Introduction

Safeguarding privacy and term of use information and technology assets are imperative for the success of the IAU. To this end, the Cybersecurity Management is dedicated to developing information security governance and overseeing the necessary security operations to protect privacy and put terms of use. This is crucial for the sustained success of the IAU. This document outlines the privacy policy and terms of use, following global best practices, standards, and regulations.

This policy is incorporated within the framework of the IAU's policies and under the authority granted by the owner, effective from the date of its adoption.

Objective of the Policy

The aim of the privacy Policy and Terms of use is to ensure the IAU's adherence to regulatory and contractual obligations concerning cybersecurity, intellectual property rights, and copyright for theprivacy and use of information technology systems, all types of data, and the IAU's technology assets.

Applicability and Scope

The provisions of this policy apply to all affiliates or contractors working within the IAU, whether on a permanent or temporary basis, and whether directly or indirectly involved. This includes suppliers, external contractors, and any individuals with permanent or temporary access rights to the IAU's data, regardless of its source, form, nature, and to the IAU's systems, devices, and databases.

Policy

This policy sets out the usage and publication guidelines upon visiting the website (www.iau.edu.sa) and other subsidiary sites owned and managed by the university. Therefore, please read carefully this Privacy Policy and Terms of Use before using the website.

Your access to and use of the site is conditioned on your acceptance of this Privacy Policy and Terms of Use and compliance with them. These policies and terms apply to all visitors and users of the university's website, and if you do not agree to these Privacy Policy and Terms of Use, please refrain from using the website.

Imam Abdulrahman Bin Faisal University reserves the right, at its sole discretion, to change these Privacy Policy and Terms of Use at any time as necessary or in the event of any violation of the site's publishing and content management policies, without the need for prior notice. The university also reserves the right to restrict access to any part or the entire website without prior notice.

Imam Abdulrahman Bin Faisal University implements a comprehensive and strict information security policy, and access to personally identifiable information is only permitted to authorized employees who are committed to maintaining the confidentiality of this information in accordance with the applicable regulations in the Kingdom of Saudi Arabia.

Imam Abdulrahman Bin Faisal University has the right to take all necessary measures to protect against any loss or misuse of the website or the information contained therein. The university does not assume any legal responsibility for any damage suffered by any party or user of the website as a result of violating the Privacy Policy and Terms of Use. The laws of the Kingdom of Saudi Arabia shall be the applicable laws in any disputes arising from the violation of these policies and terms of use.

Acceptable Use Policy

Upon entering and using the university's website, you agree and commit to:

  • Not engaging in illegal activities.
  • Not distorting or using the university's identity in any offensive content or materials.
  • Not using the website as a means for unauthorized access to the university's information technology systems.
  • Using the university's website for work-related purposes only.
  • Not downloading non-work-related media such as:
    • Peer-to-peer software and file-sharing software.
    • Movies, games, music, software, scripts, etc.
  • Not using unlicensed software or other intellectual properties.
  • Not using techniques allowing bypassing proxies or firewalls to access the Internet.
  • Not downloading or installing software/tools on the university's website without prior permission from the Cybersecurity Administration.
  • Not conducting any security scans to discover vulnerabilities, including penetration testing, monitoring the university's networks and systems, or external networks and systems, without prior permission from the Cybersecurity Administration.
  • Not using any robots, spiders, deep links, scrapers, or other automated means, methodologies, algorithms, devices, or any manual process to monitor or copy the university's website or any of its web pages without written permission from the relevant authorities at Imam Abdulrahman Bin Faisal University.
  • Not framing, squeezing back, overlaying, or using other techniques to insert or display the website, or any trademarks, logos, content, or other proprietary information (including images, text, page layout, or form) embedded on the website, using any third-party software or content.
  • Not using any descriptive marks or any other "hidden text" or using names or trademarks of Imam Abdulrahman Bin Faisal University without prior written consent.
  • Not using any device or program that interferes with the normal functions of the website, or engaging in any suspicious activity that imposes excessive or disproportionate load on the website's infrastructure as determined by the university at its discretion.

