UNIVERSITY OF BAHRAIN
INFORMATION TECHNOLOGY CENTER
INFORMATION TECHNOLOGY POLICIES AND
PROCEDURES
Prepared by IT Center
Approved by Council of University of Bahrain with the decree no 2053/2014
IT Policies and Procedures
IT Center 2 University of Bahrain
Information Technology Policies and procedures
1.0 General.
1.1 Compliance with Standards Required for Emergency – Disaster Supports
1.2 Information Technology Disaster Recovery Plan.
1.3 Data Center Security and Access.
1.4 Confidentiality Agreements.
1.5 Procurement and Asset Management of IT Equipments.
1.6 Disaster detective approach
2.0 Information Systems.
2.1 Access to the University Information Systems.
2.2 Data Access of University Information Systems.
2.3 Protection of Information Assets.
2.4 Signed Forms Required for Issuance of IT Accounts.
2.5 User Access Privileges – Periodic Review and Reauthorization.
2.6 Use of Information systems
3.0 Network.
3.1 Network Security.
3.2 Visitors Accounts.
3.3 Internet Security.
3.4 Information Security Alert System.
4.0 Computing Facilities.
4.1 Access Computer Areas.
4.2 Computer Threats.
4.3 Computing Environment Supporting Equipment.
4.4 Conditions of Use.
4.5 Computing Equipments Borrowing Procedures – Academic staff.
5.0 Information Systems Development Methodology (ISDM).
6.0 Change Management Policy.
Appendix
Information Technology Policies and procedures
1.0 General.
1.1 Compliance with Standards Required for Emergency – Disaster Supports.
1.2 Information Technology Disaster Recovery Plan.
1.3 Data Center Security and Access.
1.4 Confidentiality Agreements.
1.5 Procurement and Asset Management of IT Equipments.
1.6 Disaster detective approach
1.1 Compliance with Standards Required for Emergency- Disaster Support
Purpose
The purpose of this policy is to adopt international standards when implementing the required strategies
for disaster support (e.g. COBIT, ISO).
Policy Statement
Faculties, Divisions and/or departments, and other University areas wishing to be supported by the
Information Technology Center on a priority basis in the event of an emergency or a disaster, must
implement hardware, software, and related procedures consistent with University of Bahrain
Information Technology policies.
Policy Content
Supporting non-standard computer systems (those that do not comply with IT Center policies) is very
difficult in the event of an emergency and/or disaster. This policy allows flexibility in the acquisition and
maintenance of the computing environment; however, the department must put them on notice that the
Information Technology Center reserves the right to give priority to those who comply with IT policies
over those who do not in the event of emergencies and/or disasters.
Policy Area: Subject:
Title of Policy: Policy Code: IT001
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
1.2 Information Technology Disaster Recovery Plan
Purpose
The University of Bahrain needs to assign the task of developing a robust disaster recovery plan to an
IT committee. This committee must hold periodic meetings to discuss new issues of risk in IT.
Policy Statement
The Information Technology Center must prepare, periodically update, and regularly test an approved
disaster recovery plan that will provide for the availability of critical computer and communications
systems in the event of a major disaster such as storm, flood, earthquake, fire, and power failure.
Policy Content
Preparation, maintenance, and periodic testing of computer disaster recovery plans require UOB
management to financially support and diligently attend to disaster recovery planning efforts. This is
because disasters occur so rarely that technical management may place a low priority on developing and
maintaining adequate disaster recovery processes. The IT Centre shall develop a standard University-wide
process for developing, maintaining, and testing computer recovery plans. This shall be documented and
distributed to relevant positions.
Policy Area: Subject:
Title of Policy: Policy Code: IT002
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
1.3 Data Center Security and Access
Purpose
The purpose of this policy is to implement the process needed to access the data centers across
University of Bahrain.
Policy Statement
All University information processing and communications areas must be protected by physical controls
appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems
operated at those locations.
Policy Content
1. Passwords, lock combinations and keys to all computer room areas are granted only to
authorized IT staff who have a clear need to access the data centers.
2. Only those authorized by the Information Technology Center are to be granted access to
secured data centers. The Information Technology Center will provide the Security Officer, or
any other required departments, with details of all staff granted access to secured data center
areas.
3. Passwords and lock combinations are to be changed on a regular basis or when:
a. a staff member leaves
b. passwords or lock combinations are compromised
c. a lock is serviced
d. at other times as required
e. Keys to secured areas should be held by the Security Officer for emergency access
only. Authorized visitors to these areas must complete the Visitor's Log and be
escorted at all times whilst in these areas.
4. Information Technology staff are to carry University identification cards and are required to
wear them in plain view at all times. These cards should only contain photographs, card
numbers and sufficient information to associate them with their owner. Cards should not
contain any facility identification or address to which the badges will permit access.
Policy Area: Subject:
Title of Policy: Policy Code: IT003
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
1.4 Confidentiality Agreements
Purpose
The purpose of this policy is to require all Information Technology staff, consultants and contractors to
sign confidentiality agreements in order to enhance the security over the computer systems and data.
Policy Statement
Information Technology staff, consultants and contractors required to have access to University
computing systems, data, or data centers, must sign Confidentiality agreements at the time they
commence employment at University of Bahrain.
Policy Content
Written acknowledgment that University workers agree not to disclose sensitive data is required. This
document is very important if legislative processes and/or disciplinary action processes are required to
be followed at a later date.
Policy Area: Subject:
Title of Policy: Policy Code: IT004
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
1.5 Procurement and Asset Management of IT Equipments
Purpose
The main purpose of this policy is to promote a "full service" model that will reduce the Total Cost of
Ownership of computers and IT equipment by reducing the time individuals and departments spend on
purchasing decisions, asset control, set-up, support, maintenance and disposal. By limiting its purchases
to fewer vendors, the University will be able to obtain better prices (on annual volume deals), better
back-up and local service, consistent quality machines profiled before delivery and a considerable
improvement in overall productivity. The asset management and warranty repair aspects of the policy
are intended to provide a coordinated level of computing facilities management, which has not existed
previously at University of Bahrain.
Policy Statement
This policy will be put into practice by the purchasing department in collaboration with the assets & stores
department and the IT Center in order to coordinate the overall procurement, asset management, warranty
repair and disposal of all future purchases/leases of computers and peripheral equipment. The policy
applies to desktop and laptop computers and all peripheral computing equipment used for normal
administrative and academic purposes, including the specialist, high-end workstations and peripheral
equipment purchased especially for academic purposes and which utilize specialist operating systems
and/or applications. The policy will be managed by calling for tenders to provide equipment and leasing
arrangements. The IT Center will be responsible for developing, implementing and maintaining an asset
management system to provide control over, and information about, desktop computing resources.
Revisions to this policy will be the responsibility of the Information Technology Center.
Policy Content
Computers and peripheral equipment purchased, or leased, by the University, under normal
circumstances, should be sourced under "Preferred Supplier" arrangements that will be approved by an
IT Committee and managed by Information Technology Center. Procurement of computers and
peripherals may be by direct purchase or lease arrangement. The University will enter into a leasing
arrangement via tender with one vendor and all leases must be arranged through that vendor. The
management of asset records relating to the purchase or lease of computers and peripheral equipment
will be the responsibility of the Technical Support Team. All warranty repair and service work on
desktop computers and peripheral equipment will be carried out within University of Bahrain by trained
and, where necessary, vendor certified, computer support staff. The disposal of all computing equipment
purchased by the University will be done in accordance with the procedures used by the Finance
Department for Sale of Surplus and Redundant Equipment.
