INSPIRING BUSINESS INNOVATION
Communications Security Policy
Version: 2.0 Policy Code: DICT-QAP-005
Communications Security Policy
Page 2 of 14
Table of Contents
Table of Contents ... 2
Property Information ... 3
Document Control ... 4
Information ... 4
Revision History ... 4
Distribution List ... 4
Approval ... 4
Policy Overview ... 5
Purpose ... 5
Scope ... 5
Terms and Definitions ... 5
Change, Review and Update ... 6
Enforcement / Compliance ... 7
Waiver... 7
Roles and Responsibilities (RACI Matrix) ... 7
Relevant Documents ... 8
Ownership ... 8
Policy Statements ... 9
Security of Network Services ... 10
Segregation in Networks ... 10
Network Security... 11
Information Transfer Policies and Procedures ... 13
Agreements on Information Transfer ... 13
Electronic Messaging ... 14
Confidentiality or Non-Disclosure Agreement ... 14
Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship.
The content of this document is intended only for its valid recipients. This document is not to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.
Document Control
Information
Title                           Classification  Version  Status
COMMUNICATIONS SECURITY POLICY  Public          2.0      validated
Revision History
Version  Author(s)                    Issue Date         Changes
0.1      Alaa Alaiwah – Devoteam      November 18, 2014  Creation
0.2      Nabeel Albahbooh – Devoteam  December 1, 2014   Update
0.3      Osama Al Omari – Devoteam    December 23, 2014  QA
1.0      Nabeel Albahbooh – Devoteam  December 31, 2014  Update
1.1      Muneeb Ahmad – ICT, IAU      24 DEC 2017        Update
1.2      Lamia Abdullah Aljafari      6 JAN 2019         Update
1.3      Gamil Radman                 12 JAN 2020        Update
2.0      Dr. Bashar Aldeeb            13 FEB 2021        Update
2.0      Mohammad Younes              27 FEB 2022        Update
Distribution List
Copy #  Recipients
1       Legal Affairs
2       Website
3       Quality Assurance Department - DICT
4       Network Department - DICT
Approval
Name                     Title        Date       Signature
Dr. Khalid Adnan Alissa  Dean of ICT  28-6-2022
Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.
Purpose
The main purpose of Communications Security Policy is to:
Ensure the protection of information in networks and its supporting information processing facilities, and maintain the security of information transferred within IAU and with any external entity.
Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity, including:
All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.
Students studying at IAU.
Contractors and consultants working for or on behalf of IAU.
All other individuals and groups who have been granted access to IAU’s ICT systems and information.
This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.
Terms and Definitions
Table 1 provides definitions of the common terms used in this document.
Term: Definition
Accountability: A security principle indicating that individuals shall be identifiable and held responsible for their actions.
Asset: Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.
Availability: The state of an asset or a service of being accessible and usable upon demand by an authorized entity.
Confidentiality: An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.
Control: A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.
Guideline: A description that clarifies what shall be done and how, to achieve the objectives set out in policies.
Information Security: The preservation of confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Integrity: Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.
Owner: A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.
Policy: A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.
Risk: A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
System: Equipment, or an interconnected system or subsystems of equipment, that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware.
Table 1: Terms and Definitions
Change, Review and Update
This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes of this policy shall be exclusively performed by the Information Security Officer and approved by Management. A change log shall be kept current and be updated as soon as any change has been made.
Enforcement / Compliance
Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area.
Ignoring or infringing the information security directives could harm IAU’s environment (e.g., loss of trust and reputation, operational disruptions or legal violations); the persons at fault will be held responsible, which may result in disciplinary or corrective actions (e.g., dismissal) and legal investigation.
Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) shall be ensured. Management and the Human Resources Department shall be informed of policy violations and shall handle them.
Waiver
Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include justification and benefits attributed to the waiver.
A policy waiver has a maximum period of 4 months and shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy waiver shall be granted for more than three consecutive terms.
Roles and Responsibilities (RACI Matrix)
Table 2 shows the RACI matrix [1] that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed. The roles involved in this policy are: ICT Deanship, Information Security Officer (ISO), Human Resources Department / Administrative Unit (HR/A), Legal Department, Project Management Officer (PMO), Owner and User (Employee and Contractor).
[1] The responsibility assignment (RACI) matrix describes the participation of various roles in completing the tasks of a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up to date on task progress.
Roles (in order): ICT | ISO | Legal | HR/A | PMO | Owner | User
Responsibilities, with their RACI assignments listed in the role order above (roles without an entry are blank in the matrix):
Defining non-disclosure agreements for IAU’s employees and third parties: R, C, C, C, R/A, I
Implementing appropriate controls to protect the confidentiality, integrity, availability and authenticity of sensitive information: R/A, C, I
Adhering to information security policies and procedures pertaining to the protection of information: C, C, R/A
Administering network security infrastructures (e.g., routers, switches and firewalls): R/A, C, I
Table 2: Assigned Roles and Responsibilities based on RACI Matrix
Relevant Documents
The following are the policies and procedures relevant to this policy:
Information Security Policy
Asset Management Policy
Access Control Policy
Information Security Incident Management Policy
Compliance Policy
Risk Management Policy
Backup and Restoration Procedure
Change Management Procedure
Patch Management Procedure
Physical and Logical Access Management Procedure
System Acquisition, Development and Maintenance Procedure
Ownership
This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.
Policy Statements
The following subsections present the policy statements in 7 main aspects:
Network Controls
Security of Network Services
Segregation in Networks
Information Transfer Policies and Procedures
Agreements on Information Transfer
Electronic Messaging
Confidentiality or Non-Disclosure Agreement
Network Controls
1. ICT Deanship shall identify and implement appropriate countermeasures to:
a. Control the confidentiality and integrity of sensitive information passing over public networks.
b. Protect the connected systems and applications.
c. Maintain the availability of the network services and computers connected.
2. IAU’s employees and visitors shall not connect any device (e.g., personal computer, laptop or network equipment) to IAU’s network without proper permission and approval from the ICT Department.
3. ICT Deanship shall authorize all routing traffic based on IAU’s business communications requirements.
4. ICT Deanship shall implement appropriate routing control mechanisms to restrict information flows to designated network paths.
5. ICT Deanship shall ensure that proper management and technical oversight are performed over the security perimeter structure (e.g., firewall) and its current configuration. The following shall be covered, but not be limited to:
a. Documenting the security perimeter rules and reviewing them on a regular basis.
b. Documenting configuration changes and getting management approval.
c. Getting management approval prior to applying any changes to the security perimeter rules.
d. Taking adequate care while applying changes to the security perimeter rules, to ensure minimal disruption to IAU’s environment.
6. The connection capability of users shall be restricted through network gateways that filter traffic by means of pre-defined tables or rules. The restrictions shall include, but not be limited to:
a. Messaging (e.g., electronic mail).
b. File transfer.
c. Interactive access.
d. Application access.
REF: [ISO/IEC 27001: A.9.1.1]
Security of Network Services
1. ICT Deanship shall protect IAU’s network infrastructure by implementing proper network security measures and features. Security features of network services shall include, but not be limited to:
a. Technology applied for security of network services such as authentication, encryption, and network connection controls.
b. Technical parameters required for a secure connection to the network services, in accordance with the security and network connection rules (e.g., firewall, VPN and IDS/IPS).
c. Procedures for the network service usage to restrict access to network services or applications, where necessary.
REF: [ISO/IEC 27001: A.9.1.2]
Segregation in Networks
1. ICT Deanship shall split IAU’s network into logical segments, zones or domains based on criteria that include, but are not limited to:
a. Access requirements (e.g., Management, Department, Academic, Employees, IT, Students, Third Parties).
b. Relative cost and performance impact of incorporating suitable technology.
c. Value and classification of information stored or processed in the network (e.g., Critical, Sensitive).
d. Levels of trust (e.g., Trusted, Internet, DMZ).
e. Lines of business (e.g., Service, Support).
2. Internal network shall be segregated from the external network with different perimeter security controls on each of the networks.
REF: [ISO/IEC 27001: A.9.2.1]
Network Security
1. The networks must be physically and logically isolated and divided using firewalls and the principle of multi-stage security defence (Defence-in-Depth).
2. Logical isolation (VLAN) must be applied to the network of sensitive systems.
3. Logical isolation must be applied between the production environment network, the test environment network and other networks.
4. It is forbidden to connect sensitive systems to the Internet if these systems provide an internal service to Imam Abdul Rahman bin Faisal University and there is no essential need to access the service from outside the university.
5. Logical isolation must be applied between the Voice over IP (VoIP) network and the data network.
6. The use of physical network ports in all Imam Abdul Rahman bin Faisal University facilities must be restricted, using the Port Security feature or Port-Based Authentication technology, to protect the network from unauthorized or suspicious devices being connected without being detected.
7. Protection systems must be provided on the Internet browsing channel to protect against advanced persistent threats (APT Protection), which usually use viruses and previously unknown malware (Zero-Day Malware), and these systems must be managed securely.
8. It is forbidden to connect the internal network directly to the Internet; Internet connections must pass through a proxy that analyses and filters the data transmitted to and from the university.
9. Firewall rule sets must be configured so that all types of communication between network segments are explicitly denied by default, with rules opened only on the basis of user requests and business requirements.
10. The technologies necessary for securing the Domain Name System (DNS) must be provided.
11. Advanced intrusion detection and prevention systems (Intrusion Prevention Systems) must be deployed on all parts of the network and updated periodically.
12. Network APT protection systems must be provided on the network of sensitive systems.
13. Mechanisms to protect the Internet browsing channel from Advanced Persistent Threats (APTs) and previously unknown malware must be implemented and managed securely.
14. Protection against Distributed Denial of Service (DDoS) attacks must be provided for sensitive external systems.
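As an added illustration of Network Controls statement 5 and Network Security statement 9 (example code, not part of the policy or of any IAU tooling), the following audit checks a constructed firewall rule set for the properties those statements require: every allow rule traces to a documented, approved request and has been reviewed recently, and the rule set ends with an explicit default deny between segments. The Rule fields, the sample rules and the one-year review interval are assumptions.

```python
"""Audit a perimeter rule set against Network Controls statement 5 (documented,
approved, regularly reviewed rules) and Network Security statement 9 (explicit
default deny between segments). Constructed example; the Rule fields are an
assumption, not any vendor's export format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# "Reviewed on a regular basis" is assumed to mean yearly, matching the policy's own review cycle.
REVIEW_INTERVAL_DAYS = 365
TODAY = date(2022, 6, 28)  # constructed audit date


@dataclass
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    action: str                   # "allow" or "deny"
    ports: str
    request_ref: str = ""         # business request / change ticket; empty = undocumented
    approved_by: str = ""         # management approver; empty = not approved
    last_reviewed: Optional[date] = None


def audit(rules: List[Rule], today: date) -> List[str]:
    """Return one finding per policy deviation; an empty list means the rule set complies."""
    findings = []
    # Statement 9: inter-segment traffic is denied unless a rule opens it, so the rule
    # set must end with an explicit catch-all deny rather than rely on an implicit default.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and (last.src_zone, last.dst_zone) == ("any", "any")):
        findings.append("no explicit default-deny rule at the end of the rule set")
    for r in rules:
        if r.action != "allow":
            continue
        # Statements 5b/5c and 9: every opening traces back to a documented, approved request.
        if not r.request_ref:
            findings.append(f"{r.rule_id}: allow rule has no business request reference")
        if not r.approved_by:
            findings.append(f"{r.rule_id}: allow rule lacks management approval")
        # Statement 5a: rules are reviewed regularly.
        if r.last_reviewed is None or (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{r.rule_id}: rule review overdue")
        # Statement 4: flows are restricted to designated paths, so "any -> any" allows are out.
        if (r.src_zone, r.dst_zone) == ("any", "any"):
            findings.append(f"{r.rule_id}: allow rule is not restricted to designated segments")
    return findings


SAMPLE_RULES = [  # constructed sample, not a real IAU rule set
    Rule("R1", "students", "dmz", "allow", "tcp/443", "CHG-0412", "Network Manager", date(2022, 3, 1)),
    Rule("R2", "staff", "sensitive", "allow", "tcp/1433", last_reviewed=date(2022, 3, 1)),
    Rule("R3", "staff", "dmz", "allow", "tcp/22", "CHG-0099", "Network Manager", date(2019, 1, 6)),
    Rule("R4", "any", "any", "deny", "any", "baseline", "Network Manager", date(2022, 3, 1)),
]
```

Running `audit(SAMPLE_RULES, TODAY)` flags R2 (no request, no approval) and R3 (review overdue) while R1 and the closing deny pass; dropping R4 additionally reports the missing default deny.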
Information Transfer Policies and Procedures
1. Formal controls based on the criticality of information shall be defined to protect the transfer of information through the use of communication facilities. Transfer of confidential information shall be appropriately protected.
2. All users shall manage the creation, storage, amendment, copying and deletion or destruction of data (in electronic and paper form) in a manner which is consistent with IAU’s policies, and which control and protect the confidentiality, integrity and availability of such data.
3. Asset Owners shall ensure appropriate mechanisms are implemented and followed to protect transfer of their information.
REF: [ISO/IEC 27001: A.9.2.2]
Agreements on Information Transfer
1. Prior to the transfer of information with an external organization, a formal and appropriate SLA with an adequate level of security controls shall be defined. This agreement shall cover, but not be limited to:
a. Management responsibilities.
b. Manual and electronic exchanges.
c. Sensitivity of the critical information being exchanged.
d. Protection requirements.
e. Notification requirements.
f. Packaging and transmission standards.
g. Courier identification.
h. Responsibilities and liabilities.
i. Data and software ownership.
j. Protection responsibilities and measures.
k. Encryption requirements.
REF: [ISO/IEC 27001: A.9.2.3]
Electronic Messaging
1. Security controls shall be established to protect electronic messaging (e.g., e-mail) from unauthorized access, modifications or denial of service.
REF: [ISO/IEC 27001: A.9.2.4]
Confidentiality or Non-Disclosure Agreement
1. Requirements relating to confidentiality and non-disclosure commitments (i.e., for IAU’s employees and third parties) shall be identified and regularly reviewed. As such, ICT Deanship in cooperation with various support departments (e.g., Information Security Officer, Project Management Office, Human Resources Department / Administrative Unit and Legal Department) shall:
a. Define the information to be protected and required levels of sensitivity.
b. Indicate the expected length of the commitment.
c. Specify the terms for the return or destruction of information upon termination of the commitment.
d. Specify the responsibilities and requirements concerning signatories in order to prevent unauthorized disclosure of information.
e. Publish the penalties applicable in the event a user fails to respect the commitment.
2. Confidentiality and non-disclosure commitments shall consider IAU’s legally enforceable terms in order to address the requirement to protect IAU’s assets.
REF: [ISO/IEC 27001: A.9.2.5]
--- End of Document ---