Policy v1.0
Information & Technology
King Fahd University of Petroleum & Minerals, KSA
Abdullah Al Mamun
To Dr. Talal AlKharobi
Preface
This paper was prepared as coursework for the course Computer & Network Security. We learned many important and necessary things about policy regarding information and technology. In addition, we learned how to analyze, organize, collaborate on and write up policies. We tried our best to produce a complete set of security policies for the ITC department of our university, and we tried to consider all possible cases and scenarios.
We enjoyed this work and learned from it. As future work, we plan to write policies for all departments in our university.
Author Abdullah Al Mamun
Co-Author Hassan Ali
Ahmad M. Shaheen
Essa Q. Shahra
Sultan Anwar
Contents
0.1 Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
0.1.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
0.1.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
0.1.3 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
0.1.4 Roles and Responsibilities for Information Security . . . . . . . . . . . . . . . . . . . . 7
0.1.5 Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
0.1.5.1 Top Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
0.1.5.2 Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
0.1.5.3 Confidential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
0.1.5.4 Restricted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
0.1.6 Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
0.1.6.1 Staff Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
0.1.6.2 Student Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
0.1.6.2.1 Disclosure of Student Information . . . . . . . . . . . . . . . . . . . 16
0.2 Information Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
0.2.1 Email Address Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
0.2.1.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
0.2.1.2 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
0.2.1.2.1 University Contact Directory . . . . . . . . . . . . . . . . . . . . . . 21
0.2.1.2.2 Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . . 21
0.2.1.2.3 Account Withdrawal . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
0.2.1.3 Student Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
0.2.1.3.1 Account Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
0.2.1.3.2 Student Account Type . . . . . . . . . . . . . . . . . . . . . . . . . 22
0.2.1.3.3 Non-Capped Student Accounts . . . . . . . . . . . . . . . . . . . . . 23
0.2.1.3.4 Capped Student Accounts . . . . . . . . . . . . . . . . . . . . . . . 23
0.2.1.3.5 Account Closure and Deletion . . . . . . . . . . . . . . . . . . . . . 24
0.2.1.4 Administrations and Implementation Compliance . . . . . . . . . . . . . . . 25
0.2.1.5 Ownership of Email Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
0.2.1.6 Personal Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
0.2.1.7 Privacy and Right of University Access . . . . . . . . . . . . . . . . . . . . . 27
0.2.1.8 Data Purging and Record Retention . . . . . . . . . . . . . . . . . . . . . . . 27
0.2.1.9 Data Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
0.2.1.10 Expiration of Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
0.2.1.11 Appropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
0.2.1.12 User Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
0.2.1.13 Departmental Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
0.2.1.14 Temporary User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
0.2.1.15 Supported Mail Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
0.2.1.16 Inappropriate Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
0.2.1.16.1 The exchange of email content that: . . . . . . . . . . . . . . . . . . 33
0.2.1.16.2 Other improper uses of the email system include: . . . . . . . . . . 33
0.2.1.17 SPAM and Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
0.3 Systems Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
0.3.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
0.3.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
0.3.2.1 Servers and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
0.3.2.2 Workstations and accessible systems . . . . . . . . . . . . . . . . . . . . . . . 37
0.3.3 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
0.3.3.1 Prohibited Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
0.3.3.2 Organizational and Non-Organizational Computers . . . . . . . . . . . . . . 37
0.3.3.3 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
0.3.3.4 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
0.3.3.4.1 Authorization of Software . . . . . . . . . . . . . . . . . . . . . . . . 39
0.3.3.4.2 Prohibited Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
0.3.3.5 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
0.3.3.6 Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
0.3.3.6.1 Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
0.3.3.6.2 Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
0.3.4 Consequences of Misuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
0.3.5 Information Storage and Disposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
0.3.5.1 Electronic Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
0.3.5.2 Paper based information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
0.3.6 Release of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
0.3.6.1 Legal Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
0.3.6.2 Requests for information from External Entities . . . . . . . . . . . . . . . . 42
0.3.7 Internal Monitoring and auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
0.3.8 Violations and misuse of Information Security . . . . . . . . . . . . . . . . . . . . . . . 43
0.4 Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
0.4.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
0.4.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
0.4.3 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
0.4.3.1 Password rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
0.4.3.2 Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
0.4.3.3 New Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
0.4.3.4 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
0.4.3.5 Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
0.4.3.6 Administrator Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
0.4.3.7 Storing Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
0.4.3.8 Security Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
0.4.3.9 Password Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
