ICT Policies & Procedures


14/01/2015 Approved by: Dr. Saad Al-Amri


Contents

• Acceptable Use Policy
• Backup Policy and Procedures
• Bandwidth Use Policy
• Data Classification Policy
• Information Security Policy
• Network Access Control Policy
• OneDrive Cloud Storage Policy
• Password Policy
• ICT User Authentication Policy
• Web Hosting Policy with Third-Party Service Providers
• Core ICT Services Service Level Agreement


Acceptable Use Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.2

Policy: Acceptable Use Policy

Posted Date:

Approval Date:

Page:

Objective: To ensure the appropriate use of the University’s Information and Communication Technology (ICT) Services and define the responsibilities of users of the University’s ICT Services and Infrastructure.

Responsible Official:

Responsible Office:

Signature:

ITC Reference Policies :

(a) Information Security Policy

(b) Password Policy

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. These facilities are expected to be used for educational, instructional, research, professional development and administrative activities of the University. The use of these resources is a privilege that is extended to qualified members of the community. Access to computers, computing systems and networks owned by the University imposes certain responsibilities and obligations and is subject to university policies and codes and the Kingdom’s local laws. It is important that these ICT resources are used for the purpose for which they are intended. All users of these resources must comply with specific policies and guidelines governing their use, and act responsibly while using shared computing and network resources.

The ICT Acceptable Use Policy (AUP) informs the University’s faculty, support staff, students, management and other individuals authorized to use University facilities of the regulations relating to the use of ICT systems. The University expects users to use the ICT facilities in an appropriate and responsible manner in accordance with this policy. Anyone who abuses the privilege of the ICT resources, either directly by promoting inappropriate activities and by misuse, or indirectly by inadvertently allowing unauthorized users access for personal and professional purposes, will be subject to sanctions or legal action.

Introduction

The University provides ICT for its educational purposes, particularly teaching and research, as well as for reasonable personal use which is acceptable to the University environment. University of Dammam allows users to access the computing and network resources in order to facilitate them in carrying out their duties, and the university expects these resources to be used for purposes related to their jobs and not for unrelated purposes. These resources include all university owned, licensed, or managed hardware and software, and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network. The purpose of this policy is to promote the efficient, ethical and lawful use of the University of Dammam’s computer and network resources.

Acceptable Use Policy Objectives


The following are the objectives of acceptable use policy:

1. Provide guidelines for the conditions of acceptance and the appropriate use of the computing and networking resources provided for use by academic, professional and support staff and students of the University.

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.

3. Encourage users to understand their own rights and responsibility for protecting the University ICT resources.

4. Protect the privacy and integrity of data stored on the University network.

5. Elaborate the consequences of the inappropriate use of these resources.

Outcomes of the Policy

By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Policy Rationale

There needs to be commitment to protect UOD faculty, students, staff, management and contractors from illegal or damaging action by individuals, either knowingly or unknowingly. Inappropriate use of these ICT resources exposes UOD to risks including virus attacks, compromise of network systems and services, and legal issues.

Entities affected by this Policy

This policy applies to all the community of University of Dammam using computing and network resources. These include:

• Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.

• All ICT equipment connected (locally or remotely) to University servers.

• ICT systems owned by and/or administered by the Deanship of ICT.

• All devices connected to the University network irrespective of ownership.

• Connections made to external networks through the University network.

• All external entities that have an executed contractual agreement with the University.

Business Impact of No AUP

The potential adverse business impact to the university due to lack of acceptable use policy may include:

• Violations of either personal or copyrighted material

• Security breaches

• Bad publicity and embarrassment to individuals or University

• Identity or financial fraud

Policy Benefits

1. It will define the responsibilities of users of the University’s ICT Services and Infrastructure.

2. It will deter unacceptable ICT use by declaring the punitive actions for such an act.

3. Fair use of services.

4. Better service quality.

Section B – Policy Statement:

Acceptable Use Policy Statements:

1. This policy applies to all users of computing resources owned or managed by University of Dammam. Individuals covered by the policy include (but are not limited to) UoD faculty and visiting faculty, staff, students, alumni, guests or members of the administration, external individuals and organizations such as contractors and their employees accessing network services via UoD’s computing facilities.

2. The resources should be used for the purpose for which they are intended.

3. Users must adhere to the confidentiality rules governing the use of passwords and accounts, details of which must not be shared.

4. Users may use only the computers, computer accounts, and computer files for which they have authorization.

5. The university encourages and promotes using the university email for administrative, learning and professional purposes. Hence, the users must use their university email in their business communications.

6. The only way to access the university’s network is to have a valid account, and any other way, such as plugging one’s own internet connection into the university network, shall be considered a violation.

7. All users of the university’s network and computing resources are expected to respect the privacy and personal rights of others.

8. The University reserves the right to monitor all activities performed by the users on the internet by recording and reporting without the consent of the user.

9. The University has the right to block any site or group of sites according to its policies and will take necessary action against any use that violates this policy.

10. The University reserves the right to make any amendments in this policy at any time.

11. Users who discover security problems or suspicious activity must immediately contact Technical Support of the DICT.

Unacceptable Use Policy

1. Users must not use the university network in any illegal manner, e.g. commercial purposes, nor use it to log in to or browse illegal web sites or content.

2. Users must not disclose their login information, nor access or copy another user’s email, data, programs, or other files.

3. Users must not attempt to violate or compromise the security standards on the University network or any other device connected to the network or accessed through the Internet.

4. The University network may not be used for the creation, dissemination, storage and display of obscene or pornographic material, abusive, indecent, obscene, and defamatory or hate literature etc.

5. University users should not create illegal copies of, or otherwise violate, copyright protected material in order to use or save such copies on University devices or send them through the University network. This policy also prohibits illegal use such as sending, downloading or publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against the Islamic values.

6. This policy prohibits users from adding, deleting, or modifying any information on the university network in an attempt to disrupt or mislead others.

7. Users are not allowed to engage in any activity that may adversely affect the ability of others to use the Internet services provided by the university, e.g. denial of service attacks, hacking, viruses, consuming gratuitously large amounts of system resources (disk space, CPU time, print quotas, and network bandwidth) or deliberately crashing the machine(s).

8. The university prohibits downloading any programs and installing them on the university’s computers. Any such request should be made through DICT technical support.

9. Non-serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal areas is not permitted.

10. DICT is not responsible for the internet content browsed by the end user, or for problems that might happen to the user from browsing untrusted websites.

Policy Breaches:

Anyone who breaches this policy will be subject to any or all of the following actions:

a. Suspension of the university internet account/access.

b. The referral of the case to the University management along with supporting evidence for an appropriate action.

c. The case may be investigated by the Communication & Information Technology Commission (CITC), Saudi Arabia, which may initiate a criminal investigation according to the e-crimes regulations. More information regarding these regulations may be found here.

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Device - Any computer or electronic device capable of accessing, storing and communicating data.

End Host Device - An electronic device which can be connected to a network. End Host Devices include, but are not limited to:

• Desktop computers
• Notebook computers
• Workstations
• Servers
• Network Printers
• Telecommunications equipment
• Wireless Devices and
• Other network aware devices

ICT Facilities – All computers, terminals, telephones and communication links, end host devices, licences, centrally managed data, computing laboratories, video conference rooms, and software owned or leased by the University.

ICT Infrastructure – All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


Backup Policy and Procedures


Deanship of Information & Communications Technology

Policy Number: ICT.2013.4

Policy: Backup Policy and Procedures

Posted Date:

Approval Date:

Page:

Objective: This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. Also it lays emphasis on verifying that backups and recoveries are completed without errors.

Responsible Official:

Responsible Office:

Signature:

ITC Reference Policies :

(a) Information Security Policy

(b) Operational Unit Data Center SLA

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. The unprecedented growth in data volumes has necessitated an efficient approach to data backup and recovery. Deanship of Information & Communications Technology (DICT) recognizes that the backup and maintenance of data for servers are critical to the viability and operations of the respective departments. It is essential that certain basic standard practices be followed to ensure that data files are backed up on a regular basis.

This document defines the backup policy for computer systems within the organization which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. The policy outlines the minimum requirements for the creation and retention of backups. The main purpose of this policy is to provide secure storage for data assets critical to the work flow of official university business, prevent loss of data in the case of accidental deletion / corruption of data, system failure, or disaster, and permit timely restoration of archived data in the event of a disaster or system failure.

Introduction

This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. Also it lays emphasis on verifying that backups and recoveries are completed without errors.

Purpose

To ensure server and data continuity and to support the retrieval and restoration of archived information in the event of a disaster, equipment failure, and/or accidental loss of files.

Goals


The goals of this backup policy will be as follows:

• to safeguard the information assets of University of Dammam (UoD) Community.

• to prevent the loss of data in the case of accidental deletion or corruption of data, system failure, or disaster.