Procurement
The University represented by the purchasing department in coordination with the IT Centre will
periodically call for Tenders from Vendors who wish to be considered as a preferred supplier. There
will be wide consultation within the campus, utilizing the expertise of Technical Support Staff
within the faculties as well as IT Center experts, regarding the proposals and equipment proffered by
vendors. The decision to grant "Preferred Supplier" status will be based on price, suitability, reliability
and service levels. A range of configurations will be identified for supply, and equipment will either be
supplied with fully profiled hard disks or be configured by the University before delivery to the desktop.
Equipment ordering will be standardized and simplified to enable users to order equipment via a Web
Page. Vendors will deliver new machines to the IT Center who will enter the necessary asset
management details, check the machine for functionality, install the standard software/hardware
required and either install the machine in its permanent location or pass the machine on to Faculty based
Technical Support staff. These staff will 'customize' the machine as necessary before final installation.
A handling charge for providing this service will be met by the Vendor.
Leasing
The University represented by the purchasing department in coordination with the IT Centre will
periodically call for Tenders from vendors who wish to be considered for providing a leasing
arrangement to the University for the lease of computers and IT peripheral equipment. The lease
provider will enter into arrangements with the University and the Preferred Suppliers such that the
Preferred Supplier will directly invoice the lease provider for the total cost and the lease provider will
adjust the periodic leasing invoice to the University. The lease provider may be required to provide all
or some of the following services at the request of the University:
Buy and rent back of existing equipment.
Quarterly lease payments.
Stepped rental plans (to match depreciation of computers).
Equipment exchange/cascading during the lease term.
End of lease options - continue/upgrade/buy/end.
Cost center level invoicing.
Fire, theft, and accidental damage or loss insurance premiums included in the rental terms.
Insurance claims management.
Disposal
The purchasing department, in collaboration with the assets & stores department and in coordination with
the IT Center, will periodically dispose of computers and IT equipment used in the University as a result of
upgrading or malfunctioning. The department that wishes to dispose of some of its computer systems and
IT equipment must fill out a disposal request, get it approved by the department head and send it to
the purchasing department, which in turn will send a copy to the IT Center, which accordingly will send
its technicians to examine and test the computer systems and IT equipment specified in the request.
According to the recommendation of the IT Center, the computer systems and IT equipment will be
disposed of and sent to the University stores or remain in use. In order to ensure that these disposed
computers and IT equipment do not pile up and sit in the stores well beyond their potential useful life,
one of the following actions will be taken:
Redeploy or reuse the disposed computers and IT equipment within the University. New staff
members can make use of it till new computers and IT equipment is purchased or it can serve
as backup equipment in case newer computers break down.
Sell these disposed computers and IT equipment to staff members or outsiders.
Donate these disposed computers and IT equipment to charity organizations or schools.
Therefore, the technicians and the other employees working in the University's different departments must
not take or remove any internal parts (memory, hard disks, etc.) of the disposed computers and IT
equipment. Moreover, when the disposed computers and IT equipment are to be sold or donated, the IT
Center technicians must securely erase all the data and University licensed software from their hard disks;
this is done by reformatting the hard disks and running specialized "disk wiping" software to erase
the entire contents of the disks. The buyers of the disposed computers and IT equipment should be aware
that the University takes no further responsibility towards the maintenance or upkeep of the equipment.
Assets Management
The IT Center in collaboration with the assets & stores department will develop, implement and manage
an asset management system for computers and all IT peripheral equipment. The system will provide
the following services to the University:
Initial asset data capture.
Quarterly asset reconciliation.
Periodic reporting to Cost Center management.
Annual verification audit.
Warranty Repairs
The Preferred Supplier will provide full on-campus warranty service through arrangements with the
University's IT Centre.
Policy Area: Subject:
Title of Policy: Policy Code: IT005
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
1.6 Disaster detective approach
Purpose
The purpose of this policy is to implement a disaster detective approach for the data centers at University
of Bahrain.
Policy Statement
The Information Technology Center is required to have a disaster detective approach in order to detect any
unwanted events within the information technology infrastructure, network, computing facilities,
application systems and any other IT resources.
Policy Content
Detective approaches are taken to discover the presence of any unwanted events within the IT resources.
The aim is to uncover any potential threats, unwanted events, problems or decrease in service levels
because of disasters' occurrences.
Policy Area: Subject:
Title of Policy: Policy Code: IT006
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
Information Technology Policies and Procedures
2.0 Information Systems.
2.1 Access to the University Information Systems.
2.2 Data Access of University Information Systems.
2.3 Protection of Information Assets.
2.4 Signed Forms Required for Issuance of IT Accounts.
2.5 User Access Privileges – Periodic Review and Reauthorization.
2.6 Use of Information systems
2.1 Access to University Information Systems
Purpose
The purpose of this policy is to organize the process of accessing the University information systems.
The information systems include all kinds of information systems, applications, enterprise systems
which have been developed in-house/procured by the University.
Definitions
Data Owner: Data owners are normally managers or directors who have responsibility for the integrity,
accurate reporting and use of computerized data. Their security responsibilities include authorizing
access, ensuring access rules are updated when personnel changes occur, and regularly inventorying
access rules for the data for which they are responsible.
Policy Statement
The decision as to who and at what level should be granted access to data held on the University
information systems is made by the owner of the data concerned but as a rule:
Only authorized personnel who require access as part of their normal duties are permitted
access to University information systems and networks.
Users must only be permitted to access data for which they have been authorized, as their job
requires.
The level of access assigned to a user must be commensurate with the duties they perform.
Policy Content
1. Application for user System/Network Accounts
Users may request accounts on the University computer systems and networks through the
Manager/Head of their Department by completing the form – User Privileges Application Form.
Application must be approved by the user's Manager/Head of Department/Division.
2. Access to Data
Requests for access to any production database or data must be made through the Manager/Head of
the Department/Division to the owner of the data and must be approved by the owner before access
can be provided. The Manager/Head of Department/Division requesting access must ensure that the
level of access being requested for a staff member is aligned with that person's duties. Development
staff normally should not have access to production data. However, under certain circumstances
(e.g. as part of diagnostic and/or maintenance activities) they may be granted limited access. In such
circumstances the access must be for a pre-determined period and must be approved by the data
owner prior to access being granted. Access must be revoked as soon as the defined task is
completed. All access to production data must be logged and indicate the reasons for the access and
any changes that have been made. University top management has the right to grant access to any
employee whose duties require access to an information system.
Computers and networks can be accessed on and off campus. Such open access provided by the
Information Technology Centre is a privilege, and requires that individual users act responsibly.
Users must respect the rights of other users, respect the integrity of the system and related
physical resources, and observe all relevant laws, regulations, and contractual obligations.
1. Account Creation Procedure.
Upon receipt of a request that has been signed by the Manager/Head of Department/Division
concerned and approved by the data owner, who has specified the level of access the user should
have, the system administrator will create a system and/or network account. All amendments and
deletions of user access privileges will be handled in the same manner.