0.4.3.9.1 Storing Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.4.4 Responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.5 Data Backup Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.5.1 Preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.5.1.1 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.5.1.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
0.5.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
0.5.3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
0.5.4 Backup Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
0.5.5 Statement of Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
0.5.5.1 Information to be Backed up and Schedules . . . . . . . . . . . . . . . . . . . 52
0.5.5.2 Storage of Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
0.5.5.3 Data Backup Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
0.5.5.4 Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
0.5.6 Policy Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
0.5.7 Backup procedure Flowchart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
0.5.8 Backup Procedures Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
0.6 Internal Network and Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
0.6.1 Internal Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
0.6.2 Internet Network usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
0.7 System administration and User access management . . . . . . . . . . . . . . . . . . . . . . . 76
0.8 User Account Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
0.8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
0.8.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
0.8.3 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
0.8.4 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
0.8.5 Account Management Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
0.8.6 Application and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
0.8.7 Sponsored Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
0.8.8 Staff Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
0.8.9 Email Address and Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
0.8.10 Associate Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
0.1 Information Security Policy
0.1.1 Purpose
Information is a vital resource of the University, and the basic purpose of this information security policy is to ensure that this resource is safeguarded. University information used for research, administration, teaching and economic activities must be secured against threats that can result in financial loss, damage to reputation or legal exposure. This information must be protected from unauthorized, intentional or unintentional access or damage, while preserving open and shared access to information where requirements call for it. Information security is achieved through assigned responsibilities and controls, including those required by contracting businesses, external partners and regulatory bodies. The security objectives are:
Confidentiality: Information must be protected from access by unauthorized or illegitimate entities throughout its life cycle, from creation to disposal.
Integrity: Information must be protected against unauthorized modification and amendment; its accuracy, consistency and completeness must be maintained.
Availability: Authorized entities must be able to access information, resources and associated services whenever they require them.
Accountability: Every action must be traceable uniquely to the entity that performed it.
Legislative compliance: All members of the University community must be aware of and adhere to the laws that apply to information processing. Personal data may be shared, managed, disclosed, moved, discarded or copied only when all of the security objectives above are taken into account, in accordance with applicable data protection law.
Risk assessments must be performed to identify threats and security weaknesses and to select reasonable security measures. They must be built into all information handling procedures and carried out routinely, not only after a failure. This information security policy document covers all information handling and is supported by additional policies, procedures and guidelines that together define the information handling and security environment of the University.
0.1.2 Scope
All University information, whether it concerns internal or external stakeholders, must be protected. The level of protection is determined by the sensitivity, value and importance of the information, regardless of the storage media, storage location or data processing system used. This policy applies to:
All employees, students, faculty and staff who are granted the right to use University information resources.
All contractors, suppliers, University partners, external researchers and visitors who may be authorized to access University information.
All University information resources, whether individually controlled or shared, stand-alone or networked.
All computer and communication facilities owned, leased, operated or contracted by the University. This includes networking devices, telephones, wireless devices, personal computers, workstations, servers and any associated peripherals and software, regardless of whether they are used for administration, research, teaching or other purposes.
All locations from which University information is accessed, including home and offsite/remote use.
Information entrusted to the University by others will also be safeguarded in accordance with this policy.
0.1.3 Policy
Information resources are critical assets, just like physical resources, facilities and equipment. Any person or organization responsible for providing or using information resources must maintain and protect these assets. Because computer networks and systems are resources shared among many users, misuse of them can cause harm to others.
Problems usually arise where the confidentiality of information must be ensured while, at the same time, people in a group are encouraged to share ideas and information, for example in brainstorming sessions. Such problems are avoided by identifying which information needs to be kept secure and which should be shared among several entities. It is also important to assess information and its resources according to their value and vulnerabilities, and to balance the expenditure and effort spent on protection against the worth and sensitivity of the information resources. The following actions are prohibited under this policy:
Unauthorized access to an account or computer, including stealing a password or obtaining it by illegal or deceptive means without the consent of the account holder.
Unauthorized access to any system by way of the University's internal network.
