
INSPIRING BUSINESS INNOVATION

COMPLIANCE POLICY

Version: 2.0 Policy Code: DICT-QAP006

سياسة الامتثال

Compliance Policy

Page 2 of 16

Table of Contents

Table of Contents ... 2

Property Information ... 3

Document Control ... 4

Information ... 4

Revision History ... 4

Distribution List ... 4

Approval ... 4

Policy Overview ... 5

Purpose ... 5

Scope ... 5

Terms and Definitions ... 5

Change, Review and Update ... 6

Enforcement / Compliance ... 7

Waiver... 7

Roles and Responsibilities (RACI Matrix) ... 7

Relevant Documents ... 9

Ownership ... 10

Policy Statements ... 11

Identification of Applicable Legislation and Contractual Requirements ... 11

Intellectual Property Rights ... 12

Protection of Records ... 13

Privacy and Protection of Personally Identifiable Information ... 13

Regulation of Cryptographic Controls ... 13

Independent Review of Information Security ... 13

Compliance with Security Policies and Standards... 14

Technical Compliance Review ... 14


Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship.

The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without ICT Deanship written permission.


Document Control

Information

Title | Classification | Version | Status
COMPLIANCE POLICY | Public | 2.0 | Validated

Revision History

Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah | November 18, 2014 | Create
0.2 | Nabeel Albahbooh | December 1, 2014 | Update
0.3 | Osama Al Omari | December 23, 2014 | QA
1.0 | Muneeb Ahmad | April 21, 2017 | Update
1.1 | Lamia Abdullah Aljafari | June 6, 2020 | Update
2.0 | Dr. Bashar Aldeeb | September 13, 2021 | Update

Distribution List

Copy # | Recipient
1 | Legal Affairs
2 | Website
3 | Quality Assurance Department - DICT
4 | Information Security Department - DICT

Approval

Name | Title | Date | Signature
Dr. Khalid Adnan Alissa | Dean of ICT | 17th May 2022 |


Policy Overview

This section describes the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership of this policy.

Purpose

The main purpose of the Compliance Policy is to:

Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any other security requirements.

Scope

The policy statements in this document apply to all IAU resources at all levels of sensitivity, including:

All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.

Students studying at IAU.

Contractors and consultants working for or on behalf of IAU.

All other individuals and groups who have been granted access to IAU’s ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term | Definition

Accountability | A security principle indicating that individuals should be able to be identified and held responsible for their actions.

Asset | Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.

Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity.

Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.

Control | A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.

Guideline | A description that clarifies what should be done, and how, to achieve the objectives set out in policies.

Information Security | The preservation of confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life cycle.

Intellectual Property | The category of intangible (non-physical) property consisting primarily of rights related to copyrighted materials, trademarks, patents and industrial designs.

Owner | A person or group of people identified by Management as having responsibility for maintaining the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.

Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.

Privacy | The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents.

Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Supplier | A party that provides equipment or services.

System | Equipment, or an interconnected system or subsystems of equipment, used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, including computer software, firmware and hardware.

Table 1: Terms and Definitions

Change, Review and Update

This policy should be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy should be made exclusively by the Information Security Officer and approved by Management. A change log should be kept current and updated as soon as any change has been made.

Enforcement / Compliance

Compliance with the statements of this policy is mandatory and is subject to periodic review by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) should ensure continuous compliance monitoring within their area.

If information security directives are ignored or violated, IAU's environment could be harmed (e.g., loss of trust and reputation, operational disruptions or legal violations). The persons at fault will be held responsible, which may result in disciplinary or corrective action (e.g., dismissal) and legal investigation. Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., during disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and are responsible for handling them.

Waiver

Information security should consider exceptions on an individual basis. For an exception to be approved, the request should be accompanied by a business case outlining the reasoning behind it.

Exceptions to the policy compliance requirement should be authorized by the Information Security Officer and approved by the ICT Director. Each waiver request should include the justification and the benefits attributed to the waiver.

A policy waiver is granted for a maximum period of 4 months and should be reassessed and re-approved, if still necessary, for at most three consecutive terms. No policy waiver should be extended beyond three consecutive terms.

