October 2020
Acceptable Use Policy
Version: 2.0
Policy Code: DICT-QAP-001
Acceptable Use Policy (سياسة الاستخدام المقبول)
Page 2 of 12
Table of Contents
Property Information (p. 3)
Document Control (p. 4)
  Information (p. 4)
  Revision History (p. 4)
  Distribution List (p. 4)
  Approval (p. 4)
Policy Overview (p. 5)
  Purpose (p. 5)
  Scope (p. 5)
  Terms and Definitions (p. 5)
  Change, Review and Update (p. 6)
  Enforcement / Compliance (p. 6)
  Waiver (p. 7)
  Roles and Responsibilities (RACI Matrix) (p. 7)
  Relevant Documents (p. 8)
  Ownership (p. 8)
Policy Statements (p. 9)
  Confidentiality of Information (p. 9)
  Computer Usage (p. 10)
  E-mail Usage (p. 10)
  Internet Usage (p. 11)
  Password Usage (p. 11)
  Network and Systems Usage (p. 12)
Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is intended only for its valid recipients. This document is not to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.
Document Control
Information
Title: Acceptable Use Policy
Classification: Public
Version: 2.0
Status: Validated
Revision History
Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah - Devoteam | November 18, 2014 | Creation
0.2 | Nabeel Albahbooh - Devoteam | November 30, 2014 | Update
0.3 | Osama Al Omari - Devoteam | December 23, 2014 | QA
1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update
1.1 | Muneeb Ahmad - ICT, IAU | 21 April 2017 | Update
1.2 | Lamia Abdullah Aljafari | 6 June 2020 | Update
2.0 | Dr. Bashar Aldeeb | 31 August 2020 | Update
Distribution List
Recipients:
1. Legal Affairs
2. Website
3. Quality Assurance Department - DICT
4. Information Security Department - DICT
Approval
Name | Title | Date | Signature
Dr. Khalid Adnan Alissa | Dean of DICT | 8th October 2020 |
Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.
Purpose
The main purpose of the Acceptable Use Policy is to define a set of rules that govern the ways in which computer, network, e-mail and Internet services may be used by users, and to minimize potential risks such as virus attacks, compromise of network systems and services, and consequent legal issues.
Scope
The policy statements written in this document are applicable to all IAU's resources at all levels of sensitivity, including:
- All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
- Students studying at IAU.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU's ICT systems and information.
This policy covers all information assets defined in the Risk Assessment Scope Document and will be
used as a foundation for information security management.
Terms and Definitions
Table 1 provides definitions of the common terms used in this document.
Accountability: A security principle indicating that individuals shall be able to be identified and held responsible for their actions.
Asset: Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.
Availability: The state of an asset or a service of being accessible and usable upon demand by an authorized entity.
Confidentiality: An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.
Control: A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.
Guideline: A description that clarifies what shall be done and how, to achieve the objectives set out in policies.
Information Security: The preservation of confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Integrity: Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.
Malware (Malicious software): Software designed to disrupt computer operation, gather sensitive information, or gain access to private computer systems (e.g., a virus or Trojan horse).
Policy: A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.
Risk: A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
System: Equipment, or an interconnected system or subsystems of equipment, that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware.
Table 1: Terms and Definitions
Change, Review and Update
This policy shall be reviewed once every year unless the owner considers an earlier review necessary
to ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by management. A change log shall be kept current and be
updated as soon as any change has been made.
Enforcement / Compliance
Compliance with this policy is mandatory and it is to be reviewed periodically by the Information
Security Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure
continuous compliance monitoring within their area.
Ignoring or infringing the information security directives could harm IAU's environment (e.g., loss of trust and reputation, operational disruptions or legal violations); the persons at fault will be held responsible, which may result in disciplinary or corrective actions (e.g., dismissal), and they could face legal investigations.
Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., in disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and deal with their handling.
Waiver
Information Security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include the justification and benefits attributed to the waiver.
A policy waiver has a maximum period of 4 months and, if necessary, shall be reassessed and re-approved for at most three consecutive terms. No policy waiver shall be granted for more than three consecutive terms.
Roles and Responsibilities (RACI Matrix)
Table 2 shows the RACI matrix [1] that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.
The roles involved in this policy are: ICT Dean, ICT Deanship, Information Security Officer (ISO) and User (Employee and Contractor).
Responsibility | ICT Dean | ICT Deanship | ISO | User
Adhering to information security policies and procedures pertaining to the protection of information. | I | C | C | R,A
Reporting actual or suspected security incidents to ICT Deanship. | I | C | C | R,A
Using the information only for the purpose intended by IAU. | | C | C | R,A
Accepting accountability for all activities associated with the user access privileges. | | C | C | R,A
Distributing information security documents so that those who need such documents have copies or can readily locate the documents via an intranet site. | I | C | R,A | I
Table 2: Assigned Roles and Responsibilities based on RACI Matrix
[1] The responsibility assignment (RACI) matrix describes the participation of various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up to date on task progress.
Relevant Documents
The following are all relevant policies and procedures to this policy:
- Information Security Policy
- Human Resource Security Policy
- Asset Management Policy
- Access Control Policy
- Information Security Incident Management Policy
- Compliance Policy
Ownership
This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin
Faisal.