Knowingly performing an act that interferes with the normal operation of computers, peripherals or networks.
Installing or running malicious software or programs on the network or on any computer system that can damage University resources. Such programs include, but are not limited to, Trojan horses, worms and viruses that place extra load on a resource or prevent it from operating normally.
Any action aimed at bypassing data protection mechanisms or at exploiting security vulnerabilities and loopholes.
Wasting IT resources by any attempt, action or activity.
Using email for illegal, antisocial or immoral purposes.
Masquerading, spoofing or otherwise claiming an identity one does not possess.
Distributing or publishing electronic data, resources or materials that contravene the University's code of conduct.
Attempting to snoop on or tamper with the communications of others, or deleting, changing, copying or reading another user's files or software without the knowledge and consent of the owner.
Faculty, students, staff and all other members of the University who commit, or are proven to have attempted, any of the prohibited acts listed above shall be dealt with under the University's code of conduct and may be dismissed from the campus.
The University may take legal and other specified action against any unaffiliated person or organization responsible for misuse of University information or its resources. Actions taken by authorized IT personnel in the course of maintaining systems, networks and their resources are not considered illegal or prohibited; their authority and job responsibilities are defined in other policies.
0.1.4 Roles and Responsibilities for Information Security
The basic purpose of information security is to protect the University's information resources from unauthorized access or damage. The following principles serve that objective:
The Rector has overall responsibility for the implementation of this policy at KFUPM, with day-to-day responsibility delegated to the Information Security Manager.
Managers of departments that run systems are responsible for identifying risks to, and implementing controls on, their individual systems, in accordance with the advice of the specialist risk sections within the University.
The Librarian and Director of IT Services is responsible for ensuring that appropriate security measures are put in place for centrally managed IT systems.
The Information Security Manager is responsible for this and subsequent information security policies and will provide specialist advice throughout the University on information security issues.
The Head of Security is responsible for the physical aspects of security and will provide specialist advice throughout KFUPM on physical security issues.
All staff, students, visitors and third parties related to the University must handle information in accordance with this policy and any relevant local legislation, wherever the information or data are held or processed.
The implementation of this policy shall be reviewed independently by an agreed party at regular intervals agreed by Internal Audit and IT Services.
The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security policy.
Any actual or suspected breach of information security must be reported promptly to the Information Security Manager, who will take appropriate action and inform the relevant authorities.
Failure to comply with this policy, or its subsidiary regulations, may result in disciplinary action.
It is the responsibility of every person to protect the resources and information assigned to them, to make informed decisions, and to protect and secure the personal information of others. The scope of these responsibilities depends on the individual's role.
All users of University information, including staff, students and faculty:
Must understand the laws and practices for data protection and the responsibilities that follow from them, as described in the policies, guidelines and procedures established to secure information. They should seek guidance and advice from their seniors or supervisors whenever clarification is needed.
Must report any actual or suspected breach of information security that could expose or imperil University information in any form.
Non-compliance with this policy will be subject to the University's disciplinary procedures for staff, students and other members.
Individuals with administrative responsibility for the University's organizational units, such as heads of business units, chairmen of departments, deans of colleges and managers, must:
Inventory the electronic information resources within their areas of control.
Define the purpose and function of those resources and ensure that the requisite training and documentation are provided to the personnel concerned, as needed.
Establish acceptable levels of security risk for resources by assessing factors such as:
1. The sensitivity of the data, such as research data or information protected by policy.
2. The criticality or overall importance of the resource to the continuing operation of the campus as a whole, of individual departments, research projects, or other essential activities.
3. How severely the operations of one or more units would be affected by unavailability or reduced availability of the resource.
4. How likely it is that the resource could be used as a platform for inappropriate acts against other entities.
5. The limits of available technology, cost and staff support.
Ensure that the requisite security measures are implemented for those resources.
Providers (individuals who design, manage and operate campus electronic information resources, e.g. IT managers, application programmers or system administrators) must:
Become knowledgeable about the relevant security requirements and guidelines.
Analyze potential threats and the feasibility of various security measures in order to provide recommendations to administrative officials.
Implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials.
Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements.
Users (individuals who access and use campus electronic information resources) must:
Become knowledgeable about the relevant security requirements and guidelines.
