form. Graded student work (problem sets, exams, papers) should be returned to students in a
manner that will protect the privacy of graded materials and minimize access by others.
10. Disclosure of student information to parents and guardians
University policy is made to provide confidentially to student information with respect to their academic, health and advising matters, but encourages the students themselves to share such information
with their parents or guardians. In extraordinary cases including emergency health and safety, the
Dean may consult with parents, guardians, individuals designated by the student or others as appropriate. Individuals contacting the Institute for information about a specific student should be referred
to the Office of the Dean of Students and Undergraduate Education or the Graduate Students Office.
20
11. Background checks

Faculty and staff may provide information to law enforcement agents, or their representatives, who are
conducting background checks only when they can present a form signed by the student authorizing
the investigation.
12. Other investigations
All other inquiries for information about students made by law enforcement agents in conjunction with
an investigation require a subpoena for that information.
13. Disclosure of student information to the media
Requests from the media about current and former students should be directed to the News Office.
Permission to release information, other than directory information, must be obtained from the student.
0.2
Information Transmission
Electronic communication has transformed both academic and administrative activities and will continue to
facilitate greater communication among faculty, students, and staff. With the ongoing benefits, precautions
must also be taken to protect personal privacy and the confidentiality of student information. All members
of the University community are expected to abide the policies on the use of information technologies.
1. E-Mail
As email has become an integral part of the academic process, confidential information about students
is being transmitted, including evaluations and grades. Faculty, staff and students must recognize that
although there is an expectation of privacy, unencrypted email is not a secure means of transmitting
information. Federal law and Institute policy make it clear that the unauthorized interception of email
is a serious offense. In light of those legal and policy rules, this policy does not prohibit student
information from being transmitted by email. However, caution must be exercised about the content
of messages and the access to email files and machines in which confidential information resides. The
ITC department of University has always done its best to secure the email system.
21
0.2.1
Email Address Policy
0.2.1.1
Purpose
The purpose of this policy is to ensure the proper use of KFUPMs email system located on the
Universitys server and used by faculty, staff and graduate students (the University Email Accounts)
and the email accounts for undergraduate students and alumni using the Universitys domain name
pursuant to an agreement between the University and Google, Inc. Electronic Mail is a tool provided
by the University to complement traditional methods of communication and to improve education and
administrative efficiency. Users have the responsibility to use this resource in an efficient, effective,
ethical and lawful manner. Violations of the policy may result in restriction of access to the University
Email Accounts and or other appropriate disciplinary action. In the event a University employee holds
both a University Email Account, the more stringent rules of this policy for University Email Accounts
shall apply.
0.2.1.2
Policies
The email address of a user account takes the form of username@kfupm.edu.sa e.g. jboggs@kfupm.edu.sa.
An alias is created for each account based on a preferred standard of firstname-lastname e.g.
joe-bloggs@KFUPM.edu.au. ITS contacts the applicant for selection of a suitable alternative if
duplicates are encountered. Given this, the use of firstname-lastname as an assumption for the
email address is limited, and may result in emails being sent to an unintended recipient. Mail
users are encouraged to access the Online Contact Directory (http://www.KFUPM.edu.au/cgibin/contactdir) and the University Address book (accessible via individual mail clients) to determine email addresses.
Users are advised of their alias on account collection but can also look up their aliases online via
the check aliases option on http://www.KFUPM.edu.au/its/services/manage-mail/.
22
Because of the changing nature of an alias, under no circumstances should they be recorded in
any subsidiary systems.
0.2.1.2.1
University Contact Directory
The name and contact details of an individual appear
in the KFUPM Contact Directory for each associate account holder. The entry is removed from the
directory at the point the account is closed.
0.2.1.2.2
Account Closure and Deletion
Associate accounts remain active at the discretion of the sponsor and can be closed (deactivated)
at anytime.
Revoking access to an account in advance of the accounts official closure is covered below under
Account Withdrawal.
Closure of an account means the account is frozen, i.e. the password is revoked, until such time
as the account is reinstated or has been deactivated for 1 year, at which time it is deleted.
Account holders who wish to be contactable on their account following its closure should ensure
that they record an automatic reply or forwarding prior to the closure of their account. The
automatic reply/forward will continue to operate until the account is deleted.
At this stage associate account usernames are not reused.
ITS reserves the right to undertake a periodic audit of associate accounts for the purpose of
validating active accounts.
0.2.1.2.3
Account Withdrawal
A users access to their associate account can be withdrawn in advance of their accounts official
closure given a written request from an appropriate staff member of the sponsoring organization.
Account access may also be temporarily withdrawn by ITS in response to a suspected policy
violation.
23
A user whose access has been withdrawn may request reconsideration of the decision by the Chief
Technology Officer, or delegated person, who shall consider the withdrawal with the relevant Senior
Executive, Executive Dean, Faculty Executive Manager or Director. Following this, the Chief
Technology Officer, or delegated person, shall confirm the withdrawal or reinstate the account.
For further information on account withdrawal, refer to the section titled Compliance below.
0.2.1.3
Student Accounts
0.2.1.3.1
Account Creation
An individual may hold only one student account at any point in time.
Students create their student account, using the electronic account creation process within SMP
Student Online Services (SOLS). To create a student account, a student must be recognized as a
current student in the Student Management Package, which is defined as:
An undergraduate, postgraduate research or postgraduate coursework student who has an
active course; or
A non-award or KFUPM College student with a current or future subject enrolment; or
A miscellaneous student attached to a current miscellaneous student group.
A miscellaneous student is not formally a student of the KFUPM. A miscellaneous students
affiliation with the University is recorded in SMP for the purpose of managing their access to
University facilities, as opposed to recording information for any formal recognition of studies.
item Each student account is created with a unique username based on the students initials
followed by a number.
Each account is created with a maximum disk and email quota.
The Internet quota applied to the account is dependent on the account type as detailed below.
0.2.1.3.2
Student Account Type

24
Student accounts may be one of two types: non-capped or capped.

The type of a student account is maintained automatically based on records in the University
Student Management Package. For the purposes of defining the type of the student account the
following business rules apply:
an account is defined, as a non-capped account where a student is a Postgraduate Research
student of the KFUPM;
in the absence of a postgraduate research enrolment, a student account is a capped account.
0.2.1.3.3
Non-Capped Student Accounts
Only postgraduate research students of the KFUPM are provided with a non-capped student
account.
An Internet quota does not apply to non-capped student accounts. Charges for usage apply to
cost centre based on the students enrolment records.
Refer to the Internet Access Policy for more information on Internet quotas.
0.2.1.3.4
Capped Student Accounts
Capped student accounts apply to all but Postgraduate research students of the KFUPM. This
covers:
Undergraduate and postgraduate coursework students of the KFUPM;
Non-award students of the KFUPM;
KFUPM College students; or
Miscellaneous students i.e. students attached to a Miscellaneous Student Group which provides for the management of students within SMP where students fall outside of the Universities mainstream student management processes.
25
A capped student account has an imposed Internet quota as per the KFUPM Internet Access
Policy. The Internet quota allocated to each account is based on a set six monthly allocation of
quota, which is the same for all capped student accounts.
Regardless of when the account is established, the accounts quota is reset to the six monthly
allocations at the beginning of each year and midyear.
Internet quota on an account is set to zero during periods when a student does not have an active
course or is not attached to a Miscellaneous Student Group. This also applies when the student
is on leave of absence.
Charges for usage apply to cost centre based on the students enrolment records.
The quota assigned to an account can be increased on an individual basis as outlined in IT Internet
Access Policy.
Refer to the Internet Access Policy for more information on Internet access.
0.2.1.3.5
Account Closure and Deletion
Continued access to the account is maintained automatically based on records in the University
Student Management Package. For the purposes of managing the official closure of a student
account, an account remains open while ever:
An undergraduate, postgraduate coursework or postgraduate research student has an active
course. A retention period of three months is accommodated; as such the account closes three
months after the course is completed. Where a course is closed for reasons other than completion,
e.g. where the course is lapsed, given exclusion due to minimum rate of progress, a retention
period of 14 days applies,
A non-award or KFUPM College student has a current or future subject enrolment. A retention
period of 21 days is accommodated i.e. accounts in this category close 21 days after the end date
of the students most recent subject enrolment.
26
A miscellaneous student is attached to a current miscellaneous student group. A retention period

of 7 days is accommodated i.e. accounts in this category close one week after the end date of the
students most recent miscellaneous student group enrolment.
The University reserves the right to revise the above criteria.
Closure of an account means the account is frozen, i.e. the password is revoked, until such
time as the individual resumes study, at which point the account is reactivated. Accounts are
automatically reactivated under the original username and password if the account still exists.
Students receive an email indicating the pending closure of their account in the 14 days leading
up to the closure of their account.
Accounts that have been closed for a period of nine months are deleted.
Account holders who wish to be contactable on their account following its closure should ensure
that they record an automatic reply or forwarding prior to the closure of their account. The
automatic reply/forward will continue to operate until the account is deleted.
At this stage student account usernames are not reused.
A student may request an extension to access their account past their official closure date. Such
extensions must be applied for in writing, to the Academic Registrar, and will only be granted in
exceptional circumstances.
0.2.1.4
Administrations and Implementation Compliance
User accounts are issued on the basis that a user agrees to abide by the Universitys terms and
conditions for acceptable use of ITC facilities as detailed in the ITC Acceptable Use Policy.
The University treats misuse of its IT facilities seriously. Violations of the conditions of use of IT
facilities may result in temporary or indefinite withdrawal of access, disciplinary action under the
Universitys, or relevant entities, discipline procedures, and/or reimbursement to the University.
27
IT misconduct by students will be dealt with under the Student Conduct Rules. The Chief
Technology Officer or their nominee will be the Primary Investigation Officer of allegations of IT
misconduct by students. Detailed investigation procedures and the penalties that may be awarded
to students engaging in IT misconduct can be found in the Student Conduct Rules.
A users access will be withdrawn given a written request from an appropriate staff member of the
sponsoring organization. Access may also be withdrawn by ITC in response to a suspected policy
violation.
A student whose IT access has been withdrawn as a result of an investigation under the Student
Conduct Rules can appeal the decision or the penalty to the Student Conduct Committee. Otherwise, a user whose access has been withdrawn may request reconsideration of the decision by the
Chief Technology Officer who shall consider the withdrawal with the relevant Senior Executive,
Executive Dean, Faculty Executive Manager or Director. Following this the Chief Technology
Officer shall confirm the withdrawal or reinstate access.
Misuse or unauthorized use of University IT facilities may constitute an offence under the Crimes
Act and/or other pieces of legislation. Nothing in this policy or the Requirements Governing the
Use of IT Facilities may be taken as in any way diminishing or removing a persons obligations to
comply with the law, or their liability to prosecution and punishment under law.
Users are encouraged to report any misuse and any reports will be treated as confidential.
0.2.1.5
Ownership of Email Data
The University owns both the University Email Accounts. Subject to underlying copyright and other
intellectual property rights under applicable laws and University policies, the University also owns data
transmitted or stored using the University Email Accounts.
28
0.2.1.6
Personal Use
While incidental personal use of a University Email Account is acceptable, conducting business for
profit using a University Email Account is forbidden. Use of a University Email Account for political
activities (supporting the nomination of any person for political office or attempting to influence the
vote in any election or referendum) is forbidden. Any use of a University Email Account to represent
the interests of a non-University group must be authorized by an appropriate University official.
0.2.1.7
Privacy and Right of University Access
While the University will make every attempt to keep email messages secure, privacy is not guaranteed
and users should have no general expectation of privacy in email messages sent through a University
Email Account. Under certain circumstances, it may be necessary for the ITC staff or other appropriate
University officials to access University Email Accounts; these circumstances may include, but are not
limited to, maintaining the system, investigating security or abuse incidents or investigating violations
of this or other University policies, and KFUPM staff or University officials may also require access
to a University Email Account in order to continue University business where the University Email
Account holder will not or can no longer access the University Email Account for any reason (such as
death, disability, illness or separation from the University for a period of time or permanently). Such
access will be on an as-needed basis and any email accessed will only be disclosed to those individuals
with a need to know or as required by law.
0.2.1.8
Data Purging and Record Retention
Individuals are responsible for saving email messages as they deem appropriate. Unless a legal hold
has been placed on an account, messages in University Email Accounts are automatically purged from
folders as follows:
Sent / Sent Items - 60 days
29
Trash / Deleted Items - 15 days