Roles and Responsibilities (RACI Matrix)

Role columns: Mgt. | Opr. Mgr. | ICT | ISO | Legal | HR/A | Auditor | User

Responsibility | Assignments (non-empty cells, in column order)

Performing compliance checking and audit for verifying compliance with IAU's information security policies. | I; R,C; R,A

Assisting an external independent audit team to conduct information security audits of IAU's systems on a periodic basis. | I; R,C; R,A

Implementing appropriate controls to protect the confidentiality, integrity and authenticity of sensitive information. | I; R,A; C

Conducting an internal audit of IAU's critical systems using appropriate audit tools. | I; R,A; R,C

Ensuring that information security policies are compliant with IAU's legal and contractual requirements. | I; R; C; R; I

Providing the expert legal advice that is necessary for other departments to provide services in a manner that is fully compliant with existing laws and regulations. | I; R; C; R

Distributing information security documents so that those who need such documents have copies or can readily locate the documents via an intranet site. | I; C; R,A; R,C; I

Adhering to information security policies, guidelines and procedures pertaining to the protection of information. | C; C; C; R,A,I

Reporting actual or suspected security incidents to ICT Deanship. | I; A,C; C; R

Accepting accountability for all activities associated with the use of access privileges. | I; A,C; C; R

Using the information only for the purpose intended by IAU. | I; A,C; C; R

Managing all information security auditing activities:

  Developing the annual audit plan. | C,I; I; C,I; R,A

  Reporting audit findings to the ICT Operations Manager. | C,I; I; C,I; R,A

  Ensuring compliance with the information security practices, policies and procedures. | C,I; I; C,I; R,A

  Monitoring compliance with the information security policies, procedures, guidelines and standards, along with chosen external standards. | C,I; I; C,I; R,A

(9)

ةسايس لاثتملاا

Compliance Policy

Page 9 of 16

Table 2 shows the RACI matrix (see the note below) that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.

The roles involved in this policy are: Management (Mgt.), ICT Operations Manager (Opr. Mgr.), ICT Deanship (ICT), Information Security Officer (ISO), Legal Department (Legal), Human Resources Department / Administrative Unit (HR/A), Internal/External Auditor (Auditor), Owner and User (Employee and Contractor).

Note: The responsibility assignment (RACI) matrix describes the participation by various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on a task that a Responsible performs; C stands for Consulted, who provides opinions; and I stands for Informed, who is kept up to date on task progress.

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

Relevant Documents

The following are all the policies and procedures relevant to this policy:

Information Security Policy

Organization of Information Security Policy

Human Resource Security Policy

Asset Management Policy

Access Control Policy

Cryptography Policy

Physical and Environmental Security Policy

Operations Security Policy

Communications Security Policy

System Acquisition, Development and Maintenance Policy

Supplier Relationships Policy

Information Security Incident Management Policy

Information Security Aspects of Business Continuity Policy

Risk Management Policy

Acceptable Usage Policy

Asset Classification Procedure

Change Management Procedure

Patch Management Procedure

Risk Management Procedure

Information Security Incident Handling Procedure

Physical and Logical Access Control Procedure

Human Resource Security Procedure

Backup and Restoration Procedure

System Acquisition, Development and Maintenance Procedure

Ownership

This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.


Policy Statements

The following subsections present the policy statements in 8 main aspects:

Identification of Applicable Legislation and Contractual Requirements

Intellectual Property Rights

Protection of Records

Privacy and Protection of Personally Identifiable Information

Regulation of Cryptographic Controls

Independent Review of Information Security

Compliance with Security Policies and Standards

Technical Compliance Review

Identification of Applicable Legislation and Contractual Requirements

1. ICT Deanship, in cooperation with the Human Resources Department / Administrative Unit, should identify and analyze all applicable statutory, regulatory, legal and contractual requirements, and take the appropriate measures to comply with them. The following areas should be covered:

a. Relevant standards and guidelines pertaining to IAU’s systems.

b. Relevant government and/or external requirements (i.e., laws, legislation, guidelines, regulations and standards) pertaining to external relationships and external requirements reviews.

c. Labour laws, especially addressing information technology related safety and health requirements.

d. Intellectual property rights/software copyright laws.

e. Systems security requirements, especially relating to use of cryptographic data and transmission of data.

f. Audit reports from external auditors, third-party service providers and government agencies.


2. The design, operation, management and use of systems and related facilities should be carried out in compliance with all applicable legal, regulatory or contractual security requirements.

REF: [ISO/IEC 27001: A.18.1.1]

Intellectual Property Rights

1. ICT Deanship should recognize and respect the intellectual property rights (including software and document copyright, design rights, trademarks, patents and source code licenses) associated with its systems.

2. Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material that may be subject to intellectual property rights (such as copyright, design rights and trademarks) and on the use of proprietary software products.

3. ICT Deanship should comply with the following requirements:

a. Purchasing and issuing all software used in accordance with the license agreements.

b. Not engaging any person or entity in unauthorized copying of software.

c. Maintaining evidence of ownership of licenses and manuals.

d. Identifying all licensing requirements that limit the usage of acquired products, software, designs and other material.

e. All employees using information systems should strictly abide by copyright laws and the restrictions detailed by the software vendor.

f. Not duplicating third-party materials, converting them to another format or extracting them from commercial recordings (e.g., video and audio) other than as permitted by copyright policy.

g. Establishing a documented policy that defines the appropriate approach for disposing of or transferring software.

REF: [ISO/IEC 27001: A.18.1.2]

Protection of Records

1. A documented set of procedures should be in place to define the records’ classification methods, in addition to the appropriate protection controls for these records from loss, destruction and falsification.

2. ICT Deanship should consider the following to ensure proper protection of records:

a. Protecting records based on the relevance and importance of the records.

b. Storing records in a manner appropriate to the media on which they are recorded.

c. Categorizing records into various types (e.g., employee records, systems records, database records, audit logs and operational procedures), each with details of retention periods and type of storage media (e.g., paper, magnetic and optical).

REF: [ISO/IEC 27001: A.18.1.3]

Privacy and Protection of Personally Identifiable Information

1. ICT Deanship should develop and implement a data protection and privacy policy that defines the requirements set out in the relevant laws, regulations and contractual obligations of IAU.

2. No employee of IAU should share confidential or proprietary information of IAU, or employee data, with other entities, agencies, third parties or business units unless they have been granted permission to share such information on the basis of IAU's business requirements.

REF: [ISO/IEC 27001: A.18.1.4]

Regulation of Cryptographic Controls

1. Where applicable, all cryptographic controls should be used in compliance with all related regulations, laws and agreements (e.g., restrictions on the import or export of computer hardware and software that performs cryptographic functions).

REF: [ISO/IEC 27001: A.18.1.5]

Independent Review of Information Security

1. IAU’s Management should initiate and assign an internal and independent review (e.g., internal and external audit, technical compliance checking) of information security management.


2. An internal and independent review should be conducted periodically (at least annually) and in the following cases:

a. Following a review of the information security policy.

b. When significant changes have been made to IAU's information resources or technological infrastructure.

c. In the event of a change in IAU's requirements or legal context.

3. An internal and independent review of information security should be conducted in order to verify whether the approach adopted by ICT Deanship to manage and implement its information security (e.g., tracking of information security objectives, policies, procedures and processes relating to information security) is adequate and effective.

REF: [ISO/IEC 27001: A.18.2.1]

Compliance with Security Policies and Standards

1. All IAU employees should understand and acknowledge their responsibility to comply with IAU's information security policies and procedures.

2. Heads of Departments / Units / Managers should regularly review the compliance of systems security within their area of responsibility with the appropriate security policies, standards and any other security requirements. The results of these reviews and the corrective actions carried out by Managers should be recorded and maintained.

REF: [ISO/IEC 27001: A.18.2.2]

Technical Compliance Review

1. Audit requirements and activities covering checks on operational systems should be carefully planned and performed at periodic intervals (at least annually) with the knowledge of the Asset Owners to minimize the risk of disruptions to business processes.

2. Where system audits require access to the system or data that includes the use of software tools and utilities, such audits should be conducted with the knowledge, cooperation and consent of the Asset Owners and relevant precautions should be taken to protect IAU’s systems and data from damage or disruptions as a result of the audit or audit tools.


3. The Information Security Officer, in cooperation with ICT Deanship, should conduct both internal and independent (external) audits of IAU's systems. The person(s) carrying out the audit should be independent of the activities audited. When performing the audit, any access needed should be provided to members of the External Audit Team. This access may include, but is not limited to:

a. User level and/or system level access to any computing or communications device.

b. Access to information (e.g., electronic or hardcopy) that may be produced, transmitted or stored on respective department equipment or premises.

c. Access to working areas (e.g., Datacenter).

d. Access to reports / documents created during internal audit.

e. Access to interactively monitor and log traffic on networks.

REF: [ISO/IEC 27001: A.18.2.3]