• to permit timely restoration of information and business processes should such events occur.

• to manage and secure backup & restoration processes and the media employed within these processes.

Scope

The Deanship of ICT (DICT) operational Unit (OU) is responsible for providing policy-based, system level, network-based backups of server systems under its stewardship. This document outlines the policies for backup implementation that define:

• Selections: what information needs to be backed up on which systems.

• Priority: relative importance of information for the purpose of performing backup jobs.

• Type: the frequency and amount of information to be backed up within a set of backup jobs.

• Schedule: the schedule to be used for backup jobs.

• Duration: the maximum execution time a backup job may execute prior to its adversely affecting other processes.

• Retention Period: the time period for which backup images created during backup jobs are to be retained.

Backup Creation

Backups will be created using industry standard data backup software that supports “enterprise level” data assurance. The product, defined by the data backup standard, must support scheduled backups, full or differential or incremental backups, and centralized management.

System Backup Profiles

The DICT Operational Unit maintains the following type of backup profiles:

1. Standard Backup:

• The standard backup is provided for most centralized University computer systems.

• The backup could be full, differential or incremental. The frequency of backup could be daily, weekly or monthly and is dependent upon the application. The retention of these backups could vary from 1 week up to 2 months.

• For some applications backup is performed on a day and time agreed upon by the OU and application owner.

• Appendix I shows the applications along with backup type, frequency of backup and retention period.

2. Critical System Backup:

• Certain enterprise-wide systems are deemed critical to University operations and dictate longer retention periods from 6 months up to 1 year.

• The type, frequency and retention period is different for different applications.

• Prior to a major upgrade of a production system, database, or application, a full system backup is performed and retained for 6 months.

• Appendix I shows the applications along with backup type, frequency of backup and retention period.

3. Special Request Backup:

Some departments or applications may require an exception to the standard backup retention periods mentioned above. Exceptions are permitted, but must be fully documented.

4. No Backup:

ICT Services is responsible for backing up data that is stored in central systems and databases. Data residing on individual workstation hard drives is the responsibility of the user to back up. Furthermore, the systems that fall under this category might include development or test systems that do not contain important business or academic data. Students, faculty, staff and third parties who store data on University equipment are responsible for ensuring the data is stored in a way that will ensure it is properly backed up. However, most systems that are centrally managed by DICT are backed up on one of the schedules listed above.

Storage Locations and Retention Period of Backups

Unless a system supporting an application or business function requires a custom retention period, DICT will maintain full and incremental backups. Backup tapes for the current weekly backup period will be stored within the DICT for purposes of current backups and restores.

Tapes representing backups from the former weekly backup period will be stored within a secured, fireproof place until such time as the backup images stored on these tapes expire and the tapes are re-used or destroyed.

After a successful backup, it will be stored in a secure, off-site media vaulting location for an appropriate period for disaster recovery purposes.

This will ensure that no more than one week of information would be lost in the event of a disaster in which campus systems and backup images are destroyed. After the period of six months has elapsed, the tapes may ‘optionally’ be returned to DICT and re-used or destroyed.

Backup Verification

On a periodic basis, logged information generated from each backup job will be reviewed for the following purposes:


• to check for and correct errors

• to monitor duration of the backup job

• to optimize backup performance where possible

DICT will identify problems and take corrective actions to reduce any risks associated with failed backups. Test restores from backup tapes for each system will be performed. Problems will be identified and corrected. This will work to ensure that both the tapes and the backup procedures work properly.

DICT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

Media Management

Media will be clearly labeled and logs will be maintained identifying the location and content of backup media. Backup images on assigned media will be tracked throughout the retention period defined for each image. When all images on the backup media have expired, the media will be re-incorporated amongst unassigned (available) media until reused. Periodically and according to the recommended lifetime defined for the backup media utilized, DICT will retire & dispose of media so as to avoid media failures.

Storage, Access, and Security

All backup media must be stored in a secure area that is accessible only to designated OU staff or employees of the contracted secure off-site media vaulting vendor used by DICT. Backup media will be stored in a physically secured, fireproof place when not in use. During transport or changes of media, media will not be left unattended.

Retirement and Disposal of Media

Prior to retirement and disposal, DICT will ensure the following:

• the media no longer contains active backup images or that any active backup images have been copied to other media.

• the media’s current or former contents cannot be read or recovered by an unauthorized party.

• with all backup media, CICT will ensure the physical destruction of the media prior to disposal.

Disaster Recovery Considerations

As soon as is practical and safe post-disaster, DICT will:

• Restore existing systems to working order or obtain comparable systems in support of defined business processes and application software.

• Restore the backup system according to documented configuration so as to restore server systems.

• Obtain all necessary backup media to restore server computing systems.

• Restore server computing systems according to the priority of systems and processes as outlined for restoration and recovery in the Disaster Recovery Plan.

Documentation

Essential documentation will be maintained for orderly and efficient data backup and restoration. The person-in-charge of data backup should fully document the following items for each generated data backup:

Action items (table columns: S. No., Action Item, Action):

• Date of data backup

• Type of data backup (incremental, differential, full)

• Number of generations

• Responsibility for data backup

• Extent of data backup (files/directories)

• Data media on which the operational data are

• Data media on which the backup data are stored

• Data backup hardware and software (with version number)

• Storage location of backup copies


Bandwidth Use Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.5

Policy: Bandwidth Use Policy

Posted Date:

Approval Date:

Page:

Objective: The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users by proper management and control of bandwidth. All in all the bandwidth usage policy shall set guidelines important to use bandwidth as a scarce resource in the university.

Responsible Official:

Responsible Office:

Signature:

ITC Reference Policies :

(a) Acceptable Use Policy

Executive Summary

University of Dammam provides high speed internet access as a service to its management, faculty, students, researchers and administrative staff. The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users by proper management and control of bandwidth. The bandwidth is a precious shared resource and hence ought to be dedicated for teaching, learning and research purposes. Its usage should be in line with the university mission, vision and strategy. This bandwidth policy is prepared to define the appropriate use of bandwidth in the university so that optimum gains are achieved from the network.

Bandwidth Use Policy Objectives

The following are the objectives of the policy:

1. to establish awareness and accountability for bandwidth use

2. to educate the users of the priority related to internet traffic

3. to provide guidelines for responsible use

Scope

The aim of this policy is to manage bandwidth use proactively in order to avoid degradation of network performance. This policy applies to all users of University of Dammam accessing computing and internet resources, whether initiated from a computer and/or network device located on or off campus.

Audience

This policy shall apply to all faculty, management, staff and students of University of Dammam and guests who are given access to the UoD network. All users are to be made aware of the policy and sign it as appropriate.

Section B – Policy Statement:

Bandwidth may be used for any activity supporting teaching, research and consultancy in such a way that it will not prevent other users from using the same.

DICT maintains the right to use monitoring tools that log and analyze bandwidth usage of all users of the network. However, the collected data is to be used exclusively for the purpose of enhancing proper bandwidth usage.

DICT maintains the right to block any traffic that is not in line with the university mission and vision and that wastes bandwidth.

DICT maintains the right to give priority for one type of traffic over the other based on predefined rules.

Whenever necessary, DICT maintains the right to give priority to some users over others by giving them more access to bandwidth. This will be based on the relevance of the work to the university’s mission.

DICT maintains the right to enforce user authentication for using the Internet by assigning users accounts and keeping logs of usage history for analysis of users’ usage behavior. Users will be responsible for all usage history registered in their account.

DICT Internet users shall use the proxy server to access the Internet for centralized bandwidth monitoring and management purposes.

Bandwidth may not be used for any non-educational activities or activities that consume bandwidth for the benefit of a few users.

Users should not engage in activities such as hacking, cracking, spamming, streaming, web serving and P2P file sharing using the university’s resources.

DICT users may not be allowed to do tasks that disturb the bandwidth management and optimization system on any machine connected to the network.

Bandwidth quotas are applied to all traffic passing between student computers and the Internet.

Excessive use of the network

To ensure that all qualified users making use of the internet resources receive a fair share of the bandwidth available, each individual’s bandwidth is limited to no more than 1GB in a rolling 24-hour period.

Individual bandwidth will be calculated as the combined network traffic from all personal computer systems used. This includes use of the wired network service, the VPN and wireless network services. However, the internal university traffic including email services and access to central file servers will be exempted.

Exceptions

Users who have a genuine academic requirement for a larger quota should identify this need before exceeding their quota, and should then follow the process below:

o Obtain authorization for a higher quota from user’s respective Dean or Manager

o Present the request and supporting authorization to the DICT and be prepared for a discussion.

o Properly supported requests will normally be granted, provided that their impact on the use of the network as a whole is not disproportionate.