2. Removal of Access
The Information Technology Center has the responsibility to ensure that access to University
computer systems and networks is removed from users when it is no longer required. This includes:
a. Change of Duties: The removal of access may be requested by the user's Manager/Head
of Department/Division when they determine that the user no longer requires the level
of access that was originally granted. It is the responsibility of the Manager/Head of
Department/Division to regularly review the level of access granted to staff under their
supervision and to request appropriate changes.
b. Termination or Transfer: Access must be revoked when a staff member leaves the
University or is transferred to a position that requires a different level of access.
c. Leave: Whenever a staff member proceeds on leave (greater than 1 month) it is essential
that their access to the University computer systems be restricted to a different level
of access.
Policy Area: Subject:
Title of Policy: Policy Code: IT007
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
2.2 Data Access of University Computer Systems
Purpose
The purpose of this policy is to control access to the data of University computer systems. The data of
the computer systems includes all kinds of data, information, and knowledge owned by the University.
Definitions
Owner of the data: One who is considered to have the rights or obligations of an owner over the data of a
particular system, regardless of legal title or job position at the University.
Data: Raw material (facts). Data need to be filtered/refined and then treated in some way (i.e. sorting,
classifying, aggregating and averaging) to become useful information.
Information: Data that are or may be useful to managers in their job. It is the processed data or the
meaning that human beings assign to or extract from data.
Knowledge: Does not refer to raw data or plain, unanalyzed information, but includes both evaluations
and conclusions. It is the outcome of the meshing and reconciliation of a set of information.
Policy Statement
Data collected and stored on University computer systems must only be used for the purpose for which
it was originally collected. The data owner, in conjunction with the custodian, (Information Technology
Centre) must determine the way in which data may be used and to whom access may be granted.
Policy Content
1. Data stored on University computers may not be shared or transferred, including downloading, to
any computer systems without prior approval of the data owner.
2. Permission to transfer raw data to any IT device should only be given in exceptional circumstances.
3. Unauthorized access, malicious or otherwise, shall be prosecuted under Kingdom of Bahrain Laws.
Policy Area: Subject:
Title of Policy: Policy Code: IT008
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
2.3 Protection of Information Assets
Purpose
The purpose of this policy is to ensure the integrity of the information stored on their computer systems,
preserve the confidentiality of sensitive data and ensure continued availability of their information
assets.
Policy Statement
Security policies govern the steps and procedures taken to protect business assets and confidential
information from intrusion via the use of technology or physical intervention. When considering the
possibility of transacting business over public networks, the goal should be how best to protect corporate
assets, data integrity and confidentiality. Business assets can be considered to be and include items such
as valuable and sensitive data that needs to be kept secure and confidential.
Policy Content
1. Collection Limitation Principle
There should be limits to the collection of data, and data should be obtained by lawful and fair means
and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle
Data should be relevant to the purposes for which they are to be used and, to the extent
necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle
The purposes for which data is collected should be specified not later than at the time of collection
and the subsequent use limited to the fulfillment of those purposes or such others as are not
incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle
Data should not be disclosed, made available or otherwise used, for purposes other than those
specified in accordance with Principle 3 except with the consent of the data subject; or by the
authority of law.
5. Openness Principle
There should be a general policy of openness about developments, practices and policies with respect
to data. Means should be readily available of establishing the existence and nature of data, and the
main purpose of their use, as well as the identity and usual residence of the data controller.
Policy Area: Subject:
Title of Policy: Policy Code: IT09
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
2.4 Signed Forms Required for Issuance of Computer Accounts
Purpose
This policy is to ensure that users are aware of the information technology regulations of the
University prior to using any IT facilities.
Policy Statement
Users of University systems and networks must sign an agreement indicating their adherence to the
University Rules: 'Use of IT Facilities', prior to being given a user-ID allowing access to University
systems and networks.
Policy Content
Users are reminded about information security policies and their specific security related responsibilities
before they get access to University systems. Signed agreements are required for possible future referral
in respect of staff and/or student conduct regulations. Failure to sign the relevant undertaking may result
in non-granting of system and/or network user-ID.
Policy Area: Subject:
Title of Policy: Policy Code: IT010
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
2.5 User Access Privileges - Periodic Review and Reauthorization
Purpose
The main purpose of this policy is to make sure that account status is monitored periodically.
Additionally, this policy will strengthen the security strategy as it assures periodic review of the authorization.
Policy Statement
System privileges granted to all University system users must be re-evaluated every 12 months by system
owner management, who must promptly report all significant changes in end-user duties or
employment status to the system security administrator handling the user-ID of the affected persons.
Policy Content
1. As users' jobs change, so should their associated system privileges. The Information Technology
Center will issue to all managers a 'User Access' report detailing the level of staff computer system
access.
2. The manager/s should reauthorize the system privileges, or make appropriate amendments, as
defined in the report. (It is also the responsibility of the department/division head to notify the
Information Technology Centre of any reauthorization for any staff by completing a specific form for it.)
3. The completed report must be returned within 21 days to the Information Technology Center.
4. Upon formal advice of access changes, the detailed user system accounts will be amended as
requested by University management.
Policy Area: Subject:
Title of Policy: Policy Code: IT011
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
2.6 Use of Information systems
Purpose
The main purpose of this policy is to make sure that all information system resources are used for
educational purposes only.
Policy Statement
Information system resources in University of Bahrain should be used for educational purposes
only.
Policy Content
Information technology resources provided by University of Bahrain in all functional and academic
units must be used for educational and academic purposes only. Any misuse of these resources
for other than educational purposes will be considered a violation and will be subject to appropriate
disciplinary action (appendix).
Policy Area: Subject:
Title of Policy: Policy Code: IT012
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
Information Technology Policies and Procedures
3.0 Network.
3.1 Network Security.
3.2 Visitors Accounts.
3.3 Internet Security.
3.4 Information Security Alert System.
3.1 Network Security
Purpose
The purpose of this policy is to establish direction, procedures, and requirements to ensure the
appropriate protection of University information handled by University information infrastructure
networks.
This policy has two purposes:
Emphasize for all University staff and students the importance of security in the various
network environments and their role in maintaining that security.
Assign specific responsibilities for the provision of data and information security, as well
as for the security of the various network infrastructures.
Policy Scope
This policy applies to all University employees, students and contractors, including those affiliated with
third parties, who access University computer networks. At the level of University IT infrastructure, this
policy applies to the University's back-end infrastructure of hardware and software (such as servers
and network switches), as well as front-end infrastructure (such as personal computers) and related
applications at the level of end users.
Policy Statement
It is the right of the University to prohibit unauthorized access, disclosure, duplication, modification,
diversion, destruction, loss, misuse, or theft of information.
Policy Content
1. Specific Security Responsibilities
1.1. Users
Users are expected to have some basic computer knowledge and should understand and adhere to
University security policies and procedures. Users ultimately are responsible for their own behavior.
