Objective
To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of Imam Abdulrahman Bin Faisal University, including all academic, administrative, and research data.
Executive Summary
Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the Imam Abdulrahman Bin Faisal University (IAU), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.
Imam Abdulrahman Bin Faisal University is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, and configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.
Information Security Policy Objectives
The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, learning, teaching and administrative functions.
The university is committed to protecting the security of its information and information systems. The following are the objectives of the information security policy:
- to protect academic, administrative and personal information from threats.
- to maintain the confidentiality, integrity and availability of the IAU information assets.
- to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.
- to protect from information security incidents that might have an adverse impact on IAU business, reputation and professional standing.
- to establish responsibilities and accountability for information security.
Information Security Principles
Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:
- Information is an asset and like any other business asset it has a value and must be protected.
- The systems that are used to store, process and communicate this information must also be protected.
- Information should be made available to all authorized users.
- Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the ‘data classification policy’.
- Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.
- All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.
- Information will be protected against unauthorized access.
- Compliance with this policy is compulsory for the IAU community.
Outcomes of the Policy
- Mitigation of the dangers and potential cost of IAU computer and information assets misuse.
- Improved credibility with the IAU community and partner organizations.
- Protected information at rest and in transit.
Policy Rationale
Imam Abdulrahman Bin Faisal University possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable, it could impair the University’s ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.
The information security policy has been laid down in accordance with the principles and guidelines defined and enforced by the ‘Communications & Information Technology Commission’ in the document titled “Information Security Policies and Procedures Development Framework for Government Agencies”.
Entities affected by this Policy
- All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
- Students studying at the University.
- Contractors and consultants working for or on behalf of the University.
- All other individuals and groups who have been granted access to the University’s ICT systems and information.
Business Impact of no Information Security
- Loss of critical campus information
- Higher costs due to waste of resources
- Damage to the reputation of the IAU
- Lack of corrective actions or repairs
- Violation of University and government regulatory policies and procedures
Policy Benefits
- It will address risks associated with the unauthorized disclosure, use, modification and deletion of university data.
- Improved and appropriate security measures for the data.
- Protect IAU information assets.
Policy Statement
Information is fundamental to the effective operation of the University and is an important business asset. The purpose of this Information Security Policy is to ensure that the information managed by the University is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently.
Applicability
- All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
- Students studying at the University.
- Contractors and consultants working for or on behalf of the University.
- All other individuals and groups who have been granted access to the University’s ICT systems and information.
Security Roles and Responsibilities
All members of the University have direct individual and shared responsibilities for handling information or using university information resources to abide by this policy and other related policies. In order to fulfill these responsibilities, members of the University must:
- be aware of this policy and comply with it,
- understand which information they have a right of access to,
- know the information, for which they are owners,
- know the information systems and computer hardware for which they are responsible.
Information Users
Every member of the university community who has legitimate access to the university ICT resources is responsible for abiding by this policy. No individual should be able to access information to which they do not have a legitimate access right. Information users should neither violate this policy nor allow others to do so. Information users must be aware of the nature of the information to which they have been granted access and must handle information carefully according to its classification. They should protect the confidentiality of information and not give access to other illegitimate individuals knowingly or unknowingly.
For the purpose of information security, access to all email servers other than the Imam Abdulrahman Bin Faisal University email server will be blocked through University network resources.
Information Owners
The information owners have responsibility to maintain the confidentiality, integrity and availability of information. In particular:
- Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive and critical information assets and classify it according to the University ‘Data Classification Policy’.
- Heads of departments, departmental administrators and IT support staff are responsible for the confidentiality, integrity and availability of information maintained by members of their department, such as students’ academic records. They are also responsible for the security of all departmentally operated information systems.
- Data and systems managers in support services are responsible for the confidentiality, integrity and availability of information, such as student, personnel and financial data.
- Project managers leading projects for the development or modification of information systems are responsible for ensuring that projects take account of the needs of information access and security and that appropriate and effective control mechanisms are instituted, so that the confidentiality, integrity and availability of information is guaranteed.
- Information owners will conduct risk assessment of their information assets and may recommend the mitigation strategies.
- Any information security incident will be reported to the chief security officer.