Consequences of exceeding the Bandwidth usage

Users will be allocated to a restricted network which will allow access to only authorized university web based systems. This includes university website, departmental websites, VLE and SIS.

Users should use this time to identify the cause of the high bandwidth usage. Users who require help rectifying the problem should contact the ICT Service Desk.

This withdrawal of network services only applies to your personal computer. Your university account is still fully operational and you will be able to use computing facilities in your department or library.

Appeals

To appeal, contact the ICT Service Desk and clearly state the grounds on which your appeal is based. You should only appeal against the decision if you believe that:

o You have not exceeded the bandwidth limits for the service (1GB in any 24 hour period).

o You have mitigating circumstances to warrant a review of the penalty.

The following reasons would NOT be acceptable grounds for appeal:

o You were unaware that your actions were illegal / in breach of the Conditions of Use of the network.

o Your guest or friend made use of your connection.

o You accidentally left your computer system switched on downloading copyrighted content.

o You know of other users currently downloading similar content on the network.

Definitions

The following terms are used in this document.

Bandwidth: the transmission capacity of a computer or a communications channel stated in megabits per second (Mbps).

Monitoring tools: logging and analysis tools used to accurately determine traffic flows, utilization, and other performance indicators on a network.

Authentication: the process that validates a user’s logon information by comparing the user name and password to a list of authorized users.

Proxy server: A software package running on a server positioned between an internal network and the Internet.

Mirror site: A duplicate Web site that contains the same information as the original Web site and reduces traffic on that site by providing a local or regional alternative.

Hacking: using a computer or other technological device or system in order to gain unauthorized access to data held by another person or organization.

P2P file sharing: direct communication or sharing of resource between commercial or private users of the Internet.

Streaming: the playing of sound or video over the Internet or a computer network in real time.


Data Classification Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.3

Policy: Data Classification

Posted Date:

Approval Date:

Page:

Objective: To ensure UOD’s information assets are identified, properly classified, and protected throughout their lifecycles.

Responsible Official:

Responsible Office: Quality Unit

Signature:

ITC Reference Policies:

(a) Information Security Policy

(b) Acceptable Use Policy

Data classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.

University of Dammam must protect its institutional assets as the data is prepared, managed, used, or retained by one of the constituent units or an employee relating to the activities or operations of the university. This does not include individually-owned data not related to university business. The policy will help educate the university community about the importance of protecting data generated, accessed, transmitted and stored by the university, to identify procedures that should be in place to protect the confidentiality, integrity and availability of university data and to comply with privacy and confidentiality of information.

Data Classification Policy Objectives

The purpose of this policy is to establish a framework for classifying University of Dammam data based on its level of sensitivity, value and criticality to its business activities. The following are the objectives of data classification policy:

1- Assist UOD community in the assessment of data to determine the level of security, which must be implemented to protect that data whether it is in paper copy or on the information system for which they are responsible.

2- Protect UOD’s data in terms of availability, confidentiality and integrity.

3- Identify who gets access to which kind of data.

4- Implement security provisions against unauthorized access.


Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:

1. Better aware and informed university community regarding data and its value.

2. Mapped data protection methods with the university policies.

3. Accountability of the management and use of data.

4. Appropriate levels of confidentiality, integrity and availability in place.

Policy Rationale

The classification of data, information, and documents is essential to differentiate between non-sensitive and sensitive / confidential information. When data is stored, created, amended or transmitted, it should be appropriately classified and protected in accordance with the sensitivity level.

The privacy, security, and integrity of data are critical to the university business. It is also necessary to evaluate the impact to the university should that data be disclosed, altered or destroyed without authorization. Classification of data will aid in determining baseline security controls for the protection of data.

Data classification provides several benefits by providing an inventory of university information assets. In many cases, information asset owners aren’t aware of all of the different types of data they hold. It will also allow ICT to work with departments to develop specific security requirements that can be readily utilized.

Entities affected by this Policy

This policy applies to all University administrative data, all user-developed data sets and systems that may access this data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Audience

All faculty, management, staff, students, employees as well as third-party contractors, consultants and guests should abide by this policy.

Business Impact of no data classification

The potential adverse business impact to the university due to lack of data classification policy may include:

• Loss of critical campus operations

• Loss of opportunities or value of the data

• Damage to the reputation of the campus

• Lack of corrective actions or repairs

• Violation of University mission and policies

Policy Benefits

1. The university community will become familiar with this data classification policy and will consistently use it in their daily business activities.

2. Consistent use of data classification reinforces with users the expected level of protection of data assets.

3. It will address risks associated with the unauthorized disclosure, use, modification, and deletion of university data.

4. Improved and appropriate security measures for the data.

Policy Relevance for UOD Community

Category High Medium Low Notes

The organization

Administration

Staff

Faculty

Students

Other(s)

Section B – Policy Statement:

The UOD data classification policy provides a framework for assessing data sensitivity measured by the adverse business impact a breach of data would have on the campus from risks including, but not limited to, unauthorized use, access, modification, disclosure, destruction and removal. Thus all members of the university community have a responsibility to understand data classification and protect university data. This policy outlines measures and establishes protection profile requirements for each class of data. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action.

Data Classification

The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Reasonable precautions and protections should be taken, regardless of classification. All UOD institutional data has been classified into four levels or classifications:

Tier 1 - High Confidential Data

Data is classified as Confidential when an unauthorized disclosure, alteration or destruction of that data will cause a significant level of risk to the University. Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk and access approval will be determined by the data owner or risk committee.

Tier 2 - Confidential Data

Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure.

Tier 3 - Internal Data

Data is classified as Internal/Private for all the information assets that are not explicitly classified as Confidential or Public data. A reasonable level of security controls should be applied to internal data.

Tier 4 - Public Data

Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Data Classification and Handling

Definition

• Public: Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods and disclosure, alteration or modifications will cause no risk to the university
• Internal: Routine or daily operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but these are not widely available to the public
• Confidential: Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure
• High Confidential: Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the university (embarrassment, financial loss, etc.)

Examples

• Public: brochures, news releases, pamphlets, web sites, internal phone directories, marketing materials
• Internal: Routine correspondence, employee newsletters, inter-office memoranda, internal policies & procedures
• Confidential: Intellectual property licensed and/or under development, records, purchasing information, vendor contracts, system configurations, system logs, risk reports, RFP, RFI etc.
• High Confidential: Protected Health Information (PHI), Student Identifiable Information, department financial data, personnel information, credit or bank details, contract research protocols

Transmissions

1. E-mail within the organization

• Public: No special handling required
• Internal: No special handling required, but reasonable precautions should be taken
• Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner
• High Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner

2. E-mail outside of the organization

• Public: No special handling required
• Internal: No special handling required, but reasonable precautions should be taken
• Confidential: Use of e-mail strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner
• High Confidential: Encryption is required.

3. Data transfers (file transmissions, website, etc.)

• Public: No special precautions are required
• Internal: Encryption is recommended but not required
• Confidential: Encryption is required
• High Confidential: Encryption is required

4. Data print and printer location

• Public: No restrictions
• Internal: Printer to be located in an area not accessible by general public
• Confidential: Monitoring required and removal of the printed material immediately
• High Confidential: Monitoring required and removal of the printed material immediately

Backup and Recovery

• Public: Should be backed up monthly and incrementally based on content change
• Internal: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
• Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
• High Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability. Never overwrite the most recent backups

Storage

1. Printed materials

• Public: No special precautions required
• Internal: Reasonable precautions to prevent access by nonemployees.
• Confidential: Storage in a secure manner, e.g. secure area, lockable enclosure. Must be locked when unattended
• High Confidential: Storage in a lockable enclosure. Must be locked when not in use

2. Electronic documents

• Public: Storage on all drives allowed but access controls must be enforced
• Internal: Storage on all drives allowed but access controls must be enforced
• Confidential: Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet.
• High Confidential: Storage on secure drives only. Password protection of document preferred.

3. Emails

• Public: No special precautions required
• Internal: Reasonable precautions to prevent access by non-staff & employees
• Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials
• High Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials

4. Portable devices

• Public: No special precautions required
• Internal: Use lockable containers or devices
• Confidential: Use lockable containers or devices.
• High Confidential: Use lockable containers or devices.

5. Storage by third party

• Public: No special precautions required
• Internal: Secured with lockable enclosures and access controls required
• Confidential: Secured with lockable enclosures and access controls required
• High Confidential: Secured with lockable enclosures and access controls required

Marking

1. Documents

• Public: No restrictions
• Internal: “Internal Use Only” note at the bottom
• Confidential: “Confidential” note at the top
• High Confidential: “Confidential” at the top and bottom

Physical Security

1. Workstations

• Public: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• Internal: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• High Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

2. Servers

• Public: Not permitted
• Internal: Secured area location and limited access based on the job responsibilities
• Confidential: Secured area location and limited access based on the job responsibilities
• High Confidential: Secured area location and limited access based on the job responsibilities

3. Printing

• Public: No restrictions
• Internal: Printouts to be collected immediately
• Confidential: Minimize the prints and collect immediately
• High Confidential: Print only when necessary and do not leave unattended

4. Office access

• Public: No restrictions
• Internal: No restrictions
• Confidential: Access to the sensitive area must be restricted using access control
• High Confidential: Access to the sensitive area must be restricted using access control. Confidential information must be kept under lock.