Junk / Junk Email - 30 days
Due to finite resources, the University has the right to restrict the amount of user space on the University Email Accounts as necessary, to revise the above purge policies with appropriate IT Committee
approval and advance notice, and to purge and remove University Email Accounts of any students
remaining on the Universitys email system who have not registered for a semester or more.
Employees who have actual knowledge of matters in which it can be reasonably anticipated that a
court action will be filed, a subpoena has been served or notice of sale has been given, or records are
sought pursuant to an audit, a government investigation or in similar circumstances preserve University
records, including emails or instant messages.
0.2.1.9
Data Backup
The University Email Accounts are backed up on a regular basis as a way of recovering from a systematic
loss impacting the entire email system. User files and folders are not backed up individually, and the
ITC staff cannot accommodate requests to restore these files or folders. While in some cases it may
be possible to recover from the accidental deletion of files by a user, this is generally not feasible, and
therefore each email user is responsible for backing up individual messages and folders as appropriate.
0.2.1.10
Expiration of Accounts
Individuals may leave the University to take other employment, retire, transfer to another college, or
simply go on to other activities. There are many situations at the University where the length of
email privileges or expiration of accounts will differ, as set forth below. Notwithstanding the guidelines
below, the University (KFUPM, RI, Student Life, or General Counsel) reserves the right to remove
email privileges at any time, both for a University Email Account.
30
Faculty who leave before retirement: Faculty who leave before retirement may keep their
email account for one year from the end of the last term in which they taught. If such separation
is for cause, email privileges may be immediately suspended indefinitely without notice.
Staffs that leave before retirement: Staff members who leave the University will have email
privileges removed effective on their last worked day. If such separation is for cause, email privileges may be immediately suspended indefinitely without notice.
Retired Faculty: Faculty who has retired from the University will retain their email privileges
indefinitely; however, if there is no usage for a period of one year, email privileges will be removed.
Retired Staff: Staff who has retired from the University will have email privileges removed
effective on their last worked day.
Adjunct Faculty: will maintain email privileges for 3 academic years from the last term in
which they taught, unless informed otherwise by the Registers office.
Students who leave before graduation: Students who leave the University without completion of their degree or other program may keep their email privileges for one academic year from
the last term when they were registered.
A student who is expelled: If a student is expelled from the University, email privileges will
be terminated immediately upon the directive of the Dean of Students Office.
For alumni who do not wish to participate in the opt in service, the University will hold the email
address for 2 years. At the end of the 2 years, the available email address will be reused.
0.2.1.11
Appropriate Use
When using email as an official means of communication, students, faculty and staff should apply the
same professionalism, discretion, and standards that they would use in written business communication.
Furthermore, students, faculty and staff should not communicate anything via email that would not
be prepared to say publicly. Users of email shall not disclose information about students or employees
31
in violation of University policies or laws protecting the confidentiality of such information.

No private personally identifiable information about University faculty, staff, students, alumni or other
University members should be transmitted via email or stored in an unencrypted format. This includes
but is not limited to Social Security number, bank account information, tax forms or other sensitive
data.
No technical data with potential for military defense application or otherwise subject to export control
or other international trade control laws may be transmitted or stored in an unencrypted format.
Users who use email communications with persons in other countries should be aware that they may
be subject to the laws of those other countries and the rules and policies on others systems and
networks. Users are responsible for ascertaining, understanding and complying with the laws, rules,
policies, contracts and licenses applicable to their particular uses. Students who are employed by the
University may not store information relating to their employment on their Email Account.
Approval and transmission of email containing essential University announcements to students, faculty,
and /or staff must be obtained from the responsible University official noted as follows:
for sending to all faculty, approval from the Vice President of Academic Affairs is required,
for sending to all staff, approval from the Senior Vice President of Administration is required,
And sending to all students, approval from the Vice President of Student Life is required.
Use of distribution lists or reply all features of email should be carefully considered and only used
for legitimate purposes as per these guidelines. In some cases where email messages generate a high
number of responses due to the subject matter, it may be appropriate to utilize KFUPM discussion
boards in lieu of email.
0.2.1.12
User Responsibility
KFUPM maintains the Universitys official email system; faculty, staff and students are expected to
read email on a regular basis and manage their accounts appropriately. An email message regarding
32
University matters sent from an administrative office, faculty, or staff member is considered to be an
official notice. Faculty, staff, or students who choose to use another email system are responsible for
receiving University-wide broadcast messages and personal mail by checking the Universitys official
email system, newsgroups, and the Universitys World Wide Web Homepage. An alternate method of
checking University email is to utilize the Forwarding Feature, which can be set to forward mail to an
individuals personal email account.
Sharing of passwords is strictly prohibited. Each individual is responsible for his/her account, including
the safeguarding of access to the account. All email originating from an account is deemed to be
authored by the account holder, and it is the responsibility of that holder to ensure compliance with
these guidelines.
0.2.1.13
Departmental Accounts
Requests for shared departmental accounts will be accommodated, but require a designation of an
account holder, who will administer the addition, deletion, or modification of names within the account,
as well as manage the account as per these guidelines. These accounts will be created with an expiration
date of 1 year, at which time the holder can request a renewal, which will be granted pending verification
of identity and the member list. Shorter expiration dates will be given where appropriate, such as to
accommodate specific time-sensitive needs. Supported types of shared accounts are designated as:
Type 1: This id will be able to receive mail from anywhere on the Internet, but will have no direct
reply capability. The group/organization utilizing this type of generic id will have to utilize their own
personal mail id to respond to the originators of any mail received by this generic id. These accounts
will only be granted for Register or Faculty/Staff recognized activities or organizations with approval
for the faculty advisor of the organization.
Type 2: This id will be able to receive mail from anywhere on the Internet, and will be able to respond
directly to the sender. The generic id will be unable to access any of the predefined mailing groups that
exist within the campus environment. Members of the group/organization utilizing this type of generic
33
id will have to utilize WEB mail to read and respond to any mail sent to the generic id. The WEB
interface will allow users to sign in to the generic id utilizing the generic id and their own personal
LDAP password. Mail sent from the generic id will not reflect the identity of the responder, but will
instead carry the identity of the generic id. Due to security concerns given the anonymous nature of
email originating from these types of ids, no students will be allowed access to Type 2 accounts. If a
student is found to have access to these accounts the holder will be notified of the impending removal
of the student account. Repeated violations will result in deletion of the type 2 account.
0.2.1.14
Temporary User
Faculty, staff, or departments can request temporary email privileges for users outside of the University.
Full time Faculty or Staff requesting these types of accounts will be required to submit user information,
rationale for account, expiration date, and sponsor information. Such requests shall be approved by the
appropriate Dean or Vice President. A mandatory one year re-sponsorship is required to maintain the
account. Those accounts that are not re-sponsored after one year will have email privileges removed.
0.2.1.15
Supported Mail Clients
University-supported email clients are office 365 and Outlook Web Access (OWA). If a problem is
encountered with the use of an alternate method, Helpdesk personnel will work with the individual
to access email via the supported methods and will verify functionality of the supported environment.
The University ITC department is continually evaluating tools and technologies and reserves the right
to modify the list of supported clients with appropriate notification.
0.2.1.16
Inappropriate Use
University Email Accounts of current students, any inappropriate email usage, examples of which
are described below and elsewhere in this policy, is prohibited. Users receiving such email should
immediately contact KFUPM, who in certain cases may also inform the Department of Public Safety.
34
0.2.1.16.1
The exchange of email content that:
Generates or facilitates unsolicited bulk commercial email;

Infringes on another persons copyright, trade or service mark, patent, or other property right or
is intended to assist others in defeating those protections;
Violates, or encourages the violation of, the legal rights of others or federal and state laws;
Is for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;
Intentionally distributes viruses, worms, Trojan horses, malware, corrupted files, hoaxes, or other
items of a destructive or deceptive nature;
Interferes with the use of the email services, or the equipment used to provide the email services,
by customers, authorized resellers, or other authorized users;
Alters, disables, interferes with or circumvents any aspect of the email services;
Tests or reverse-engineers the email services in order to find limitations, vulnerabilities or evade
filtering capabilities;
Constitutes, fosters, or promotes pornography;
Is excessively violent, incites violence, threatens violence, or contains harassing content;
Creates a risk to a persons safety or health, creates a risk to public safety or health, compromises
national security, or interferes with a investigation by law enforcement;
Improperly exposes trade secrets or other confidential or proprietary information of another person;
Misrepresents the identity of the sender of an email.
Is otherwise malicious, fraudulent or may result in retaliation against the University by offended
viewers.
0.2.1.16.2
Other improper uses of the email system include:
35
The use or attempt to use the accounts of others without their permission. Newsgroups are
provided as a service to faculty, staff, and students for posting University-related information.
These will be monitored by those responsible for their content; any posted material deemed
inappropriate may be removed without prior notification.
Collecting or using email addresses, screen names information or other identifiers without the consent of the person identified (including, without limitation, phishing, Internet scamming, password
robbery, spidering, and harvesting);
Use of the service to distribute software that covertly gathers information about a user or covertly
transmits information about the user;
Any conduct that is likely to result in retaliation against the Universitys network or website, or
the Universitys employees, officers or other agents, including engaging in behavior that results in
any server being the target of a denial of service attack (DoS).
These guidelines provide some examples of permitted or prohibited use of email. This list is not
intended to be exhaustive but rather to provide some illustrative examples.
0.2.1.17
SPAM and Virus
Incoming email on the University Email Accounts is scanned for viruses and for messages deemed to
be SPAM, or unsolicited advertisements for products or services sent to a large distribution. Suspected
messages are blocked from the users inbox. Due to the complex nature of email, it is impossible to
guarantee protection against all SPAM and virus infected messages. It is therefore incumbent on each
individual to use proper care and consideration to prevent the spread of viruses. In many cases viruses
appear to be sent from a friend or coworker, therefore attachments should only be opened when the
user is sure of the nature of the message. If any doubt exists, the user should contact the Helpdesk.
DO NOT FORWARD THE MESSAGE! SPAM messages, however, can quarantined via Anti Spam
QuarantinePure Message.
36
2. School and department web pages