Publishing Rights and Responsibilities

The website and its content are protected under copyright laws in the Kingdom of Saudi Arabia. You may not reproduce, modify, or distribute any texts, graphics, videos, audio, or any other content on the website without prior written permission from the university.

The website may contain links to other websites of third parties not under the control of the university, and the university does not assume any responsibility for the content of any third-party website. Inclusion of any link is for convenience purposes only and does not imply any endorsement or support by the university for any of the ideas or orientations found on the websites or any connection or relationship with their operators. The university disclaims any responsibility regarding your access to any links listed on the website, and you must comply with the guidelines regarding the inclusion of university links unless otherwise provided in an agreement between you and the university. The link or its position or other features should not give the false impression that your institution or entity is sponsored by or affiliated with or associated with the university. Accordingly, the university reserves the full right to revoke its approval of the link at any time at its discretion.

Additional Policies

When using the university's website, you confirm and agree to comply with the university's Privacy Policy and Terms of Use and any other policies governing the use of this website by the university and its various departments.
To view the policies governing the university's website, click here.

The university's website relies on a set of security standards to ensure the confidentiality of all information displayed, stored, or exchanged with users. These standards include the encryption of stored information, the imposition of strict password restrictions to ensure the use of appropriately complex passwords, as well as the imposition of high security standards on all equipment and servers of the university's website at the Deanship of Information and Communication Technology at the university, where the Deanship is equipped with the latest protection devices in addition to deploying the best types of antivirus software on all available servers at the Deanship.

Personal Data Protection Policy

Collection of Personal Data:

Imam Abdulrahman bin Faisal University collects personal data from users with their knowledge and consent when registering on the university's official channels using mobile phone applications or various services affiliated with the university, or when communicating with customer service channels, or when providing the university with data through the parties with which the university has signed agreements for sharing and exchanging data, and includes various personal data such as the person's name, ID or residence number, contact numbers, address, social information, job and educational data, electronic account data such as username and email, etc.

The legal basis for collecting personal data and the purpose of collecting it:

Data is collected in accordance with the provisions of the Personal Data Protection System issued by Royal Decree No. (M/19) dated 02/09/1443 AH, and its amendments. The collection and processing of personal data is considered necessary to perform services that achieve the public interest, as it is collected for the following purposes:

  • Enabling and providing the services of Imam Abdulrahman bin Faisal University and meeting its requirements.
  • Issuing policies and preparing studies that serve work requirements.
  • Resolving and addressing inquiries and complaints from beneficiaries of university services.
  • Raising the level of service performance and developing it, improving the beneficiary experience, and ensuring the continuity of providing services with the required quality.
  • Authenticating the user's identity when registering for the university's various services.
  • Meeting some legal and regulatory requirements.
Sharing Personal Data:
  • In accordance with the data sharing policy issued by the National Data Management Office, the university will not share the beneficiary's personal data with non-governmental entities unless they are authorized to perform specific government services. Or after obtaining the data owner's consent to do so, and within the limits of the data that may be disclosed by law.
  • The university may share the beneficiary's necessary personal data with government entities for specific purposes based on a regulatory basis or justified practical need aimed at achieving a public interest without causing any harm to national interests, the activities of entities, the privacy of individuals, or the safety of the environment, with the exception of data and entities exempted by royal orders, without prejudice to the rights of the personal data owner.
  • When sharing the beneficiary's personal data, the university is keen to share it through a secure and reliable environment in accordance with the relevant systems, regulations and policies. We may take additional steps to ensure the protection of your data by signing a data sharing agreement between the university and other entities in accordance with specific terms and conditions consistent with the data sharing principles.
Transfer of personal data outside the geographical borders of the Kingdom:
  • According to the applicable regulations, the storage and processing of the beneficiary’s personal data shall be in a secure manner within the geographical borders of the Kingdom of Saudi Arabia, in order to ensure the preservation of the national digital sovereignty of this data, unless it is one of the cases of transferring or processing data outside the geographical borders of the Kingdom, as specified in Article (Twenty-Nine) of the Personal Data Protection Law.
Personal Data Protection
  • Imam Abdulrahman Bin Faisal University is committed to protecting personal data from leakage, damage, loss, misappropriation, misuse, alteration, unauthorized access, as well as preserving the privacy of users' data in its systems and website, and maintaining the confidentiality of users' information in its various systems in order to provide high-quality service to all users.
  • The university applies appropriate security measures to protect data and share it in a safe and reliable environment in accordance with relevant regulations and legislation, and in accordance with what is issued by the National Cybersecurity Authority, and adheres to ethical practices during the data sharing process to ensure its use within a framework of justice, integrity, honesty, and respect.
Do you have a question or complaint regarding the Privacy Notice?