5. Portable devices

• Public: Devices must not be left unattended at any time
• Internal: Devices must not be left unattended at any time
• Confidential: Devices must not be left unattended at any time. Consider using lock and access control
• High Confidential: Devices must not be left unattended at any time and must be placed under lock and access control

Access Control

• Content changes by only authorized persons
• Password access control
• Password access control
• Content changes based on the data owner and business needs
• Password/Biometric/Authentication based access control
• Content changes based on the data owner and business needs


Responsibilities

Data owners are responsible for appropriately classifying data.

Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.

Data users are responsible for complying with data use requirements and must report immediately any breach of the policy to the data owner.

Data users are responsible for immediately referring requests for public records to the University Relations Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include suspension or termination from UOD or legal action as determined by the legal department.

Definitions

The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.

Confidential - Sensitive data that must be protected from unauthorized disclosure or public release.

Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.

Data custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.

Data owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.

Data user - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.

Impact – A combination of data confidentiality, integrity and availability.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.

Public - Data for which there is no expectation for privacy or confidentiality.



Information Security Policy


Deanship of Information & Communications Technology

Posted Date: Policy Number:

ICT.2013.1

Policy: Information Security Policy Approval Date: Page:

Objective: To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of University of Dammam, including all academic, administrative, and research data.

Responsible Official: Information Security Officer

Responsible Office: Operational Unit

Signature:

ITC Reference Policies :

(a) Data Classification Policy

Executive Summary

Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the University of Dammam (UOD), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.

University of Dammam is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.

Information Security Policy Objectives

The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, learning, teaching and administrative functions.

The university is committed to protecting the security of its information and information systems. The following are the objectives of information security policy:

1. to protect academic, administrative and personal information from threats.

2. to maintain the confidentiality, integrity and availability of the UOD information assets.

3. to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.

4. to protect against information security incidents that might have an adverse impact on UOD business, reputation and professional standing.

5. to establish responsibilities and accountability for information security.

Information Security Principles

Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:

• Information is an asset and like any other business asset it has a value and must be protected.

• The systems that are used to store, process and communicate this information must also be protected.

• Information should be made available to all authorized users.

• Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the ‘data classification policy’.

• Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.

• All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.

• Information will be protected against unauthorized access.

• Compliance with this policy is compulsory for UOD community.

Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:

1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.

2. Improved credibility with the UOD community and partner organizations.

3. Protected information at rest and in transit.

Policy Rationale

University of Dammam possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable, it could impair the University’s ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.

The information security policy has been laid down in accordance with the principles and guidelines defined and enforced by the ‘Communications & Information Technology Commission’ in the document titled “Information Security Policies and Procedures Development Framework for Government Agencies”.

Entities affected by this Policy

• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.

• Students studying at the University.

• Contractors and consultants working for or on behalf of the University.

• All other individuals and groups who have been granted access to the University’s ICT systems and information.

Business Impact of no Information Security

The potential adverse business impact to the university due to lack of information security policy may include:

• Loss of critical campus information

• Higher costs due to waste of resources

• Damage to the reputation of the UOD

• Lack of corrective actions or repairs

• Violation of University and government regulatory policies and procedures

Policy Benefits

1. It will address risks associated with the unauthorized disclosure, use, modification and deletion of university data.

2. Improved and appropriate security measures for the data.

3. Protect UOD information assets.

Section B – Policy Statement:

Information is fundamental to the effective operation of the University and is an important business asset. The purpose of this Information Security Policy is to ensure that the information managed by the University is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently.

A. Applicability

• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.

• Students studying at the University.

• Contractors and consultants working for or on behalf of the University.

• All other individuals and groups who have been granted access to the University’s ICT systems and information.

B. Security Roles and Responsibilities

All members of the University have direct individual and shared responsibilities for handling information or using university information resources to abide by this policy and other related policies. In order to fulfill these responsibilities, members of the University must:

• be aware of this policy and comply with it,

• understand which information they have a right of access to,

• know the information, for which they are owners,

• know the information systems and computer hardware for which they are responsible.

Information Users

Every member of the university community who has legitimate access to the university ICT resources is responsible for abiding by this policy. No individual should be able to access information to which they do not have a legitimate access right. Information users should neither violate this policy nor allow others to do so. Information users must be aware of the nature of the information to which they have been granted access and must handle information carefully according to its classification. They should protect the confidentiality of information and should not give access to individuals without a legitimate access right, knowingly or unknowingly. For the purpose of information security, access to all email servers other than the University of Dammam email server will be blocked through University network resources.

Information Owners

The information owners have responsibility to maintain the confidentiality, integrity and availability of information. In particular:

• Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive and critical information assets and classify them according to the University ‘Data Classification Policy’.

• Heads of departments, departmental administrators and IT support staff are responsible for the confidentiality, integrity and availability of information maintained by members of their department, such as students’ academic records. They are also responsible for the security of all departmentally operated information systems.

• Data and systems managers in support services are responsible for the confidentiality, integrity and availability of information, such as student, personnel and financial data.

• Project managers leading projects for the development or modification of information systems are responsible for ensuring that projects take account of the needs of information access and security and that appropriate and effective control mechanisms are instituted, so that the confidentiality, integrity and availability of information is guaranteed.

• Information owners will conduct risk assessment of their information assets and may recommend the mitigation strategies.

• Any information security incident will be reported to the chief security officer.

Definitions

The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.

Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.

Data Custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.

Data Owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.

Data User - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.

ICT Infrastructure- All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.

Impact – A combination of data confidentiality, integrity and availability.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.

Information System - Any tangible item such as hardware, software, communications facilities and networks, used to store, process and transmit Information Assets owned, controlled, or hosted by the University.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.



Network Access Control Policy


Deanship of Information & Communications Technology

Posted Date: Policy Number:

ICT.2014.1

Policy: Network Access Control Approval Date: Page:

Objective: The purpose of the Network Access Policy is to establish the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of UOD information.

Responsible Official:

Responsible Office:

Signature:

ITC Reference Policies :

(a) Acceptable Use Policy

(b) Information Security Policy

Executive Summary

In order to comply with information security policy and data classification policy, the Deanship of ICT has implemented a network access control (NAC) policy that will challenge computers and devices that try to access network resources. The policy lays down the principles used to secure the campus wired and wireless networks through user authentication. It ascertains that only authorized students, faculty and staff gain access to our network by checking that computer systems meet established policy configuration requirements. The purpose of the NAC is to ensure that computers and devices trying to gain access to the network resources have a minimum requirement of both Operating System versions and patches and Anti-Virus software. If a computer and/or device meets the minimum requirements, it is granted access to the network. If a computer does not meet the requirements, then it will be given limited access to the Internet in order to update and/or install Operating System updates/Anti-Virus software.

Introduction

Network access control (NAC) is a method of assessing devices and computers that try to use network resources (file shares, printers, web pages, etc) to see if they meet certain criteria, as defined by the University, such as requiring anti-virus software and the most recent operating system patches.

Network access control policies will define who is allowed access to which physical locations and logical resources. The policy enforcement will ensure that all computers that use network resources have both updated anti-virus software and updated operating system (Windows 7, etc) patches applied. NAC allows us to grant access to computers that meet these requirements, and deny access while still allowing temporary Internet access to address the requirements that are not met.

To provide a more stable and secure network, UOD employs a Network Access Control (NAC) system assuring that devices connected to the network meet these minimum security requirements:

▪ Each desktop computer or other listed device must be authenticated using UOD ID and password and joined to domain.

▪ Must be running Microsoft Windows 7 with SP1 operating System.


▪ Must have Symantec Endpoint Protection AntiVirus software with current definitions.

▪ Firewall feature is installed and enabled.

Rationale:

Given the need to respond to security incidents on campus, and an obligation to protect our valuable network resources, UOD must be able to identify every individual who connects to the campus network. For these reasons, UOD has implemented a network access control to be used by all students, employees and others to authenticate for campus network use. This will also provide a single point for collecting and reporting on user access to information for security incident investigations.

NAC Policy Objectives

The following are the objectives of the policy:

1. Prevent unauthorized physical and logical access

2. Use appropriate and robust identification and authentication techniques to control access

3. Use unique identifiers for all users

4. Ensure good password policies are implemented

5. Implement measures to prevent and trace misuse of general access machines

Outcomes of the Policy

By enforcing the NAC policy, we aim to achieve the following outcomes:

1. Access to systems by default and explicitly authorize access.

2. Network access to confidential information is secured with appropriate encryption and authentication

Entities affected by this Policy

This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.