Users’ responsibilities are:
a. Employing available security mechanisms for protecting the confidentiality and integrity of
their own information when required.
b. Selecting and maintaining strong passwords.
c. Notifying the local administrator or management if a security violation or failure is observed
or detected.
d. Users must not exploit system weaknesses if any exist and must report them to the IT Center immediately.
e. Users should provide the correct identity and authentication information when requested and
not attempt to assume another party's identity.
f. Users are responsible for protecting their data and information by performing a regular backup
of their PCs.
g. Users are responsible for knowing how to monitor specific systems and software to detect signs
of abnormal activity and for knowing what to do or whom to contact for more information.
h. Users must not test, or attempt to compromise computer or communication system security
measures unless specifically approved in advance and in writing by the Information
Technology Center.
i. Users should utilize available tools to secure access to their machine's hard disk drive, such as
locking the screen or logging off the user profile.
j. Advising others who fail to properly employ available security mechanisms. Users must help
to protect the property of other individuals and notify them of resources (such as files and
accounts) left unprotected.
1.2. Functional Managers
a. Managers are responsible for ensuring computer and communication system security measures
are observed in their area and that all staff within the workplace area are made aware of this
policy, and are responsible for incorporating it into staff briefings and training programs.
b. Managers, with the help of the HR department, are responsible for informing the IT Center of
changes of status or access rights, and of a position change or termination from University
employment.
c. Management must promptly report all significant changes in worker duties or employment
status to the IT Center responsible for user-IDs associated with the involved persons.
1.3. Network Management
These individuals are responsible for enforcing local University security policies as they relate
to technical controls in hardware and software, to archive critical programs and data, and to
control access and protect network physical facilities. Specific responsibilities are:
a. Securing the network environment within the site and interfaces to outside networks.
b. Responding to emergency events in a timely and effective manner.
c. Employing generally approved and available auditing tools to aid in the detection of security
violations.
d. Conducting timely audits of network logs, as well as monitoring and reporting various logs.
e. Developing appropriate procedures and issuing instructions for the prevention, detection, and
removal of malicious software.
f. Backing up all data and software on the systems/networks on a timely basis.
g. Promptly notifying the Information Technology Center of all computer security incidents.
h. Conducting periodic reviews to ensure that proper security procedures are followed.
1.4. System Administrators
Local administrators are expected to utilize, on their assigned IT infrastructure, the available
network security services and mechanisms to support and enforce applicable security policies
and procedures. They are responsible for:
a. Managing all users' access privileges to data, programs and functions.
b. Monitoring all security related events and following up on any actual or suspected
violations where appropriate.
c. Notifying network management if a penetration has occurred or is in progress, and assisting
other administrators in responding to security violations.
d. Notifying the Information Technology Center of all computer security incidents.
e. Maintaining and protecting server software and relevant files using available and
approved security mechanisms and procedures.
f. Assigning a unique User-ID and initial password to each authorized user after proper
documentation has been completed.
1.5. The Information Technology Center
The main responsibility is to manage the IT security direction for the University. This direction
should be kept up to date and in compliance with the appropriate IT security circumstances available in
the marketplace. Moreover, the Information Technology Center is responsible for conducting
investigations into any alleged computer or network security compromises, incidents and/or
problems. All computer security compromises or potential security compromises must be
reported to the Information Technology Center.
2. Access Controls
2.1. Log-In/Log-Off Process
a. All authorized persons must be positively identified prior to being able to use any multi-
user computer or any information system resources. Positive identification for
University networks involves both a user-ID and a password.
b. The initial log-in process for network-connected University devices or information
systems must simply ask the user to log-in with a username and password and log off
once there is no usage.
2.2. Password Controls
a. All computers permanently or intermittently connected to University networks must
have password access controls.
b. Whenever system/network security has been compromised, or even if there is a
convincing reason to believe that it has been compromised, the relevant system
administrator should immediately:
o reassign all relevant passwords, and
o inform all concerned parties to change their passwords.
2.3. User Passwords
Passwords are by far the most common authentication technique used on computer systems
today. The following password measures should be implemented on all University systems
and networks:
o There should not be any critical IT hardware/software without an authenticated user
name and password.
o Only one user may use an account; passwords may not be shared or revealed to anyone
else.
o There should not be any accounts that do not require a password.
o All vendor-supplied and default passwords should be immediately changed.
o Choose passwords which are difficult-to-guess. Personal names should not be used as
passwords.
o Passwords must not be a word found in the dictionary or some other part of speech. For
example, proper names, places, technical terms, and slang must not be used.
o Passwords should be no shorter than 8 characters.
o Passwords are to be changed every 90 days. University systems will enforce password
changes.
o Different passwords should be used for different systems and no password used at the
University should be used on any outside computers.
o Passwords must not be written down and left in a place where unauthorized persons
might discover them. However, should you have passwords which are not easily
remembered, you may write them down and must keep them secured at all times.
o All passwords must be immediately changed if they are suspected of being disclosed,
or known to have been disclosed to anyone.
2.4. Process for Granting System Privileges
a. Requests for user-IDs, access privileges and email system access must be granted only
by a clear chain of authority delegation. Management approval must be obtained from
the user's manager before a local administrator grants network privileges.
b. System and network privileges of all users, systems and programs must be restricted
based on the need-to-know. Excessive privileges granted to users must be avoided.
c. Individuals who are not University employees must not be granted a user-ID or
otherwise be given privileges to use University computers or communications systems
unless the advance written approval of a Department head has first been obtained.
d. All users wishing to use University networks, or multi-user systems that are connected
to University networks, must sign a compliance statement prior to being issued a user-
ID.
e. A signature on this compliance statement indicates the involved user understands and
agrees to abide by University policies and procedures related to computers and
networks (including the instructions contained in this policy).
f. All original staff account documentation must be forwarded to the Information
Technology Center for records retention in the event of possible legal and/or law
enforcement matters.
2.5. Process for Revoking System Access
All user-IDs must automatically have the associated privileges revoked after a certain period
of inactivity. This period should be determined by the Information Technology Center based
on functionality and security considerations.
3. Information System Threats (Viruses, Worms, And Trojan Horses)
Information system threats (such as viruses, worms and Trojan horses) are unauthorized
programs that may negatively affect the IT infrastructure or any related components.
Threats control
a. To assure continued uninterrupted service for both computers and networks, all user
machines must keep approved threat-screening software enabled on all University devices.
This is particularly important for University computer laboratories. Privately owned
computers that are used for official University work purposes are also included.
b. This screening software must be used to scan all software coming from either third parties
or other University departments; the scanning must take place before the new software is
executed.
c. Although users are responsible for eradicating viruses from their systems whenever they
have been detected, they must immediately contact the Information Technology Center’s
"Help Desk" whenever they believe that a system has been infected. This will allow steps
to promptly be taken to assure that no further infection takes place and that experts needed
to eradicate the virus are promptly engaged.
d. Software available on the Internet and electronic bulletin boards, shareware, public domain
software, and other software from untrusted sources must not be downloaded or used unless
it has first been subjected to a rigorous testing approved by Information Technology Center.
4. Data And Back-Ups
a. To protect University information resources from loss or damage, microcomputer users are
responsible for backing-up the information on their machines.
b. Specialist computer staff will install, or provide technical assistance for the installation of,
back-up hardware and/or software when requested by a user.
c. All sensitive or "confidential", valuable, or critical information resident on University
computer systems and networks must be regularly backed-up and stored on the centralized
University storage.
d. Department managers must define which information and which machines are to be backed-
up, the frequency of back-up, and the method of back-up based on the following guidelines:
o If the system supports more than one individual and contains data that is critical to the
day-to-day operation within the University, then back-up is required daily and retained
for at least seven years.
o If the system is used to support job related functions and contains key data critical to
the day-to-day operation of that job, then back-up is required weekly.
o If the system is primarily used as a personal productivity tool and contains no data that
would be classified as job or departmental in nature, then back-up is at the discretion of
the individual user.
e. Storage of back-up media is the responsibility of the microcomputer user or multi-user
machine systems administrator involved in the back-up process. Back-ups should be stored
on site for quick recovery from data or network problems. Back-ups for critical business
functions should also be stored off-site. Recovery procedures must be documented and
tested.
f. Media should be stored in a fireproof security container at a separate location at least 100
meters away from the system being backed-up.
g. Implement a data library that provides safe storage for the off-line data files; those files
could be back-up or current data files.