If you have any question, complaint or request regarding your rights related to the processing of your personal data or regarding what is stated in the Privacy Notice in general, you can contact the Data Management and Governance Office at Imam Abdulrahman bin Faisal University via email dmo@iau.edu.sa

Relevant legislation includes:

Compliance with the Law

  • It is necessary to carefully read the Privacy Policy and Terms of Use before entering or participating in any transactions on the university's website and its affiliated sites. Your use or participation in these sites implies your reading of these policies and terms of use and your agreement to comply with them.
  • Adherence to these policies and terms of use is mandatory, and access to the website is prohibited from any party or entity where such access or the content of the site is illegal. Those who choose to access the website do so on their own initiative and are responsible for complying with all applicable laws. Any violation of these policies and terms of use will result in the coordination of the Deanship of Information and Communication Technology at the university with other relevant entities within the university or specialized security authorities to take corrective actions. The level of measures applied will be commensurate with the level of violation determined by the investigations, and these measures may include, but are not limited to, preventing the publication of content on the website or terminating, restricting, or suspending the user's right to access and use the website.

General and Limited Disclaimer

The university provides the website, including all information, materials, programs, and services, without any warranty of any kind to the maximum extent permitted by applicable law. The university does not provide any guarantees regarding the website, including without limitation all content on the university's website or through it, in addition to all implied warranties of merchantability, fitness for a particular purpose, title, or non-infringement of rights. While the content available through the website is accurate at the time of preparation, the university does not provide any warranty regarding the accuracy, completeness, or timeliness of any such content, and the university and the operators and managers of the website shall not be liable for any resulting consequences, loss, or damage that may occur to the user or any third party due to the use of the university's websites and services. Therefore, you should verify any content before relying on it. The university does not provide any warranties that the use of the website is complete or error-free.

Violations

The university reserves the right, at its sole discretion, to take necessary actions in accordance with the law and fairly regarding violations of these policies and terms of use, including the right to terminate access to the entire website or a specific internet address at any time without prior notice for any reason.

Updating the Policy

  • The last update to this policy was made on february26, 2024 AD.
  • The use of the university's website includes several terms and conditions subject to continuous updates and changes as needed, as the university reserves the right to change the terms from time to time as it deems appropriate. Any modification or update to any of these terms and conditions becomes effective immediately upon adoption by the competent authority, requiring users to continuously review the terms of use and disclaimers to know of any updates. These changes, modifications, additions, or deletions take effect immediately upon publication unless otherwise stated. The university does not assume any duty or obligation to notify previous users of the website of any changes made, regardless of the scope or importance of the changes. You are responsible for regularly reviewing the terms of use. Your continued use of the website after the publication of changes constitutes your agreement to these changes.

Roles and Responsibilities

The Cybersecurity Management responsibilities:

  • 16.1.1 The Head of the Cybersecurity Management shall approve the policy on behalf of the authorized entity and work on its implementation.
  • 16.1.2 The Head of the Cybersecurity Management shall approve standards, procedures, and guidelines to ensure necessary compliance with the security requirements of the university operations.
  • 16.1.3 The Head of the Cybersecurity Management shall ensure alignment between this policy and the operations of the university.
  • 16.1.4 The Head of the Cybersecurity Management shall resolve any conflicts arising from this policy.
  • 16.1.5 The Head of the Cybersecurity Management shall provide necessary resources to identify, acquire, and implement technical solutions, if feasible, to meet the policy requirements.
  • 16.1.6 Staffs of the Cybersecurity Management shall ensure the dissemination of the Cybersecurity Compliance Policy to all departments, staff, and users authorized to access technical and information assets within the university or those who will be granted access.
  • 16.1.7 Staffs of the Cybersecurity Management shall coordinate with relevant departments to monitor compliance and implementation.
  • 16.1.8 Staffs of the Cybersecurity Management shall periodically review the policy according to the established timeline.
The Director of Legal Affairs responsibilities:
  • 16.1.9 In the event of a violation of compliance with this policy based on the investigation by the Cybersecurity Management, take necessary actions.
The Director of Quality Assurance Department shall:
  • 16.1.10 Review the cybersecurity controls, audit their implementation according to accepted general audit standards, and relevant legislative and regulatory requirements.
Top Management, Heads of Departments, Heads of Units, and Advisers shall:
  • 16.1.11 Ensure the dissemination of this policy to all affiliates within the university or unit.
  • 16.1.12 Report any breaches or non-compliance with this policy to the Cybersecurity Management.
University Affiliates shall:
  • 16.1.13 Comply with the provisions of this policy and report any security incidents or non-compliance with any provisions of this policy to the Head of Cybersecurity Management
Ownership of the Policy

The Head of Cybersecurity Management within the university is responsible for this policy.

Changes to the Policy

The policy should be reviewed at least annually or when there are changes in legislative and regulatory requirements. Changes should be documented and approved by the authorized entity within the university.

Compliance

All affiliates within the university and external parties/contractors must comply with the provisions of this policy. The Head of Cybersecurity Management within the university is responsible for continuous monitoring of compliance and for regularly reporting on this matter to the authorized entity.

Necessary actions must be taken to ensure compliance with the policy. The Cybersecurity Management or relevant departments should conduct periodic reviews and corrective actions should be taken by the authorized entity within the university, based on recommendations from the Head of Cybersecurity Management, regarding any violations of this policy. Disciplinary actions should be proportionate to the severity of the incident, as determined by the investigation. Disciplinary measures may include, but are not limited to, the following:

  • Revoking access privileges to data, IT assets, and connected systems of the university.
  • Issuing a written warning or terminating the employment of the affiliate, or taking appropriate measures as deemed fit by the university.

Non-compliance with any provisions of this policy without obtaining prior exception from the Cybersecurity Management requires taking appropriate actions according to the policies and regulations in place within the university, or as deemed appropriate, and in accordance with contractual terms with any individuals or entities contracted with.