Faculty, staff and students must exercise caution in posting directory and other information to a web
page that is accessible to University or public. Students have the right to withhold directory and other
information from public distribution. Faculty and staff must receive permission from each student to
post personal information and identification photographs to web pages.
3. Class pages and blogs
Email and web based class work will remain central to the education process. While most of the
information related to class should be posted on web sites can be public or individual communication
with students as well as the work prepared by the students for the class are regarded as student
information. Therefore, the following three categories of information must be restricted to use by the
staff and students of that class only:
Class lists, including identification photographs
Online discussions among faculty, staff and students in which student participation is required
and the student contributors are identified, and
Student papers, reports and other work.
0.3
0.3.1
Systems Usage
Purpose
Systems can provide access to resources on campus, as well as the ability to communicate with other users
worldwide. Such open access is a privilege, and requires that individual users act responsibly. Users must
respect the rights of other users, respect the integrity of the systems and related physical resources, and
observe all relevant laws, regulations, and contractual obligations. Use of Universitys computer resources
should support the basic missions of the University in teaching, learning and research. Users of computer
resources are responsible to properly use and protect information resources and to respect the rights of
37
others. This policy provides guidelines for the appropriate use of computing resources. The aforementioned
problem statements apply to all the policy sections defined under Section 3.3 below.
0.3.2
Scope
Scope is defined for all of the policy sections defined under Section 3.3.
Applies to the use of all campus computing resources.
University systems including hardware and software are classified according to the scope by considering
level of support and university operations. The classification of systems takes into account legal
protection, agreements of contracts, ethical behaviors, and worth of information that these systems
have. Such categorization provides the basis for planning, allocation of resources, support, and security
controls and access controls appropriate for those systems.
The system classifications are as follows:
0.3.2.1
Servers and Applications
1. Enterprise Systems
These are the Systems that can be accessed or located in several departments of University. These
systems are considered as business-essential and require a high degree of availability. Examples include
PeopleSoft application systems, Black Board eLearning, One Card, and GroupWise.
2. Department Critical Systems
These are the Systems which are only accessible locally by their own departments. They are considered
to be essential for conducting business processes or academic purposes.
3. Department Servers
Servers that provide an academic and/or administrative function that may have storage of Restricted
or Sensitive Information. All systems hosting server services must be registered with the Information
Security Office.
38
0.3.2.2
Workstations and accessible systems
Users who access university systems and data with the help of workstations are responsible for exercising
proper accountability in protecting the confidential, sensitive, private, personal or institutional information
they access or use in the conduct of their job responsibilities. In order to protect university data from inappropriate disclosure, all workstations that store Restricted Information must encrypt the data in compliance
with Universitys data encryption guidelines. User access to university systems and information resources
will be assigned by the type of workstation used, which is as follows:
1. Managed Workstations
Workstations that access Restricted or Sensitive Information shall follow the configuration standards
and maintenance procedures. Failure to meet these requirements will be grounds for denial of system
or university network access.
2. Non Managed Workstations
Non Managed workstations may include faculty and staff workstations, personal computers, PDAs,
etc. Non Managed Workstations shall have no access or limited access critical systems as allowed by
University regulatory body.
0.3.3
Policies
0.3.3.1
Prohibited Communication
Universitys computing resources cannot be used for sending, receiving, storing (SRS) prohibited communications which are discriminatory, derogatory to any individual or group, obscene, sexually explicit,
pornographic and threatening.
0.3.3.2
Organizational and Non-Organizational Computers
Non-organizational computers can be used for storing personal information.

Non-organizational computers can have internet facilities by providing username and password.
39
Universitys resources like printing, files sharing can only be accessed via organizational computers.
If the employee is expected to do some work at home, University will provide a suitable computer.
Only university-provided computers can be used to connect to the organizations internal computer
systems via a remote access system.
All computers that are owned by the university or are provided to employees are to be used in accordance with their jobs within the University.
University computers are to be used only for teaching, learning and research facilities.
University doesnt allow employees to play games across the internal network.
0.3.3.3
Information
All information stored on or used by university computers belongs to the KFUPM.

Employees cannot use university computers to store personal information: Data which isnt related to
teaching, research or any educational purpose.
0.3.3.4
Software
KFUPM will only use legal copies of OS. Cracked versions are not allowed.
Software will be used only in accordance with its license agreement
Latest Anti-Virus Software must be installed and maintained on all systems.
Proper firewalls and proxy servers must be implemented.
Duplication of copyrighted software is a violation of copyright law except for backup and archival
purposes by the software manager or ITC Department.
No user will give administrative software to any outsiders, including clients, customers, and others.
40
Under no circumstances will university, use software that has been brought in from any unauthorized
location.
0.3.3.4.1
Authorization of Software
New software to be installed on any universities computer must be approved by respective department,
ITC and software manager.
0.3.3.4.2
Prohibited Software
BETA software which is not updated for security vulnerabilities by the vendor.
Software which has known vulnerabilities
Software versions that are no longer supported by the vendor (example: Microsoft Windows 98 and
ME, XP or MacOS 10.3)
0.3.3.5
Privacy
Employee should have no expectation of privacy for any information stored, sent, or received on any
university computers.
System administrators may access or examine files or accounts that are suspected of unauthorized use
or misuse, or that have been corrupted or damaged.
Administrators or security staff can monitor all computer-related activities, including the visiting of
Web sites. For monitoring, they can use any monitoring tools but that tool should abide by the policies
defined in Software Section.
For monitoring, they can use any monitoring tools but that tool should abide by the policies defined in
Software Section
41
0.3.3.6
Facilities
0.3.3.6.1
Lab
There must at least one 24 hour lab in every building/department to aid in learning, teaching and
researching facilities.
0.3.3.6.2
Printing
RAs, Students will get 100 pages per month.

LBs, TAs will get 250 pages per month.
Teaching Staff will be provided by separate printers.
0.3.4
Consequences of Misuse
First of all, Users are expected to cooperate with system administrators in any investigation. Misuse of
computing resources may result in the restriction of computing privileges. Users may be held accountable
for their conduct under any applicable organization policies, procedures, or collective bargaining agreements.
Complaints alleging misuse of campus computing resources will be directed to respective department head
for taking appropriate disciplinary action. Computing privileges can also be suspended or restricted during
an investigation; users may appeal and petition for reinstatement of privileges through the Dean of respective
departments.
Users misuse of computer such as unauthorized use of another persons identification or password, using the
network to send abusive messages, or using computer facilities to interfere with the work of another student
or faculty or staff member may result in rustication from the organization.
0.3.5
Information Storage and Disposition
Information and records, whether maintained in electronic files or on paper, must be stored and disposed of
securely, in accordance with the Universitys policies, laws and procedures.
42
0.3.5.1
Electronic Information
1. Restricted Information
Restricted Information access is limited to users that are assigned computer accounts by the Information
technology center. Restricted Information must be maintained within data centers which are centrally
managed and controlled. Restricted Information must be avoided to store in distributed servers, work
stations, or mobile devices such as USB drives, external drives, laptops, notebook computers, PDAs,
CDs, DVDs, etc. If it is not possible to avoid storing information on these devices then it must be
encrypted with the approval and documentation of ITC office.
2. Sensitive Information
Departments having Sensitive Information may follow the policies and practices for Restricted Information with reasonable care, depending on the requirements of the information stakeholders.
3. General University Information
This information must be secured from unauthorized modification only.
0.3.5.2
Paper based information
1. Restricted Information
Documents must be stored in locked areas with authorized access only and disposed of according to
University and country law when no longer needed.
2. Sensitive Information
Departments having Sensitive Information may follow the policies and practices for Restricted Information with reasonable care, depending on the requirements of the information stakeholders.
3. General University Information
Documents should be recycled when no longer needed.
43
0.3.6
Release of Information
In some cases the University has to disclose, or authorized to release information that would normally be
protected under this policy. Examples include disclosures of information for the state and federal reporting
requirements, legal processes such as writs, court orders or warrants, etc. and disclosures about certain
authorized releases of information about particular individuals like students, employees or customers.
0.3.6.1
Legal Process
Any employee or a stakeholder of the university who is given with a legal document for example, a writ,
court order, summons or warrant, etc. that refers to university records or data shall notify University Legal
Services immediately and before the release of any requested information. University Legal Services will
review the legal document to determine the validity and enforceability of the document, and to provide
guidance and assistance by responding properly. Legal documents that are addressed to a particular person
should be accepted only by that person. If an unintended recipient is given with the legal document, it
should not be accepted. The person who will serve the process should be referred to that person identified
on the document, by name, title or job description, or should be directed to University Legal Services.
0.3.6.2
Requests for information from External Entities
The university receives many requests for information and records maintained by the university from external
persons and entities. These external entities may include law enforcement agencies or attorneys etc. The
release of information about a particular person may require the consent and authorization by that person.
Publicly available information about individuals and other types of information that can be released are
available at the universitys web pages. University Legal Services are available to assist in checking the
validity and scope of any authorization provided for the release of information, as well as providing guidance
for appropriately responding to information requests given to an authorization.
Before responding to requests of information, University Legal Services and the Department of Public Safety
should be contacted to determine the authenticity of the request and the person who is requesting. All the
44
requests for information should be evaluated on a case-by-case basis for which University Legal Services are
available for assistance. In general, any request for information from any entity, whether by legal process or
not, should be immediately referred to University Legal Services.
0.3.7
Internal Monitoring and auditing
The information security management system, controls and responsibilities will be subjected to the internal
monitoring and auditing throughout the University, and the outcomes from these processes will inform and
improve practices as part of the commitment to continual improvement. The University will also undertake
appropriate benchmarking and external auditing exercises.
0.3.8
Violations and misuse of Information Security
The violations can be included:

Enabling unauthorized entities to have access to information
Disclosing information in such a way that violates restricted access and procedures of confidentiality
Handling or using of information in such a way that depict illegal regulations and procedures
Modifying and destroying of information or university records
Inadequately protecting restricted Information or Sensitive Information
Ignoring the requirements of information stakeholders for the proper management, use and protection
of information resources.
According to authorities, violations may result in network jam, access denial, by pass security schemes, university disciplinary action and criminal pursuit. Disciplinary action should be implemented, up to dismissal
and suspension that must be taken according to applicable university policies and procedures. Authorities
will be notified about the event and action that a university office or department is found in violation of this
policy. Corrective actions and possible financial costs associated with an information security incident will be
45
coordinated accordingly. If vendors or consultants found to have breached their respective agreements with
the university may be subject to consequences such as vendor/consultant access to university information
technology resources, removal of the vendor/consultant from university facilities, termination/cancellation
of the agreement, payment of damages, and criminal or civil charges based on the nature of the violation.
The university is sometimes asked to transmit information by state or federal authorities. In this situation
university employees should transmit such information by following the university policy and utilize appropriate security measures in the transmission of that information. It is important to work with state and
federal officials in striving to meet industry best practices in the transmission of information.
0.4
0.4.1
Password Policy
Purpose
One of the potentially weakest links in computer security is the individual password. University information
used for research, administration, teaching and economic activities must be secured from threats that can
result in financial losses, damage of reputation and law exposure. This information must be saved from
unauthorized, intentional and unintentional access or damage while also preserving the open and shared
information according to requirements. Despite the Universitys efforts to keep hackers away from personal
files and various resources, easily-guessed passwords is a big problem. The aforementioned problem statements apply to all the policy sections defined under Section 4.3. If properly implemented, aids in various
important security measures like
Confidentiality: Protection of information from unauthorized and illegal entity must be ensured. Information must be secured throughout its lifecycle from creation to disposal..
Integrity: Protection against unauthorized modifications and amendments must be ensured. The accuracy,
purity and completeness of information must be maintained.
Availability: To make sure that only the authorized entity can have access to information, resources and
other associated services whenever desired.
46
0.4.2
Scope
Scope is defined for all of the policy sections defined under Section 4.3
This policy is for all employees, students, faculty and staff who are given accounts to use University
resources.
All contractors, suppliers, University partners and external researchers and visitors who are authorized
to access Universitys information.
0.4.3
Policies
0.4.3.1
Password rules
All users must adhere to the following rules.

1. Based on Password Length
Minimum Password Length

Passwords must be at least 8 characters long.
If Password Length between 8 11 Characters
Password should contain mixed case letters, numbers, symbols
Password should contain mixed case letters and numbers.
Password should contain mixed case letters.
If Password Length 20+ Characters
There are no restrictions.
47
d) If Password Length 16 and above

Password should contain mixed case letters.
2. Other Rules
Password must not be equal to your
Current Password
Previous Passwords
University ID
Password Reset Answer
A single word that appears in the dictionary
A single letter cannot come consecutively more than twice. e.g. Sultaaan
0.4.3.2
Password Expiration
Change of password should be made mandatory every 3 months
0.4.3.3
New Account
Each time you open a new account, the system should prevent you from setting a password that can be easily
cracked and must adhere to the above mentioned rules. How new accounts are created? Refer to accounts
creation Sections.
0.4.3.4
Change Password
Each time you change your password, the system should prevent you from setting a password that can
be easily cracked and must adhere to the above mentioned rules
Passwords can be changed through
User Accounts login page
ITC Department
48
0.4.3.5
Forgotten Password
Users can change password by providing necessary information.

First Name
Last Name
University ID
Date of Birth
Answering Secret Question
Unable to provide information should contact Help Desk.
0.4.3.6
Administrator Termination
This policy is only related to password. For details of administrator termination, see later sections.
Administrators usually have many accounts and they are likely to know common administrative passwords. All of these passwords must be changed.
0.4.3.7
Storing Sensitive Information
All the information which is marked as sensitive in compliance with the policies defined earlier in this
document, must be password protected along with different security levels.
0.4.3.8
Security Awareness Training
Employees should be taught how to pick strong passwords that are easy to remember.
0.4.3.9
Password Sharing
Sharing a password even with best friend, room-mate, and relative or with any other is prohibited.
University never asks users for passwords.
49
0.4.3.9.1
Storing Password
Administrators and service providers should store account passwords such that cannot be produced
later on under any circumstances.
Encrypted password storage application can be used only if access protection to that application is
guaranteed.
0.4.4
Responsibility
Account holders are held responsible for all activities associated with their accounts. As such, the
strength and protection of the password is critical to ensuring that unauthorized activity does not
become associated with a persons account.
Each computer user is responsible for his or her use of technology on campus. The integrity and secrecy
of an individuals password is a key element of that responsibility.
0.5
Data Backup Policy
0.5.1
Preamble
0.5.1.1
Purpose
The purpose of this policy is to define the need for performing periodic computer system backups to ensure
that mission critical administrative applications, system data and archives, users data and archives are
adequately preserved and protected against data loss and destruction.
0.5.1.2
Overview
Information can be damaged by framework glitch or unintentional or deliberate means. Satisfactory backups
permit information to be promptly recovered as needed. The progressing accessibility of University information is basic to the operation of the faculties. To minimize any potential damage or defilement of this
50
information, units accountable of giving and working authoritative applications or record storing administrations need to guarantee that information is enough backed up by making and taking a proper system
backup strategy. Having a streamlined information backup policy is key to the development of a powerful
Business Continuity Plan (BCP).
0.5.2
Scope
Information overseers are responsible for giving sufficient backups to guarantee the recovery of electronic data
(includes KFUPM information and software) in the occasion of disappointment. These backup procurements
permit University business methods, including the exploration endeavor to be continued in a sensible measure
of time with insignificant loss of information. Since disappointments can take numerous structures, and may
happen over the long run, various eras of backups ought to be kept up. This procedure applies to all staff/
users that are directly or indirectly employed by KFUPM, subsidiaries or any entity conducting work on
behalf of KFUPM that involves the use of information assets owned by KFUPM.
0.5.3
Definitions
Archives, Data and Administrative Applications:is the group of information components which
are related to the operations, arrangements, or administration of one or more KFUPM faculty or
Centers.
Archives and Users Data:is the group of clients information located either on desktop gear or file
servers.
System Backup:a document strategy for copying applications programming and information documents that exist in PC disks to a convenient medium, (for example, tape or diskette) or to a medium
that is physically remote from the starting framework.
Data Custodian:for the purposes of this policy, a Data Custodian shall be the officer ultimately
responsible for the delivery of Information Technology resources to a faculty or Centre.
51
Three Generation:There are media and capacity expenses connected with backups. Backup sets
dont have to be kept everlastingly and the media is reusable.
A prominent media turn arrangement is called Generation. Utilizing this arrangement media is kept for
three backup cycles. Backups are made on media called child. Amid every backup cycle, the generation
increase; child sets get to be father sets, father sets get to be granddad sets. The granddad sets are turned,
reused and get to be child sets.
0.5.4
Backup Types
Full Backup:A Full Backup creates a copy of every file on a storage device. This is absolutely the
most complete, comprehensive, and fool-proof type of backup. It is also the most costly in terms of
effort, time and dollar output.
Partial Backup:A Partial Backup creates a copy of selected files on a storage device. The user selects
which files to backup and which to skip. This can be almost as comprehensive as a full backup since
there are many files that have absolutely no long-term value. Files with no long-term value include
temporary files and cache files that can take up many megabytes of disk space.
Incremental Backup:An Incremental Backup creates a copy of files that have changed (modified,
added to, or created) since the last backup was performed. This method can be used in conjunction
with full and partial backups to maximize protection and minimize cost.
Differential Backup:A Differential Backup creates a copy of files that have changed (modified, added
to, or created) since a specific date and time. This method is also used in conjunction with full and
partial backups to maximize protection and minimize cost.
0.5.5
Statement of Policy
Backups of all KFUPM data and software must be retained such that computer operating systems
and applications are fully recoverable. This may be achieved using a combination of image copies,
52
incremental backups, differential backups, transaction logs, or other techniques

The frequency of backups is determined by the volatility of data; the retention period for backup
copies is determined by the criticality of the data. At a minimum, backup copies must be retained for
180 days.
At a minimum, one fully recoverable version of all data must be stored in a secure, off-site location.
An off-site location may be in a secure space in a separate University building, or with an off-site
storage vendor approved by the Manager, ITC. The practice of taking backup media to the personal
residence of staff is not acceptable.
Derived data should be backed up only if restoration is more efficient than creation in the event of
failure.
All KFUPM information accessed from workstations, laptops, or other portable devices should be
stored on networked file server drives to allow for backup. KFUPM information located directly on
workstations, laptops, or other portable devices should be backed up to networked file server drives.
Convenience data or other information which does not constitute KFUPM data does not carry this
requirement.
Required backup documentation includes identification of all critical data, programs, documentation,
and support items that would be necessary to perform essential tasks during a recovery period. Documentation of the restoration process must include procedures for the recovery from single-system or
application failures, as well as for a total data center disaster scenario, if applicable.
Backup and recovery documentation must be reviewed and updated regularly to account for new
technology, business changes, and migration of applications to alternative platforms.
Recovery procedures must be tested on an annual basis.
53
0.5.5.1
Information to be Backed up and Schedules
The KFUPM University requires that all faculty data is backed up according to the following schedules:
Backup of structured data (application data and databases)
Every day a data backup is taken and retained for 14 days. Date created or deleted less than 24 hours
between backups or data deleted more than 14 days before the backup was created cannot be recovered.
The following schedule provides for data to be restored with at most one working day data missing.
Granularity
Retention
Location
Length of time between backed up copies
Length of time the backup copy is kept
Location of the backed up copy
1 day
14 days
Secondary Data Centre
Backup of unstructured data (email and documents stored in electronic files)

This schedule is required to protect against accidental deletion of files that could go unnoticed for more
than two weeks (staff and student documents, emails and lecture recordings are examples).
Custodians of structured data (applications and databases) that require additional protection offered
by this backup schedule should request that their data be backed up in accordance with this schedule.
Granularity
Retention
Location
1 day
14 days
1 week
30 days
1 month
90 days
Backup of development and test data

This schedule is required to protect against the accidental deletion of development source code and/or
54
test data. A backup is taken once a week and will be retained for 4 weeks.
Data created and deleted within a period of less than one week between backups or data deleted or
lost more than 4 weeks previous to the backup will not be recoverable.
Granularity
Retention
Location
1 week
4 weeks
0.5.5.2
Storage of Backups
The KUPM ITC offers limited file storage to students, faculty and staff. While this data is backed up
regularly, it may not provide the security or protection required of the research work. Many storage of
backups are available, as shown in Table 1.
0.5.5.3
Data Backup Test
The ability to restore data from backups shall be tested at least quarterly.
It must at least once be proven that complete data restoration is possible (e.g. All data contained
in a server must be installed on an alternative server using substitute reading equipment to the data
backup writing equipment). This ensures reliable testing as to Weather:
Data restoration is possible.