5. Portable Computers
a. Portable, laptop, notebook, palmtop, and other transportable computers containing
"confidential" University information, must not be left unattended at any time unless the
information is stored in encrypted form.
b. To prevent unauthorized disclosure, workers in the possession of transportable computers
containing unencrypted "confidential" University information must not check these
computers in airline luggage systems, with hotel porters, etc. These computers must remain
in the possession of the traveler as hand luggage.
c. Whenever "confidential" information is written to a floppy disk, magnetic tape, smart card,
or other storage media, the storage media must be suitably marked with the highest relevant
sensitivity classification. When not in use, this media must be stored in a secured container
and/or location.
6. Remote Printing
7. Printers must not be left unattended if confidential information is being printed or will soon be
printed.
8. Privacy
Unless contractual agreements dictate otherwise, electronic information sent over University
computer and communications systems is the property of University of Bahrain. To properly
protect and manage this property, University management reserves the right to examine all data
stored in or transmitted by these systems.
9. Internet Security
Refer to: Internet Security Policy
10. Software Copyright
a. Users shall only use legally obtained software on University computing equipment. Users
shall be held liable for any breach of copyright. The University shall not be liable for any
breaches of copyright made by users.
b. Third party software in the possession of the University must not be copied unless such
copying is consistent with relevant license agreements and either management has
previously approved of such copying or copies are being made for contingency planning
purposes.
c. All University small systems must use approved software license management software.
Besides detecting unauthorized copies of third-party software, these license management
systems must be configured to detect new and/or modified application programs developed
by end-users.
d. All computer programs and program documentation owned by the University must include
appropriate copyright notices.
11. Network Logs And Other Security Tools
a. All University computer or communications systems must include sufficient automated
tools to assist the administrator in verifying the systems' security status. These tools must
include mechanisms for the recording, detection, and correction of commonly-encountered
security problems.
b. To the extent that systems software permits, computer and communications systems
handling sensitive, valuable, or critical University information must securely log all
significant security relevant events.
c. Logs containing computer or communications system security relevant events/incidents
must be retained for at least three (3) months. During this period, logs must be secured with
the Information Technology Center because they should not be modified and should be read only by
authorized persons.
d. Incident logs are important for error correction, auditing, security breach recovery, and
related efforts. Logs must support audit events which should provide sufficient data to
support comprehensive audits of the effectiveness of, and compliance with formal approved
measures.
12. Reporting Security Information
a. All staff and students must promptly report any suspected information security problem
including intrusions and out-of-compliance situations to the Manager and the Information
Technology Center.
b. Computer threats can spread quickly and need to be eradicated as soon as possible to limit
serious damage to computers, networks and data. All University staff and students are
encouraged to report a computer threat infestation immediately after it is noticed. All
network or systems software malfunctions must be immediately reported to the Help Desk.
13. Release Of Information
Information about security measures for all University computer and communication systems
is confidential and should not be released to people who are not authorized users of the involved
systems unless the permission of the Manager, Information Security has first been obtained.
14. Physical Security Of Computer And Communications Equipment
a. All University network equipment must be physically secured. Local area servers must be
placed in locked cabinets, closed closets or locked computer rooms.
b. Access to computer rooms, network switching rooms and other work areas containing
sensitive or confidential information must be physically restricted.
15. Exceptions
Under rare circumstances, certain persons will need to employ systems that are not compliant
with this policy. All such instances must be approved in writing and in advance by the Faculty
Dean or the Divisional Director and from the Information Technology Center.
16. Enforcement
The failure to comply with this policy may expose University information to the unacceptable
risk of the loss of confidentiality, integrity or availability while stored, processed or transmitted
on University networks. University staff must be notified that this policy exists and that they
are expected to comply with the policy.
Policy Area: Subject:
Title of Policy: Policy Code: IT013
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
3.2 Visitors Accounts
Purpose
The main purpose of the visitor accounts policy is to adopt standards and limitations for issuing and creating
these accounts for approved University visitors, for a limited time only.
Policy Statement
It is the policy of this University to grant authorized access to students as well as staff of University of
Bahrain. However, there are some users who have temporary tasks or requirements to use the computing
facilities, including the University's network, such as visiting students or visiting professors. These users
will only be granted limited access.
Policy Content
1. Visitor accounts are created by the network supervisor for a limited time only.
2. Visitor accounts are not to be issued for access to the University Administrative systems.
3. Visitor accounts must only be issued once an application for an account has been completed and
approved by the Director of Information Technology Center.
4. Application forms are available from Information Technology Center.
5. Applicants must complete ‘Application for Information System and Services Account’ and sign the
declaration.
6. Rules: Computing Facilities.
a. Completed forms are to be forwarded to the Information Technology Center.
b. User-IDs must be unique and clearly identify the user.
c. Account expiry will be as approved by the Director of Information Technology Center but must
not exceed 14 days after which a new application must be made.
d. In addition to system start-up and shut-down times, audit transaction histories should log the
following information:
o date, time, location of visitor account activity
o user identification
o sign-on and sign-off activity.
Policy Area: Subject:
Title of Policy: Policy Code: IT014
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
3.3 Internet Security
Purpose
The main purpose of this policy is to establish direction, procedures, and requirements to ensure the
appropriate protection for the usage of the internet at the university.
This policy has two purposes:
o Emphasize for all University staff and students the importance of security when using the
internet inside the university’s laboratory or any computing facilities.
o Attempt to minimize the risks from the internet by describing the prohibited actions.
Policy Statement
The new resources, new services, and inter-connectivity available via the Internet all introduce new
opportunities and new risks. In response to the risks, this policy describes the University of Bahrain's official
policy regarding Internet security. It applies to all University employees (academic and administrative),
contractors and temporary staff who use the Internet with University computing or networking resources, as
well as those who represent themselves as being connected with University of Bahrain.
Policy Content
All Internet users are expected to be familiar with and comply with these policies.
Transmission of Information
1. Downloading
All software downloaded from non-University sources via the Internet must be screened with
threats detection software prior to being invoked. Whenever the provider of the software is not
trusted, downloaded software should be tested on a stand-alone non-production machine. If this
software contains threats, then the damage will be restricted to the involved machine.
2. Suspect Information
All information taken off the Internet should be considered suspect until confirmed by separate
information from another authenticated source. There is no quality control process on the
Internet, and a considerable amount of its information is outdated or inaccurate.
3. Information Security
Wiretapping and message interception are straightforward and frequently encountered on the
Internet. Accordingly, University, proprietary, or private information must not be sent over the
Internet unless it has first been encrypted by approved methods.
Moreover, credit card numbers, log-in passwords, and other parameters that can be used to gain
access to University systems, networks and services, must not be sent over the Internet in
readable form.