  • DICT.I.06-08.CS.E. V2.0 - Patch and Update Management Policy
  • DICT.I.06-26.CS.E. V2.0 - Clear Desk and Clear Screen Policy
  • DICT.I.06-04.CS.E. V2.0 - Asset Management Policy
  • DICT.I.06-06.CS.E. V2.0 - Change Management Policy
  • DICT.I.06-27.CS.E. V2.0 - Acceptable Use of Assets Policy
  • DICT.I.06-33.CS.E. V2.0 - Access Control Policy
  • DICT.I.06-44.CS.E. V2.0 - Email Security Policy
  • DICT.I.06-15.CS.E. V2.0 - Password Management policy
  • DICT.I.06-14.CS.E. V2.0 - Web Application Security Policy
  • DICT.I.06-12.CS.E. V2.0 - Cookie Policy
  • DICT.I.06-38.CS.E. V2.0 - Configuration and Hardening Policy
  • DICT.I.06-34.CS.E. V2.0 - Cybersecurity Policy for Project Management
  • DICT.I.06-11.CS.E. V2.0 - Data Sharing Policy
  • DICT.I.06-37.CS.E. V2.0 - Cybersecurity Policy for Teleworking
  • DICT.I.06-40.CS.E. V2.0 - Operations Security Policy
  • DICT.I.06-39s.CS.E. V2.0 - Network Security policy
  • DICT.I.06-35.CS.E. V2.0 - Cybersecurity Policy for Social Media Accounts and Media
  • DICT.I.06-36.CS.E. V2.0 - Cybersecurity Policy to Protect Printers, Scanners and Photocopiers
  • DICT.I.06-45.CS.E.V2.0 Cybersecurity assessment and audit policy
  • DICT.I.06-46.CS.E.V2.0 Storage Media Security Policy
  • DICT.I.06-47.CS.E.V2.0 Secure Systems Development Life Cycle policy
  • DICT.I.06-48.CS.E.V2.0 Privileged Access Workstations Standards
  • DICT.I.06-49.CS.E.V2.0 Identity And Access Management Standards
  • DICT.I.06-50.CS.E.V2.0 Physical Security Standards
  • DICT.I.06-51.CS.E.V2.0 Secure Coding Standard
  • DICT.I.06-52.CS.E.V2.0 Advanced Persistent Threats (APT) Standards
  • DICT.I.06-53.CS.E.V2.0 Data Loss Prevention Standards
  • DICT.I.06-54.CS.E.V2.0 Network Detection and Response Standards
  • DICT.I.06-55.CS.E.V2.0 Email Protection Standards
  • DICT.I.06-56.CS.E.V2.0 Data Cybersecurity Standards
  • DICT.I.06-57.CS.E.V2.0 Standard Virtualization Security
  • DICT.I.06-58.CS.E.V2.0 Database Security Standards
  • DICT.I.06-59.CS.E.V2.0 Social Media Security Standard
  • DICT.I.06-60.CS.E.V2.0 Asset Classification Standards
  • DICT.I.06-61.CS.E.V2.0 Data Protection Standards
  • DICT.I.06-62.CS.E.V2.0 Asset Management Standards
  • DICT.I.06-63.CS.E.V2.0 Vulnerability Management and Penetration Testing Standards
  • DICT.I.06-64.CS.E.V2.0 Change Management Standards
  • DICT.I.06-65.CS.E.V2.0 Backup and Restoration Standards
  • DICT.I.06-66.CS.E.V2.0 Patch Management Standards
  • DICT.I.06-67.CS.E.V2.0 Cybersecurity Incident Management Standards
  • DICT.I.06-68.CS.E.V2.0 Cybersecurity Events Logs and Monitoring Management standards
  • DICT.I.06-69.CS.E.V2.0 Password Management standards
  • DICT.I.06-70.CS.E.V2.0 System Acquisition, Development and Maintenance Standards
  • DICT.I.06-71.CS.E.V2.0 Encryption Standards
  • DICT.I.06-72.CS.E.V2.0 Anti-Malware Standards
  • DICT.I.06-73.CS.E.V2.0 Web Application Security Standards
  • DICT.I.06-74.CS.E.V2.0 Cybersecurity Policy for Project Management Standards
  • DICT.I.06-75.CS.E.V2.0 Configuration and Hardening Standards
  • DICT.I.06-76.CS.E.V2.0 Server Security Standards
  • DICT.I.06-77.CS.E.V2.0 Network Security Standards
  • DICT.I.06-78.CS.E.V2.0 Third Party and Suppliers Security Standards
  • DICT.I.06-79.CS.E.V2.0 Workstations, Mobile Devices and BYOD Security Standards
  • DICT.I.06-80.CS.E.V2.0 Proxy Security Standards
  • DICT.I.06-81.CS.E.V2.0 Key Management Standards
  • DICT.I.06-82.CS.E.V2.0 Protection against Distributed Denial of Service (DDOS) attacks
  • DICT.I.06-83.CS.E.V2.0 Data Diode Standards
  • DICT.I.04-34.CS.E.V2.0 Change Management Procedures
  • DICT.I.04-35.CS.E.V2.0 Backup and Restoration Procedures
  • DICT.I.04-36.CS.E.V2.0 System Acquisition, Development and Maintenance Procedures
  • DICT.I.04-37.CS.E.V2.0 Anti-Malware Procedures
  • DICT.I.04-38.CS.E.V2.0 Cybersecurity Audit Procedures
  • DICT.I.04-39.CS.E.V2.0 Vulnerabilities Assessment Procedures
  • DICT.I.04-41.CS.E.V2.0 Cybersecurity Documents Development Procedures
Published on: 25 April 2022
Last update on: 09 October 2024
Page views: 160724