Supported Operating Systems and Browsers for endpoints

OS Support (Genuine OS only): Supported Browser

• Windows 8 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 10

• Windows 7 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 9 and later; Google Chrome 11 and later; Mozilla Firefox 5 and later

• Apple iOS 6.1, 6, 5.1, 5.0.1, 5.0: Safari 5, 6, 7; Firefox 5

• Apple Mac OS X 10.6, 10.7, 10.8: Mozilla Firefox 3.6, 4, 5, 9, 14, 16; Safari 4, 5, 6; Google Chrome 11

• Google Android 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2: Native browser; Mozilla Firefox 5

• VMware ESX 4.x, ESXi 4.x, ESXi 5.x

NAC Process:

1. Once you join/register your computer or device, agent software will run automatically to scan your computer for compliance with the OS, antivirus and firewall requirements.

2. If you FAIL the scan, you must contact the ICT help desk for an appropriate update.

3. If you PASS the scan, your computer will be allowed FULL access to all network resources and the Internet.

Wired Access:

NAC for employees:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an up- date not older than 5 days.

• Compliant machines will get access to UoD network based on the agreed policy – Full Ac- cess based on the Port VLAN membership.

• Non-compliant Domain PC/users will be denied access to the corporate network including the Internet connection

NAC for Students:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update not older than 5 days.

• Compliant machines will get access based on the agreed policy – Partial Access to SIS Servers and Internet connection.

• Non-compliant Domain PC/users will be denied access to the SIS Servers including Internet connection.

Wireless Access

NAC for Employee:

• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will be granted access to UC services using their mobile devices after profiling.

• Compliant users will get access to Internet but no internal network access.

• Non-compliant users will be denied access even to Internet.

NAC for students:

• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will get access to Internet and internal SIS servers.

• Non-compliant users will be denied access even to Internet.

NAC for Guests:

• Guest will login to Open SSID.

• Enforce redirect to web page to submit required information

• Allowed for Self-registration by submitting first name, Last Name and Mobile Number.

• Will Receive an SMS.

• Login with credentials sent by SMS.

• Mapped to AD

• Will have access to Internet only.

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services

Authenticate: To authenticate is to determine whether someone or something is, in fact, who or what it is declared to be through the use of an identifier and password or related means.

Campus Network: A campus network is an autonomous network that exists on a university campus connecting local area networks in and among buildings and aggregating traffic to a wide area network.

Network Access Control system: Network access control (NAC), a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that authenticate. Additional features include checking for current virus protection and that operating system updates are enabled.

Network Access logs: Information captured upon network access, including identifier, time of connection, network card MAC address, and time of disconnection.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


OneDrive Cloud Storage Policy


Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2013.8

Policy: OneDrive Cloud Storage Policy

Approval Date:

Page:

Objective: This policy provides advice and best practices for using cloud storage services to support the processing, sharing and management of institutional data.

Responsible Official:

Responsible Office:

Signature:

ICT Reference Policies :

(a) Data Classification Policy

(b) Information security policy

Executive Summary

Cloud computing services are application and infrastructure resources that users access via the internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, online information storage. The stored data is generally easy for people to use and is accessible over the internet through a variety of platforms such as workstations, laptops, tablets, and smart phones. The purpose of this policy is to inform the UOD community about the security risks associated with storing documents on the cloud and provide guidance about the types of information which should and should not be stored in the cloud.

Introduction

The Deanship of Information and Communication Technology (DICT) is implementing cloud-based storage, ‘OneDrive’, provisioned by Microsoft, that will be available to its users. OneDrive is a convenient way to store files in the “cloud” and protect against hard drive failure and lost or stolen laptops. Keeping your important files in OneDrive means that you have access to them from anywhere in the world provided you have an internet connection. OneDrive also allows for easy sharing and collaboration with friends, family and colleagues. Microsoft provides OneDrive apps for your laptop, desktop, iPads, iPhones, Android devices, Windows 8 and Windows Phone.

This service is available to all students, faculty and employees at the University. To use OneDrive you use the same login and password credentials as you do for Microsoft Outlook.

It is important to keep in mind that the University does not have the ability to backup or restore the files that you keep on OneDrive. OneDrive is a service offered to the University, for free, from Microsoft in conjunction with other tools the University deploys. Microsoft maintains a “best effort” service level for OneDrive and while highly reliable you should periodically backup your important data to an external hard disk.

Use of this data storage must be in compliance with all other University policies and procedures. It is the responsibility of University community using such services to ensure that they are aware of, and are fully compliant with all relevant policies, procedures and legislation.

Policy Objectives

The following are the objectives of the policy:

Inform UOD community about the security risks associated with storing documents on the cloud

Provide the guidance about the types of information which should and should not be stored in the cloud.

Entities affected by this Policy

This policy applies to all the community of University of Dammam using computing and network resources. These include:

Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.

All ICT equipment connected (locally or remotely) to University servers. ICT systems owned by and/or administered by the Deanship of ICT. All devices connected to the University network irrespective of ownership. Connections made to external networks through the University network.

All external entities that have an executed contractual agreement with the University.

Section B – Policy Statement:

1. To use OneDrive, all users must comply with Microsoft’s Terms and Privacy conditions. On first use, you will be prompted to accept these Microsoft terms and conditions.

2. The use of OneDrive is optional. UOD does not require you to use OneDrive to complete your studies. If you do not wish to accept Microsoft’s Terms and Privacy conditions for the use of OneDrive, that is ok, but you will not be able to utilize the Microsoft OneDrive utility.

3. UOD and Microsoft will not be held responsible for any and/or all data loss or corruption. Students will have to arrange their own backup or replication of their data. Microsoft provides no commitment to guarantee continuous access to your files; therefore any loss of service may deny access to important files at critical times.

4. When information or data is stored in OneDrive which is not owned by the University, it is the responsibility of the staff member storing the information or data to ensure that important data is backed up to an external hard disk.

5. You should be aware that it is both a breach of the OneDrive contract and University terms and conditions to store any copyright material within this facility. This includes books, music or videos subject to copyright. Breach of these rules may result in your account being terminated by Microsoft without notification and result in the loss of all data within the account, which may well be irretrievable.

6. Information or data must not be stored in this storage where the University’s intellectual property, copyright, trademarks or patents may be compromised.

7. Use caution when storing documents and data in public cloud storage. Store only non-sensitive, non-critical, or non-confidential documents.

8. Do not use public cloud storage to store files containing sensitive information. Please refer to the University Data Classification policy for more complete data classifications.

9. Even for instances when you work with non-sensitive information, using public cloud storage services for institutional documents does not make a good long-term storage solution. In many cases, public cloud storage requires that files be associated with an individual’s personal account. Should that individual leave the University, the institution loses access to the data.

Definitions

The following terms are used in this document.

Cloud computing - Abstraction of virtualized web-based computers, resources, and services that support scalable IT solutions.

OneDrive (officially Microsoft OneDrive, previously Windows Live OneDrive and Windows Live Folders) is a file hosting service that allows users to upload and sync files to a cloud storage and then access them from a Web browser or their local device.


Password Policy


Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2013.7

Policy: Password Policy

Approval Date:

Page:

Objective: The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Responsible Official:

Responsible Office: Operation Unit

Signature:

ICT Reference Policies :

(a) Acceptable Use Policy

Executive Summary

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of UOD’s entire network. The purpose of having a password policy is to ensure a more consistent measure of security for UOD’s network and the information it contains. The implementation of this policy will better safeguard the personal and confidential information of all individuals and organizations affiliated, associated, or employed by the University. Additionally, this policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of passwords.

Introduction

University of Dammam provides access authentication to online information technology resources such as email, institutional data, University websites, library and e-learning portal, academic and personal data, cloud computing resources, and other sensitive services. In particular, passwords are the user’s ‘keys’ to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and University as well as user information. This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing UOD IT resources are bound by the requirements as described in this policy, to create and secure their password(s).

Password Policy Objectives

The following are the objectives of the policy:

1. Defend against unauthorized access of UOD systems that could result in a compromise of personal or institutional data

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.

3. Encourage users to understand their own rights and responsibilities for protecting their passwords.


4. Protect the privacy and integrity of data stored on the University network.

Outcomes of the Policy

By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Entities affected by this Policy

This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.

Responsibilities

Users are responsible for assisting in the protection of the network and computer systems they use. The integrity and secrecy of an individual’s password is a key element of that responsibility. Each individual has the responsibility for creating and securing an acceptable password per this policy. Failure to conform to these restrictions may lead to the suspension of rights to University systems or other action as provided by University Policy.

Section B – Policy Statement:

Guidelines & Procedures

• Passwords must be changed every 90 days.