Protect the resources under their control, such as access passwords, computers and the data they download.
Ultimately the community depends on a well-balanced security program and on the ethical and knowledgeable behavior of all who use and provide information resources.
0.1.5 Sensitive Information
Information must be assigned a security level according to its sensitivity. The categories of sensitive information are defined as follows.
0.1.5.1 Top Secret
Top Secret is the highest sensitivity level of University information. Access to it requires an additional credential such as a code word or an RFID card. An example is the student files database system, to which only the Deanship of Admissions has access.
0.1.5.2 Secret
Secret information is information whose public disclosure would cause serious damage to the University and its reputation. Appropriate procedures and systems must be put in place to protect such information.
0.1.5.3 Confidential
Confidential information may itself be subdivided into higher and lower levels. It relates to University personnel whose personal information must remain confidential even from other University employees. For example, some information about University faculty may be disclosed to their students, but not all of it; University policy must therefore identify and describe the kinds of information that are to be kept confidential.
0.1.5.4 Restricted
Restricted information, sometimes called private information and described under Personal Information below, must be protected against unauthorized entities. It may be disclosed only with the consent of its owner.
0.1.6 Personal Information
Personal information is information relating to any University member, whether student, faculty or staff. Sensitive personal information includes items such as national ID number, driver's license number, phone number, personal contact information, date of birth and home address.
Privacy of Personal Information
Current and historical information about individual students, faculty and staff must be maintained for educational, research and other institutional purposes. It is University policy that such information be collected, maintained and used by the University only for appropriate, necessary and clearly defined purposes, and that it be controlled and safeguarded so as to protect personal privacy to the extent permitted by law. The following points are essential when handling personal information.
Security responsibility
Responsible persons must ensure the accuracy and completeness of personal information and protect it against accidental or intentional misuse or improper disclosure, within or outside the University.
Use of Personal Information
Whenever an individual's information is requested, the individual must be informed of the consequences of providing it and may ask the reasons for the request. Such information must not be used or exchanged within the University for purposes other than the stated, legitimate purposes.
Reviewing Personal Information
Individuals may review the information about them maintained by the University, in accordance with University and state laws and with respect for the privacy of others. University personnel may review their own information and obtain legitimate copies, corrections and updates.
Disclosure of Personal Information outside the University
Information other than directory information about students and standard personnel information must not be released to anyone outside the University without the permission of the individual concerned, except in connection with court orders or other legal process.
Foreign Nationals' Information
Requests for information about individual foreign nationals, other than directory information about students and standard personnel information, must be directed to the information manager, who may release it to senior government officials or to national security or law enforcement agencies for assessment purposes.
Records of Personal Information
When records are no longer actively needed, they must be retired and maintained in accordance with the University's database record policy. The record holder may grant researchers access to records that have been inactive for an extended period. Students' educational records must be maintained in accordance with all applicable rights and restrictions.
0.1.6.1 Staff Information
Staff information includes employee ID, salary and benefits information, previous work experience, education and training, job description, health records, and performance and disciplinary reviews.
1. Staff Directory Information
Staff information may be used by employees whose responsibilities include managing the information and job descriptions of the whole staff, such as the HR department. Senior management may use this information without the staff member's consent to assign and evaluate job responsibilities.
Staff directory information includes:
Full name,
Permanent and residential address,
University office address,
Phone number,
Electronic mail address,
Year and registration type,
Qualifications,
Date of birth,
Date of employment.
2. Service Information
Previous and current experience
Field of expertise
Department
Job description
Employment status and designation
Audit and accountability report
Service plan and funding information
3. Medical Records
The Medical Department is responsible for maintaining the medical record of each employee and is expected to adhere to University policies on the use and disclosure of medical information. Medical records may be made available for inspection on the demand of the patient or another legitimate authority.
4. Employment Records
Job contract
Service agreement
Period of employment
Record of assets provided by the University
5. Information Disclosure
Staff information may not be exchanged within the University for purposes other than those stated by University officials.
Personal staff information must not be disclosed to persons outside the University without the staff member's written consent, with certain exceptions.
University officials who have a legitimate interest may access staff information, without notifying the staff member, in order to fulfil their professional responsibilities.
