INSPIRING BUSINESS INNOVATION
Personal Devices security and Acceptable Use Policy
Version: 2.0 Policy Code: DICT-QAP016
Personal Laptop Acceptable Use Policy
Table of Contents
Property Information
Document Control
Information
Revision History
Distribution List
Approval
Introduction
Objectives
Entities Affected by This Policy
Policy Statements
Acceptable Use Policy Statements
Unacceptable Use Policy
Policy Violation
Cyber security requirements for the security of personal devices
Cybersecurity requirements for mobile security
Conclusion
Appendix
Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship.
The content of this document is intended only for valid recipients. This document is not to be distributed, disclosed, published or copied without written permission from the ICT Deanship.
Document Control
Information
Title | Classification | Version | Status
PERSONAL LAPTOP ACCEPTABLE USE POLICY | Public | 2.0 | validated
Revision History
Version | Author(s) | Issue Date | Changes
0.1 | Muneeb Ahmad – ICT, IAU | 21 April 2017 | Draft
1.0 | Muneeb Ahmad – ICT, IAU | 17 January 2019 | Update
1.2 | Lamia Abdullah Aljafari | 6 February 2020 | Update
2.0 | Dr. Samer Bani Awwad | 13 February 2021 | Update
2.1 | Mohammad Younes | 23 February 2022 | Update
Distribution List
# | Recipients
1 | Legal Affairs
2 | Website
3 | Quality Assurance Department - DICT
4 | System Management Department - DICT
Approval
Name | Title | Date | Signature
Dr. Khalid Adnan Alissa | Dean of DICT | 29-6-2022 |
Introduction
The University allows students to access its computing and network resources to help them carry out their duties, and expects these resources to be used for purposes related to their jobs and not for unrelated purposes. The University allows students to access university services over a wireless connection using their university account, regardless of who owns the computer or device connected to the wireless network. The purpose of this policy is to promote the efficient, ethical and lawful use of the University of Imam Abdulrahman bin Faisal computer and network resources.
Objectives
The following are the objectives of acceptable use policy:
• Provide guidelines for the conditions of acceptance and the appropriate use of the computing and networking resources provided for use by the University.
• Ensure that university resources are used in an appropriate and responsible manner in accordance with this policy.
• Encourage students to support the university’s mission and institutional goals.
• Encourage students to understand their own rights and their responsibility for protecting the University resources.
• Protect the privacy and integrity of data stored on the University network.
• Elaborate the consequences of the inappropriate use of these resources.
Entities Affected by This Policy
This policy applies to all the community of University of Imam Abdulrahman bin Faisal using computing and network resources. These include:
• Students using either a personal or a university-provided computer connected locally or remotely to the network of the University.
• All resources connected (locally or remotely) to University servers.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.
• Smartphones, smart tablets, and any personal devices for workers and students fall under the BYOD classification.
Policy Statements
Acceptable Use Policy Statements:
1. This Policy applies to all employees and students of University of Imam Abdulrahman bin Faisal accessing university network services through a computer.
2. The resources should be used for the purpose for which they are intended.
3. Employees and students must adhere to the confidentiality rules governing the use of passwords and accounts, details of which must not be shared.
4. Employees and students may use only the computers, computer accounts, and computer files for which they have authorization.
5. The university encourages and promotes using the university email for administrative, learning and professional purposes. Hence, the students must use their university email in their business communications.
6. The only way to access the university’s network is with a valid university account; any other way, such as plugging one's own internet connection into the university network, shall be considered a violation.
7. All students using the university's network and computing resources are expected to respect the privacy and personal rights of others.
8. The University reserves the right to monitor all activities performed by the students on the internet by recording and reporting without the consent of the student.
9. The University has the right to block any site or group of sites according to its policies and will take the necessary action against anything that violates this policy.
10. The University reserves the right to make any amendments in this policy at any time.
11. Students who discover security problems or suspicious activity must immediately contact Technical Support of the ICT.
12. Data and information stored on User Devices, Mobile Devices, and Personal Devices (BYOD) should be protected according to their classification, using appropriate security controls to restrict access to this information and prevent unauthorized workers from accessing or viewing it.
13. The software of users’ devices and mobile devices, including operating systems, software, and applications, must be updated, and provided with the latest update and repair packages, in accordance with the policy of the Department of Updates and Repairs approved by the university.
14. Configuration and Hardening controls for user devices and mobile devices must be applied in accordance with cybersecurity standards.
15. Employees must not be granted important and sensitive permissions (Privileged Access) on users' devices and mobile devices, and the permissions must be granted according to the principle of minimum powers and privileges.
16. The default user accounts in operating systems and applications must be deleted or renamed.
17. Clock synchronization must be performed centrally and from an accurate and reliable source for all user devices and mobile devices.
18. Users' devices and mobile devices must be equipped with a text message (Banner) to enable authorized use.
19. Only a specific list of applications should be allowed (Application Whitelisting), together with Data Leakage Prevention, use of data monitoring systems, etc.
20. The storage media of users' devices and important and sensitive portable devices that have advanced powers must be encrypted according to the encryption standard adopted by the university.
21. The use of external storage media must be prohibited, and prior permission must be obtained from the Cyber Security Department to have the authority to use external storage media.
22. User devices, mobile devices, and personal devices (BYODs) with outdated or expired software (including operating systems, software, and applications) must not be allowed to connect to the University network to prevent security threats arising from expired software that is not protected by update and fix packages.