Software Security
5. University computer software, documentation, and all other types of internal information must
not be sold or otherwise transferred to any non-university party for any purposes other than
University purposes expressly authorized by Faculty Deans or Divisional Directors.
6. Exchanges of software and/or data between University and any third party may not proceed unless
a written agreement has first been signed. Such an agreement must specify the terms of the
exchange, as well as the ways in which the software and/or data is to be handled and protected.
Regular business practices--such as shipment of software in response to a customer purchase
order--need not involve such a specific agreement since the terms are implied.
7. The University strongly supports strict adherence to software vendors' license agreements. When
University computing or networking resources are employed, copying of software in a manner
that is not consistent with the vendor's license is strictly forbidden.
Personnel Security
8. Privacy
Staff using University information systems and/or the Internet should realize that their
communications are not automatically protected from viewing by third parties. Unless
encryption is used, workers should not send information over the Internet if they consider it to
be private.
9. Right to Examine
At any time and without prior notice, University management reserves the right to examine e-
mail, personal file directories, and other information stored on University IT infrastructure. This
examination assures compliance with internal policies, supports the performance of internal
investigations, and assists with the management of University information systems.
10. Resource Usage
University of Bahrain encourages staff to explore the Internet, but if this exploration is for
personal purposes, it should be done on personal, not University time. Likewise, games, news
groups, and other non-University activities must be performed on personal, not University time.
Use of University computing resources for these personal purposes is permissible so long as the
incremental cost of the usage is negligible, and so long as no University activity is pre-empted
by personal use.
11. Public Representations
Staff may indicate their affiliation with the University in bulletin board discussions and other
offerings on the Internet. This may be done by explicitly adding certain words, or it may be
implied, for instance via an e-mail address. In either case, whenever staff provide an affiliation,
they must also clearly indicate that the opinions expressed are their own, and not necessarily
those of University of Bahrain. All external representations on behalf of the University must
first be cleared with the Faculty Dean or Divisional Director. Additionally, to avoid libel
problems, whenever any affiliation with the University is included with an Internet message or
posting, "flaming" or similar written attacks are strictly prohibited.
12. Staff must not publicly disclose internal University information via the Internet that may
adversely affect the University's relations or public image.
13. Care must be taken to properly structure comments and questions posted to mailing lists, public
news groups, and related public postings on the Internet. If a user is working on a research
and/or development project, or related University matters, all related postings must be cleared
with Faculty Deans and Directors prior to being placed in a public spot on the Internet.
Access Control
14. All users wishing to establish a connection with University computers via the Internet must
authenticate themselves at a firewall before gaining access to University internal network.
15. Unless the prior approval of the IT Center has been obtained, staff may not establish modems,
Internet or other external network connections that could allow non-University users to gain
access to University systems and/or networks and University information.
16. Likewise, unless the IT Center has approved in advance, users are prohibited from using new or
existing Internet connections to establish new communication channels. These channels include
electronic data interchange (EDI) arrangements, electronic malls with on-line shopping, on-line
database services.
Reporting Security Problems
17. The Information Technology Center must be notified immediately when:
o Sensitive University information is lost, disclosed to unauthorized parties, or suspected
of being lost or disclosed to unauthorized parties.
o Unauthorized use of University information systems has taken place, or is suspected of
taking place.
o Passwords or other system access control mechanisms are lost, stolen, or disclosed,
or are suspected of being lost, stolen, or disclosed.
o Unusual system behavior occurs, such as missing files, frequent system crashes, or misrouted
messages.
Security problems should not be discussed widely but should instead be shared on a need-
to-know basis.
Users must not attempt to probe computer security mechanisms at University of Bahrain
campuses or other Internet sites. If users probe security mechanisms, alarms will be
triggered and University resources will needlessly be spent tracking the activity.
Violations of these computer security policies can lead to withdrawal and/or suspension
of system/network privileges and/or disciplinary action.
Violations of these computer security policies may expose the violator to legal action according to
University of Bahrain laws or the Kingdom's laws.
Policy Area: Subject:
Title of Policy: Policy Code: IT015
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
3.4 Information Security Alert System
Purpose
This policy recommends the implementation of a robust Alert System in order to inform users about
possible threats, security issues, system failures, or any other problems within the IT field.
Policy Statement
Information Technology Center management must establish, maintain, and periodically test the method
by which staff and students notify appropriate staff about suspected information security problems. This
is to ensure that all suspected information security incidents are reported promptly through correct
channels.
Policy Content
An Information Security Alert System includes reports of problems involving computer threats
infestations, hacker break-ins, improper disclosures of University information, system service
interruptions, and other events with serious information security implications.
University staff have a duty to report all information security transgressions and problems to the
Information Technology Center staff on a timely basis so that prompt remedial action may be taken.
Reports must not be made anonymously; the user has to identify himself/herself.
Information describing all reported information security problems must be retained for a period of three
(3) years. Copies of staff and/or student transgression reports must be placed on the reported person's
staff or student file.
Policy Area: Subject:
Title of Policy: Policy Code: IT016
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
Information Technology Policies and Procedures
4.0 Computing Facilities.
4.1 Access Computer Areas.
4.2 Computer Threats.
4.3 Computing Environment Supporting Equipment.
4.4 Conditions of Use.
4.5 Computing Equipments Borrowing Procedures – Academic staff.
4.1 Access Computer Areas
Purpose
The intent of this policy is to regulate the process of accessing all areas that have computing facilities
(e.g. laboratory, library, etc.). This will strengthen the security of the University's computing equipment.
Policy Statement
Information Technology working areas have been identified on all campuses at University of Bahrain.
These computer facility working areas are to be maintained by implementing appropriate security
measures that ensure the facilities are always available and secure for staff and students.
Policy Content
Staff and Student Access - After-hours access to computer areas is granted to those University staff and
student members who require access to computer work areas. Staff and students may obtain permission
from the Security Officer on each campus, the Information Technology Center and the Head of the
department. Relevant documentation is to be completed prior to issue of permissions. Records are
retained on each campus for inspection. Building access is provided to legitimate University staff and
student members and must only be used for activities which are directly related to the University.
Policy Area: Subject:
Title of Policy: Policy Code: IT017
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
4.2 Computer Threats
Purpose
This policy is to prevent users from downloading software from electronic systems outside the University.
This prohibition is necessary because such software may contain threats and software programs which
may damage University information and systems.
Definition
Threats: Computer programs designed to disrupt the normal operation of a computer and that pose an
increasing threat to the security of data and programs stored on it.
These threats include, but are not limited to, the following:
1. Viruses.
2. Worms.
3. Logic bombs.
4. Back doors.
5. Trojan horses.
6. Breaches.
Policy Content
1. To reduce the risk of ‘threats’ the Information Technology Center has arranged for a University-
wide license for threat scanning software and copies are available from the Information Technology
Center.
2. All diskettes should be scanned by this software before they are placed in any microcomputer that
is attached to the University networks.
3. Users of microcomputers attached to the University networks must not:
a. Use public domain software without first having it checked for threats, to ensure that
the program itself does not cause damage to data stored on the microcomputer or the
network.
b. Place ‘foreign’ diskettes or any hardware into their microcomputer without first
checking for the presence of ‘threats’.
c. Connect up to remote computers and down-load programs using University
microcomputers.
d. Down-load software via the Internet which may contain a threat or similar rogue
program.