Staff information may be transferred to other departments and offices, with the staff member's consent, for training purposes or to share particular expertise.
All inquiries for information made by law enforcement agents in connection with an investigation require a subpoena for that information.
Information may be made available to officials for institutional surveys or to assess overall staff performance.
0.1.6.2 Student Information
1. Student Directory Information
Certain information of students is designated by the University as directory information and may be
released without the students knowledge and consent. This information includes:
Name,
Term and permanent home address,
University office/Hostel address
Phone number,
Electronic mail address,
Course,
16
Year and registration type,
Degrees received,
Date of birth,
Dates of attendance,
Any distinction and awards received,
Extra curriculum activities, weight and height.
Students have the right to withhold directory information from disclosure, including disclosure in
printed and online publications of the directory, except to Institute officials who have a need to know
it. Using or facilitating the use of other Student Directory or similar listings for non-Institute purposes
is a violation of Institute policy. In making the student directory available online and accessible through
the World Wide Web, University will take precautions to minimize prohibited uses of this information.
2. Faculty and staff data
Notes and similar records regarding a student that are made for, and restricted to, the personal use of
a faculty or staff member are not subject to review by the student.
3. Campus Police records
The students can only see the daily log of the Campus Police Department that is open to public
inspection under University procedure. Such records regarding students are not subject to review by
students or others. The Campus Police Department, however, can deliver such records to other public
safety agencies for law enforcement purposes.
4. Medical records
Medical records are to be maintained by the medical department that is subjected to separate provisions
of University procedures that protect their confidentiality. Medical department is allowed to make such
medical records available for inspection and copying by patients.
17
5. Records of students as staff
Student employment records that relate to jobs students hold while they are students at the University must
be kept secure by the Employment and Training Department. These records may be reviewed by the
department or provided to the student on request.
6. Library records
Library circulation records may not be disclosed to others, including Institute faculty and
staff, except as necessary for enforcement of library rules such as fines and the return of books and
other materials the library provides.
7. Alumni records
Information about former students that pertains to the period after they have left the Institute
may be used for general purposes determined by the Institute.
0.1.6.2.1 Disclosure of Student Information
When access to student information is granted to individuals other than the students themselves, the following principles apply:
1. Disclosure of information to insiders
Student information may not be exchanged within the Institute except for the purposes stated by
Institute officials. A person who is given access to student information may not transmit the information
to another person unless that person has such permission as well.
2. Disclosure of information to outsiders
Personal student information should not be disclosed to persons outside the Institute without the
student's written consent, with certain exceptions. The written consent must be signed and dated, and
must state the purpose of the disclosure and the party to whom the disclosure is made. Upon request,
the student shall be provided with a copy of the record that is disclosed. In emergencies, Institute officials
may disclose student information necessary to protect the health or safety of the student or others.
3. Disclosure of Student Information To Officials
Institute officials who have a legitimate educational interest may access student information without
any notification in order to fulfill their professional responsibilities. It should be understood that access will be
limited to the records of those specific students and categories of information for which it is needed.
The following are examples of assigned responsibilities that constitute a legitimate need to know:
Provide academic or personal advice and counsel to students,
Administer academic programs,
Create and maintain student educational records,
Award and administer financial aid,
Assess and collect fees,
Supervise and certify student educational progress for Institute or government purposes,
Enforce student conduct and discipline,
Administer the residential system,
Plan, conduct and review research related to the Institute's educational programs,
Conduct individual research projects provided that the privacy of the students is protected.
4. Student work disclosure within and outside the Institute
University schools, academic departments, laboratories, and centers should inform students
in advance of the kinds of academic work that will be made publicly available.
5. Record of disclosures
A record of all disclosures of records containing student information, including the identity of the party to
whom disclosure was made, must be maintained as part of the student's record.
6. Disclosure Of Student Information To Students
Students have the right, subject to the need to protect the privacy of other students, to view
records, files, and data held about them on an official basis by the Institute. Students also have the
right to challenge the content of those records, files, and data that they believe are inaccurate or
misleading.
7. Disclosure of information for institutional research
Student information may be disclosed to professionals who have administrative responsibility for carrying out
institutional research, such as the analysis of data, including information about students, that supports the
evaluation of educational programs and, more broadly, planning and decision-making by University faculty and staff.