The data backup procedure is practicable.
There is sufficient documentation of the data backup, thus allowing a substitute to carry out the
data restoration if necessary.
The time required for the data restoration meets the availability requirements.
55
Table 1: Backup Storage

Storage type
Description
Type of services
Access and security
Notes
Should be
Not secure unless

regularly
kept in a secure
tested as
location and
Storage and often
External hard drives
hard drives
sensitive data are
Also known as
used as a backup
can fail
encrypted. Higher
hard disk drives

option
over time.
end hard drives can
General life
be protected by
span is about
passwords.
1-5 years.
regularly
tested as
hard drives
Storage and often
Storage and often
can fail
used as a backup
used as a backup
over time.
option
option
General life
Flash drives, CDs,

Portable media
and DVDs
span is
about 1-5
years.
Departmental or
Your departments
college server
IT unit may offer
or storage
storage on their
network
server or network
Generally protected
Contact your
Storage and often
by user accounts and
departments
used as a backup
passwords, but you
IT
option
will need to discuss
unit for
security needs with IT
information
56
The Universitys
contract with Box
includes
language that
A web-based
NetID restricted;
reflects the
service for storing,
Storage
can add permissions
sharing, and
and backup
for campus or
UofI.Box.net
Universitys
data security
editing files
external users
policies
and practices,
including
FERPA
CITES Backups
service provides
Protected by user
Often included if
accounts and
your workstation
passwords.
is managed by
Sensitive
the
data can be
CITES Workstation
encrypted.
Services Group
automated,
centrally
CITES Enterprise
managed, reliable
Backup only
Backup Service
backup facilities for
a variety of
workstations and
servers
University has no
Amazon S3,
Third Party
Storage and
Cloud Storage
negotiated terms
Varies
Dropbox, and
backup services
of services with
others
these providers.
57
Accepts materials
Digital repository
Can be shared
as discrete files in
with the public
final
or restricted to
unchanging form only.
specified UIUC
Materials will receive a
users
permanent URL and will be
for research and

scholarship
Archival storage
including datasets
and backup
IDEALS
produced at
the University
maintained indefinitely.
The personincharge must maintain records demonstrating the review of logs and test restores so
as to demonstrate compliance with this policy for auditing purposes.
0.5.5.4
Responsibilities
Resistance with this approach could extremely affect the operation of the organization by presenting the
University to lasting loss of University information prompting loss of financial records, students records,
research material and/or University and research funds. It might likewise uncover the individual or the
University to lawful activity.
0.5.6
Policy Framework
Electronic records are responsible to the full scope of laws applying to electronic interchanges furthermore, to
record continuing, including copyright, rupture of certainty, criticism, protection, disdain of court, provocation, denunciation and against segregation enactment, the making of contractual commitments, information
transfers and criminal laws.The management of electronic records must take into account KFUPM policies
and guidelines. Certain laws and understandings require the University to offer access to records or the data
contained in that to gatherings outside the KFUPM group. These incorporate guard, information transfers
and flexibility of data enactment, other legitimate rules(e.g. concerning subpoenas), and concurrences with
outside web suppliers that oversee the transmission of email and distribution by electronic means.
58
0.5.7
Backup procedure Flowchart
Figure 1: Backup Procedure
59
0.5.8
Backup Procedures Activities
1. Backup Request Received

Responsibility: Backup Requester / Asset Owner
Inputs
Backup Request Form
Activities
Backup Requester / Asset Owner will identify backup needs, and fill up backup request form.
Proceed to step 2.
Outputs
Backup Request Form
2. Evaluate Security Requirements
Responsibility: Information Security Officer
Inputs
Backup Request Form
Activities
Once the backup request form initiated, Information Security Officer will evaluate the request
according to security requirements and then sends it to ITC Backup Administrators for
assessment
Proceed to step 3.
Outputs
Backup Request Form with Security Requirements
3. Evaluate Technical Needs / Backup Plan
Responsibility: ITC Backup Administrators
60
Inputs
Backup Request Form with Security requirements
Activities
Determine technical requirement, dependencies and limitations to perform backup job once
or maintain periodic backup plan.
With the participation of ITC Backup Administrators, Asset Owner and Information Security
Officer, a backup plan will be developed, which consists of the following:
Backup Scope: what type of information/ data needs back up (e.g. databases, network
settings, file system, etc.).
Backup Frequency: durations by which back up will be taken (taking into consideration the
criticality/ availability factors)
Backup Type: is it (full, incremental, online, etc.).
Backup Mechanism: is it (automatic or manual)
Backup Storage Location: the storage for the backup media shall be in a secure location onsite/off-site in different zones if possible, taking into consideration the criticality/ availability
factors.
Backup Retention Period: establish the retention period for the backup media.
Backup Encryption: agree if encryption is required, for which data.
Media Labeling: agree on a labeling scheme.
Media Destruction: agree on media disposal process.
Proceed to step 4.
Outputs
Backup Form with Technical Requirements
Backup Plan
61
4. Evaluate and Approve Backup Request and Plan

Responsibility: ITC SOS Manager
Inputs
Backup Form with Business Needs, Technical and Security Requirements
Backup Plan
Activities
Once the plan has been determined, ITC SOS Manager will evaluate the backup request, plan
and make a decision:
If it is approved, then proceed to step 5.
If it is rejected, then go to step 9.
Outputs
Approved / Rejected Backup Request and Plan
5. Backup Process and Verification
Inputs
Approved Backup Request and Plan
Activities
Start backup process, prepare the environment and perform backup.
The backup process will be validated to confirm the success of the process and no problems
were encountered.
If it is successful, then go to step 7.
If it is failed, then go to step 6 to analyze the issue and then go to step 5 and re-perform
the backup if required.
62
Outputs
Backup
6. Inspect Backup Log and Take Corrective Action
Inputs
Failed Backup
Activities
In case of failed backup process, ITC Backup Administrators will inspect backup logs for
errors detection; and corrective actions will be taken.
Go back to step 5 to retry the backup process again.
If it is failed several times, then end process and inform requester.
Outputs
Backup Inspection Results
Corrective Actions
7. Media Storage
Inputs
Successful Backup Process
Activities
ITC Backup Administrators will perform the following:
Store backup media as per Backup Plan.
Update storage record.
End of procedure.
63
Outputs
Successful Backup Media Process and Storage
Updated Storage Log
8. Inform Requester
Responsibility: ITC SOS Manager/ ITC Backup Administrators
Inputs
Rejected Backup Request and Plan
Failed Backup Process
Activities
Once the request has been rejected, ITC SOS Manager will inform the requester with justification.
Add notification / update the request status.
End process if request is rejected / process completed.
Outputs
Approved / Rejected Backup Request and Plan
Requester Updated with Request Evaluation and Approval Status
0.6
0.6.1
Internal Network and Internet Network usage

Internal Network usage
Introduction
King Fahd University network facilitates communication among the members of the university community,
provides a resource for gathering information, and supports the university learning environment. Scope
and Purpose of this Policy
64
KFUPMs private network is available to authorized users. Network use is governed by this policy. This policy
documents standards for appropriate and fair use of limited networking resources, protects user security and
privacy, and assures university compliance with local lows.
Exceptions to this policy may be granted by petition to the Administrative Council if any portion of this
policy is presumed a hindrance to an academic purpose. In this document, the term users refers to anyone
using KFUPMs network. Appropriate Use
Users are expected to follow the Golden Rule and cooperate with system administrators.
User activity on the network must not prevent or inhibit others from accessing network resources or
the Internet.
Users must not use or provide tools that damage files or computers, compromise network security, or
disable accounts.
Users must not violate university policy nor local laws.
Users must not impersonate another individual or misrepresent authorization to act on behalf of another
individual or the university. Messages stored on or transmitted through the university network must
correctly identify the sender. Users must not modify the original attribution of email messages or
postings and must not send anonymous messages.
Users must not distribute copyrighted material without written consent of the copyright holder. The
copyright law makes provision for fair use of short excerpts from copyrighted materials. When using
such excerpts the source must be credited. Unless otherwise indicated by the author, users should
assume that any material not created by themselves is copyrighted.
Users are responsible for all use made of their accounts. Account owners are to prevent unauthorized
use and to report suspected intrusions or other inappropriate activity to Information Systems.
Users must not attempt to undermine the security or integrity of the university network and must
not attempt to gain unauthorized access. Users must not use any computer program or device to
65
intercept or decode passwords or similar access-control information. Suspected security breaches or

