ICT Policies & Procedures
Transcript of ICT Policies & Procedures
Contents
• Acceptable Use Policy
• Backup Policy and Procedures
• Bandwidth Use Policy
• Data Classification Policy
• Information Security Policy
• Network Access Control Policy
• OneDrive Cloud Storage Policy
• Password Policy
• ICT User Authentication Policy
• Web Hosting Policy with Third-Party Service Providers
• Core ICT Services Service Level Agreement
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.2
Policy: Acceptable Use Policy
Approval Date:
Page:
Objective: To ensure the appropriate use of the University’s Information and Communication Technology (ICT) Services and define the responsibilities of users of the University’s ICT Services and Infrastructure.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies :
(a) Information Security Policy
(b) Password Policy
Executive Summary
University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. These facilities are expected to be used for educational, instructional, research, professional development and administrative activities of the University. The use of these resources is a privilege that is extended to qualified members of the community. Access to computers, computing systems and networks owned by the University imposes certain responsibilities and obligations and is subject to university policies and codes and the Kingdom’s local laws. It is important that these ICT resources are used for the purpose for which they are intended. All users of these resources must comply with specific policies and guidelines governing their use, and act responsibly while using shared computing and network resources.
The ICT Acceptable Use Policy (AUP) informs the University’s faculty, support staff, students, management and other individuals authorized to use University facilities, of the regulations relating to the use of ICT systems. The University expects users to use the ICT facilities in an appropriate and responsible manner in accordance with this policy. Anyone who abuses the privilege of the ICT resources, either directly, by promoting inappropriate activities and by misusing the resources, or indirectly, by inadvertently allowing unauthorized users access for personal and professional purposes, will be subject to sanctions or legal action.
Introduction
The University provides ICT for its educational purposes, particularly teaching and research, as well as for reasonable personal use which is acceptable to the University environment. University of Dammam allows users to access the computing and network resources in order to facilitate them in carrying out their duties, and the university expects these resources to be used for purposes related to their jobs and not for unrelated purposes. These resources include all university owned, licensed, or managed hardware and software, and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network. The purpose of this policy is to promote the efficient, ethical and lawful use of the University of Dammam’s computer and network resources.
Acceptable Use Policy Objectives
The following are the objectives of acceptable use policy:
1. Provide guidelines for the conditions of acceptance and the appropriate use of the computing and networking resources provided for use by academic, professional and support staff and students of the University.
2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.
3. Encourage users to understand their own rights and responsibility for protecting the University ICT resources.
4. Protect the privacy and integrity of data stored on the University network.
5. Elaborate the consequences of the inappropriate use of these resources.
Outcomes of the Policy
By enforcing the acceptable use policy, we aim to achieve the following outcomes:
1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.
2. Responsible UOD community regarding the value and use of ICT resources.
Policy Rationale
There needs to be commitment to protect UOD faculty, students, staff, management and contractors from illegal or damaging action by individuals, either knowingly or unknowingly. Inappropriate use of these ICT resources exposes UOD to risks including virus attacks, compromise of network systems and services, and legal issues.
Entities affected by this Policy
This policy applies to all the community of University of Dammam using computing and network resources. These include:
• Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.
• All ICT equipment connected (locally or remotely) to University servers.
• ICT systems owned by and/or administered by the Deanship of ICT.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.
• All external entities that have an executed contractual agreement with the University.
Business Impact of No AUP
The potential adverse business impact to the university due to lack of acceptable use policy may include:
• Violations of either personal or copyrighted material
• Security breaches
• Bad publicity and embarrassment to individuals or University
• Identity or financial fraud
Policy Benefits
1. It will define the responsibilities of users of the University’s ICT Services and Infrastructure.
2. It will deter unacceptable ICT use by declaring the punitive actions for such an act.
3. Fair use of services.
4. Better service quality.
Section B – Policy Statement:
Acceptable Use Policy Statements:
1. This policy applies to all users of computing resources owned or managed by University of Dammam. Individuals covered by the policy include (but are not limited to) UoD faculty and visiting faculty, staff, students, alumni, guests or members of the administration, external individuals and organizations such as contractors and their employees accessing network services via UoD’s computing facilities.
2. The resources should be used for the purpose for which they are intended.
3. Users must adhere to the confidentiality rules governing the use of passwords and accounts, details of which must not be shared.
4. Users may use only the computers, computer accounts, and computer files for which they have authorization.
5. The university encourages and promotes using the university email for administrative, learning and professional purposes. Hence, the users must use their university email in their business communications.
6. The only way to access the university’s network is with a valid account; any other way, such as plugging one’s own internet connection into the university network, shall be considered a violation.
7. All users of the university’s network and computing resources are expected to respect the privacy and personal rights of others.
8. The University reserves the right to monitor all activities performed by the users on the internet by recording and reporting without the consent of the user.
9. The University has the right to block any site or group of sites according to its policies and will take necessary action against any use that violates this policy.
10. The University reserves the right to make any amendments in this policy at any time.
11. Users who discover or find security problems or suspicious activity must immediately contact Technical Support of the DICT.
Unacceptable Use Policy
1. Users must not use the university network in any illegal manner, e.g. for commercial purposes, nor use it to log in to or browse illegal web sites or content.
2. Users must not disclose their login information, nor access or copy another user’s email, data, programs, or other files.
3. Users must not attempt to violate or compromise the security standards on the University network or any other device connected to the network or accessed through the Internet.
4. The University network may not be used for the creation, dissemination, storage and display of obscene or pornographic material, abusive, indecent, obscene, and defamatory or hate literature etc.
5. University users should not create illegal copies of, or otherwise violate, copyright protected material in order to use or save such copies on University devices or send them through the University network. This policy also prohibits illegal use such as sending, downloading or publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against Islamic values.
6. This policy prohibits users from adding, deleting, or modifying any information on the university network in an attempt to disrupt or mislead others.
7. Users are not allowed to engage in any activity that may adversely affect the ability of others to use the Internet services provided by the university, e.g. denial of service attacks, hacking, viruses, consuming gratuitously large amounts of system resources (disk space, CPU time, print quotas, and network bandwidth) or deliberately crashing the machine(s).
8. The university prohibits downloading any programs and installing them on the university’s computers. Any such request should be made through DICT technical support.
9. Non-serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal areas is not permitted.
10. DICT is not responsible for the internet content browsed by the end user, or for problems that might happen to the user from browsing untrusted websites.
Policy Breaches:
Anyone who breaches this policy will be subject to any or all of the following actions:
a. Suspension of the university internet account/access.
b. The referral of the case to the University management along with supporting evidence for an appropriate action.
c. The case may be investigated by the Communication & Information Technology Commission (CITC), Saudi Arabia who may initiate criminal investigation according to the e-crimes regulations. More information regarding these regulations may be found here.
Definitions
The following terms are used in this document.
Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.
Authorized User - An individual who has been granted access to University ICT services
Device - Any computer or electronic device capable of accessing, storing and communicating data.
End Host Device - An electronic device which can be connected to a network. End Host Devices include, but are not limited to:
• Desktop computers
• Notebook computers
• Workstations
• Servers
• Network Printers
• Telecommunications equipment
• Wireless Devices
• Other network aware devices
ICT Facilities – All computers, terminals, telephones and communication links, end host devices, licences, centrally managed data, computing laboratories, video conference rooms, and software owned or leased by the University.
ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.4
Policy: Backup Policy and Procedures
Approval Date:
Page:
Objective: This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. Also it lays emphasis on verifying that backups and recoveries are completed without errors.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies :
(a) Information Security Policy
(b) Operational Unit Data Center SLA
Executive Summary
University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. The unprecedented growth in data volumes has necessitated an efficient approach to data backup and recovery. Deanship of Information & Communications Technology (DICT) recognizes that the backup and maintenance of data for servers are critical to the viability and operations of the respective departments. It is essential that certain basic standard practices be followed to ensure that data files are backed up on a regular basis.
This document defines the backup policy for computer systems within the organization which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. The policy outlines the minimum requirements for the creation and retention of backups. The main purpose of this policy is to provide secure storage for data assets critical to the work flow of official university business, prevent loss of data in the case of accidental deletion / corruption of data, system failure, or disaster and permit timely restoration of archived data in the event of a disaster or system failure.
Introduction
This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. Also it lays emphasis on verifying that backups and recoveries are completed without errors.
Purpose
To ensure server and data continuity and to support the retrieval and restoration of archived information in the event of a disaster, equipment failure, and/or accidental loss of files.
Goals
The goals of this backup policy will be as follows:
• to safeguard the information assets of University of Dammam (UoD) Community.
• to prevent the loss of data in the case of accidental deletion or corruption of data, system failure, or disaster.
• to permit timely restoration of information and business processes should such events occur.
• to manage and secure backup & restoration processes and the media employed within these processes.
Scope
The Deanship of ICT (DICT) operational Unit (OU) is responsible for providing policy-based, system level, network-based backups of server systems under its stewardship. This document outlines the policies for backup implementation that define:
• Selections: what information needs to be backed up on which systems.
• Priority: relative importance of information for purposes of performing backup jobs.
• Type: the frequency and amount of information to be backed up within a set of backup jobs.
• Schedule: the schedule to be used for backup jobs.
• Duration: the maximum execution time a backup job may execute prior to its adversely affecting other processes.
• Retention Period: the time period for which backup images created during backup jobs are to be retained.
Backup Creation
Backups will be created using industry standard data backup software that supports “enterprise level” data assurance. The product, defined by the data backup standard, must support scheduled backups, full or differential or incremental backups, and centralized management.
System Backup Profiles
The DICT Operational Unit maintains the following type of backup profiles:
1. Standard Backup:
• The standard backup is provided for most centralized University computer systems.
• The backup could be full, differential or incremental. The frequency of backup could be daily, weekly or monthly and is dependent upon the application. The retention of these backups could vary from 1 week up to 2 months.
• For some applications backup is performed on a day and time agreed upon by the OU and application owner.
• Appendix I shows the applications along with backup type, frequency of backup and retention period.
2. Critical System Backup:
• Certain enterprise-wide systems are deemed critical to University operations and dictate longer retention periods from 6 months up to 1 year.
• The type, frequency and retention period is different for different applications.
• Prior to a major upgrade of a production system, database, or application, a full system backup is performed and retained for 6 months.
• Appendix I shows the applications along with backup type, frequency of backup and retention period.
3. Special Request Backup:
Some departments or applications may require an exception to the standard backup retention periods mentioned above. Exceptions are permitted, but must be fully documented.
4. No Backup:
ICT Services is responsible for backing up data that is stored in central systems and databases. Data residing on individual workstation hard drives is the responsibility of the user to backup. Furthermore the systems that fall under this category might include development or test systems that do not contain important business or academic data. Students, faculty, staff and third parties who store data on University equipment are responsible for ensuring the data is stored in a way that will ensure it is properly backed up. However, most systems that are centrally managed by DICT are backed up on one of the schedules listed above.
Storage Locations and Retention Period of Backups
Unless a system supporting an application or business function requires a custom retention period, DICT will maintain full and incremental backups. Backup tapes for the current weekly backup period will be stored within the DICT for purposes of current backups and restores.
Tapes representing backups from the former weekly backup period will be stored within a secured, fireproof place until such time as the backup images stored on these tapes expire and the tapes are re-used or destroyed.
After a successful backup, it will be stored in a secure, off-site media vaulting location for an appropriate period for disaster recovery purposes.
This will ensure that no more than one week of information would be lost in the event of a disaster in which campus systems and backup images are destroyed. After the period of six months has elapsed, the tapes may ‘optionally’ be returned to DICT and re-used or destroyed.
Backup Verification
On a periodic basis, logged information generated from each backup job will be reviewed for the following purposes:
• to check for and correct errors
• to monitor duration of the backup job
• to optimize backup performance where possible
DICT will identify problems and take corrective actions to reduce any risks associated with failed backups. Test restores from backup tapes for each system will be performed. Problems will be identified and corrected. This will work to ensure that both the tapes and the backup procedures work properly.
DICT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.
Media Management
Media will be clearly labeled and logs will be maintained identifying the location and content of backup media. Backup images on assigned media will be tracked throughout the retention period defined for each image. When all images on the backup media have expired, the media will be re-incorporated amongst unassigned (available) media until reused. Periodically and according to the recommended lifetime defined for the backup media utilized, DICT will retire & dispose of media so as to avoid media failures.
Storage, Access, and Security
All backup media must be stored in a secure area that is accessible only to designated OU staff or employees of the contracted secure off-site media vaulting vendor used by DICT. Backup media will be stored in a physically secured, fireproof place when not in use. During transport or changes of media, media will not be left unattended.
Retirement and Disposal of Media
Prior to retirement and disposal, DICT will ensure the following:
• the media no longer contains active backup images or that any active backup images have been copied to other media
• the media’s current or former contents cannot be read or recovered by an unauthorized party.
• with all backup media, DICT will ensure the physical destruction of the media prior to disposal.
Disaster Recovery Considerations
As soon as is practical and safe post-disaster, DICT will:
• Restore existing systems to working order or obtain comparable systems in support of defined business processes and application software.
• Restore the backup system according to documented configuration so as to restore server systems.
• Obtain all necessary backup media to restore server computing systems
• Restore server computing systems according to the priority of systems and processes as outlined for restoration and recovery in the Disaster Recovery Plan.
Documentation
Essential documentation will be maintained for orderly and efficient data backup and restoration. The person-in-charge of data backup should fully document the following items for each generated data backup:
S. No. | Action Item | Action
1 | Date of data backup |
2 | Type of data backup (incremental, differential, full) |
3 | Number of generations |
4 | Responsibility for data backup |
5 | Extent of data backup (files/directories) |
6 | Data media on which the operational data are |
7 | Data media on which the backup data are stored |
8 | Data backup hardware and software (with version number) |
9 | Storage location of backup copies |
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.5
Policy: Bandwidth Use Policy
Approval Date:
Page:
Objective: The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users by proper management and control of bandwidth. All in all the bandwidth usage policy shall set guidelines important to use bandwidth as a scarce resource in the university.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies :
(a) Acceptable Use Policy
Executive Summary
University of Dammam provides high speed internet access as a service to its management, faculty, students, researchers and administrative staff. The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users through proper management and control of bandwidth. Bandwidth is a precious shared resource and hence ought to be dedicated to teaching, learning and research purposes. Its usage should be in line with the university mission, vision and strategy. This bandwidth policy is prepared to define the appropriate use of bandwidth in the university so that optimum gains are achieved from the network.
Bandwidth Use Policy Objectives
The following are the objectives of the policy:
1. to establish awareness and accountability for bandwidth use
2. to educate the users of the priority related to internet traffic
3. to provide guidelines for responsible use
Scope
The aim of this policy is to manage bandwidth use proactively in order to avoid degradation of network performance. This policy applies to all users of University of Dammam accessing computing and internet resources, whether initiated from a computer and/or network device located on or off campus.
Audience
This policy applies to all faculty, management, staff and students of University of Dammam and guests who are given access to the UoD network. All users are to be made aware of the policy and sign it as appropriate.
Section B – Policy Statement:
Bandwidth may be used for any activity supporting teaching, research and consultancy in such a way that it will not prevent other users from using the same.
DICT maintains the right to use monitoring tools that log and analyze bandwidth usage of all users of the network. However, the collected data is to be used exclusively for the purpose of enhancing proper bandwidth usage.
DICT maintains the right to block any traffic that is not in line with the university mission and vision and that wastes bandwidth.
DICT maintains the right to give priority to one type of traffic over another based on predefined rules.
Whenever necessary, DICT maintains the right to give some users priority over others by giving them more access to bandwidth. This will be based on the relevance of the work to the university’s mission.
DICT maintains the right to enforce user authentication for using the Internet by assigning users accounts, and to keep logs of usage history for analysis of users’ usage behavior. Users will be responsible for all usage history registered in their account.
DICT Internet users shall use the proxy server to access the Internet for centralized bandwidth monitoring and management purposes.
Bandwidth may not be used for any non-educational activities or activities that consume bandwidth for the benefit of a few users.
Users should not engage in activities such as hacking, cracking, spamming, streaming, web serving and p2p file sharing using the university’s resources.
DICT users may not be allowed to do tasks that disturb the bandwidth management and optimization system on any machine connected to the network.
Bandwidth quotas are applied to all traffic passing between student computers and the Internet.
Excessive use of the network
To ensure that all qualified users making use of the internet resources receive a fair share of the bandwidth available, each individual’s bandwidth is limited to no more than 1GB in a rolling 24-hour period.
Individual bandwidth will be calculated as the combined network traffic from all personal computer systems used. This includes use of the wired network service, the VPN and wireless network services. However the internal university traffic including email services and access to central file servers will be exempted.
Exceptions
Users who have a genuine academic requirement for a larger quota should identify this need before exceeding their quota, and should then follow the below process:
o Obtain authorization for a higher quota from user’s respective Dean or Manager
o Present the request and supporting authorization to the DICT and be prepared for a discussion.
o Properly supported requests will normally be granted, provided that their impact on the use of the network as a whole is not disproportionate.
Consequences of exceeding the Bandwidth usage
Users will be allocated to a restricted network which will allow access to only authorized university web based systems. This includes university website, departmental websites, VLE and SIS.
Users should use this time to identify the cause of the high bandwidth usage. If users require help rectifying the problem, they should contact the ICT Service Desk.
This withdrawal of network services only applies to your personal computer. Your university account is still fully operational and you will be able to use computing facilities in your department or library.
Appeals
To appeal, contact the ICT Service Desk and clearly state the grounds on which your appeal is based. You should only appeal against the decision if you believe that:
o You have not exceeded the bandwidth limits for the service (1GB in any 24 hour period).
o You have mitigating circumstances to warrant a review of the penalty.
The following reasons would NOT be acceptable grounds for appeal:
o You were unaware that your actions were illegal / in breach of the Conditions of Use of the network.
o Your guest or friend made use of your connection.
o You accidentally left your computer system switched on downloading copyrighted content.
o You know of other users currently downloading similar content on the network.
Definitions
The following terms are used in this document.
Bandwidth: the transmission capacity of a computer or a communications channel stated in megabits per second (Mbps).
Monitoring tools: logging and analysis tools used to accurately determine traffic flows, utilization, and other performance indicators on a network.
Authentication: the process that validates a user’s logon information by comparing the user name and password to a list of authorized users.
Proxy server: A software package running on a server positioned between an internal network and the Internet.
Mirror site: A duplicate Web site that contains the same information as the original Web site and reduces traffic on that site by providing a local or regional alternative.
Hacking: using a computer or other technological device or system in order to gain unauthorized access to data held by another person or organization.
P2P file sharing: direct communication or sharing of resource between commercial or private users of the Internet.
Streaming: the playing of sound or video over the Internet or a computer network in real time.
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.3
Policy: Data Classification
Approval Date:
Page:
Objective: To ensure UOD’s information assets are identified, properly classified, and protected throughout their lifecycles.
Responsible Official:
Responsible Office: Quality Unit
Signature:
ITC Reference Policies:
(a) Information Security Policy
(b) Acceptable Use Policy
Data classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.
University of Dammam must protect its institutional assets as the data is prepared, managed, used, or retained by one of the constituent units or an employee relating to the activities or operations of the university. This does not include individually-owned data not related to university business. The policy will help educate the university community about the importance of protecting data generated, accessed, transmitted and stored by the university, to identify procedures that should be in place to protect the confidentiality, integrity and availability of university data and to comply with privacy and confidentiality of information.
Data Classification Policy Objectives
The purpose of this policy is to establish a framework for classifying University of Dammam data based on its level of sensitivity, value and criticality to its business activities. The following are the objectives of data classification policy:
1- Assist UOD community in the assessment of data to determine the level of security, which must be implemented to protect that data whether it is in paper copy or on the information system for which they are responsible.
2- Protect UOD’s data in terms of availability, confidentiality and integrity.
3- Identify who gets access to which kind of data.
4- Implement security provisions against unauthorized access.
Outcomes of the Policy
By enforcing the data classification policy, we aim to achieve the following outcomes:
1. Better aware and informed university community regarding data and its value.
2. Mapped data protection methods with the university policies.
3. Accountability of the management and use of data.
4. Appropriate levels of confidentiality, integrity and availability in place.
Policy Rationale
The classification of data, information, and documents is essential to differentiate between non-sensitive and sensitive / confidential information. When data is stored, created, amended or transmitted, it should be appropriately classified and protected in accordance to the sensitivity level.
The privacy, security, and integrity of data are critical to the university business. It is also necessary to evaluate the impact to the university should that data be disclosed, altered or destroyed without authorization. Classification of data will aid in determining baseline security controls for the protection of data.
Data classification provides several benefits by providing an inventory to university information assets. In many cases, information asset owners aren’t aware of all of the different types of data they hold. It will also allow ICT to work with departments to develop specific security requirements that can be readily utilized.
Entities affected by this Policy
This policy applies to all University administrative data, all user-developed data sets and systems that may access this data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).
Audience
All faculty, management, staff, students, employees as well as third-party contractors, consultants and guests should abide by this policy.
Business Impact of no data classification
The potential adverse business impact to the university due to lack of data classification policy may include:
Loss of critical campus operations
Loss of opportunities or value of the data
Damage to the reputation of the campus
Lack of corrective actions or repairs
Violation of University mission and policies
Policy Benefits
1. The university community will become familiar with this data classification policy and will consistently use it in their daily business activities.
2. Consistent use of data classification reinforces with users the expected level of protection of data assets.
3. It will address risks associated with the unauthorized disclosure, use, modification, and deletion of university data.
4. Improved and appropriate security measures for the data.
Policy Relevance for UOD Community
Category High Medium Low Notes
The organization
Administration
Staff
Faculty
Students
Other(s)
Section B – Policy Statement:
The UOD data classification policy provides a framework for assessing data sensitivity measured by the adverse business impact a breach of data would have on the campus from risks including, but not limited to, unauthorized use, access, modification, disclosure, destruction and removal. Thus all members of the university community have a responsibility to understand data classification and protect university data. This policy outlines measures and establishes protection profile requirements for each class of data. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action.
Data Classification
The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Reasonable precautions and protections should be taken, regardless of classification. All UOD institutional data has been classified into four levels or classifications:
Tier 1 - High Confidential Data
Data is classified as Confidential when an unauthorized disclosure, alteration or destruction of that data will cause a significant level of risk to the University. Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk and access approval will be determined by the data owner or risk committee.
Tier 2 - Confidential Data
Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure.
Tier 3 - Internal Data
Data is classified as Internal/Private for all the information assets that are not explicitly classified as Confidential or Public data. A reasonable level of security controls should be applied to internal data.
Tier 4 - Public Data
Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.
Data Classification and Handling
Definition
Public: Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods and disclosure, alteration or modifications will cause no risk to the university
Internal: Routine or daily operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but these are not widely available to the public
Confidential: Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure
High Confidential: Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the university (embarrassment, financial loss, etc.)
Examples
Public: brochures, news releases, pamphlets, web sites, internal phone directories, marketing materials
Internal: Routine correspondence, employee newsletters, inter-office memoranda, internal policies & procedures
Confidential: Intellectual property licensed and/or under development, records, purchasing information, vendor contracts, system configurations, system logs, risk reports, RFP, RFI etc.
High Confidential: Protected Health Information (PHI), Student Identifiable Information, department financial data, personnel information, credit or bank details, contract research protocols
Transmissions
1. E-mail within the organization
Public: No special handling required
Internal: No special handling required, but reasonable precautions should be taken
Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner
High Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner
2. E-mail outside of the organization
Public: No special handling required
Internal: No special handling required, but reasonable precautions should be taken
Confidential: Use of e-mail strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner
High Confidential: Encryption is required.
3. Data transfers (file transmissions, website, etc.)
Public: No special precautions are required
Internal: Encryption is recommended but not required
Confidential: Encryption is required
High Confidential: Encryption is required
4. Data print and printer location
Public: No restrictions
Internal: Printer to be located in an area not accessible by general public
Confidential: Monitoring required and removal of the printed material immediately
High Confidential: Monitoring required and removal of the printed material immediately
Backup and Recovery
Public: Should be backed up monthly and incrementally based on content change
Internal: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
High Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability. Never overwrite the most recent backups
Storage
1. Printed materials
Public: No special precautions required
Internal: Reasonable precautions to prevent access by nonemployees.
Confidential: Storage in a secure manner, e.g. secure area, lockable enclosure. Must be locked when unattended
High Confidential: Storage in a lockable enclosure. Must be locked when not in use
2. Electronic documents
Public: Storage on all drives allowed but access controls must be enforced
Internal: Storage on all drives allowed but access controls must be enforced
Confidential: Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet.
High Confidential: Storage on secure drives only. Password protection of document preferred.
3. Emails
Public: No special precautions required
Internal: Reasonable precautions to prevent access by non-staff & employees
Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials
High Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials
4. Portable devices
Public: No special precautions required
Internal: Use lockable containers or devices
Confidential: Use lockable containers or devices.
High Confidential: Use lockable containers or devices.
5. Storage by third party
Public: No special precautions required
Internal: Secured with lockable enclosures and access controls required
Confidential: Secured with lockable enclosures and access controls required
High Confidential: Secured with lockable enclosures and access controls required
Marking
1. Documents
Public: No restrictions
Internal: “Internal Use Only” note at the bottom
Confidential: “Confidential” note at the top
High Confidential: “Confidential” at the top and bottom
Physical Security
1. Workstations
Public: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
Internal: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
High Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
2. Servers
Public: Not permitted
Internal: Secured area location and limited access based on the job responsibilities
Confidential: Secured area location and limited access based on the job responsibilities
High Confidential: Secured area location and limited access based on the job responsibilities
3. Printing
Public: No restrictions
Internal: Printouts to be collected immediately
Confidential: Minimize the prints and collect immediately
High Confidential: Print only when necessary and do not leave unattended
4. Office access
Public: No restrictions
Internal: No restrictions
Confidential: Access to the sensitive area must be restricted using access control
High Confidential: Access to the sensitive area must be restricted using access control. Confidential information must be kept under lock.
5. Portable devices
Public: Devices must not be left unattended at any time
Internal: Devices must not be left unattended at any time
Confidential: Devices must not be left unattended at any time. Consider using lock and access control
High Confidential: Devices must not be left unattended at any time and must be placed under lock and access control
Access Control
Content changes by only authorized persons
Password access control
Password access control
Content changes based on the data owner and business needs
Password/Biometric/Authentication based access control
Content changes based on the data owner and business needs
Responsibilities
Data owners are responsible for appropriately classifying data.
Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.
Data users are responsible for complying with data use requirements and must report immediately any breach of the policy to the data owner.
Data users are responsible for immediately referring requests for public records to the University Relations Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include suspension or termination from UOD or legal action as determined by the legal department.
Definitions
The following terms are used in this document.
Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.
Confidential - Sensitive data that must be protected from unauthorized disclosure or public release
Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.
Data custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.
Data owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.
Data user - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.
Impact – A combination of data confidentiality, integrity and availability.
Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.
Public - Data for which there is no expectation for privacy or confidentiality.
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.1
Policy: Information Security Policy
Approval Date:
Page:
Objective: To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of University of Dammam, including all academic, administrative, and research data.
Responsible Official: Information Security Officer
Responsible Office: Operational Unit
Signature:
ITC Reference Policies :
(a) Data Classification Policy
Executive Summary
Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the University of Dammam (UOD), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.
University of Dammam is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.
Information Security Policy Objectives
The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, learning, teaching and administrative functions.
The university is committed to protecting the security of its information and information systems. The following are the objectives of information security policy:
1. to protect academic, administrative and personal information from threats.
2. to maintain the confidentiality, integrity and availability of the UOD information assets.
3. to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.
4. to protect against information security incidents that might have an adverse impact on UOD business, reputation and professional standing.
5. to establish responsibilities and accountability for information security.
Information Security Principles
Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:
• Information is an asset and like any other business asset it has a value and must be protected.
• The systems that are used to store, process and communicate this information must also be protected.
• Information should be made available to all authorized users.
• Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the ‘data classification policy’.
• Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.
• All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.
• Information will be protected against unauthorized access.
• Compliance with this policy is compulsory for UOD community.
Outcomes of the Policy
By enforcing the data classification policy, we aim to achieve the following outcomes:
1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.
2. Improved credibility with the UOD community and partner organizations.
3. Protected information at rest and in transit.
Policy Rationale
University of Dammam possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable, it could impair the University’s ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.
The information security policy has been laid down in accordance with the principles and guidelines defined and enforced by the ‘Communications & Information Technology Commission’ in the document titled “Information Security Policies and Procedures Development Framework for Government Agencies”.
Entities affected by this Policy
• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
• Students studying at the University.
• Contractors and consultants working for or on behalf of the University.
• All other individuals and groups who have been granted access to the University’s ICT systems and information.
Business Impact of no Information Security
The potential adverse business impact to the university due to lack of information security policy may include:
• Loss of critical campus information
• Higher costs due to waste of resources
• Damage to the reputation of the UOD
• Lack of corrective actions or repairs
• Violation of University and government regulatory policies and procedures
Policy Benefits
1. It will address risks associated with the unauthorized disclosure, use, modification and deletion of university data.
2. Improved and appropriate security measures for the data.
3. Protect UOD information assets.
Section B – Policy Statement:
Information is fundamental to the effective operation of the University and is an important business asset. The purpose of this Information Security Policy is to ensure that the information managed by the University is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently.
A. Applicability
• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
• Students studying at the University.
• Contractors and consultants working for or on behalf of the University.
• All other individuals and groups who have been granted access to the University’s ICT systems and information.
B. Security Roles and Responsibilities
All members of the University have direct individual and shared responsibilities for handling information or using university information resources to abide by this policy and other related policies. In order to fulfill these responsibilities, members of the University must:
• be aware of this policy and comply with it,
• understand which information they have a right of access to,
• know the information, for which they are owners,
• know the information systems and computer hardware for which they are responsible.
Information Users
Every member of the university community who has legitimate access to the university ICT resources is responsible for abiding by this policy. No individual should be able to access information to which they do not have a legitimate access right. Information users should neither violate this policy nor allow others to do so. Information users must be aware of the nature of the information to which they have been granted access and must handle information carefully according to its classification. They should protect the confidentiality of information and not give access to other illegitimate individuals knowingly or unknowingly. For the purpose of information security, access to all email servers other than University of Dammam email server will be blocked through University network resources.
Information Owners
The information owners have responsibility to maintain the confidentiality, integrity and availability of information. In particular:
• Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive and critical information assets and classify it according to the University ‘Data Classification Policy’.
• Heads of departments, departmental administrators and IT support staff are responsible for the confidentiality, integrity and availability of information maintained by members of their department, such as students’ academic records. They are also responsible for the security of all departmentally operated information systems.
• Data and systems managers in support services are responsible for the confidentiality, integrity and availability of information, such as student, personnel and financial data.
• Project managers leading projects for the development or modification of information systems, are responsible for ensuring that projects take account of the needs of information access and security and that appropriate and effective control mechanisms are instituted, so that the confidentiality, integrity and availability of information is guaranteed.
• Information owners will conduct risk assessment of their information assets and may recommend the mitigation strategies.
• Any information security incident will be reported to the chief security officer.
Definitions
The following terms are used in this document.
Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.
Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.
Data Custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.
Data Owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.
Data User - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.
ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.
Impact – A combination of data confidentiality, integrity and availability.
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.
Information System - Any tangible item such as hardware, software, communications facilities and networks, used to store, process and transmit Information Assets owned, controlled, or hosted by the University.
Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2014.1
Policy: Network Access Control
Approval Date:
Page:
Objective: The purpose of the Network Access Policy is to establish the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of UOD information.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies :
(a) Acceptable Use Policy
(b) Information Security Policy
Executive Summary
In order to comply with information security policy and data classification policy, the Deanship of ICT has implemented a network access control (NAC) policy that will challenge computers and devices that try to access network resources. The policy lays down the principles used to secure the campus wired and wireless networks through user authentication. It ascertains that only authorized students, faculty and staff gain access to our network by checking that computer systems meet established policy configuration requirements. The purpose of the NAC is to ensure that computers and devices trying to gain access to the network resources have a minimum requirement of both Operating System versions and patches and Anti-Virus software. If a computer and/or device meets the minimum requirements, it is granted access to the network. If a computer does not meet the requirements, then it will be given limited access to the Internet in order to update and/or install Operating System updates/Anti-Virus software.
Introduction
Network access control (NAC) is a method of assessing devices and computers that try to use network resources (file shares, printers, web pages, etc.) to see if they meet certain criteria, as defined by the University, such as requiring anti-virus software and the most recent operating system patches.
Network access control policies will define who is allowed access to which physical locations and logical resources. The policy enforcement will ensure that all computers that use network resources have both updated anti-virus software and updated operating system (Windows 7, etc.) patches applied. NAC allows us to grant access to computers that meet these requirements, and deny access while still allowing temporary Internet access to address the requirements that are not met.
To provide a more stable and secure network, UOD employs a Network Access Control (NAC) system assuring that devices connected to the network meet these minimum security requirements:
▪ Each desktop computer or other listed device must be authenticated using UOD ID and password and joined to domain.
▪ Must be running Microsoft Windows 7 with SP1 operating system.
▪ Must have Symantec Endpoint Protection AntiVirus software with current definitions.
▪ Firewall feature is installed and enabled.
Rationale:
Given the need to respond to security incidents on campus and the obligation to protect our valuable network resources, UOD must be able to identify every individual who connects to the campus network. For these reasons, UOD has implemented a network access control to be used by all students, employees and others to authenticate for campus network use. This will also provide a single point for collecting and reporting on user access to information for security incident investigations.
NAC Policy Objectives
The following are the objectives of the policy:
1. Prevent unauthorized physical and logical access
2. Use appropriate and robust identification and authentication techniques to control access
3. Use unique identifiers for all users
4. Ensure good password policies are implemented
5. Implement measures to prevent and trace misuse of general access machines
Outcomes of the Policy
By enforcing the NAC policy, we aim to achieve the following outcomes:
1. Access to systems by default and explicitly authorize access.
2. Network access to confidential information is secured with appropriate encryption and authentication
Entities affected by this Policy
This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.
Supported Operating Systems and Browsers for endpoints
OS Support (Genuine OS only): Supported Browser
Windows 8 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 10
Windows 7 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 9 and later; Google Chrome 11 and later; Mozilla Firefox 5 and later
Apple iOS 6.1, 6, 5.1, 5.0.1, 5.0: Safari 5, 6, 7; Firefox 5
Apple Mac OS X 10.6, 10.7, 10.8: Mozilla Firefox 3.6, 4, 5, 9, 14, 16; Safari 4, 5, 6; Google Chrome 11
Google Android 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2: Native browser; Mozilla Firefox 5
VMware ESX 4.x, ESXi 4.x, ESXi 5.x
NAC Process:
1. Once you join/register your computer or device, an agent software will run automatically to scan your computer for compliance with OS, antivirus and firewall.
2. If you FAIL the scan, you must contact the ICT help desk for an appropriate update
3. If you PASS the scan, your computer will be allowed FULL access to all network resources and the Internet
Wired Access:
NAC for employees:
• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update not older than 5 days.
• Compliant machines will get access to UoD network based on the agreed policy – Full Access based on the Port VLAN membership.
• Non-compliant Domain PC/users will be denied access to the corporate network including the Internet connection.
NAC for Students:
• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update not older than 5 days.
• Compliant machines will get access based on the agreed policy – Partial Access to SIS Servers and Internet connection.
• Non-compliant Domain PC/users will be denied access to the SIS Servers including Internet connection.
Wireless Access
NAC for Employee:
• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.
• Compliant users will be granted access to UC services using their mobile devices after profiling.
• Compliant users will get access to Internet but no internal network access.
• Non-compliant users will be denied access even to Internet.
NAC for students:
• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.
• Compliant users will get access to Internet and internal SIS servers.
• Non-compliant users will be denied access even to Internet.
NAC for Guests:
• Guest will login to Open SSID.
• Enforce redirect to web page to submit required information
• Allowed for Self-registration by submitting first name, Last Name and Mobile Number.
• Will Receive an SMS.
• Login with credentials sent by SMS.
• Mapped to AD
• Will have access to Internet only.
Definitions
The following terms are used in this document.
Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.
Authorized User - An individual who has been granted access to University ICT services.
Authenticate: To authenticate is to determine whether someone or something is, in fact, who or what it is declared to be through the use of an identifier and password or related means.
Campus Network: A campus network is an autonomous network that exists on a university campus connecting local area networks in and among buildings and aggregating traffic to a wide area network.
Network Access Control system: Network access control (NAC) is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that authenticate. Additional features include checking for current virus protection and that operating system updates are enabled.
Network Access logs: Information captured upon network access, including identifier, time of connection, network card MAC address, and time of disconnection.
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.
Deanship of Information & Communications Technology
Posted Date: Policy Number:
ICT.2013.8
Policy: OneDrive Cloud Storage Policy Approval Date: Page:
Objective: This policy provides advice and best practices for using cloud storage services to support the
processing, sharing and management of institutional data
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :
(a) Data Classification Policy
(b) Information security policy
Executive Summary
Cloud computing services are application and infrastructure resources that users access via the internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, online information storage. The stored data is generally easy for people to use and is accessible over the internet through a variety of platforms such as workstations, laptops, tablets, and smart phones. The purpose of this policy is to inform the UOD community about the security risks associated with storing documents on the cloud and to provide guidance about the types of information which should and should not be stored in the cloud.
Introduction
Deanship of Information and Communication Technology (DICT) is implementing the cloud-based storage service ‘OneDrive’, provisioned by Microsoft, that will be available to its users. OneDrive is a convenient way to store files in the “cloud” and protect against hard drive failure and lost or stolen laptops. Keeping your important files in OneDrive means that you have access to them from anywhere in the world provided you have an internet connection. OneDrive also allows for easy sharing and collaboration with friends, family and colleagues. Microsoft provides OneDrive apps for your laptop, desktop, iPads, iPhones, Android devices, Windows 8 and Windows Phone.
This service is available to all students, faculty and employees at the University. To use OneDrive you use the same login and password credentials as you do for Microsoft Outlook.
It is important to keep in mind that the University does not have the ability to back up or restore the files that you keep on OneDrive. OneDrive is a service offered to the University, for free, from Microsoft in conjunction with other tools the University deploys. Microsoft maintains a “best effort” service level for OneDrive and, while it is highly reliable, you should periodically back up your important data to an external hard disk.
Use of this data storage must be in compliance with all other University policies and procedures. It is the responsibility of the University community using such services to ensure that they are aware of, and are fully compliant with, all relevant policies, procedures and legislation.
Policy Objectives
The following are the objectives of the policy:
Inform UOD community about the security risks associated with storing documents on the cloud
Provide the guidance about the types of information which should and should not be stored in the cloud.
Entities affected by this Policy
This policy applies to all the community of University of Dammam using computing and network resources. These include:
• Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.
• All ICT equipment connected (locally or remotely) to University servers.
• ICT systems owned by and/or administered by the Deanship of ICT.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.
• All external entities that have an executed contractual agreement with the University.
Section B – Policy Statement:
1. To use OneDrive - all users must comply with Microsoft’s Terms and Privacy conditions. On
first use, you will be prompted to accept these Microsoft terms and conditions.
2. The use of OneDrive is optional. UOD does not require you to use OneDrive to complete your studies. If you do not wish to accept Microsoft’s Terms and Privacy conditions for the use of OneDrive, that is OK, but you will not be able to utilize the Microsoft OneDrive utility.
3. UOD and Microsoft will not be held responsible for any and/or all data loss or corruption. Students will have to arrange their own backup or replication of their data. Microsoft provides no commitment to guarantee continuous access to your files; therefore any loss of service may deny access to important files at critical times.
4. When information or data is stored in OneDrive which is not owned by the University, it is the responsibility of the staff member storing the information or data to ensure that important data is backed up to an external hard disk.
5. You should be aware that it is both a breach of the OneDrive contract and University terms and conditions to store any copyright material within this facility. This includes books, music or videos subject to copyright. Breach of these rules may result in your account being terminated by Microsoft without notification and result in the loss of all data within the account, which may well be irretrievable.
6. Information or data must not be stored in this storage where the University’s intellectual property, copyright, trademarks or patents may be compromised.
7. Use caution when storing documents and data in public cloud storage. Store only non-sensitive, non-critical, or non-confidential documents.
8. Do not use public cloud storage to store files containing sensitive information. Please refer to the University Data Classification policy for more complete data classifications.
9. Even for instances when you work with non-sensitive information, using public cloud storage services for institutional documents does not make a good long-term storage solution. In many cases, public cloud storage requires that files be associated with an individual’s personal account. Should that individual leave the University, the institution loses access to the data.
Definitions
The following terms are used in this document.
Cloud computing - Abstraction of virtualized web-based computers, resources, and services that support scalable IT solutions.
OneDrive (officially Microsoft OneDrive, previously Windows Live OneDrive and Windows Live Folders) is a file hosting service that allows users to upload and sync files to a cloud storage and then access them from a Web browser or their local device.
Deanship of Information & Communications Technology
Posted Date: Policy Number:
ICT.2013.7
Policy: Password Policy Approval Date: Page:
Objective: The purpose of this policy is to establish a standard for the creation of strong passwords, the
protection of those passwords, and the frequency of change.
Responsible Official:
Responsible Office: Operation Unit
Signature:
ITC Reference Policies :
(a) Acceptable Use Policy
Executive Summary
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of UOD’s entire network. The purpose of having a password policy is to ensure a more consistent measure of security for UOD’s network and the information it contains. The implementation of this policy will better safeguard the personal and confidential information of all individuals and organizations affiliated, associated, or employed by the University. Additionally, this policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of passwords.
Introduction
University of Dammam provides access authentication to online information technology resources such as email, institutional data, University websites, library and e-learning portal, academic and personal data, cloud computing resources, and other sensitive services. In particular, passwords are the user’s ‘keys’ to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and University as well as user information. This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing UOD IT resources are bound by the requirements described in this policy to create and secure their password(s).
Password Policy Objectives
The following are the objectives of the policy:
1. Defend against unauthorized access of UOD systems that could result in a compromise of personal or institutional data
2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.
3. Encourage users to understand their own rights and responsibilities for protecting their passwords.
4. Protect the privacy and integrity of data stored on the University network.
Outcomes of the Policy
By enforcing the acceptable use policy, we aim to achieve the following outcomes:
1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.
2. Responsible UOD community regarding the value and use of ICT resources.
Entities affected by this Policy
This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.
Responsibilities
Users are responsible for assisting in the protection of the network and computer systems they use. The integrity and secrecy of an individual’s password is a key element of that responsibility. Each individual has the responsibility for creating and securing an acceptable password per this policy. Failure to conform to these restrictions may lead to the suspension of rights to University systems or other action as provided by University Policy
Section B – Policy Statement:
Guidelines & Procedures
• Passwords must be changed every 90 days.
• All passwords must meet the definition of a Strong password described below
• Each successive password must be unique. Re-use of the same password will not be allowed.
• Any temporary password will expire at 23:59:59 of the date issued
• A user account will be temporarily locked after 3 consecutive failed logins
◆ Account Lockout Duration: 15 mins.
◆ Account Lockout Threshold: 3
• The “reset password” process will be applied to users who log in for the first time
Poor, weak passwords have the following characteristics:
• The password contains less than eight characters.
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
* Name of family, pets, friends, co-workers, fantasy characters, etc.
* Computer terms and names, commands, sites, companies, hardware, software.
* Birthdays and other personal information such as addresses and phone numbers.
* Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc.
* Any of the above spelled backward like fesuoy, damha, etc.
* Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong Password Construction Guidelines
• Are at least eight alphanumeric characters long
• Passwords do not contain user ID
• Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters
• Contain at least three of the five following character classes:
■ Lower case characters
■ Upper case characters
■ Numbers
■ “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)
• Contain at least eight alphanumeric characters.
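The construction rules and weak-password characteristics above can be enforced mechanically at password-change time. The following is an added example, not part of the University's policy or tooling: the function names, the small wordlist, the PBKDF2 parameters and the history format of (salt, digest) pairs are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import string

MIN_LENGTH = 8            # "at least eight alphanumeric characters long"
MIN_CLASSES = 3           # "at least three of the ... character classes"
MAX_RUN = 2               # "no more than two identical characters in a row"
PBKDF2_ROUNDS = 100_000   # assumption: work factor picked for this example

# Constructed sample wordlist; a real deployment would load a full dictionary.
SAMPLE_WORDLIST = {"secret", "password", "yousef", "qwerty", "dammam"}


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("special")
    return found


def is_dictionary_based(password, wordlist):
    """True for a listed word, the word spelled backward, or either one with
    digits attached. Stripping every leading/trailing digit is slightly
    stricter than the policy's 'preceded or followed by a digit'."""
    core = password.lower().strip(string.digits)
    return bool(core) and (core in wordlist or core[::-1] in wordlist)


def hash_password(password, salt):
    """Salted PBKDF2 digest so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_reused(password, history):
    """history: iterable of (salt, digest) pairs for earlier passwords."""
    return any(
        hmac.compare_digest(hash_password(password, salt), digest)
        for salt, digest in history
    )


def policy_violations(password, user_id, history=(), wordlist=SAMPLE_WORDLIST):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append("more than two identical characters in a row")
    if password.isdigit() or password.isalpha():
        problems.append("all numeric or all alphabetic")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than three character classes")
    if is_dictionary_based(password, wordlist):
        problems.append("dictionary word (plain, reversed, or with digits attached)")
    if is_reused(password, history):
        problems.append("re-use of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including weak examples quoted in the policy.
    for candidate in ["aaabbb", "secret1", "fesuoy", "Jdoe#2024xy", "Tr4il-Mix!9"]:
        print(candidate, "->", policy_violations(candidate, "jdoe") or "accepted")
```
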
Definitions
The following terms are used in this document.
Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.
Authorized User - An individual who has been granted access to University ICT services.
Expiration - Date at which password for access to University systems is required to be changed meeting strong password standards.
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.
Deanship of Information & Communications Technology
Posted Date: Policy Number:
ICT.2013.6
Policy: ICT User Authentication Policy Approval Date: Page:
Objective: The authentication and access control measures ensure appropriate access
to information and information processing facilities - including servers, desktop and
laptop clients, mobile devices, applications, operating systems and network services –
and prevent inappropriate access to such resources.
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :
(a) Information security policy
(b) Acceptable use policy
User Authentication Policy
Principle
All users should be authenticated, either by using User IDs and passwords or by stronger authentication such as smartcards or biometric devices (e.g. fingerprint recognition) before they can gain access to any information or systems within the installation.
Objective
To prevent unauthorized users from gaining access to any information or systems within the computer installation.
General
All users should be authenticated, either by using UserIDs and passwords or by stronger authentication such as smartcards or biometric devices before they can gain access to any information or systems within the organization.
1. All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 4 months.
3. User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.
4. Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
5. All user-level and system-level passwords must conform to the guidelines described below.
User IDs and Password Attributes
User authentication should be enforced by automated means that:
1. Ensure UserIDs are unique
2. Ensure passwords are not displayed on screen or on print-outs
3. Issue temporary passwords to users that must be changed on first use
4. Force new passwords to be verified before the change is accepted
5. Ensure users set their own passwords
6. Ensure passwords are changed regularly and more frequently for users with special access privileges
Account Lockout Policies
Account Lockout Duration: 15 mins.
Account Lockout Threshold: 3
Reset Account Lockout Counter: 30 mins.
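The three lockout values interact: the threshold counts consecutive failures, the reset counter discards stale failures, and the duration sets when a locked account opens again. The following is an added example, not the University's implementation; the class and function names are hypothetical, timestamps are seconds supplied by the caller, and measuring the 30-minute reset from the most recent failure is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

LOCKOUT_THRESHOLD = 3            # Account Lockout Threshold: 3
LOCKOUT_DURATION = 15 * 60       # Account Lockout Duration: 15 mins (seconds)
RESET_COUNTER_AFTER = 30 * 60    # Reset Account Lockout Counter: 30 mins (seconds)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: float = 0.0


class LockoutTracker:
    """Per-account failed-login counter using the policy's three values."""

    def __init__(self):
        self.accounts = {}

    def is_locked(self, user, now):
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def record_attempt(self, user, success, now):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        state = self.accounts.setdefault(user, AccountState())

        # While locked, every attempt is refused, even with the right password.
        if now < state.locked_until:
            return "locked"

        # An earlier lockout has expired: start counting from zero again.
        if state.locked_until:
            state.failures = 0
            state.locked_until = 0.0

        # Assumption: the reset window runs from the most recent failure.
        if (state.last_failure is not None
                and now - state.last_failure >= RESET_COUNTER_AFTER):
            state.failures = 0

        if success:
            state.failures = 0       # the policy counts *consecutive* failures
            return "ok"

        state.failures += 1
        state.last_failure = now
        if state.failures >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"


def replay(tracker, events):
    """Feed (timestamp, user, success) tuples through the tracker in order."""
    return [tracker.record_attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    # Constructed events: three quick failures, then attempts during and
    # after the 15-minute lockout.
    sample = [(0, "alice", False), (60, "alice", False), (120, "alice", False),
              (300, "alice", True), (1020, "alice", True)]
    for event, outcome in zip(sample, replay(LockoutTracker(), sample)):
        print(event, "->", outcome)
```
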
Password Changing Procedures
There should be a process for issuing new or changed passwords that:
a) Ensures that passwords are not sent in the form of clear text e-mail messages
b) Directly involves the person to whom the password uniquely applies
c) Verifies the identity of the end user, such as via a special code or through independent confirmation
d) Includes notification to users that passwords will expire soon.
Acceptable Password Characteristics
Acceptable user passwords should, as a minimum:
1. Be a minimum of 8 characters in length,
2. Differ from their associated UserIDs,
3. Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters
4. Restrict the re-use of passwords: 5 previous passwords (e.g. so that they cannot be used again within a set period or set number of changes).
Password Protection Awareness
Where authentication is achieved by a combination of UserIDs and passwords, users should be advised to keep passwords confidential (i.e. to avoid writing them down or disclosing them to others) and to change passwords that may have been compromised.
If an account or password compromise is suspected, report the incident to ICT Help Desk number 322322.
Users should be made aware of choosing a strong password. Strong passwords have the following characteristics:
o Contain at least three of the five following character classes:
▪ Lower case characters
▪ Upper case characters
▪ Numbers
▪ Punctuation
▪ “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)
o Contain at least fifteen alphanumeric characters.
Weak passwords have the following characteristics:
o The password contains less than fifteen characters
o The password is a word found in a dictionary (English or foreign)
o The password is a common usage word such as:
▪ Names of family, pets, friends, co-workers, fantasy characters, etc.
▪ Computer terms and names, commands, sites, companies, hardware, software.
▪ Birthdays and other personal information such as addresses and phone numbers.
▪ Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
▪ Any of the above spelled backwards.
▪ Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Single Sign-on
Single sign-on (SSO) or reduced sign on should be applied within the organization upon completing a formal risk assessment and in compliance with the approved Identity and Access Management Architecture.
Two Factor Authentication
Two-factor authentication (e.g. smartcards or biometric devices, such as fingerprint recognition) should be applied to users with access to critical business applications or sensitive information and to users with special access privileges or access capabilities from external locations.
Deanship of Information & Communications Technology
Posted Date: Policy Number:
ICT.2014.2
Policy: Web Hosting Policy with
Third-Party Service Providers
Approval Date: Page:
Objective: This policy provides guidelines for website hosting with third-party service
providers for the affiliated colleges and units.
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :
(a) Data Classification Policy
Executive Summary
The Deanship of Information and Communications Technology (DICT) seeks to provide up-to-date, accurate, and meaningful information on university-related websites. Likewise, the university’s integrity and reputation rely on consistent and strong content on the www.uod.edu.sa domain and on any websites that relate to, refer to, or could be perceived as representing the university. It is therefore important that all such websites conform to minimum university standards and comply with the guidelines provided in this policy.
In general, all university Internet services and all information about the university available from accessing the Internet, including any of its colleges, departments, deanships, affiliated institutes, centers, management units, faculty, staff and students, must use only the www.uod.edu.sa domain. In certain exceptional cases, affiliated colleges of the university may find it necessary to hire third-party service providers for website hosting or other applications. This policy addresses these exceptional cases.
Introduction
Creation, publication and maintenance of web pages and other web materials at the University of Dammam is a prime way of providing critical information and services to members of the University community, prospective students, and the general public, playing a vital role in helping the University fulfill its mission. This policy statement is intended to protect the interests of the University and all of its students, faculty and staff. It is designed to provide guidance to those individual affiliated units of the University that wish to host websites with third party service providers. It outlines minimum security requirements to be observed when content owners wish to host their web material with external service providers.
Scope
This policy governs any electronic documents made available via standard web protocols which represent an official unit or activity of the University, bearing marks, logos, domain or symbols that might imply endorsement by the University, hosted by third party service providers.
Non-Compliance
The Ministry of Information and Communication Technology and the Ministry of Interior, Kingdom of Saudi Arabia, monitor and report any security breaches to the University. Any non-compliance with these recommended guidelines may result in legal action or otherwise by the relevant authorities.
Section B – Policy Statement:
The web content owner and content publisher intending to host web pages with third party service should consider the following security issues relevant for third party hosts and the level of service required from them.
1. Physical Security:
The service provider must comply with physical security requirements such as:
• Facility Security Procedures that ensure facilities containing these confidential systems are safeguarded from unauthorized physical access.
• Access control must be logged and audited at least every six months, and must include 1 or more of the following: multi-factor authentication (e.g. token and pin number), key-card access, biometric access controls.
• Caged or shared racks for physical security, depending on the requirements.
2. Perimeter Security:
• IP Reputation Filtering against malicious IP addresses.
• Monitor & mitigate DoS/DDoS attacks directed toward customers and their infrastructure.
3. Network Security:
The service provider must have hardware and software in place to ensure:
• Intrusion detection/prevention systems to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a compromised network or system and prevent intrusion signatures.
• Established Isolated Security Zones for reducing security risks.
• Vulnerability Monitoring tools for protection against spyware, spam, viruses etc.
• Vulnerability Auditing to determine which network assets are at the most risk of being successfully attacked and its impact.
4. Server Security:
• Hardened operating systems for a more secure server operating environment.
• Managed OS patches and updates to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.
5. Hardened VMware hypervisor
The service provider must adhere to the following best practices:
• Password security policies
• Malware protection
• Resource availability monitoring
• Network event logging
6. Application Security:
The service provider must employ the following:
• Web application firewall
• Intelligent WAF policies for common attacks
• Application specific and custom WAF policies if needed
• HTTP DoS application attack mitigation
• Application performance monitoring
• SSL certificates highly recommended for important services
7. Administrative Security:
• Secure portal for user management
• Log Management
• Two-Factor authentication
Content Owner Responsibilities
For the Application or website, we recommend the following:
• Source Code review to be carried out.
• Vulnerability testing at least once a month to be done.
• Penetration Testing services once every three months to be considered.
• SSL Certificate for Authentication services to be ensured.
• Two factor authentications to be employed.
• Reliable/reputed Hosting Company to be sought.
A Recommended checklist when hosting with third party service providers
• Read the terms and conditions of use of the service - what sort of intellectual property rights do the terms of use of the service grant to the service provider? What rights are you signing away?
• What measures does the service provider take to keep information confidential?
• Is it possible to take down and delete information easily, quickly and permanently from the site? Are you locked in to the service?
• Security - What are the service provider’s arrangements for protecting your data from unauthorized access, unauthorized amendment or deletion? Do they adhere to the guidelines provided in this policy?
• Will unauthorized exposures of university data result in the service provider notifying within a mutually agreed time of discovery?
• Performance - Does the service provider make any performance guarantees? Are they adequate for your needs?
• Does the external service provider have arrangements in place to ensure the long-term survival of the data?
• What cookies or monitoring of usage does the service provider use?
• Have both disaster recovery and business continuity plans been developed and are there plans to regularly test and review them?
• Does the service provider comply with data retention and protection regulations and policies?
Definitions
The following terms are used in this document.
Domain: A unique name that identifies an Internet site.
ISP: Internet Services Provider; a company that provides access to the Internet, Information Services & Technology.
Web Host: A company that maintains a client’s website and provides a computing environment for the website that is accessible through the Internet.
PURPOSE OF THE SLA
The purpose of this service level agreement (SLA) is to establish a cooperative partnership between the Deanship of Information & Communications Technology (DICT) and its users. It aims to ensure that services support the core business of University of Dammam. This SLA aims to:
• identify clear and consistent expectations
• outline agreed roles and responsibilities
• deliver services that are measured, monitored, reported and reviewed for continuous improvement
• provide mechanisms for resolving problems
• provide a platform to enable changes in response to new technologies, user requirements and other opportunities
PARTIES TO THE SLA
This SLA has been outlined between the Deanship of ICT as service provider, and the University community, referred to hereafter as ‘users’.
DURATION
This SLA has been enforced with immediate effect and remains effective for a period of one year, after which it may be reviewed. Services are provided on an ongoing basis. As required, this SLA may be modified and any changes will be published for user interest and information.
SERVICES INCLUDED
The following services are included in this SLA, defined as core ICT services. These ICT services meet all or most of the following criteria.
• They support the core business of teaching, learning, research and administration.
• They are widely used across UOD without requiring specialized content knowledge.
• They need to be reliable and available.
• For the most part, they are provided to the user free of charge.
• Accountability for their provision rests with DICT.
FUNDAMENTAL EXTERNAL CONSTRAINTS
The Deanship of ICT may be prevented from providing any service mentioned in this SLA due to constraints over which it may have little or no control. These include:
• power and air conditioning outages
• physical damage, including but not limited to fires, floods, and contractors
• products or services received from vendors to DICT
• unpredictable and significant changes in activity levels (e.g. ICT Helpdesk calls, number of email messages sent, number of users for a system, etc.)
FUNDAMENTAL USER RESPONSIBILITIES
The end users are expected to observe the following:
– report incidents or log service requests by logging calls with the ICT Helpdesk
– abide by the applicable policies listed for each service
– have the prerequisite hardware or software
– make reasonable attempts to co-operate with ICT to resolve incidents, including providing information, performing troubleshooting steps, and ensuring ICT’s access to physical space
– acquire training in the use of their system (as necessary to do their jobs) by attending training classes, keeping available and reading instructions, manuals, etc.
– perform routine backups of important data and files
– be able to understand and perform basic computer tasks such as copying files, installing some software, etc.
– use their systems responsibly and ethically as University assets to do their jobs.
eFax
Service
eFax service provides a web management interface for users to manage or maintain their contacts and incoming or outgoing fax documents.
Description
The eFax service provides outgoing fax and incoming fax. Outgoing fax service is best suited for users who occasionally need to fax out computer files. For incoming fax service, a fax document sent to a particular fax number will appear as a message in a designated email account.
Applicable to (subject to approval)
– Management
– Faculty
– Staff
Exclusions
– students
– visitors
Service level targets
Availability
eFax service is available 98% of the time, 24 hours a day, 7 days a week, excluding planned/unplanned official maintenance windows.
Service level target
Service request (working days) | Response Time | Resolution Time (business days)
Installing software to send faxes from a computer | 1-2 hours | 1-2
Setting up a personal fax number | 1-2 hours | 1-2
Fixing a fault | 1-2 hours | 1-2
Constraints
– Fundamental external constraints
– Existing fax number cannot be changed
– Supported document format is pdf only
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
User responsibilities
Prerequisites
– Fundamental user responsibilities
– An email address
– Software client installed on a Windows computer
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.
WebEx
Service Service level targets User responsibilities
UOD's free web conferencing service, WebEx, provides on-demand, real-time, collaborative web meetings and conferencing. WebEx can be used to host online meetings and interactive sessions with individuals inside and outside of UOD.
Description
Faculty can use WebEx to record/capture class lectures and facilitate student discussions for distance education. Students use WebEx to watch and attend class lectures, communicate with the instructor and collaborate with other students in the class. Staff can use WebEx to share documents, hold online meetings, and collaborate on team projects.
Applicable to
– Management
– Faculty
– Staff (attendees only)
– students
Exclusions
– visitors
Availability
WebEx service is available 98% of the time 24 hours a day, 7 days a
week excluding planned/unplanned official maintenance windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request to enable WebEx facility | 2-24 | 1-2
Fixing a fault | 1-2 | 2-3
Constraints
– Fundamental external constraints
– Account changes are not allowed
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– An email address
– WebEx enablement
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by
email or via the ICT web site.
Cisco IP Telephone
UOD offers voice over IP as an enterprise communication solution.
Description
Internet Protocol (IP) or Voice over IP (VoIP) telephony is a technology that enables telephone messages to be transmitted and received via the internet rather than the traditional analogue telephone system.
Applicable to
– Management
– Faculty
– Staff
Exclusions
– students
– visitors
Availability
IP Telephony service is available 98% of the time 24 hours a day, 7 days
a week excluding planned/unplanned official maintenance windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
IP Telephone request process | 1-2 | 3
Setting up an IP telephone | 1-2 | 3
Move, Add and Change | 1-2 | 5
Fixing a fault | 1-2 | 3
New wiring | 1-2 | 15
IP telephone features | 1-2 | 1-2
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– Cisco CallManager Administration
– Windows 2000 Terminal Services
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111),
by email or via the ICT web site.
New SoftPhone
A softphone is a software program for making telephone calls over the internet or University Data Network using a computer or laptop, rather than a deskphone or landline.
Description
The Deanship has implemented Cisco Unified Personal Communicator (CUPC) to enhance the voice communication experience by enabling Presence functionality. It provides real-time status for coworkers, integrating with calendars for meeting notifications and allowing real-time chat, voice or video communication.
Applicable to
– Management
– Faculty
– Staff
Exclusions
– students
– visitors
Availability
The SoftPhone service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Delivery of hardware | 1-2 | 1-2
Client Installation | 1-2 | 1-2
Fixing a fault | 1-2 | 1-2
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– Laptop or desktop
– UOD valid email address
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111),
by email or via the ICT web site.
Request Database Services
The Deanship provides a wide range of database consulting and hosting options for your application. The hosting services feature high availability and disaster recovery options in a secure environment. The service includes the following:
– Database Schema creation
– Database users
– Database consultation
– Database backup
– Database user permissions
Description
The Deanship offers two environments: application and testing. Database hosting is tailored to the requester's requirements and gives you control as well.
Applicable to
– Management
– Faculty
Exclusions
– Staff
– students
– visitors
Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– Database type
– UOD valid email address
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by
email or via the ICT web site.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Database Schema creation | 4-6 | 1
Database users | 4-6 | 1
Database consultation | 4-6 | 1
Database backup | 4-6 | 1
Database user permissions | 4-6 | 1
Constraints
– Fundamental external constraints
– Oracle Database hosting only
Request Hosting Training Material in ICT servers (video, pdf, etc.)
Eligible users can request hosting of relevant material in audio, video or text form, to be published for employee development.
Description
The Deanship of ICT offers to host training material for employee development for interested UOD colleges/departments/centers.
Applicable to
– Management
– Faculty
Exclusions
– Staff
– students
– visitors
Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– UOD valid email address
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email
or via the ICT web site.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request for service | 1-2 | 1
Constraints
– Fundamental external constraints
– ICT will host the material after careful review and relevant authority permission.
Request Reset Password
Password Reset enables all users to reset their forgotten University password, without calling the Service Desk.
Description
Users are now able to reset their password or change
their password 24/7 hassle-free from any computer.
Applicable to
– Management
– Faculty
– Staff
– Students
– Guests
Exclusions
– None
Availability
Password self-service is available 98% of the time 24
hours a day, 7 days a week.
Constraints
– Fundamental external constraints
To access the service
In order to avail this service, users must log on to eservices.ud.edu.sa/, provide the appropriate information and follow the instructions for setting the password.
Prerequisites
– Fundamental user responsibilities
– email account
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT
web site.
Requesting/decommissioning VMWare virtual server
Users can request a Windows or Linux virtual server. Requested virtual servers are subject to normal approvals and some special provisioning tasks. A decommissioning workflow enables a user to make a request for the deletion of a virtual server.
Description
UOD departments or eligible users can choose to locate
virtual servers in the ICT Data Center.
Services provided include 24 hour system monitoring,
controlled power and temperature environment, a secure
facility, backup, restore and offsite storage services, and
problem management.
Applicable to
– Management
– Faculty
Exclusions
– Students
– Staff
– Visitors
Availability
Password self-service is available 98% of the time 24 hours a day, 7
days a week excluding official monthly maintenance windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Standard request | 1-2 | 1
Standard provisioning | 1-2 | 3
Service Outage/unusable | 1-2 | 2
Service Degraded/unreliable | 1-2 | 2
Minor/inconvenient | 1-2 | 7
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Fundamental user responsibilities
– email account
– Virtual server OS, memory, storage, CPUs and speed
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email
or via the ICT web site.
E-mail services
Description
This service provides personal e-mail services through Office365. The service includes the following features:
– an email address within the @ud.edu.sa domain that complies with the email naming standard
– a mailbox with 25GB storage space for users
– You can move messages, flag them for follow-up and categorize them.
– organize your messages easily by sorting them into a hierarchy of folders.
– Built-in anti-spam message filtering. Integrated anti-spam tools for smoother control of email filtering and identification.
– Convenient web and desktop access to your email and integrated calendar.
– Access from portable devices, including iOS and Android-based phones and tablets.
– personal, shared and system address books
– ability to archive messages
– ability to set up filtering rules and vacation replies
Applicable to
– Management
– Faculty
– Staff
– Students
– Officially Approved Contractors & staff
– Guests
Exclusions
– Temporary visitors
– Only a limited set of features is available when connecting via smartphones/mobile devices
Availability
Password self-service is available 98% of the time 24 hours
a day, 7 days a week excluding official monthly maintenance
windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Creating an email account | 1-2 | 1-2
Allocating additional mailbox space (subject to feasibility/approval) | 1-2 | 1-2
Creating a mailing list | 1-2 | 1-2
Changing personal details | 1-2 | 1-2
Constraints
– Fundamental external constraints
Note: No service level targets can be set for speed of access from off campus, as this is constrained by ICT bandwidth availability and service from the user’s ISP. Similarly, speed of email delivery and receipt cannot be guaranteed when it depends on mail servers external to ICT. Many external mail servers restrict the delivery of large messages during office hours.
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To access the service
The users can access this service through UOD
website or UOD smartphone apps
Prerequisites
– Fundamental user responsibilities
– Users must manage their mailboxes to ensure that they do not exceed space limitations and risk being prevented from sending mail.
– Users are responsible for backing up any email data (e.g. archived mail) stored on their local computer.
– Users should follow the service request procedure on the ICT Service Desk if they face any difficulty.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111),
by email or via the ICT web site.
Applicable policies
– Acceptable use policy
– Naming standard
– Service desk procedures
Software Services
Description
Software services range from installation of printers to lab-specific software installation. The Deanship commits to providing these services on a priority basis.
Applicable to
– Management
– Faculty
– Staff
– Students (Specific cases only)
– Guests (Upon approval)
Exclusions
– visitors
Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a
week excluding official monthly maintenance windows.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request installing printer drivers or connect printer to the network | 1-2 | 1-2 *
Request Installing Software on Labs PCs | 1-2 | 1-2 *
Request Join PC to the Domain | 1-2 | 1 *
Request Share folder in servers | 1-2 | 1-2 *
Request remote assistance | 1-2 | 1-2 *
Request installing or activate application license | 1-2 | 1-2 *
Request Format Damage PC | 1-2 | 1-2 *
Constraints
– Fundamental external constraints
– UOD account
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email
or via the ICT web site.
Applicable policies
– Acceptable use policy
*Subject to the availability of software, licenses and/or ICT resources
Request developing applications
Request Software Consultations
Description
The Deanship provides advisory and consultative services relating to software. Additionally, it may undertake application development through its resources under certain circumstances.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
Subject to the availability of the ICT resources and task to be handled
Service level target (working days)
Service request | Response Time | Resolution Time (business days)
Request developing applications | Variable | Variable
Request Software Consultations | Variable | Variable
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
– Detailed Requirements
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via
the ICT web site.
Request remote access
Description
A secure service that enables you to remotely connect to UOD’s network using your own Internet Service Provider (ISP).
Applicable to
– Management
– Faculty, staff (subject to approval)
Exclusions
– students
– visitors
Availability
Password self-service is available 98% of the time 24 hours a day,
7 days a week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Remote Access Request | 1-2 | 1-2
Constraints
– Fundamental external constraints
– Downtime attributable to UOD bandwidth provider
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via
the ICT web site.
Applicable policies
– Acceptable use policy
– Information security policy
Hardware Services
Description
The Deanship provides various hardware services for the official desktops/laptops.
Applicable to
– Management
– Faculty
– Staff
Exclusions
– students
– visitors
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request install New PCs | 1-2 | 3-5 *
Request installing or replace PCs peripherals (printer, scanner etc) | 1-2 | 2-4 *
Request maintenance for PCs peripherals (printer, scanner etc) | 1-2 | 2-4 *
* Subject to the availability of peripheral devices, ICT resources, and complexity
Constraints
– Fundamental external constraints
– Availability of hardware/related software
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.
Portal Services
Description
This service provides access permission to the portal and updates to web page contents.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
Portal service is available 98% of the time 24 hours a day, 7 days
a week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request Access Permissions to UD's Portal | 1-2 | 1
Request updates of web page contents | 1-2 | 2
Constraints
– Fundamental external constraints
– Copyright material
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.
Applicable policies
– Acceptable use policy
Video Conferencing Services
Description
The Deanship of ICT provides several video conferencing services that you can use to meet and collaborate with colleagues across campus or around the world.
Applicable to
– Management
– Faculty
– Staff (subject to approval)
Exclusions
– students
– visitors
Availability
Video conferencing service is available 98% of the time 24 hours a day, 7 days a
week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request installing New Video Conference Device | 2 | 3-4
Request installing Maintenance & Modification Video Conference Device | 2 | 3-4
Request Multiple Video Service Calls (MCU Servers) | 2 | 1-2
Request Recording Video Conference Meeting (Content Server) | 2 | 1-2
Request Scheduling Video Conference Meeting (Internal & External Call) | 2 | 1-2
Request Video (Call, Meeting, Presentation) Real Time Support | 2 | 1-2
Constraints
– Fundamental external constraints
– Availability of fundamental equipment
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
Prerequisites
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111),
by email or via the ICT web site.
Applicable policies
– Acceptable use policy
Digital Signage Service
Description
Digital Signage service is a centrally managed/locally controlled electronic sign and interactive display platform to distribute information in an engaging, interactive manner using large format displays across campus.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request installing digital signage on monitors (internal advertising system) | 2 | 3-4
Request maintenance installing digital signage on monitors (internal advertising system) | 2 | 1-2
Constraints
– Fundamental external constraints
– Copyright material
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.
Wireless LAN Service
Description
Wireless technology provides secured network access to mobile devices within buildings with consistent capabilities.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
The UOD network from the central data center to the required building is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by
email or via the ICT web site.
Applicable policies
– Acceptable use policy
– Network Access Control Policy
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request installing Wireless LAN | 2 | 10-15
Request Maintaining of existing wireless LAN | 2 | 1-2
Cable Nodes and Network Ports Checkup Service
Description
The service installs, activates and troubleshoots an Ethernet port to allow a department to connect a device to the campus network.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request New Cabling Nodes | 2 | 1-2
Request Fix Existing Cable Node | 2 | 1-2
Request Network Ports Checkup | 2 | 1-2
Request Network Checkup for a building (Connection, Traffic to & from the building) | 2 | 2-3
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by
email or via the ICT web site.
Applicable policies
– Acceptable use policy
– Network Access Control Policy
Data Center Services
Description
The service provides internet and
server connectivity.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or
via the ICT web site.
Applicable policies
– Acceptable use policy
– Network Access Control Policy
The primary purpose of this policy is to inform, educate and set expectations for the members of the university community of their individual and corporate responsibilities towards the use of information, products and services obtained from the internet. Internet filtering is provided to all students, faculty and staff to protect them from the unintentional or deliberate accessing of internet content that is offensive and inappropriate.
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request Data Center service (Internet & Servers Connectivity) | 2 | 1-2
Security Services
Description
The primary purpose of this service is to provide the ability to block, unblock or filter network traffic and to publish on a 3rd party domain.
Applicable to
– Management
Exclusions
– Faculty
– Staff
– students
– visitors
Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance
Service level target (working days)
Service request | Response Time (hours) | Resolution Time (business days)
Request block or unblock or filter network traffic (website, protocol, port) | 1-2 | 3-5
Request Publishing Services Outside UD | 1-2 | 3-5
Request remote access through VPN (Add/Modify/Delete/Troubleshoot) | 1-2 | 3-5
Constraints
– Fundamental external constraints
To Request this service
Fill out the ‘Service Request Form’ to avail this service.
To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by
email or via the ICT web site.
Applicable policies
– Acceptable use policy
– Information security policy
– Network Access Control Policy