Institutional research also includes the reporting and analysis required by government and other outside
agencies.
8. Disclosure of information for disciplinary charges and proceedings
Information concerning student disciplinary charges and proceedings, including the outcome of the
proceedings, may not be disclosed except in accordance with policy. Victims of crimes
of violence will be informed of the outcomes of disciplinary proceedings about those incidents. In
addition, other schools with legitimate educational interests may be informed of disciplinary actions
taken against students on account of behavior that posed a risk to the students.
9. Grades
Lists of grades with any form of potentially personal identification must not be posted in electronic or
paper form. Graded student work (problem sets, exams, papers) should be returned to students in a
manner that will protect the privacy of graded materials and minimize access by others.
10. Disclosure of student information to parents and guardians
University policy is designed to provide confidentiality for student information with respect to academic,
health and advising matters, but encourages the students themselves to share such information
with their parents or guardians. In extraordinary cases, including health and safety emergencies, the
Dean may consult with parents, guardians, individuals designated by the student, or others as appropriate.
Individuals contacting the Institute for information about a specific student should be referred
to the Office of the Dean of Students and Undergraduate Education or the Graduate Students Office.
11. Background checks
Faculty and staff may provide information to law enforcement agents, or their representatives, who are
conducting background checks only when they can present a form signed by the student authorizing
the investigation.
12. Other investigations
All other inquiries for information about students made by law enforcement agents in conjunction with
an investigation require a subpoena for that information.
13. Disclosure of student information to the media
Requests from the media about current and former students should be directed to the News Office.
Permission to release information, other than directory information, must be obtained from the student.
0.2 Information Transmission
Electronic communication has transformed both academic and administrative activities and will continue to
facilitate greater communication among faculty, students, and staff. Alongside these benefits, precautions
must also be taken to protect personal privacy and the confidentiality of student information. All members
of the University community are expected to abide by the policies on the use of information technologies.
1. E-Mail
As email has become an integral part of the academic process, confidential information about students
is being transmitted, including evaluations and grades. Faculty, staff and students must recognize that,
although there is an expectation of privacy, unencrypted email is not a secure means of transmitting
information. Federal law and Institute policy make it clear that the unauthorized interception of email
is a serious offense. In light of those legal and policy rules, this policy does not prohibit student
information from being transmitted by email. However, caution must be exercised about the content
of messages and about access to the email files and machines in which confidential information resides. The
ITC department of the University has always done its best to secure the email system.
0.2.1 Email Address Policy
0.2.1.1 Purpose
The purpose of this policy is to ensure the proper use of KFUPM's email system located on the
University's server and used by faculty, staff and graduate students (the University Email Accounts)
and the email accounts for undergraduate students and alumni using the University's domain name
pursuant to an agreement between the University and Google, Inc. Electronic Mail is a tool provided
by the University to complement traditional methods of communication and to improve education and
administrative efficiency. Users have the responsibility to use this resource in an efficient, effective,
ethical and lawful manner. Violations of the policy may result in restriction of access to the University
Email Accounts and or other appropriate disciplinary action. In the event a University employee holds
both a University Email Account, the more stringent rules of this policy for University Email Accounts
shall apply.
0.2.1.2 Policies
The email address of a user account takes the form of [email protected], e.g. [email protected].
An alias is created for each account based on a preferred standard of firstname-lastname, e.g.
[email protected]. ITS contacts the applicant for selection of a suitable alternative if
duplicates are encountered. Given this, the use of firstname-lastname as an assumption for the
email address is limited, and may result in emails being sent to an unintended recipient. Mail
users are encouraged to access the Online Contact Directory (http://www.KFUPM.edu.au/cgi-bin/contactdir)
and the University Address Book (accessible via individual mail clients) to determine email addresses.
Users are advised of their alias on account collection but can also look up their aliases online via
the check aliases option on http://www.KFUPM.edu.au/its/services/manage-mail/.
Because of the changing nature of an alias, under no circumstances should they be recorded in
any subsidiary systems.
0.2.1.2.1 University Contact Directory
The name and contact details of an individual appear in the KFUPM Contact Directory for each associate
account holder. The entry is removed from the directory at the point the account is closed.