• All passwords must meet the definition of a Strong password described below

• Each successive password must be unique. Re-use of the same password will not be allowed.

• Any temporary password will expire at 23:59:59 of the date issued

• A user account will be temporarily locked after 3 consecutive failed logins

◆ Account Lockout Duration: 15 mins.

◆ Account Lockout Threshold: 3

• The “reset password” process will be applied to users who log in for the first time

Poor, weak passwords have the following characteristics:

• The password contains less than eight characters.

• The password is a word found in a dictionary (English or foreign)

• The password is a common usage word such as:


* Name of family, pets, friends, co-workers, fantasy characters, etc.

* Computer terms and names, commands, sites, companies, hardware, software.

* Birthdays and other personal information such as addresses and phone numbers.

* Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc.

* Any of the above spelled backward like fesuoy, damha, etc.

* Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong Password Construction Guidelines

• Are at least eight alphanumeric characters long

• Do not contain the user ID

• Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters

• Contain at least three of the five following character classes:

■ Lower case characters

■ Upper case characters

■ Numbers

■ “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)

• Contain at least eight alphanumeric characters.

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Expiration - Date at which password for access to University systems is required to be changed meeting strong password standards.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


ICT User Authentication Policy


Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2013.6

Policy: ICT User Authentication Policy

Approval Date:

Page:

Objective: The authentication and access control measures ensure appropriate access to information and information processing facilities - including servers, desktop and laptop clients, mobile devices, applications, operating systems and network services – and prevent inappropriate access to such resources.

Responsible Official:

Responsible Office:

Signature:

ICT Reference Policies :

(a) Information security policy

(b) Acceptable use policy

User Authentication Policy

Principle

All users should be authenticated, either by using User IDs and passwords or by stronger authentication such as smartcards or biometric devices (e.g. fingerprint recognition) before they can gain access to any information or systems within the installation.

Objective

To prevent unauthorized users from gaining access to any information or systems within the computer installation.

General

All users should be authenticated, either by using UserIDs and passwords or by stronger authentication such as smartcards or biometric devices before they can gain access to any information or systems within the organization.

1. All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.

2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 4 months.

3. User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.

4. Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

5. All user-level and system-level passwords must conform to the guidelines described below.


User IDs and Password Attributes

User authentication should be enforced by automated means that:

1. Ensure UserIDs are unique

2. Ensure passwords are not displayed on screen or on print-outs

3. Issue temporary passwords to users that must be changed on first use

4. Force new passwords to be verified before the change is accepted

5. Ensure users set their own passwords

6. Ensure passwords are changed regularly and more frequently for users with special access privileges

Account Lockout Policies

Account Lockout Duration: 15 mins.

Account Lockout Threshold: 3

Reset Account Lockout Counter: 30 mins.

Password Changing Procedures

There should be a process for issuing new or changed passwords that:

a) Ensures that passwords are not sent in the form of clear text e-mail messages

b) Directly involves the person to whom the password uniquely applies

c) Verifies the identity of the end user, such as via a special code or through independent confirmation

d) Includes notification to users that passwords will expire soon.

Acceptable Password Characteristics

Acceptable user passwords should, as a minimum:

1. Be a minimum of 8 characters in length,

2. Differ from their associated UserIDs,

3. Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters

4. Restrict the re-use of passwords: 5 previous passwords (e.g. so that they cannot be used again within a set period or set number of changes).

Password Protection Awareness

Where authentication is achieved by a combination of UserIDs and passwords, users should be advised to keep passwords confidential (i.e. to avoid writing them down or disclosing them to others) and to change passwords that may have been compromised.

If an account or password compromise is suspected, report the incident to ICT Help Desk number 322322.

Users should be made aware of the need to choose a strong password. Strong passwords have the following characteristics:

o Contain at least three of the five following character classes:

▪ Lower case characters

▪ Upper case characters

▪ Numbers

▪ Punctuation

▪ “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)

o Contain at least fifteen alphanumeric characters.

Weak passwords have the following characteristics:

o The password contains less than fifteen characters

o The password is a word found in a dictionary (English or foreign)

o The password is a common usage word such as:

▪ Names of family, pets, friends, co-workers, fantasy characters, etc.

▪ Computer terms and names, commands, sites, companies, hardware, software.

▪ Birthdays and other personal information such as addresses and phone numbers.

▪ Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

▪ Any of the above spelled backwards.

▪ Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Single Sign-on

Single sign-on (SSO) or reduced sign on should be applied within the organization upon completing a formal risk assessment and in compliance with the approved Identity and Access Management Architecture.

Two Factor Authentication

Two-factor authentication (e.g. smartcards or biometric devices, such as fingerprint recognition) should be applied to users with access to critical business applications or sensitive information and to users with special access privileges or access capabilities from external locations.


Web Hosting Policy with Third-Party Service Providers

Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2014.2

Policy: Web Hosting Policy with Third-Party Service Providers

Approval Date:

Page:

Objective: This policy provides guidelines for website hosting with third-party service providers for the affiliated colleges and units.

Responsible Official:

Responsible Office:

Signature:

ICT Reference Policies :

(a) Data Classification Policy

Executive Summary

The Deanship of Information and Communications Technology (DICT) seeks to provide up-to-date, accurate, and meaningful information on university-related websites. Likewise, the university’s integrity and reputation rely on consistent and strong content on the www.uod.edu.sa domain and on any websites that relate to, refer to, or could be perceived as representing the university. It is therefore important that all such websites conform to minimum university standards and comply with the guidelines provided in this policy.

In general, all university Internet services and all information about the university available from accessing the Internet, including any of its colleges, departments, deanships, affiliated institutes, centers, management units, faculty, staff and students, must use only the www.uod.edu.sa domain. In certain exceptional cases, affiliated colleges of the university may find it necessary to hire third-party service providers for website hosting or other applications. This policy addresses these exceptional cases.

Introduction

Creation, publication and maintenance of web pages and other web materials at the University of Dammam is a prime way of providing critical information and services to members of the University community, prospective students, and the general public, playing a vital role in helping the University fulfill its mission. This policy statement is intended to protect the interests of the University and all of its students, faculty and staff. It is designed to provide guidance to those individual affiliated units of the University that wish to host websites with third party service providers. It outlines minimum security requirements to be observed when a content owner wishes to host their web material with external service providers.

Scope

This policy governs any electronic documents made available via standard web protocols which represent an official unit or activity of the University, bearing marks, logos, domain or symbols that might imply endorsement by the University hosted by third party service providers.

Non-Compliance

The Ministry of Information and Communication Technology and the Ministry of Interior, Kingdom of Saudi Arabia, monitor and report any security breaches to the University. Any non-compliance with these recommended guidelines may result in legal action or otherwise by the relevant authorities.

Section B – Policy Statement:

The web content owner and content publisher intending to host web pages with third party service should consider the following security issues relevant for third party hosts and the level of service required from them.

1. Physical Security:

The service provider must comply with physical security requirements such as

Facility Security Procedures that ensure facilities containing these confidential systems are safeguarded from unauthorized physical access.

Access control must be logged and audited at least every six months, and must include 1 or more of the following: multi-factor authentication (e.g. token and pin number), key-card access, biometric access controls.

Caged or shared racks for physical security, depending on the requirements.

2. Perimeter Security:

IP Reputation Filtering against malicious IP addresses.

Monitor & mitigate DoS/DDoS attacks directed toward customers and their infrastructure.

3. Network Security:

The service provider must have hardware and software in place to ensure

Intrusion detection/prevention systems to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a compromised network or system and prevent intrusion signatures.

Established Isolated Security Zones for reducing security risks.

Vulnerability Monitoring tools for protection against spyware, spam, viruses etc.

Vulnerability Auditing to determine which network assets are at the most risk of being successfully attacked and its impact.

4. Server Security:

Hardened operating systems for more secure server operating environment.

Managed OS patches and updates to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.

5. Hardened VMware hypervisor

The service provider must adhere to the following best practices:

Password security policies

Malware protection

Resource availability monitoring

Network event logging

6. Application Security:

The service provider must employ the following:

Web application firewall

Intelligent WAF policies for common attacks

Application specific and custom WAF policies if needed

HTTP DoS application attack mitigation

Application performance monitoring

SSL certificates highly recommended for important services

7. Administrative Security:

Secure portal for user management

Log Management

Two-Factor authentication

Content Owner Responsibilities

For the Application or website, we recommend the following:

Source Code review to be carried out.

Vulnerability testing at least once a month to be done.

Penetration Testing services once every three months to be considered.

SSL Certificate for Authentication services to be ensured.

Two factor authentications to be employed.

Reliable/reputed Hosting Company to be sought.

A Recommended checklist when hosting with third party service providers

Read the terms and conditions of use of the service - what sort of intellectual property rights do the terms of use of the service grant to the service provider? What rights are you signing away?