vulnerabilities should be reported immediately to Information Systems.
Privacy
User privacy is important to the university and is protected to the extent that is technically feasible
and allowed by law. The university does not routinely monitor personal communication or information
without probable cause. Messages sent and received electronically are accessible to administrators
through normal maintenance activities, and to the public through public record laws, subpoenas,
decoding, interception, or other means. Because of this, the university cannot guarantee complete
privacy of electronic communications.
Network administrators endeavor to maintain the integrity and proper functioning of the systems for
the benefit of all users. In connection with this responsibility, designated administrators may need
to access or monitor parts of the system. All administrators are to respect the privacy of personal
communications encountered on the system. However, if administrators, while involved in routine
duties, encounter information that indicates that a crime or a breach of this policy may have been
committed or is about to be committed, they are required to report the existence and source of this
information to the proper university authorities.
Searching and monitoring of personal electronic communications may be authorized by the university
president or an employee he appoints. Authorization, including delegation if applicable, must be in
writing and must specify the information or communications to be examined.
Security
While it is impossible to make the network totally secure, our goal is to provide a reasonably secure environment for personal and institutional computing and communication. Network
The network is divided into several security zones. Academic buildings, employees, students housing
and staff housing.
66
Internet Protocol (IP) addresses used on the university network are university property, are assigned by
Information Systems, and may only be used by permission. Every computer connected to the network
must use a university supplied IP address.
Any device physically connected to the university network must be registered with Information Systems.
Students housing and staff housing are considered as general-use areas.
Servers
Servers are computers connected to the university network that provide services or storage to multiple
users.
Only persons designated by the executive director of Information Systems have physical access or
administrative password access to centrally administered servers or equipment. Keys to these facilities
are not issued to any individual without the permission of the executive director.
All servers connected to the university network must be registered as such with Information Systems.
System administrators must take steps to ensure that the servers are reasonably secure. Information
Systems performs periodic security audits of all servers connected to the university network.
A university server found to be a security threat will be reported to the administrator of that server as
well as to Information Systems. If necessary, the server will be disconnected until the problem is fixed.
Workstations
A workstation is a computer connected to one of the university networks and is designated for use by
a single person.
Workstations connected to a university network must not be configured to allow access to that network
from any other network or from off-campus. Users requiring access to secure resources while away from
their workstation may request a virtual private network (VPN) account from Information Systems.
General-use Computers
67
A general-use computer is any computer routinely used by more than a single designated user.
General-use computers must comply with the policies for workstations.
General-use computers are not given access to secure network zones.
Staff housing and Students housing networks are considered as general-use networks.
Blocking
Blocking-software is maintained to protect users from encounters with inappropriate materials. However, this should not be construed as an endorsement of any site which is not blocked.
Users may report sites which they feel should not be restricted to blocking@KFUPM.edu.
User responsibility
While Information Systems takes steps to make the network secure, security is ultimately the responsibility of the user.
Users are not to share passwords with anyone. No one, including Information Systems employees, is
authorized to ask for a password. We strongly suggest that all users take time to learn passwords in
order to avoid writing them down.
Users should not remain logged in to university systems when away from their desks for an extended
period of time.
Sanctions
First Minor Incident. When a user appears to have violated the Network Usage Policy in a manner
that is deemed minor by Information Systems and the user has not been implicated in prior incidents,
he/she is furnished a copy of the Network Usage Policy and is asked to sign an agreement to conform
to policy statement.
Repeated and/or Major Violations. Repeated or major violations are referred to Student Services (for
students) or the appropriate vice president or the president (for employees) for disciplinary action.
68
Disciplinary actions for violations may include, but are not limited to, loss of network access, dismissal,
and legal action. When violations may constitute criminal offenses, the university reports the activity
to the appropriate authorities.
The processes for appealing actions are outlined for students and employees in the respective handbooks.
0.6.2
Internet Network usage
Overview
Internet connectivity presents the university with new risks that must be addressed to safeguard the facilitys
vital information assets. These risks include: Access to the Internet by personnel and students that is
inconsistent with business and student needs results in the misuse of resources. These activities may adversely
affect productivity due to time spent using or surfing the Internet. Additionally, the university may face
loss of reputation and possible legal action through other types of misuse. All information found on the
Internet should be considered suspect until confirmed by another reliable source. There is no quality control
process on the Internet, and a considerable amount of its information is outdated or inaccurate. Access
to the Internet will be provided to users to support business activities and only on an as-needed basis to
perform their jobs and professional roles.
Purpose
The purpose of this policy is to define the appropriate uses of the Internet by KFUPM students, employees
and affiliates.
Scope
The Internet usage Policy applies to all Internet users who access the Internet through the computing or
networking resources. The universitys Internet users are expected to be familiar with and to comply with
this policy, and are also required to use their common sense and exercise their good judgment while using
Internet services.
Internet Services Allowed
69
Internet access is to be used for business and research purposes only. Capabilities for the following standard
Internet services will be provided to users as needed:
E-mail Send/receive E-mail messages to/from the Internet (with or without document attachments).
Navigation WWW services as necessary for business and research purposes, using a hypertext transfer
protocol (HTTP) browser tool. Full access to the Internet; limited access from the Internet to dedicated
university public web servers only.
File Transfer Protocol (FTP) Send data/files and receive in-bound data/files, as necessary for business
and research purposes.
Telnet Standard Internet protocol for terminal emulation. User Strong Authentication required for
Internet initiated contacts into the university
Management reserves the right to add or delete services as business and research needs change or conditions
warrant.
All other services will be considered unauthorized access to/from the Internet and will not be
allowed.
Request and Approval Procedures
Internet access will be provided to users to support business activities and only as needed to perform their
jobs.
Request for Internet Access
As part of the Internet access request process, the employee and the student is required to read both this
Internet usage Policy and the associated Internet/Intranet Security Policy The user must then sign the
statements (located on the last page of each document) that he understands and agrees to comply with the
policies. Users not complying with these policies could be subject to disciplinary action up to and including
termination.
Policy awareness and acknowledgment, by signing the acknowledgment form, is required before access will
be granted.
70
The request for Internet access is just applied for academic buildings and employees. Staff and students
housing are considered as general-use areas.
Approval
Internet access is requested by the user or users manager submitting an IT Access Request form to the IT
department along with an attached copy of a signed Internet usage Coverage Acknowledgment Form.
Removal of privileges
Internet access will be discontinued upon termination of employee or student, completion of contract, end
of service, or disciplinary action arising from violation of this policy. In the case of a change in job function
and/or transfer for both student and employee the original access code will be discontinued, and only reissued if necessary and a new request for access is approved. All user IDs that have been inactive for thirty
(30) days will be revoked. The privileges granted to users must be reevaluated by management annually.
In response to feedback from management, systems administrators must promptly revoke all privileges no
longer needed by users.
Policy
Resource Usage
Access to the Internet will be approved and provided only if reasonable business or research needs are identified. Internet services will be granted based on an employees current job or student status responsibilities.
If an employee moves to another business unit or changes job functions, a new Internet access request must
be submitted within 5 days.
User Internet access requirements will be reviewed periodically by university departments to ensure that
continuing needs exist.
Allowed Usage
Internet usage is granted for the sole purpose of supporting business activities or student research that necessary to carry out university functions. All users must follow the corporate principles regarding resource
usage and exercise good judgment in using the Internet. Questions can be addressed to the IT Department.
71
Acceptable use of the Internet for performing university functions might include (for academic buildings and
employees only):
Communication between employees and non-employees for business and research purposes;
IT technical support downloading software upgrades and patches;
Reference regulatory or technical information.
Research
Personal Usage
Using university computer resources to access the Internet for personal purposes (for academic buildings
and employees only), without approval from the users manager and the IT department, may be considered
cause for disciplinary action up to and including termination. All users of the Internet should be aware
that the university network creates an audit log reflecting request for service, both in-bound and out-bound
addresses, and is periodically reviewed. users on general-use areas are free of this part of the policy.
Users who choose to store or transmit personal information such as private keys, credit card numbers or
certificates or make use of Internet wallets do so at their own risk. The university is not responsible for any
loss of information, such as information stored in the wallet, or any consequential loss of personal property.
Prohibited Usage
Information stored in the wallet, or any consequential loss of personal property.
Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts
race, sex or creed is specifically prohibited.
The university also prohibits the conduct of a business enterprise, political activity, engaging in any form of
intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false
or otherwise libelous materials.
Other activities that are strictly prohibited include, but are not limited to:
Accessing university information that is not within the scope of ones work. This includes unauthorized reading of accounts information, unauthorized access of personnel file information, and accessing
72
information that is not needed for the proper execution of job functions.
Misusing, disclosing without proper authorization, or altering student or personnel information. This
includes making unauthorized changes to a personnel file or sharing electronic student or personnel
data with unauthorized persons.
Deliberate pointing or hyper-linking of university Web sites to other Internet/WWW sites whose
content may be inconsistent with or in violation of the aims or policies of the university.
Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise
violate any regulations, local, state, national or international law.
Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the
Internet are copyright and/or patented unless specific notices state otherwise.
Transmission of any proprietary, confidential, or otherwise sensitive information without the proper
controls.
Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening,
harassing material, including but not limited to comments based on race, national origin, sex, sexual
orientation, age, disability, religion, or political beliefs.
Any form of gambling.
The following activities are also strictly prohibited (except general-use areas):
Unauthorized downloading of any shareware programs for use without authorization in advance from
the IT Department and the users manager.
Playing of any games.
Forwarding of chain letters.
73
Participation in any on-line contest or promotion.

Acceptance of promotional gifts.
Bandwidth both within the university and in connecting to the Internet is a shared, finite resource. Users
must make reasonable efforts to use this resource in ways that do not negatively affect other employees and
students. Specific departments may set guidelines on bandwidth use and resource allocation, and may ban
the downloading of particular file types.
Software License
The university strongly supports strict adherence to software vendors license agreements.
When university computing or networking resources are employed, copying of software in a manner not
consistent with the vendors license is strictly forbidden.
Questions regarding lawful versus unlawful copying should be referred to the IT Department for review or
to request a ruling from the Legal Department before any copying is done.
Similarly, reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first
obtained, making copies of material from magazines, journals, newsletters, other publications and online
documents is forbidden unless this is both reasonable and customary. This notion of fair use is in keeping
with international copyright laws.
Using university computer resources to access the Internet for personal purposes, without approval from the
users manager and the IT department, may be considered cause for disciplinary action up to and including
termination.
All users of the Internet should be aware that the university network creates an audit log reflecting request
for service, both in-bound and out-bound addresses, and is periodically reviewed.
Users who choose to store or transmit personal information such as private keys, credit card numbers or
certificates or make use of Internet wallets do so at their own risk.
Review of Public Information
All publicly-writeable directories on Internet-connected computers will be reviewed and cleared each evening.
74
This process is necessary to prevent the anonymous exchange of information inconsistent with university rules.
Examples of unauthorized public information include pirated information, passwords, credit card numbers.
Monitoring
Users should consider their Internet activities as periodically monitored and limit their activities accordingly.
Management reserves the right to examine E-mail, personal file directories, web access, and other information stored on university computers, at any time and without notice. This examination ensures compliance
with internal policies and assists with the management of university information systems.
E-mail Confidentiality
Users should be aware that clear text E-mail is not a confidential means of communication. The university
cannot guarantee that electronic communications will be private. Employees and students should be aware
that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and
stored by others. Users should also be aware that once an E-mail is transmitted it may be altered. Deleting
an E-mail from an individual workstation will not eliminate it from the various systems across which it has
been transmitted.
Representation
When using university resources to access and use the Internet, users must realize they represent the university. Whenever employees or students state an affiliation to the university, they must also clearly indicate
that the opinions expressed are my own and not necessarily those of the university. Questions may be
addressed to the IT Department.
University Materials
Users must not place university material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public news group, or such service. Any posting of
materials must be approved by the employees or students manager and the public relations department and
will be placed by an authorized individual.
Creating Web Sites
All individuals and/or business units wishing to establish a WWW home page or site must first develop
75
business, implementation, and maintenance plans. Formal authorization must be obtained through the IT
Department. This will maintain publishing and content standards needed to ensure consistency and appropriateness.
In addition, contents of the material made available to the public through the Internet must be formally
reviewed and approved before being published. All material should be submitted to the Corporate Communications Directors for initial approval to continue. All university pages are owned by, and are the ultimate
responsibility of, the Corporate Communications Directors.
All university web sites must be protected from unwanted intrusion through formal security measures which
can be obtained from the IT department.
Usage Compliance Reviews
To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing
the degree of compliance with usage policies.
Policy Maintenance Reviews
Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage policies.
These reviews may result in the modification, addition, or deletion of usage policies to better suit university
information needs.
Compliance Measurement
The IT team will verify compliance to this policy through various methods, including but not limited to,
business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the IT Team in advance.
Non-Compliance
An employee or student found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment or student status.
Additionally, the university may at its discretion seek legal remedies for damages incurred as a result of
any violation. The university may also be required by law to report certain illegal activities to the proper
76
enforcement agencies.
Before access to the Internet via university network is approved, the potential Internet user is required to
read this Internet usage Policy and sign an acknowledgment form. The signed acknowledgment form should
be turned in and will be kept on file at the facility granting the access. For questions on the Internet usage
Policy, contact the Information Technology (IT) Department.
INTERNET USAGE COVERAGE ACKNOWLEDGMENT FORM
After reading this policy, please sign the coverage form and submit it to your facilitys IT department or
granting facilitys IT department for filing. By signing below, the individual requesting Internet access
through university computing resources hereby acknowledges receipt of and compliance with the Internet
Usage Policy. Furthermore, the undersigned also acknowledges that he has read and understands this policy
before signing this form. Internet access will not be granted until this acknowledgment form is signed by
the individuals manager. After completion, the form is filed in the individuals human resources file (for
permanent employees), or in a folder specifically dedicated to Internet access (for contract workers, etc.),
and maintained by the IT department. These acknowledgment forms are subject to internal audit.
ACKNOWLEDGMENT
I have read the Internet Usage Policy. I understand the contents, and I agree to comply with the said Policy.
Department
Purpose
Name
ID SignatureDateManager/Supervisor SignatureDate
77
0.7
System administration and User access management
Procedure Objective
The main objective of User Access Management Procedure is to control and secure the creation and deletion
of KFUPM user accounts and access to secure information processing facilities within KFUPM.
Procedure Scope
This procedure applies to KFUPM and all parties, its affiliated partners or subsidiaries, including data
processing and process control systems, that are in possession of or using information and/or facilities owned
by KFUPM.
This procedure applies to all staff/ users that are directly or indirectly employed by KFUPM, subsidiaries
or any entity conducting work on behalf of KFUPM that involves the use of information assets owned by
KFUPM.
Procedure Inputs / Invocation
Procedure should be followed whenever there is:
User Account Creation:To register and grant access privilege for the new users of KFUPM information resources (e.g. internet, printers and LAN).
User Privileges Modification:To review and modify existing user privileges.
User Termination:To revoke access privileges of resigned / terminated users.
Premises Access:To grant physical access permission to KFUPM premises
Secure Areas Access:Grant access to KFUPM secure areas
78
Procedure Flowchart
Figure 2: User Access Management Procedure
79
Procedure Activities
Step 1: Access Request
Responsibility: User / Department Manager
Inputs
User Account Creation
User Privileges Modification
User Termination / Account Removal
Physical / Premises Access
Activities
The procedure will be initiated by Department Manager / User, who will fill-up the user access form.
Proceed to step 2.
Outputs
Logical/Physical User Access Form.
Step 2: Forward Request