0.2.1.2.2 Account Closure and Deletion
Associate accounts remain active at the discretion of the sponsor and can be closed (deactivated)
at any time.
Revoking access to an account in advance of the account's official closure is covered below under
Account Withdrawal.
Closure of an account means the account is frozen, i.e. the password is revoked, until such time
as the account is reinstated or has been deactivated for 1 year, at which time it is deleted.
Account holders who wish to be contactable on their account following its closure should ensure
that they record an automatic reply or forwarding prior to the closure of their account. The
automatic reply/forward will continue to operate until the account is deleted.
At this stage associate account usernames are not reused.
ITS reserves the right to undertake a periodic audit of associate accounts for the purpose of
validating active accounts.
0.2.1.2.3 Account Withdrawal
A user's access to their associate account can be withdrawn in advance of the account's official
closure given a written request from an appropriate staff member of the sponsoring organization.
Account access may also be temporarily withdrawn by ITS in response to a suspected policy
violation.
A user whose access has been withdrawn may request reconsideration of the decision by the Chief
Technology Officer, or delegated person, who shall consider the withdrawal with the relevant Senior
Executive, Executive Dean, Faculty Executive Manager or Director. Following this, the Chief
Technology Officer, or delegated person, shall confirm the withdrawal or reinstate the account.
For further information on account withdrawal, refer to the section titled Compliance below.
0.2.1.3 Student Accounts
0.2.1.3.1 Account Creation
An individual may hold only one student account at any point in time.
Students create their student account, using the electronic account creation process within SMP
Student Online Services (SOLS). To create a student account, a student must be recognized as a
current student in the Student Management Package, which is defined as:
An undergraduate, postgraduate research or postgraduate coursework student who has an
active course; or
A non-award or KFUPM College student with a current or future subject enrolment; or
A miscellaneous student attached to a current miscellaneous student group.
A miscellaneous student is not formally a student of KFUPM. A miscellaneous student's
affiliation with the University is recorded in SMP for the purpose of managing their access to
University facilities, as opposed to recording information for any formal recognition of studies.
Each student account is created with a unique username based on the student's initials
followed by a number.
Each account is created with a maximum disk and email quota.
The Internet quota applied to the account is dependent on the account type as detailed below.
0.2.1.3.2 Student Account Type
Student accounts may be one of two types: non-capped or capped.
The type of a student account is maintained automatically based on records in the University
Student Management Package. For the purposes of defining the type of the student account the
following business rules apply:
an account is defined as a non-capped account where a student is a Postgraduate Research
student of KFUPM;
in the absence of a postgraduate research enrolment, a student account is a capped account.
0.2.1.3.3 Non-Capped Student Accounts
Only postgraduate research students of the KFUPM are provided with a non-capped student
account.
An Internet quota does not apply to non-capped student accounts. Charges for usage apply to the
cost centre based on the student's enrolment records.
Refer to the Internet Access Policy for more information on Internet quotas.
0.2.1.3.4 Capped Student Accounts
Capped student accounts apply to all but Postgraduate research students of the KFUPM. This
covers:
Undergraduate and postgraduate coursework students of the KFUPM;
Non-award students of the KFUPM;
KFUPM College students; or
Miscellaneous students, i.e. students attached to a Miscellaneous Student Group, which provides
for the management of students within SMP where students fall outside of the University's
mainstream student management processes.
A capped student account has an imposed Internet quota as per the KFUPM Internet Access
Policy. The Internet quota allocated to each account is based on a set six monthly allocation of
quota, which is the same for all capped student accounts.
Regardless of when the account is established, the account's quota is reset to the six-monthly
allocation at the beginning of each year and at midyear.
Internet quota on an account is set to zero during periods when a student does not have an active
course or is not attached to a Miscellaneous Student Group. This also applies when the student
is on leave of absence.
Charges for usage apply to the cost centre based on the student's enrolment records.
The quota assigned to an account can be increased on an individual basis as outlined in IT Internet
Access Policy.
Refer to the Internet Access Policy for more information on Internet access.