Policy Area: Subject:
Title of Policy: Policy Code: IT018
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
4.3 Computing Environment Supporting Equipment
Purpose
Information Technology Center must provide and maintain all the appropriate computing environment
protection systems necessary to assure continued service for critical University computer systems.
Policy Statement
Information Technology Management must provide and maintain fire detection/suppression, power
conditioning, air conditioning, and other computing environment protection systems necessary to assure
continued service for critical University computer systems.
Policy Content
These environmental support systems are critical to continuous computer and communications support.
The intention of this policy is to ensure that IT management provide and maintain the necessary support
facilities needed for ensuring the continued operation of University systems handling critical
information.
Policy Area: Subject:
Title of Policy: Policy Code: IT019
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
4.4 Conditions of Use
Purpose
Computing facilities are provided to facilitate and enhance the academic program of the University.
Therefore, this policy is designed to keep the computing equipment operating, and generate a productive
academic environment.
Policy Statement
The University reserves the right to examine all computer data and software on its facilities, and to
monitor usage, in order to ensure conformance with these conditions and to ensure that the facilities
function in a secure, efficient and effective manner. These conditions apply to all University computer
systems and all other computing systems that can be accessed via University networks.
The authority to use University computing facilities normally expires at the end of each semester but
may be extended under certain circumstances.
Policy Content
1. Authorized Users
Persons authorized to use University computing resources are:
• students enrolled in the University.
• staff employed by the University.
• other persons having special authorization from the University’s authority.
2. Proof of Status
• Your personal University identification card is proof of your authorized status. Failure to produce
the card when requested by security may result in your being requested to leave. Students are
strongly advised to carry their University identification card at all times when they are using
computer laboratory facilities.
3. Access Cards
• Access cards are for personal use only and may not be used by other persons. Only one person
is permitted to enter the computing facilities per access card. For security reasons, details of
all access card use are automatically recorded.
4. Use of Facilities
• You may use only those facilities for which you have been authorized.
• Facilities may only be used for the purposes for which they have been provided and not be
used for other projects, games, 'hobby computing', private or consulting work.
• Facilities must not be wasted or consumed by inappropriate or irresponsible use.
• You must not attempt to tamper with any facility in any way which might alter or impede its
use by others.
• You must not harass others, including using computing facilities to send obscene, abusive,
fraudulent, threatening or unnecessarily repetitive messages.
5. Proper Conduct
• Computer laboratories are work places. In the interest of other users, noise should therefore be
kept to a minimum.
• Computer laboratories are used for educational purposes only.
• Eating and drinking are not permitted in computer laboratories as spilt fluids can damage the
equipment, particularly keyboards and circuitry.
• For safety reasons, children are not permitted in computer laboratories.
6. Data Security and Privacy
• Passwords, when used, must not be divulged to any other person.
• You should take every reasonable precaution to ensure that your passwords, accounts and data
are adequately secured.
• You must not attempt to find out another user's password, or to gain access to another user's
account.
• Any computer account allocated to you is for your exclusive use. You must not allow another
person to use it.
• Regardless of the prevailing level of security, you must not access any data or software except
that which belongs to you or has been provided for your use.
• You must not:
• attempt to examine, disclose, copy, rename, delete or modify another user's data
without their express written permission.
• attempt to recover deleted data that does not belong to you.
• attempt to subvert any restrictions imposed on your use of any facility.
7. Software Copyright Regulations
• Only legally obtained software is to be used on University computing equipment - the penalties
for breaching copyright are very high. All users of University equipment are warned that any
such breach is the liability of the user. The University will not be liable for any breaches made
by users.
• Software provided for use in laboratories must not be copied from computers without prior
authorization. Users must not violate copyright law and must respect licenses to copyrighted
materials. For the avoidance of doubt, unlawful file-sharing using the University's information
resources is a violation of this policy.
8. Breaches of Conditions
• Failure to adhere to the above conditions will be considered an act of grave misconduct and
cancellation of enrolment may result.
• Breaches which involve security and/or access violations may be referred to the Interior
Ministry and may lead to exposure to legal action in court.
• It is a criminal offence to:
• Obtain access to data without permission.
• Damage, delete, alter or insert data without permission.
Policy Area: Subject:
Title of Policy: Policy Code: IT020
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
4.5 Computing Equipments Borrowing Procedures – Academic Staff
Purpose
This policy allows staff members to borrow computing equipment which has been specifically
designated for staff use off campus for any purpose, by seeking approval from the Head of Department.
Policy Statement
Where a staff member is using computing equipment in the teaching or learning program, it is
recognized that there may be a need for that staff member to borrow this equipment for one or more
of the following purposes:
a. evaluation of software having potential application in a course;
b. preparation of lectures involving the use of certain software;
c. marking of student work where this is submitted on a diskette;
d. other University related work including University funded research.
Policy Content
1. The Head of Department will be responsible for managing the borrowing system and verifying that
borrowed computing equipment is in working order when it is returned.
2. In borrowing equipment staff are required to:
i. Take full responsibility for returning the equipment in good working order;
ii. Ensure that a temporary asset transfer form has been completed and handed to the Head of
Department (a copy to IT Center).
iii. Ensure that only licensed software is loaded and used on the machine. In this respect staff
borrowing equipment are liable for any breach of copyright law involving the use of
unlicensed software on borrowed equipment;
iv. Ensure that the equipment is properly maintained;
v. Ensure that the equipment is not taken out of the Kingdom of Bahrain without permission from:
- The Head of Department where the equipment has been acquired
- The IT Center.
Policy Area: Subject:
Title of Policy: Policy Code: IT022
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
5.0 Information System Development Policy
Purpose
The purpose of the Information System Development Policy is to describe the requirements, in
particular security and control requirements, for developing, implementing, and acquiring new
systems or modifying, upgrading and maintaining existing software at the University of Bahrain.
Policy Statement
Requests to develop and acquire new information systems or to modify and upgrade existing
systems continue to escalate. Therefore, a solid information systems policy that secures
and controls these actions at all stages of the system development life cycle is required. This will:
a) ensure conformance with all appropriate security requirements.
b) protect sensitive information throughout its life cycle.
c) facilitate efficient implementation of security controls.
d) prevent the introduction of new risks when the system is modified.
e) ensure proper removal of data when the system is retired.
Policy Content
1. The Information Technology Center is responsible for developing, maintaining, and participating
in a System Development Life Cycle at the University of Bahrain.
2. All software developed in-house which runs on production systems must be developed
according to the SDLC. At a minimum, this plan should address the areas of preliminary
analysis or feasibility study; risk identification and mitigation; systems analysis; general
design; detail design; development; quality assurance and acceptance testing;
implementation; and post-implementation maintenance and review. This methodology
ensures that the software will be adequately documented
and tested before it is used for critical information.
3. All production systems must have designated Owners and Custodians for the critical
information they process. IT Center must perform annual risk assessments of production
systems to determine whether the controls employed are adequate.
4. All production systems must have an access control system to restrict who can access the
system as well as restrict the privileges available to these Users. A designated access control
administrator (who is not a regular User on the system in question) must be assigned for all
production systems.
5. Where resources permit, there should be a separation between the production, development,
and test environments. This will ensure that security is rigorously maintained for the
production system, while the development and test environments can maximize productivity
with fewer security restrictions. Where these distinctions have been established,
development and test staff must not be permitted to have access to production systems.