What measures does the service provider take to keep information confidential?

Is it possible to take down and delete information easily, quickly and permanently from the site? Are you locked in to the service?

Security - What are the service provider’s arrangements for protecting your data from unauthorized access, unauthorized amendment or deletion? Do they adhere to the guidelines provided in this policy?

Will unauthorized exposures of university data result in the service provider giving notification within a mutually agreed time of discovery?

Performance - Does the service provider make any performance guarantees? Are they adequate for your needs?

Does the external service provider have arrangements in place to ensure the long-term survival of the data?

What cookies or monitoring of usage does the service provider use?

Have both disaster recovery and business continuity plans been developed and are there plans to regularly test and review them?

Does the service provider comply with data retention and protection regulations and policies?


Definitions

The following terms are used in this document.

Domain: A unique name that identifies an Internet site.

ISP: Internet Services Provider; a company that provides access to the Internet, Information Services & Technology.

Web Host: A company that maintains a client’s website and provides a computing environment for the website that is accessible through the Internet.


Core ICT Services Service Level Agreement


PURPOSE OF THE SLA

The purpose of this service level agreement (SLA) is to establish a cooperative partnership between the Deanship of Information & Communications Technology (DICT) and its users. It aims to ensure that services support the core business of University of Dammam. This SLA aims to:

• identify clear and consistent expectations

• outline agreed roles and responsibilities

• deliver services that are measured, monitored, reported and reviewed for continuous improvement

• provide mechanisms for resolving problems

• provide a platform to enable changes in response to new technologies, user requirements and other opportunities

PARTIES TO THE SLA

This SLA has been outlined between the Deanship of ICT as service provider, and the University community, referred to hereafter as ‘users’.

DURATION

This SLA has been enforced with immediate effect and remains effective for a period of one year after which it may be reviewed. Services are provided on an ongoing basis. As required, this SLA may be modified and any changes will be published for user interest and information.

SERVICES INCLUDED

The following services are included in this SLA defined as core ICT services. These ICT services meet all or most of the following criteria.

They support the core business of teaching, learning, research and administration.

They are widely used across UOD without requiring specialized content knowledge.

They need to be reliable and available.

For the most part, they are provided to the user free of charge.

Accountability for their provision rests with DICT.

FUNDAMENTAL EXTERNAL CONSTRAINTS

The Deanship of ICT may be prevented from providing any service mentioned in this SLA due to constraints over which it may have little or no control. These include:

• power and air conditioning outages

• physical damage, including but not limited to fires, floods, and contractors

• products or services received from vendors to DICT

• unpredictable and significant changes in activity levels (e.g. ICT Helpdesk calls, number of email messages sent, number of users for a system, etc)


FUNDAMENTAL USER RESPONSIBILITIES

The end users are expected to observe the following:

– report incidents or log service requests by logging calls with the ICT Helpdesk

– abide by the applicable policies listed for each service

– have the prerequisite hardware or software

– make reasonable attempts to co-operate with ICT to resolve incidents, including providing information, performing troubleshooting steps, and ensuring ICT’s access to physical space

– acquire training in the use of their system (as necessary to do their jobs) by attending training classes, keeping available and reading instructions, manuals, etc.

– perform routine backups of important data and files

– be able to understand and perform basic computer tasks such as copying files, installing some software, etc.

– use their systems responsibly and ethically as University assets to do their jobs.


eFax

Service Service level targets User responsibilities

The eFax service provides a web management interface for users to manage or maintain their contacts and incoming or outgoing fax documents.

Description

The eFax service provides outgoing fax and incoming fax. The outgoing fax service is best suited for users who occasionally need to fax out computer files. For the incoming fax service, a fax document sent to a particular fax number will appear as a message in a designated email account.

Applicable to (subject to approval)

– Management

– Faculty

– Staff

Exclusions

– students

– visitors

Availability

eFax service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Installing software to send faxes from a computer | 1-2 | 1-2 |
| setting up a personal fax number | 1-2 | 1-2 |
| fixing a fault | 1-2 | 1-2 |

Constraints

– Fundamental external constraints

– Existing fax number cannot be changed

– Supported document format is pdf only

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– An email address

– Software client installed on a Windows computer

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


WebEx

Service Service level targets User responsibilities

UOD’s free web conferencing service, WebEx, provides on-demand, real-time, collaborative web meetings and conferencing. WebEx can be used to host online meetings and interactive sessions with individuals inside and outside of UOD.

Description

Faculty can use WebEx to record/capture class lectures and facilitate student discussions for distance education, while students use WebEx to watch and attend class lectures, communicate with the instructor and collaborate with other students in the class. The staff can use WebEx to share documents, hold online meetings, and collaborate on team projects.

Applicable to

– Management

– Faculty

– Staff (attendees only)

– students

Exclusions

– visitors

Availability

WebEx service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request to enable WebEx facility | 2-24 | 1-2 |
| fixing a fault | 1-2 | 2-3 |

Constraints

– Fundamental external constraints

– Account changes are not allowed

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– An email address

– WebEx enablement

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Cisco IP Telephone

Service Service level targets User responsibilities

UOD offers voice over IP as an enterprise communication solution.

Description

Internet Protocol (IP) or Voice over IP (VoIP) telephony is a technology which enables telephone messages to be transmitted and received via the internet rather than the traditional analogue telephone system.

Applicable to

– Management

– Faculty

– Staff

Exclusions

– students

– visitors

Availability

IP Telephony service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| IP Telephone request process | 1-2 | 3 |
| setting up an IP telephone | 1-2 | 3 |
| Move, Add and Change | 1-2 | 5 |
| fixing a fault | 1-2 | 3 |
| New wiring | 1-2 | 15 |
| IP telephone features | 1-2 | 1-2 |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– Cisco CallManager Administration

– Windows 2000 Terminal Services

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


New SoftPhone

Service Service level targets User responsibilities

A softphone is a software program for making telephone calls over the internet or University Data Network using a computer or laptop, rather than a deskphone or landline.

Description

The Deanship has implemented Cisco Unified Personal Communicator (CUPC) to enhance the voice communication experience by enabling Presence functionality. It provides real-time status for coworkers, integrating with calendars for meeting notifications and allowing real-time chat, voice or video communication.

Applicable to

– Management

– Faculty

– Staff

Exclusions

– students

– visitors

Availability

The SoftPhone service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Delivery of hardware | 1-2 | 1-2 |
| Client Installation | 1-2 | 1-2 |
| Fixing a fault | 1-2 | 1-2 |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– Laptop or desktop

– UOD valid email address

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request Database Services

Service Service level targets User responsibilities

The Deanship provides a wide range of database consulting and hosting options for your application. The hosting services feature high availability and disaster recovery options in a secure environment. The service includes the following:

– Database Schema creation

– Database users

– Database consultation

– Database backup

– Database user permissions

Description

The Deanship offers two environments: application and testing. The database hosting is tailored to the requester’s requirements and gives you control as well.

Applicable to

– Management

– Faculty

Exclusions

– Staff

– students

– visitors

Availability

The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– Database type

– UOD valid email address

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Database Schema creation | 4-6 | 1 |
| Database users | 4-6 | 1 |
| Database consultation | 4-6 | 1 |
| Database backup | 4-6 | 1 |
| Database user permissions | 4-6 | 1 |

Constraints

– Fundamental external constraints
– Oracle Database hosting Only


Request Hosting Training Material in ICT servers (video, pdf etc)

Service Service level targets User responsibilities

The eligible users can request to host relevant material in audio, video or text form to be published for employee development.

Description

The Deanship of ICT offers to host training material for employee development for interested UOD colleges/departments/Centers.

Applicable to

– Management

– Faculty

Exclusions

– Staff

– students

– visitors

Availability

The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– UOD valid email address

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request for service | 1-2 | 1 |

Constraints

– Fundamental external constraints
– ICT will host the material after careful review and relevant authority permission.


Request Reset Password

Service Service level targets User responsibilities

Password Reset enables all users to reset their forgotten University password, without calling the Service Desk.

Description

Users are now able to reset their password or change their password 24/7 hassle-free from any computer.

Applicable to

– Management

– Faculty

– Staff

– Students

– Guests

Exclusions

– None

Availability

Password self-service is available 98% of the time 24 hours a day, 7 days a week.

Constraints

– Fundamental external constraints

To access the service

In order to avail this service, the users must log on to eservices.ud.edu.sa/, provide appropriate information and follow the instructions for setting the password.

Prerequisites

– Fundamental user responsibilities

– email account

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Requesting/decommissioning VMWare virtual server

Service Service level targets User responsibilities

Users can request a Windows or Linux virtual server. Requested virtual servers are subject to normal approvals and some special provisioning tasks. A decommissioning workflow enables a user to make a request for the deletion of a virtual server.