Policy Statements
The following subsections present the policy statements in 6 main aspects:
- Confidentiality of Information
- Computer Usage
- E-mail Usage
- Internet Usage
- Password Usage
- Network and Systems Usage
Confidentiality of Information
1. Users shall strictly adhere to IAU’s information security policies and shall notify ICT Deanship
about any security breach, incidents or violations.
2. Users shall fully adhere at all times to IAU’s Non-Disclosure Agreement (NDA) in handling and
protecting confidential information relating to IAU owned information when this information
is transmitted or retained electronically.
3. Users shall not disclose or provide information related to IAU owned information to any
person (inside or outside) and/or third party without any proper management approval and
authorization.
4. Users shall exercise all necessary due care in protecting IAU’s assets. Each user shall have the
responsibility to:
a. Prevent unauthorized access, including viewing of information resources under his
responsibility or control (such as information available on laptops, desktop
computers, access terminals, printouts or tape media etc.).
b. Print confidential IAU information only on printers provided with access controls.
Confidential information shall not be printed unattended.
c. Notify ICT Deanship of any virus-like behaviour or suspicious activities on their
systems.
5. Users shall display their identification badges (ID cards) at all the times on IAU’s premises.
6. Users shall actively contribute and participate to the information security initiatives and
activities arranged (e.g., security training and awareness) by IAU.
7. Users shall lock and/or secure any sensitive information (whether in electronic or hardcopy
formats) before leaving their respective machines/offices (i.e., servers, workstations and
laptops).
8. Users shall not leave any sensitive facsimile or printed documents.
Computer Usage
1. Users shall acknowledge that all computer data created, received or transmitted using IAU’s
systems is IAU’s property. IAU shall reserve the right to examine all data for any reason and
without notice, such as when violations of this policy or other IAU’s policies or procedures are
suspected.
2. Users shall use their computers for IAU’s business purposes only and shall not use them to
perform any malicious or illegal activities.
3. Users shall save and maintain their business-related files on the file server.
4. Computers shall not be removed from the installed location without a prior approval from ICT
Deanship and Department Manager.
5. Users shall not install any unauthorized software on IAU’s computers.
6. Users shall use appropriate and approved protection measures such as encryption, password
protection, antivirus and backup while utilizing mobile computing devices (e.g., laptops,
mobile phones, USB drives and external storage disks) for storage, transmission and
processing of information residing with them.
7. Users shall log off or lock their computers before leaving their workplace.
8. Users shall never deactivate the screen saver installed on their computers.
E-mail Usage
1. Users shall use e-mail services only for IAU’s business.
2. Users shall be responsible and accountable for appropriate use and dissemination of the
information through IAU’s e-mail services.
3. Users shall not access other users' e-mail accounts and/or services without proper
authorization from ICT Deanship.
4. Users shall not use internal and external e-mail services to send IAU’s confidential business
related information without a prior approval and permission from their management.
5. Users shall not use e-mail services for unlawful activities, including sending or receiving
copyrighted materials in violation of copyright laws or license agreements.
6. Users shall not send chain letters, spam or unnecessary multiple forwarding such as mass
holiday greetings.
7. Users shall not circulate and/or send the virus alerts received by email to anyone other than
ICT Deanship.
8. Users shall not subscribe to any mailing group whether it is local or international for any
reason other than business purposes.
Internet Usage
1. Users shall only use Internet access for IAU’s business activities.
2. Users shall not use the Internet service for unlawful activities, including the sending or
receiving of copyrighted materials in violation of the applicable copyright laws or license
agreements.
3. Users shall be responsible and accountable for appropriate use and dissemination of the
information through IAU’s Internet services.
4. Users shall not use IAU’s systems for distribution of any malicious, destructive, and/or
fraudulent codes or information, or the insertion or enabling of computer virus or virus codes
or conducting any hacking activities within or outside IAU’s environment.
5. Users shall not use instant messaging services and social networks to chat with local or
international online subscribers for personal purpose.
6. Users shall not publish any IAU’s information on the Internet without a prior approval and
permission from Management and ICT Deanship.
Password Usage
1. Users shall not share or disclose their user ID and password to anyone.
2. Users shall be responsible for the selection and maintenance of secure passwords according
to IAU’s Password Policy.
3. Users shall not enable auto logon options on the systems by saving the passwords.
Network and Systems Usage
1. Users shall not introduce malicious programs (e.g., viruses, worms, Trojan horses, e-mail
bombs, etc.) into IAU's systems.
2. Users shall not introduce freeware and shareware software in the organization’s network,
whether downloaded from the Internet or obtained through any other media, without ICT
Deanship authorization.
3. Users shall not use IAU’s systems to store, process, download or transmit data that can be
interpreted as biased (e.g., politically, religiously, racially, ethnically, etc.).
4. Users shall not turn off IAU approved virus detection software package, or use any other
antivirus software package without ICT Deanship written approval.
5. Users shall not perform port scanning or security scanning of IAU’s network or systems unless
it is authorized by ICT Deanship and prior notification is made to relevant employees.
6. Users shall not execute any form of network monitoring that intercepts data not intended for
the employee's host, unless this activity is a part of the employee’s authorized job/duty.
7. Users shall not circumvent user authentication or security of any host, network or account.
8. Users shall not use any program or send messages of any kind, with the intent to interfere
with, or disable, a user's terminal session, via any means, locally or externally.
End of Document