Likewise, all production software testing must utilize
sanitized information.
6. All application-program-based access paths other than the formal user access paths must be
deleted or disabled before software is moved into production.
7. System security plans and documentation must be prepared for all information systems or
other systems under development due to the risk of harm resulting from loss, misuse, or
unauthorized access to or modification of the information therein.
8. Test data - Testing of information systems should be done with fabricated data that mimics the
characteristics of the real data, or on copies of real data with any confidential data
appropriately sanitized. Testing should not be done on live data due to the threat to its
confidentiality and/or integrity. Testing that requires the use of live data or confidential data
must have appropriate security controls employed and approval from data owners.
9. If an information system or component of that system is acquired from an external vendor,
written documentation must be provided that specifies how the product meets the security
requirements of this policy and any special requirements of the system. The vendor must
allow testing of the system's security controls by the university team or an independent
third party, if needed.
10. New systems and upgrades/new versions of existing systems will only be installed following the
definition of formal acceptance criteria. System Owners are responsible for co-ordinating the
acceptance criteria and involving the required areas of the organization. The following are
controls that should be considered:
a) Performance and capacity requirements (in terms of response times & other
capacity elements)
b) Preparation and testing of routine operating procedures (such as standard
reports etc)
c) Testing of security controls (passwords, usernames, information access
controls)
d) Training provision to all appropriate staff, including education/communication of
upgrades
e) System owners should document the acceptance criteria, both prior to and post
installation.
11. The organization will protect itself from covert channels and Trojan code that allow
unauthorized access to information by applying the following controls.
a) For in-house development, application developers will be bound by their contract terms of
employment and job description responsibilities not to insert covert channels or Trojan
code.
b) For Vendor supplied software, contractual arrangements will ensure that the vendor does
not insert covert access channels or Trojan code. Should these be found to be present in any
vendor supplied software, contracts will contain appropriate penalty or termination clauses
agreed by legal departments.
12. The endorsement of systems developed by information technology students in the College of
Information Technology at the University of Bahrain, such as offline systems, web-based systems,
and mobile applications.
These systems can be classified as prototypes and will be a baseline for an information
system development life cycle.
Policy Area: Subject:
Title of Policy: Policy Code: IT023
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
6.0 Change Management Policy
Purpose
The purpose of the Change Management Policy is to manage all changes (additions, deletions and
modifications) to information technology resources regardless of who initiates them. Changes must
be managed in a rational and predictable manner so that staff can plan accordingly.
Policy Statement
As the University of Bahrain has grown, the interdependencies between systems have continued to grow and
become more complex. Therefore, it is essential that changes to infrastructure are managed carefully
to reduce negative impact on users and avoid unexpected consequences.
Policy Content
1. The policy covers all changes to the production environment which includes the University’s
IT infrastructure (e.g. hardware, software, operating systems, data, databases, voice and video
networks, applications, and information systems.)
2. The policy includes environmental facilities that support IT infrastructure such as air-
conditioning, heat, electricity and alarm systems, etc.
3. The policy does not apply to changes to test or development systems, providing they are
isolated from the live environments.
4. Any change to an information technology resource must be performed in compliance with the
University's IT Infrastructure and Systems Change Management Policy and Procedures.
5. Changes require two steps of approval: prior to commencing the development or testing of a
change (a Change Request) and prior to releasing the fully tested change into the live
environment (a Release Request).
6. An "emergency change", which is defined as a repair to a current breakage and/or a change
required to prevent an imminent breakage in the live environment, will, by necessity, proceed
through the abbreviated and more immediate form of Change Request process as documented
below.
7. Certain changes occur regularly, for example, adding a PC to the network. Once a change has
been approved once, it may be advertised as a "pre-approved change". This means that all
subsequent iterations of the change during the specified period are likewise approved,
possibly with conditions. A list of pre-approved changes is maintained by IT Center.
8. A Change Advisory Board (CAB) of relevant IT Services staff, appointed by the Director of
IT Center, will meet regularly to process Change Requests in accordance with change
management procedures. A representative from the work area proposing the change is invited
to attend the CAB.
9. The process of appeal for Change Requests denied by the CAB is via the Vice President of IT
Services or equivalent role.
10. Changes that do not comply with the Change Management Policy and Procedures are
classified as 'unauthorized changes.'
11. IT Center resources will not be made available or committed for an unauthorized change, and
the IT Center has the authority to reverse any unauthorized changes that cause, are suspected of
causing, or have the potential to cause disruption to other users of the services.
Policy Area: Subject:
Title of Policy: Policy Code: IT024
Effective Date: Page Number:
Approved Date: Approved by:
Revision Date: Amendments:
Policy Owner: IT centre Policy Sponsor: UOB
Acknowledgement
Published policies of the following universities were referenced during the preparation
of these policies. For academic integrity's sake we acknowledge the following sources as
contributors to the text of these policies.
University of Wales, Newport
http://lis.newport.ac.uk/computing/i/it_policies
University of North Carolina
www.uncw.edu/itsd/policies.html
University of Bath
www.bath.ac.uk/bucs/policies
University of Utah
www.it.utah.edu/plans_policies.html
Yale University
www.yale.edu/policy
University of Massachusetts
www.umassp.edu/policy
University of Colorado
www.colorado.edu/policies
Northwestern University
www.it.northwestern.edu/policies
Florida State Technology Office
http://sto.myflorida.com/isdm/
Appendix
Examples of Misuse
Examples of misuse include, but are not limited to, the activities in the following list.
1. Using a computer account that you are not authorized to use. Obtaining a password for
a computer account without the consent of the account owner.
2. Using the Campus Network to gain unauthorized access to any computer systems.
3. Knowingly performing an act which will interfere with the normal operation of
computers, terminals, peripherals, or networks.
4. Knowingly running or installing on any computer system or network, or giving to
another user, a program intended to damage or to place excessive load on a computer
system or network. This includes but is not limited to programs known as computer
viruses, Trojan horses, and worms.
5. Attempting to circumvent data protection schemes or uncover security loopholes.
6. Violating terms of applicable software licensing agreements or copyright laws.
7. Deliberately wasting computing resources.
8. Using electronic mail to harass others.
9. Masking the identity of an account or machine.
10. Posting materials on electronic bulletin boards that violate existing laws or the
University's codes of conduct.
11. Attempting to monitor or tamper with another user's electronic communications, or
reading, copying, changing, or deleting another user's files or software without the
explicit agreement of the owner.
12. Activities will not be considered misuse when authorized by appropriate University
officials for security or performance testing.
Revision Log – General
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision Log – Information System
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision Log – Network
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision Log – Computing Facilities
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision Log - Information Systems Development Methodology (ISDM)
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision Log - Change Management Policy
This revision log will allow you to view all changes made to this section. It will let you view
and see which collaborators made edits to any of these Policies.
Log# Date Policy Change Reference Reviewed By
Revision History - INFORMATION TECHNOLOGY
POLICIES AND PROCEDURES
This revision history will allow you to view at a glance all changes made to this document by
each collaborator. It will let you view and revert to earlier sections of this document, and see
which collaborators made edits to any of these sections.
Note: you can use the log number to track the changes made in a specific Policy.
Date Section Description Author/Title Log#