23. User devices, mobile devices, and personal devices (BYOD) that are not equipped with the latest security software must be prevented from connecting to the university network to avoid cyber risks that lead to unauthorized access, malware entry or data leakage. Protection software includes mandatory programs such as antivirus, anti-malware, host-based firewall, and Host-based Intrusion Detection/Prevention.
24. User devices and mobile devices should be set to display a password-protected screen saver if the device is not used for 10 minutes (Session Timeout).
25. User devices and mobile devices must be centrally managed through the university domain's Active Directory server or a central administrative system.
26. User and mobile device settings must be managed by the appropriate Domain Controller to apply the appropriate policies and install the necessary software settings.
Unacceptable Use Policy
1. Employees and students should not use the university network in any illegal manner, e.g. for commercial purposes, nor use it to log in to or browse illegal web sites or content.
2. Students should not disclose their login information, nor access or copy another student's email, data, programs, or other files.
3. Employees and Students should not attempt to violate or compromise the security standards on the University network, or any other device connected to the network or accessed through the Internet.
4. The University network may not be used for the creation, dissemination, storage or display of obscene or pornographic material, or of abusive, indecent, defamatory or hate literature, etc.
5. University students and employees should not create illegal copies of, or otherwise violate, copyright-protected material in order to use or save such copies on university devices or send them through the University network. The policy also prohibits illegal use such as sending, downloading or publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against Islamic values.
6. This policy prohibits students from adding, deleting, or modifying any information on the university network in an attempt to disrupt or mislead others.
7. Students are not allowed to engage in any activity that may adversely affect the ability of others to use the Internet services provided by the university, e.g. denial of service attacks, hacking, viruses, consuming gratuitously large amounts of system resources (disk space, CPU time, print quotas, and network bandwidth), or deliberately crashing the machine(s).
8. The university prohibits downloading any programs and installing them on the university’s computers. Any such request should be made through ICT technical support.
9. Non-serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal areas is not permitted.
10. ICT is not responsible for the internet content browsed by the student, or for problems that the student might experience from browsing untrusted websites.
11. Attempts made by individuals to circumvent or defeat any mechanism put in place by the ICT Service to manage the network will result in immediate termination of their access to network services.
12. The IAU network may not be used for any commercial purposes or used to provide Internet or IAU network access to anyone outside the IAU community for any purpose.
13. Faking or otherwise misrepresenting one's identity via e-mail or any other form of communication is a violation of law. This includes forging IP addresses or Ethernet adapter addresses to conceal your computer's identity.
14. Any unauthorized attempt to access another computer (on- or off-campus) is prohibited. Attempts to access other computers will result in the immediate deactivation of the suspected network connection until the matter has been resolved.
Policy Violation
Anyone who violates this policy will be subject to any or all of the following actions:
• Suspension of the university internet account/access.
• The referral of the case to the University Legal Department along with supporting evidence for an appropriate action.
• The case may be forwarded to the Communication & Information Technology Commission (CITC), Saudi Arabia, which may initiate a criminal investigation per the e-crimes regulations. More information regarding these regulations may be found at the following links:
English Version:
http://www.citc.gov.sa/en/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
Arabic Version:
http://www.citc.gov.sa/ar/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
Cyber security requirements for the security of personal devices
• Mobile devices must be managed centrally using the Mobile Device Management “MDM” system.
• The data and information of Imam Abdul Rahman bin Faisal University stored on the personal devices of employees (BYOD) must be separated and encrypted.
• Periodic backups of data stored on users' devices and mobile devices must be performed in accordance with the backup policy adopted at Imam Abdul Rahman bin Faisal University.
• Imam Abdul Rahman bin Faisal University data stored on mobile devices and personal devices (BYOD) will be deleted in the following cases:
✓ Mobile device lost or stolen.
✓ The termination of the functional relationship between the user and the university.
• Security awareness must be raised among employees about how devices are to be used and their responsibilities towards them, in accordance with the acceptable use policy approved by the university, and awareness sessions should be conducted for users with important and sensitive powers.
• A Performance Measurement Index (KPI) should be used to ensure the continuous development of protection for users' devices and mobile devices.
• The security policy for users' devices, mobile devices, and personal devices must be reviewed annually, and changes should be documented and approved.
Cybersecurity requirements for mobile security
• Mobile devices must be prevented from accessing sensitive systems, except for a temporary period only, after conducting a risk assessment and obtaining the necessary approvals from the department concerned with cyber security.
• The disks of portable devices that have access to sensitive systems must be fully encrypted (Full Disk Encryption).
Conclusion
By enforcing the acceptable use policy, we aim to achieve the following outcomes:
• Responsibility of each laptop owner to use university services appropriately and in compliance with all IAU rules and regulations
• Better informed university community regarding acceptable and unacceptable use of university resources.
• Responsible IAU community regarding the value and use of university resources.
• Anyone who abuses the privilege of the university resources, either directly, by promoting inappropriate activities and misusing the resources, or indirectly, by inadvertently allowing unauthorized students access for personal and professional purposes, will be subject to sanctions or legal action.
Appendix
The following terms are used in this document.
Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.
Device - Any computer or electronic device capable of accessing, storing and communicating data.
ICT - Information and Communication Technology
IAU - Imam Abdulrahman bin Faisal University
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.