Responsibility: User / Department Manager
Inputs
Logical/Physical User Access Form
Activities
Once the access form has been filled in, Department Manager / User will sign and forward the form to
Information Security Officer for review and evaluation.
Outputs
80
Step 3: Evaluate Business and Security Needs

Responsibility: Information Security Officer
Inputs
Activities
Evaluate the request (logical account creation, modification, deletion) / (physical entry / access permission) as per KFUPMs business and security requirements.
Provide comments and forward the request to ITC Manager for approval.
Outputs
Logical/Physical User Access Form (Business and Security Needs Evaluation)
Step 4: Review and Approval

Responsibility: ITC Manager
Inputs
Logical/Physical User Access Form (Business and Security Needs Evaluation)
Activities
Review and evaluate the request based on KFUPMs business and technical requirements:
If the request is approved, then it will be forwarded to:
Logical Access: to ITC Department for Implementation.
Physical Access: to Security and Safety Department for Implementation / Maintenance Department.
If the request is rejected, then go to step 5
Outputs
Approved/Rejected Logical/Physical User Access
81
Step 5: Inform Requester

Responsibility: ITC Manager
Inputs
Rejected Logical / Physical User Access Request
Access Implementation Status
Activities
Inform the requester with the result of the access form and if the request is accepted the process will
move on, and the requester will be notified upon the completion of request
End of procedure.
Outputs
None
Step 6: Implementation
Responsibility: ITC Department
Inputs
Approved Logical User Access Request
Activities
Necessary actions are followed to implement user logical access request.
The user logical access request form is updated with the technical actions taken.
Proceed to step 7.
Outputs
Implemented Logical Access Request
82
Step 7: Update Access Record

Responsibility: ITC Department
Inputs
Implemented Logical Access Request
Activities
Update the account management logs / access records related to the access actions taken.
Go to step 5.
Outputs
Updated Access Records
Step 8: Implementation
Responsibility: Security and Safety Department/ Maintenance Department
Inputs
Approved Physical User Access Form
Activities
Necessary actions are followed to implement user physical access request.
The user physical access request form is updated with the actions taken.
Go to step 9.
Outputs
Implemented Physical User Access Request
Step 9: Update Account Management Logs

Responsibility: Security and Safety Department/ Maintenance Department
Inputs
83
Implemented Physical User Access Request

Activities
Physical user access implementation logs will be updated with related access actions.
Go to step 5.
Outputs
Updated Account Management Log
Procedure Outputs
The following activity will be an output of the process:
The intended user is granted logical and physical accesses based on Access Control Policy.
User access rights and privileges are managed and controlled according to Access Control Policy.
Records
The following are the list of all applicable records that are the evidence of implementation of the process.
The records are maintained in hard and soft copy:
User Access Form
User Access Record
Definitions and Terms
All terms and acronyms used in this document are specified in the Information Security Management Systems
Glossary.
ISO/IEC 27001:2005 References
The following are the useful references which can be used to carry out the defined process based on ISO
27001 standards:
A.11: Access Control
84
A.8.3.3: Removal of Access Rights

Related Policies and Procedures
The following are all policies and procedures that are related to this procedure:
Access Control Policy
Communications and Operations Management Policy
Personnel Security Procedure
Document Owner
ITC Department
Procedure Changes, Review and Update
Technological advancements and changes in the business requirements will necessitate periodic revisions
to policies. Therefore, this procedure may be updated to reflect changes or define new or improved
requirements.
This document may be viewed, printed by authorized personnel only.
A procedure review should be performed at least on an annual basis to ensure that the procedure is
current.
It is the responsibility of ISMS Manager to facilitate the review of this procedure on a regular basis.
Personnel and Department Head from relevant departments should also participate in the annual review
of this procedure.
Deficiencies within this procedure should be immediately communicated to the ISMS Manager. Procedure changes should require the approval of Management.
Change log should be kept current and should be updated as soon as any change has been made.
85
Procedure Enforcement / Compliance

Compliance with this procedure is mandatory and all KFUPM Department Heads should ensure continuous compliance monitoring within their department.
Compliance with the statements of this procedure is a matter of periodic review by the Information
Security Officer. Any violation will result in disciplinary action by the management.
Disciplinary action will be depending on the severity of the violation which will be determined by
investigations. Actions such as termination or others as deemed appropriate by Senior Management
should be taken.
Procedure Exceptions
This procedure is intended to address information security requirements. If needed, waiver requests
should be formally submitted to ISMS Manager, including justification and benefits attributed to the
waiver.
The procedure waiver period have maximum period of six months, and should be reassessed and reapproved, if necessary for maximum three consecutive terms. No procedure should be provided waiver
for more than three consecutive terms.
0.8
0.8.1
User Account Policy

Introduction
The accepted academic principle that information should be shared is founded upon the fact that information
is a unique resource that increases rather than dissipates when it is used. However, this principle must be
tempered by the fact that access to University information carries with it the responsibility to protect privacy,
confidentiality and integrity.
Unauthorized access to the Universitys information or systems has been identified as a major information
86
security risk that must be proactively managed.

Access to IT resources by unauthorized people or computer processes can result in: the Universitys sensitive
information (personal, both staff and students; research; financial) being compromised;
Non-compliance to legal and regulatory requirements;
Prosecution through non-adherence to legislation;
Adverse impact on the Universitys image and reputation.
It may be argued that less strict policies than those defined in this document are appropriate for systems
that do not store sensitive information. However, it must always be remembered that if such systems are
connected to the University network they can potentially provide a means of unauthorized access to sensitive information residing in other locations. Whenever possible, therefore, the comprehensive access control
regime defined here should be adopted to mitigate the risks in this area.
Account Provisioning and Access Control Standards
Accounts that access electronic computing and information resources require prudent oversight. The following security precautions should be part of account management:
All accounts must have a password that adheres to the practices outlined in the Password Management
Policy document.
Any account that is not used for interactive login or authentication must be locked or disabled according
to the definition of those terms for the particular OS in question.
Prior to creating a user account, that users affiliation with the University must be verified by the
sponsoring unit or division (i.e., DGS, Registrar).
Users must attend all appropriate application or data handling training courses prior to their account
being activated.
Accounts for individuals not affiliated with the University must have prior approval from ITC.
87
There may be only one user associated with an account. Users may NOT share an account.
Accounts should not be granted any more privileges than those that are necessary for the functions
the user will be performing. When establishing accounts, standard security principles of least required
access to perform a function must always be used, where administratively feasible. For example, a root
or administrative privileged account must not be used when a non-privileged account will suffice.
Directory and file permissions should be set correctly to prevent users from listing directory contents
or reading, modifying, or deleting files that they are not authorized to access.
Account setup and modification shall require the signature of the account requestor, the requestors
immediate supervisor, the data owner and the Office of Information Technology.
The organization responsible for a resource shall issue a unique account to each individual authorized to
access that networked computing and information resource. It is also responsible for the prompt deactivation of accounts when necessary, i.e., accounts for terminated individuals shall be removed/disabled/
revoked from any computing system at the end of the individuals employment or when continued access is no longer required; and, the accounts of transferred individuals may require removal/disabling
to ensure changes in access privileges are appropriate to the change in job function or location.
The identity of users must be authenticated before providing them with account and password details.
If an automated process is used, then the account holder should be asked to provide several information
items that in totality could only be known by the account holder. In addition, it is highly recommended
that stricter levels of authentication (such as face-to-face) be used for those accounts with privileged
access (e.g., user accounts used for email do not require an identity validation process as thorough as
for those user accounts that can be used to post information to public web pages or modify department
budgets).
Passwords for new accounts should NOT be emailed to remote users unless the email is encrypted.
88
The date when the account was issued and its expected expiration date (if applicable) should be
recorded in an audit log.
All managers of accounts with privileged access to MSU data must sign a Confidentiality Agreement
that is kept in the department file under the care of a Human Resources representative or liaison.
0.8.2
Purpose
This policy outlines the Universitys administration of user accounts for authorized users of the University IT Facilities.
The KFUPM is committed to the appropriate use of Information Technology and Services in support of
its teaching, research, administrative and service functions. This policy is an adjunct to the Universitys
IT Acceptable Use Policy which defines the acceptable behavior expected of users and intending users
of the facilities. The University requires users to accept the IT policies and associated Requirements
Governing the Use of IT Facilities as a condition of their use. These are accessible on the University
Policy Directory.
0.8.3
Scope
This policy is applicable to those responsible for the management of user accounts or access to shared
information or network devices. Such information can be held within a database, application or shared file
space. This policy covers departmental accounts as well as those managed centrally.
0.8.4
Definitions
University:
KFUPM
User:
Any person using any of the Universitys Information Technology Facilities.
89
IT facilities:
Information Technology facilities operated by the University, whether owned or leased.
Chief Technology Officer:
The Chief Technology Officer, Information Technology Services.
ITS:
Information Technology Services at the KFUPM.
Account holder:
Any person granted a user account with the KFUPM.
User Account:
An authorized user account, provided to a user, to be used solely by that user, for the purpose of accessing
services as granted to that user account
0.8.5
Account Management Key Terms
Username
All KFUPM user accounts are uniquely identified by a username, where the username may be up to 8
characters and relates to name of the account owner. The format of the username is dependent on the
type of account.
A username is issued to an individual for the duration of that individuals affiliation with the University.
The facility does not exist to change a username. In the case of a legal name change where extraordinary
circumstances justify a username change, an account holder may be issued a new account, given an
application made in writing and accepted by the Chief Technology Officer.
User Account Groups
The KFUPM currently supports two groups of user accounts these being sponsored accounts and
student accounts.
90
An individual may hold one account from each group at any point in time but should have no more
than two accounts.
An individual must use an account for the purpose provided i.e. for staff purposes if a staff account
and student purposes if a student account.
User Account Sponsors
All user accounts require a sponsoring organization/entity.
Organizations sponsoring accounts may be the KFUPM, subsidiaries of the University, or a recognized
business or community affiliate of the University.
The terms and conditions for the issue of accounts are dependent upon the agreement set in place
between the University and the sponsoring organization. However, in all cases the University IT
policies, including this policy, apply without exception.
Account Status
The status of a user account may be:
A. active - an active account is a fully operational account;
B. expired - an expired account is one where the account password has expired and is required to be
reset before the account can be used;
C. closed (deactivated) - a closed (deactivated) account is one where access to the account is revoked
given that the account holder no longer satisfies the criteria for holding that type of KFUPM account
(Note the University retains closed accounts for a defined period after which time they are deleted.
Until deleted the account can be reinstated to the account holder); or
D. withdrawn (restricted) - a withdrawn (restricted) account is one where the users access to the
account is withdrawn in advance of the official closure of the account. Refer under each account type
for further details on withdrawing access to an account.
91
Account Holder Entitlements

