Objective

To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of University of Dammam, including all academic, administrative, and research data. 

Executive Summary

Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the University of Dammam (UOD), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.

University of Dammam is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, and configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.

Information Security Policy Objectives 

The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, learning, teaching and administrative functions.

The university is committed to protecting the security of its information and information systems. The following are the objectives of information security policy:

  1. to protect academic, administrative and personal information from threats.

  2. to maintain the confidentiality, integrity and availability of the UOD information assets.

  3. to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.

  4. to protect against information security incidents that might have an adverse impact on UOD business, reputation and professional standing.
  5. to establish responsibilities and accountability for information security. 

Information Security Principles

Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:

  • Information is an asset and like any other business asset it has a value and must be protected.
  • The systems that are used to store, process and communicate this information must also be protected.
  • Information should be made available to all authorized users.
  • Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the ‘data classification policy’.
  • Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.
  • All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.
  • Information will be protected against unauthorized access.
  • Compliance with this policy is compulsory for UOD community. 

Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:
  1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.
  2. Improved credibility with the UOD community and partner organizations.
  3. Protected information at rest and in transit. 

Policy Rationale 

University of Dammam possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable, it could impair the University’s ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.

The information security policy has been laid down in accordance with the principles and guidelines defined and enforced by the ‘Communications & Information Technology Commission’ in the document titled “Information Security Policies and Procedures Development Framework for Government Agencies”.

Entities affected by this Policy

  • All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
  • Students studying at the University.
  • Contractors and consultants working for or on behalf of the University.
  • All other individuals and groups who have been granted access to the University’s ICT systems and information.

Business Impact of no Information Security 

The potential adverse business impact to the university due to lack of information security policy may include:
  • Loss of critical campus information
  • Higher costs due to waste of resources
  • Damage to the reputation of the UOD
  • Lack of corrective actions or repairs
  • Violation of University and government regulatory policies and procedures

Policy Benefits

  1. It will address risks associated with the unauthorized disclosure, use, modification and deletion of university data.
  2. Improved and appropriate security measures for the data.
  3. Protect UOD information assets. 

Policy Statement 

Information is fundamental to the effective operation of the University and is an important business asset. The purpose of this Information Security Policy is to ensure that the information managed by the University is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently.

Applicability 

  • All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
  • Students studying at the University.
  • Contractors and consultants working for or on behalf of the University.
  • All other individuals and groups who have been granted access to the University’s ICT systems and information. 

Security Roles and Responsibilities 

All members of the University have direct individual and shared responsibilities for handling information or using university information resources to abide by this policy and other related policies. In order to fulfill these responsibilities, members of the University must:

  • be aware of this policy and comply with it,
  • understand which information they have a right of access to,
  • know the information, for which they are owners,
  • know the information systems and computer hardware for which they are responsible. 

Information Users 

Every member of the university community who has legitimate access to the university ICT resources is responsible for abiding by this policy. No individual should be able to access information to which they do not have a legitimate access right. Information users should neither violate this policy nor allow others to do so. Information users must be aware of the nature of the information to which they have been granted access and must handle information carefully according to its classification. They should protect the confidentiality of information and not give access to other illegitimate individuals, knowingly or unknowingly.
For the purpose of information security, access to all email servers other than the University of Dammam email server will be blocked through University network resources.

Information Owners

The information owners have responsibility to maintain the confidentiality, integrity and availability of information. In particular:

  • Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive and critical information assets and classify it according to the University ‘Data Classification Policy’.
  • Heads of departments, departmental administrators and IT support staff are responsible for the confidentiality, integrity and availability of information maintained by members of their department, such as students’ academic records. They are also responsible for the security of all departmentally operated information systems.
  • Data and systems managers in support services are responsible for the confidentiality, integrity and availability of information, such as student, personnel and financial data.
  • Project managers leading projects for the development or modification of information systems are responsible for ensuring that projects take account of the needs of information access and security and that appropriate and effective control mechanisms are instituted, so that the confidentiality, integrity and availability of information is guaranteed.
  • Information owners will conduct risk assessment of their information assets and may recommend the mitigation strategies.
  • Any information security incident will be reported to the chief security officer.