Description

UOD departments or eligible users can choose to locate virtual servers in the ICT Data Center.

Services provided include 24 hour system monitoring, controlled power and temperature environment, a secure facility, backup, restore and offsite storage services, and problem management.

Applicable to

– Management

– Faculty

Exclusions

– Students

– Staff

– Visitors

Availability

Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Standard request | 1-2 | 1 |
| Standard provisioning | 1-2 | 3 |
| Service Outage/unusable | 1-2 | 2 |
| Service Degraded/unreliable | 1-2 | 2 |
| Minor/inconvenient | 1-2 | 7 |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Fundamental user responsibilities

– email account

– Virtual server OS, memory, storage, CPUs and speed

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


E-mail services

Service Service level targets User responsibilities

• Description

This service provides personal e-mail services through Office365. The service includes the following features:

– an email address within the @ud.edu.sa domain that complies with the email naming standard
– a mailbox with 25GB storage space for users.
– You can move messages, flag them for follow-up, categorize messages.
– organize your messages easily by sorting them into a hierarchy of folders.
– Built-in anti-spam message filtering. Integrated anti-spam tools for smoother control of email filtering and identification.
– Convenient web and desktop access to your email and integrated calendar.
– Access from portable devices, including iOS and Android-based phones and tablets.
– personal, shared and system address books
– ability to archive messages
– ability to set up filtering rules and vacation replies

• Applicable to

– Management

– Faculty

– Staff

– Students

– Officially Approved Contractors & staff

– Guests

• Exclusions

– Temporary visitors

– Only a limited set of features is available when connecting via smartphones/mobile devices

Availability

Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| creating an email account | 1-2 | 1-2 |
| Allocating additional mailbox space (subject to feasibility/approval) | 1-2 | 1-2 |
| creating a mailing list | 1-2 | 1-2 |
| changing personal details | 1-2 | 1-2 |

Constraints

– Fundamental external constraints

Note: No service level targets can be set for speed of access from off campus, as this is constrained by ICT bandwidth availability and service from the user’s ISP. Similarly, speed of email delivery and receipt cannot be guaranteed when it depends on mail servers external to ICT. Many external mail servers restrict the delivery of large messages during office hours.

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To access the service

The users can access this service through the UOD website or UOD smartphone apps.

Prerequisites

– Fundamental user responsibilities
– Users must manage their mailboxes to ensure that they do not exceed space limitations and risk being prevented from sending mail.
– Users are responsible for backing up any email data (e.g. archived mail) stored on their local computer.
– Users should follow the service request procedure on ICT service Desk if they face any difficulty.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy
– Naming standard
– Service desk procedures


Software Services

Service Service level targets User responsibilities

Description

Software services range from installation of printers to lab specific software installation. The Deanship commits to providing these services on a priority basis.

Applicable to

– Management

– Faculty

– Staff

– Students (Specific cases only)

– Guests (Upon approval)

Exclusions

– visitors

Availability

Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request installing printer drivers or connect printer to the network | 1-2 | *1-2 |
| Request Installing Software on Labs PCs | 1-2 | *1-2 |
| Request Join PC to the Domain | 1-2 | *1 |
| Request Share folder in servers | 1-2 | *1-2 |
| Request remote assistance | 1-2 | *1-2 |
| Request installing or activate application license | 1-2 | *1-2 |
| Request Format Damage PC | 1-2 | *1-2 |

Constraints

– Fundamental external constraints

– UOD account

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy

*Subject to the availability of software, licenses and/or ICT resources


Request developing applications

Request Software Consultations

Service Service level targets User responsibilities

Description

The Deanship provides advisory and consultative service relating to software. Additionally, it may undertake application development through its resources under certain circumstances.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

Subject to the availability of the ICT resources and task to be handled

Service level target (working days)

| Service request | Response Time | Resolution Time (business days) |
| --- | --- | --- |
| Request developing applications | Variable | variable |
| Request Software Consultations | Variable | variable |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

– Detailed Requirements

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request remote access

Service Service level targets User responsibilities

Description

A secure service that enables you to remotely connect to UOD’s network using your own Internet Service Provider (ISP).

Applicable to

– Management

– Faculty, staff (subject to approval)

Exclusions

– students

– visitors

Availability

Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Remote Access Request | 1-2 | 1-2 |

Constraints

– Fundamental external constraints
– Downtime attributable to UOD bandwidth provider

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy
– Information security policy


Hardware Services

Service Service level targets User responsibilities

Description

The Deanship provides various hardware services for the official desktops/laptops.

Applicable to

– Management
– Faculty
– Staff

Exclusions

– students
– visitors

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request install New PCs | 1-2 | *3-5 |
| Request installing or replace PCs peripherals (printer, scanner etc) | 1-2 | *2-4 |
| Request maintenance for PCs peripherals (printer, scanner etc) | 1-2 | *2-4 |

* Subject to the availability of peripheral devices, ICT resources, and complexity

Constraints

– Fundamental external constraints
– Availability of hardware/ related software

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Portal Services

Service Service level targets User responsibilities

Description

This service provides access permission to the portal and update for web page contents.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request Access Permissions to UD’s Portal | 1-2 | 1 |
| Request updates of web page contents | 1-2 | 2 |

Constraints

– Fundamental external constraints
– Copyright material

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy


Video Conferencing Services

Service Service level targets User responsibilities

Description

The Deanship of ICT provides several video conferencing services that you can use to meet and collaborate with colleagues across campus or around the world.

Applicable to

– Management

– Faculty

– Staff (subject to Approval )

Exclusions

– students

– visitors

Availability

Video conferencing service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request installing New Video Conference Device | 2 | 3-4 |
| Request installing Maintenance & Modification Video Conference Device | 2 | 3-4 |
| Request Multiple Video Service Calls (MCU Servers) | 2 | 1-2 |
| Request Recording Video Conference Meeting (Content Server) | 2 | 1-2 |
| Request Scheduling Video Conference Meeting (Internal & External Call) | 2 | 1-2 |
| Request Video (Call, Meeting, Presentation) Real Time Support | 2 | 1-2 |

Constraints

– Fundamental external constraints
– Availability of fundamental equipment

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy


Digital Signage Service

Service Service level targets User responsibilities

Description

Digital Signage service is a centrally managed/locally controlled electronic sign and interactive display platform to distribute information in an engaging, interactive manner using large format displays across campus.

Applicable to

– Management

Exclusions

– Faculty
– Staff
– students
– visitors

Availability

Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request installing digital signage on monitors (internal advertising system) | 2 | 3-4 |
| Request maintenance installing digital signage on monitors (internal advertising system) | 2 | 1-2 |

Constraints

– Fundamental external constraints
– Copyright material

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Wireless LAN Service

Service Service level targets User responsibilities

Description

Wireless technology provides secured network access to mobile devices within buildings with consistent capabilities.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

The UOD network from the central data center to the required building is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy
– Network Access Control Policy

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request installing Wireless LAN | 2 | 10-15 |
| Request Maintaining of existing wireless LAN | 2 | 1-2 |


Cable Nodes and Network Ports Checkup Service

Service Service level targets User responsibilities

Description

The service installs, activates and troubleshoots an Ethernet port to allow a department to connect a device to the campus network.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request New Cabling Nodes | 2 | 1-2 |
| Request Fix Existing Cable Node | 2 | 1-2 |
| Request Network Ports Checkup | 2 | 1-2 |
| Request Network Checkup for a building (Connection, Traffic to & from the building) | 2 | 2-3 |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy

– Network Access Control Policy


Data Center Services

Service Service level targets User responsibilities

Description

The service provides internet and server connectivity.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy

– Network Access Control Policy

The primary purpose of this policy is to inform, educate and set expectations for the members of the university community of their individual and corporate responsibilities towards the use of information, products and services obtained from the internet. Internet filtering is provided to all students, faculty and staff to protect them from the unintentional or deliberate accessing of internet content that is offensive and inappropriate.

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request Data Center service (Internet & Servers Connectivity) | 2 | 1-2 |


Security Services

Service Service level targets User responsibilities

Description

The primary purpose of this service is to provision the ability to block, unblock, filter the network traffic, publishing on 3rd party domain.

Applicable to

– Management

Exclusions

– Faculty

– Staff

– students

– visitors

Availability

This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

| Service request | Response Time (hours) | Resolution Time (business days) |
| --- | --- | --- |
| Request block or unblock or filter network traffic (website, protocol, port) | 1-2 | 3-5 |
| Request Publishing Services Outside UD | 1-2 | 3-5 |
| Request remote access through VPN (Add/Modify/Delete/Troubleshoot) | 1-2 | 3-5 |

Constraints

– Fundamental external constraints

To Request this service

Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service

Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies

– Acceptable use policy

– Information security policy

– Network Access Control Policy