The University provides an extensive range of computing and networking facilities to user account
holders, including email, internet access, calendar, timeshare access, modem access, and access to
other systems integrated with the Universitys account system. Access to these services is based on the
privileges of the accounts type and any individual systems access assigned to the individual account
holder.
Exceptions to the standard privileges that apply to an account may be permitted where a request is
made in writing and accepted by the Chief Technology Officer or delegated persons.
0.8.6
Application and Scope
This policy applies to all account holders of the University IT facilities. This policy represents the University Institutional position and takes precedence over other relevant policies which may be developed
at a local level.
All users should be aware of the policy, their responsibilities and legal obligations. All users are required
to comply with the policy and are bound by law to observe applicable statutory legislation.
0.8.7
Sponsored Accounts
Sponsored accounts may be one of two types: Staff Accounts or Associate Accounts.
To hold a sponsored account, an individual must be 16 years of age or over.
0.8.8
Staff Accounts
Account Creation
To hold a staff account, an individual must be a paid staff member of the KFUPM or one of its
subsidiaries, or hold an honorary academic appointment as in an honorary or visiting fellow. Such
92
accounts are issued for the period of employment only and as such the account should be used for staff
purposes only.
In addition, staff accounts may be held by Emeritus Professors and Fellows of the University, as
conferred by the University Council.
A staff account is created on receipt of a staff account user account application which is approved by
the relevant Head of Unit or equivalent, or a recognized user account manager.
On application for an account an individual acknowledges their acceptance of the declaration to abide
by the KFUPM IT Policies.
Each account is created with a unique username, which can be up to 8 characters in length, and is
based on the account holders name.
A staff account is created with a maximum disk and email quota, as set by ITS. An Internet quota is
not imposed on staff accounts but charges for usage apply to the accounts sponsor(s) as determined
from the HR records for the individual7. An increase to the email quota of a staff account may be
permitted given a request from the Senior Executive, Executive Dean, Faculty Executive Manager or
Director, made in writing and accepted by the Chief Technology Officer or delegated persons.
0.8.9
Email Address and Alias
The email address of a user account takes the form of username@KFUPM.edu.au e.g. jboggs@KFUPM.edu.au.
An alias is created for each account based on a preferred standard of firstname-lastname e.g. joebloggs@KFUPM.edu.au. Where duplicates are encountered, ITC contact the applicant for selection of
a suitable alternative. Given this, the use of firstname-lastname as an assumption for the email address
is limited, and may result in emails being sent to an unintended recipient.
Users are advised of their alias on account collection
93
Because of the changing nature of aliases, under no circumstances should they be recorded in any
subsidiary systems.
University Contact Directory
The name and contact details of an individual appear in the KFUPM Contact Directory for each staff account
holder. The entry is removed from the directory at the point the account is closed. Account Closure and
Deletion
Staff accounts remain active while ever the account holder has a current or future appointment with
their sponsoring organization. For the purposes of managing the official closure of an account, an
appointment is deemed to have ended:
Three weeks after the end date of a permanent or limited term appointment,
Seven weeks after the end date of a casual academic authority;
Three weeks after the end date of a general staff non-academic casual authority;
Three months after the end date of an honorary academic appointment; and
Three weeks after the last paid date for any other appointment types.
The University reserves the right to revise the above criteria.
Accounts held by University Council award recipients, i.e. Emeritus Professors and Fellows, remain
active until the University is advised that the account is no longer required.
The retention period applied to casual academic appointments is intended to ensure that account
holders retain their account while ever they continue to work consecutive sessions.
Revoking access to an account in advance of the accounts official closure is as outlined under the section
titled Account Withdrawal below.
Closure of an account means the account is frozen, i.e. the password is revoked, until such time as
the individual resumes employment or the account has been deactivated for 1 year, at which time it is
94
deleted. Should the individual resume employment, their account can be reactivated under the original
username and password if the account still exists.
Account holders who wish to be contactable on their account following its closure should ensure that
they record an automatic reply or forwarding prior to the closure of their account. The automatic
reply/forward will continue to operate until the account is deleted.
At this stage staff account usernames are not re-used.
The University reserves the right to undertake a periodic audit of sponsored accounts for the purpose
of validating active accounts.
Account Withdrawal
A users access to their staff account can be withdrawn in advance of their accounts official closure
given a written request from an appropriate staff member of the sponsoring organization.
Account access may also be temporarily withdrawn by ITS in response to a suspected policy violation.
A user whose access has been withdrawn may request reconsideration of the decision by the Chief
Technology Officer, or delegated person, who shall consider the withdrawal with the relevant Senior
Executive, Executive Dean, Faculty Executive Manager or Director. Following this, the Chief Technology Officer, or delegated person, shall confirm the withdrawal, or reinstate the account.
For further information on account withdrawal, refer to the section titled Compliance below.
0.8.10
Associate Accounts
Account Creation
The provision also exists for an individual to hold an associate account with the KFUPM.
Associate accounts apply to individuals who are granted access to the University IT facilities by virtue
of an affiliation with the University or one of its subsidiaries. Recognized affiliations are:
95
contractors and consultants providing services to the University or one of its subsidiaries, typically
involving a contract for services;
visiting academics of the University, other than those holding an honorary academic appointment
as in an honorary or visiting fellow;
members of the University Council;
A member of a recognized business or community affiliate of the KFUPM.
An associate account is created on receipt of an application from an individual, approved by a relevant head of unit or equivalent, or a recognized user account manager. Personal information collected
will only be used in accordance with the University privacy practices. For further information access
http://www.KFUPM.edu.au/about/privacy/ or contact the University Privacy Officer. item On application for an associate account an individual acknowledges their acceptance of the declaration to
abide by the KFUPM IT Policies.
Each associate account is created with a unique username, which can be up to 8 characters in length,
and is based on the account holders name.
An associate account is created with a maximum disk and email quota, as set by ITS. An Internet
quota is not imposed on Associate accounts but charges for usage apply to the relevant sponsoring
organization. Refer to the Internet Access Policy for further information on Internet quotas. item An
increase to the email quota of an associate account may be permitted given a request from the Senior
Executive, Executive Dean, Faculty Executive Manager or Director, made in writing and accepted by
the Chief Technology Officer or delegated persons.
96

Policy v1.0

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Policy v1.0

Uploaded by

Copyright:

Available Formats

Policy v1.

To Dr. Talal AlKharobi

Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Roles and Responsibilities for Information Security . . . . . . . . . . . . . . . . . . . .

Disclosure of Student Information . . . . . . . . . . . . . . . . . . .

Email Address Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

University Contact Directory . . . . . . . . . . . . . . . . . . . . . .

Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . .

Student Account Type . . . . . . . . . . . . . . . . . . . . . . . . .

Non-Capped Student Accounts . . . . . . . . . . . . . . . . . . . . .

Capped Student Accounts

Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . .

Administrations and Implementation Compliance . . . . . . . . . . . . . . .

Ownership of Email Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Privacy and Right of University Access . . . . . . . . . . . . . . . . . . . . .

Data Purging and Record Retention . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.10 Expiration of Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.11 Appropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.12 User Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.13 Departmental Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.14 Temporary User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.15 Supported Mail Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.16 Inappropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.2.1.16.1 The exchange of email content that: . . . . . . . . . . . . . . . . . .

0.2.1.16.2 Other improper uses of the email system include:

0.2.1.17 SPAM and Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Servers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Workstations and accessible systems . . . . . . . . . . . . . . . . . . . . . . .

Organizational and Non-Organizational Computers . . . . . . . . . . . . . .

Information Storage and Disposition . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Paper based information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requests for information from External Entities . . . . . . . . . . . . . . . .

Internal Monitoring and auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Violations and misuse of Information Security . . . . . . . . . . . . . . . . . . . . . . .

Storing Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . . .

Security Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . . .

Data Backup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Information to be Backed up and Schedules . . . . . . . . . . . . . . . . . . .

Data Backup Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Backup procedure Flowchart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Backup Procedures Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Internal Network and Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . .

Internal Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

System administration and User access management . . . . . . . . . . . . . . . . . . . . . . .

User Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Account Management Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Application and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Email Address and Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

0.8.10 Associate Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Information Security Policy

Roles and Responsibilities for Information Security

Electronic mail address,

1. Student Directory Information

Year and registration type,

5. Records of students as staff

Disclosure of Student Information When access to student information is granted to in-

11. Background checks

Email Address Policy

University Contact Directory

The name and contact details of an individual appear

Account Closure and Deletion

Student Account Type

Student accounts may be one of two types: non-capped or capped.