
INSPIRING BUSINESS INNOVATION

October 2020

Acceptable Use Policy

Version: 2.0

Policy Code: DICT-QAP-001

Acceptable Use Policy

Page 2 of 12

Table of Contents

Property Information (page 3)

Document Control (page 4)
    Information (page 4)
    Revision History (page 4)
    Distribution List (page 4)
    Approval (page 4)

Policy Overview (page 5)
    Purpose (page 5)
    Scope (page 5)
    Terms and Definitions (page 5)
    Change, Review and Update (page 6)
    Enforcement / Compliance (page 6)
    Waiver (page 7)
    Roles and Responsibilities (RACI Matrix) (page 7)
    Relevant Documents (page 8)
    Ownership (page 8)

Policy Statements (page 9)
    Confidentiality of Information (page 9)
    Computer Usage (page 10)
    E-mail Usage (page 10)
    Internet Usage (page 11)
    Password Usage (page 11)
    Network and Systems Usage (page 12)


Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. Its content is intended only for its valid recipients. This document is not to be distributed, disclosed, published or copied without the ICT Deanship's written permission.


Document Control

Information

Title: Acceptable Use Policy
Classification: Public
Version: 2.0
Status: Validated

Revision History

Version | Author(s)                        | Issue Date        | Changes
0.1     | Alaa Alaiwah - Devoteam          | 18 November 2014  | Creation
0.2     | Nabeel Albahbooh - Devoteam      | 30 November 2014  | Update
0.3     | Osama Al Omari - Devoteam        | 23 December 2014  | QA
1.0     | Nabeel Albahbooh - Devoteam      | 31 December 2014  | Update
1.1     | Muneeb Ahmad - ICT, IAU          | 21 April 2017     | Update
1.2     | Lamia Abdullah Aljafari          | 6 June 2020       | Update
2.0     | Dr. Bashar Aldeeb                | 31 August 2020    | Update

Distribution List

# Recipients

1 Legal Affairs

2 Website

3 Quality Assurance Department – DICT

4 Information Security Department - DICT

Approval

Name: Dr. Khalid Adnan Alissa
Title: Dean of DICT
Date: 8 October 2020
Signature: (signed)


Policy Overview

This section describes the policy's purpose, scope, terms and definitions, change, review and update process, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

Purpose

The main purpose of the Acceptable Use Policy is to define a set of rules that govern the ways in which computer, network, e-mail and Internet services may be used by users, and to minimize potential risks such as virus attacks, compromise of network systems and services, and the legal issues that may follow from them.

Scope

The policy statements in this document apply to all of IAU's resources at all levels of sensitivity, and to:

- All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
- Students studying at IAU.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU's ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Accountability: A security principle indicating that individuals shall be identifiable and shall be held responsible for their actions.

Asset: Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.

Availability: The state of an asset or service of being accessible and usable upon demand by an authorized entity.

Confidentiality: The property that an asset or service is not made available or disclosed to unauthorized individuals, entities or processes.

Control: A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.

Guideline: A description that clarifies what shall be done, and how, to achieve the objectives set out in policies.

Information Security: The preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

Integrity: Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.

Malware (Malicious Software): Software designed to disrupt computer operation, gather sensitive information or gain access to private computer systems (e.g., a virus or Trojan horse).

Policy: A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.

Risk: A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

System: Equipment, or an interconnected system or subsystem of equipment, that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware.

Table 1: Terms and Definitions

Change, Review and Update

This policy shall be reviewed once every year, unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be made exclusively by the Information Security Officer and approved by management. A change log shall be kept current and updated as soon as any change has been made.

Enforcement / Compliance

Compliance with this policy is mandatory and is to be reviewed periodically by the Information Security Officer. All IAU units (Deanships, Departments, Colleges, Sections and Centers) shall ensure continuous compliance monitoring within their area.


Ignoring or infringing the information security directives could harm IAU's environment (e.g., loss of trust and reputation, operational disruptions or legal violations). The persons at fault will be held responsible, which may result in disciplinary or corrective action (e.g., dismissal) and legal investigation.

Correct and fair treatment of employees who are suspected of violating security directives (e.g., in any disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and are responsible for handling them.

Waiver

Information Security shall consider exceptions on an individual basis. For an exception to be approved, the request shall be accompanied by a business case outlining the reasoning behind it. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include the justification for, and the benefits attributed to, the waiver.

A policy waiver is valid for a maximum of four months. It shall be reassessed and, if necessary, re-approved for at most three consecutive terms; no policy waiver shall be granted for more than three consecutive terms.

Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix (see note 1 below), which identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.

Four roles are involved in this policy: ICT Dean, ICT Deanship, Information Security Officer (ISO) and User (employee and contractor).

Responsibility | ICT Dean | ICT Deanship | ISO | User
Adhering to information security policies and procedures pertaining to the protection of information. | I | C | C | R,A
Reporting actual or suspected security incidents to the ICT Deanship. | I | C | C | R,A
Using the information only for the purpose intended by IAU. | - | C | C | R,A
Accepting accountability for all activities associated with the user's access privileges. | - | C | C | R,A
Distributing information security documents so that those who need them have copies or can readily locate them via an intranet site. | I | C | R,A | I

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

Note 1: The responsibility assignment (RACI) matrix describes the participation of various roles in completing the tasks of a business process. It is especially useful in clarifying roles and responsibilities in cross-functional or cross-departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on a task that a Responsible performs; C stands for Consulted, who provides opinions; and I stands for Informed, who is kept up to date on task progress.

Relevant Documents

The following policies and procedures are relevant to this policy:

- Information Security Policy
- Human Resource Security Policy
- Asset Management Policy
- Access Control Policy
- Information Security Incident Management Policy
- Compliance Policy

Ownership

This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.


Policy Statements

The following subsections present the policy statements in six main areas:

- Confidentiality of Information
- Computer Usage
- E-mail Usage
- Internet Usage
- Password Usage
- Network and Systems Usage

Confidentiality of Information

1. Users shall strictly adhere to IAU's information security policies and shall notify the ICT Deanship of any security breach, incident or violation.

2. Users shall fully adhere at all times to IAU's Non-Disclosure Agreement (NDA) when handling and protecting IAU-owned confidential information that is transmitted or retained electronically.

3. Users shall not disclose or provide IAU-owned information to any person (inside or outside IAU) or third party without proper management approval and authorization.

4. Users shall exercise all necessary due care in protecting IAU's assets. Each user is responsible for:

   a. Preventing unauthorized access to, including viewing of, information resources under his or her responsibility or control (such as information on laptops, desktop computers, access terminals, printouts or tape media).

   b. Printing confidential IAU information only on printers with access controls. Confidential information shall not be printed unattended.

   c. Notifying the ICT Deanship of any virus-like behaviour or suspicious activity on their systems.

5. Users shall display their identification badges (ID cards) at all times on IAU's premises.


6. Users shall actively contribute to and participate in the information security initiatives and activities arranged by IAU (e.g., security training and awareness).

7. Users shall lock and/or secure any sensitive information (whether in electronic or hardcopy form) before leaving their respective machines/offices (i.e., servers, workstations and laptops).

8. Users shall not leave sensitive facsimile or printed documents unattended.

Computer Usage

1. Users shall acknowledge that all computer data created, received or transmitted using IAU's systems is IAU's property. IAU reserves the right to examine all such data for any reason and without notice, for example when violations of this policy or of other IAU policies or procedures are suspected.

2. Users shall use their computers for IAU's business purposes only and shall not use them to perform any malicious or illegal activities.

3. Users shall save and maintain their business-related files on the file server.

4. Computers shall not be removed from their installed location without prior approval from the ICT Deanship and the Department Manager.

5. Users shall not install any unauthorized software on IAU's computers.

6. Users shall use appropriate and approved protection measures, such as encryption, password protection, antivirus and backup, when using mobile computing devices (e.g., laptops, mobile phones, USB drives and external storage disks) to store, transmit or process information.

7. Users shall log off or lock their computers before leaving their workplace.

8. Users shall never deactivate the screen saver installed on their computers.

E-mail Usage

1. Users shall use e-mail services only for IAU's business.

2. Users shall be responsible and accountable for the appropriate use and dissemination of information through IAU's e-mail services.


3. Users shall not access other users' e-mail accounts and/or services without proper authorization from the ICT Deanship.

4. Users shall not use internal or external e-mail services to send IAU's confidential business-related information without prior approval and permission from their management.

5. Users shall not use e-mail services for unlawful activities, including sending or receiving copyrighted material in violation of copyright laws or license agreements.

6. Users shall not send chain letters, spam or unnecessary multiple forwards such as mass holiday greetings.

7. Users shall not circulate or forward virus alerts received by e-mail to anyone other than the ICT Deanship.

8. Users shall not subscribe to any mailing group, whether local or international, for any reason other than business purposes.

Internet Usage

1. Users shall use Internet access only for IAU's business activities.

2. Users shall not use the Internet service for unlawful activities, including sending or receiving copyrighted material in violation of the applicable copyright laws or license agreements.

3. Users shall be responsible and accountable for the appropriate use and dissemination of information through IAU's Internet services.

4. Users shall not use IAU's systems to distribute malicious, destructive or fraudulent code or information, to insert or enable computer viruses or virus code, or to conduct any hacking activities within or outside IAU's environment.

5. Users shall not use instant messaging services or social networks to chat with local or international online subscribers for personal purposes.

6. Users shall not publish any IAU information on the Internet without prior approval and permission from Management and the ICT Deanship.

Password Usage

1. Users shall not share or disclose their user ID and password to anyone.


2. Users shall be responsible for selecting and maintaining secure passwords in accordance with IAU's Password Policy.

3. Users shall not enable auto-logon options on systems by saving their passwords.
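The following PowerShell check is an added example written for this page; it is not part of the policy and not ICT Deanship tooling. It reads the standard Windows registry values behind Computer Usage items 7 and 8 (the screen saver must stay active and require a password on resume) and Password Usage item 3 (no automatic logon with a stored password), and returns a per-machine compliance record. The registry paths and value names are the standard Winlogon and Desktop settings; the function name, the 900-second timeout threshold and the output shape are assumptions made for this example.

```powershell
# Added example: endpoint check for screen-saver lock and auto-logon settings.
# Registry paths and value names are the standard Windows ones; the 900-second
# timeout threshold and the function name are assumptions chosen for this example.
function Test-IauEndpointSettings {
    [CmdletBinding()]
    param(
        [int] $MaxScreenSaverTimeoutSeconds = 900
    )

    $findings = @()

    # Computer Usage 7/8: screen saver active, password-protected and with a bounded timeout.
    # These are REG_SZ values, so they are compared as strings.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if (-not $desktop -or $desktop.ScreenSaveActive -ne '1') {
        $findings += 'Screen saver is not active (Computer Usage 8).'
    }
    if (-not $desktop -or $desktop.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screen saver does not require a password on resume (Computer Usage 7).'
    }
    $timeout = 0
    if ($desktop -and [int]::TryParse([string]$desktop.ScreenSaveTimeOut, [ref]$timeout)) {
        if ($timeout -le 0 -or $timeout -gt $MaxScreenSaverTimeoutSeconds) {
            $findings += "Screen saver timeout is $timeout s; expected 1-$MaxScreenSaverTimeoutSeconds s."
        }
    } else {
        $findings += 'Screen saver timeout is not set.'
    }

    # Password Usage 3: no automatic logon, and no cleartext DefaultPassword stored in Winlogon.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon -and $winlogon.AutoAdminLogon -eq '1') {
        $findings += 'AutoAdminLogon is enabled (Password Usage 3).'
    }
    if ($winlogon -and ($winlogon.PSObject.Properties.Name -contains 'DefaultPassword')) {
        $findings += 'A cleartext DefaultPassword value is stored under Winlogon (Password Usage 3).'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run in the context of the logged-on user; reading these keys needs no elevation.
Test-IauEndpointSettings | Format-List
```

One caveat for anyone adapting this: the check reads the per-user values only. Where the screen-saver settings are enforced by Group Policy, the effective values live under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop and take precedence, so a policy-managed machine can report "not active" here while actually being locked down; read the Policies key first if that applies in your environment.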

Network and Systems Usage

1. Users shall not introduce malicious programs (e.g., viruses, worms, Trojan horses or e-mail bombs) into IAU's systems.

2. Users shall not introduce freeware or shareware software into the organization's network, whether downloaded from the Internet or obtained through any other media, without ICT Deanship authorization.

3. Users shall not use IAU's systems to store, process, download or transmit data that can be interpreted as biased (e.g., politically, religiously, racially or ethnically).

4. Users shall not turn off the IAU-approved virus detection software package, or use any other antivirus software package, without the ICT Deanship's written approval.

5. Users shall not perform port scanning or security scanning of IAU's network or systems unless authorized by the ICT Deanship and prior notification has been given to the relevant employees.

6. Users shall not execute any form of network monitoring that intercepts data not intended for the employee's host, unless this activity is part of the employee's authorized job or duty.

7. Users shall not circumvent user authentication or the security of any host, network or account.

8. Users shall not use any program or send messages of any kind with the intent to interfere with or disable a user's terminal session, by any means, locally or externally.

-------------------------------------------------------- End of Document ------------------------------------