0.2.1.3.5 Account Closure and Deletion
Continued access to the account is maintained automatically based on records in the University
Student Management Package. For the purposes of managing the official closure of a student
account, an account remains open for as long as:
An undergraduate, postgraduate coursework or postgraduate research student has an active
course. A retention period of three months is accommodated; as such the account closes three
months after the course is completed. Where a course is closed for reasons other than completion,
e.g. where the course is lapsed, given exclusion due to minimum rate of progress, a retention
period of 14 days applies,
A non-award or KFUPM College student has a current or future subject enrolment. A retention
period of 21 days is accommodated, i.e. accounts in this category close 21 days after the end date
of the student's most recent subject enrolment.
A miscellaneous student is attached to a current miscellaneous student group. A retention period
of 7 days is accommodated, i.e. accounts in this category close one week after the end date of the
student's most recent miscellaneous student group enrolment.
The University reserves the right to revise the above criteria.
Closure of an account means the account is frozen, i.e. the password is revoked, until such
time as the individual resumes study, at which point the account is reactivated. Accounts are
automatically reactivated under the original username and password if the account still exists.
Students receive an email indicating the pending closure of their account in the 14 days leading
up to the closure of their account.
Accounts that have been closed for a period of nine months are deleted.
Account holders who wish to be contactable on their account following its closure should ensure
that they record an automatic reply or forwarding prior to the closure of their account. The
automatic reply/forward will continue to operate until the account is deleted.
At this stage student account usernames are not reused.
A student may request an extension to access their account past their official closure date. Such
extensions must be applied for in writing, to the Academic Registrar, and will only be granted in
exceptional circumstances.
0.2.1.4 Administrations and Implementation Compliance
User accounts are issued on the basis that a user agrees to abide by the University's terms and
conditions for acceptable use of ITC facilities as detailed in the ITC Acceptable Use Policy.
The University treats misuse of its IT facilities seriously. Violations of the conditions of use of IT
facilities may result in temporary or indefinite withdrawal of access, disciplinary action under the
University's, or the relevant entity's, discipline procedures, and/or reimbursement to the University.
IT misconduct by students will be dealt with under the Student Conduct Rules. The Chief
Technology Officer or their nominee will be the Primary Investigation Officer of allegations of IT
misconduct by students. Detailed investigation procedures and the penalties that may be awarded
to students engaging in IT misconduct can be found in the Student Conduct Rules.
A user's access will be withdrawn given a written request from an appropriate staff member of the
sponsoring organization. Access may also be withdrawn by ITC in response to a suspected policy
violation.
A student whose IT access has been withdrawn as a result of an investigation under the Student
Conduct Rules can appeal the decision or the penalty to the Student Conduct Committee. Otherwise,
a user whose access has been withdrawn may request reconsideration of the decision by the
Chief Technology Officer, who shall consider the withdrawal with the relevant Senior Executive,
Executive Dean, Faculty Executive Manager or Director. Following this, the Chief Technology
Officer shall confirm the withdrawal or reinstate access.
Misuse or unauthorized use of University IT facilities may constitute an offence under the Crimes
Act and/or other legislation. Nothing in this policy or the Requirements Governing the
Use of IT Facilities may be taken as in any way diminishing or removing a person's obligation to
comply with the law, or their liability to prosecution and punishment under the law.
Users are encouraged to report any misuse and any reports will be treated as confidential.
0.2.1.5 Ownership of Email Data
The University owns both the University Email Accounts. Subject to underlying copyright and other
intellectual property rights under applicable laws and University policies, the University also owns data
transmitted or stored using the University Email Accounts.
0.2.1.6 Personal Use
While incidental personal use of a University Email Account is acceptable, conducting business for
profit using a University Email Account is forbidden. Use of a University Email Account for political
activities (supporting the nomination of any person for political office or attempting to influence the
vote in any election or referendum) is forbidden. Any use of a University Email Account to represent
the interests of a non-University group must be authorized by an appropriate University official.
0.2.1.7 Privacy and Right of University Access
While the University will make every attempt to keep email messages secure, privacy is not guaranteed
and users should have no general expectation of privacy in email messages sent through a University
Email Account. Under certain circumstances, it may be necessary for the ITC staff or other appropriate
University officials to access University Email Accounts; these circumstances may include, but are not
limited to, maintaining the system, investigating security or abuse incidents or investigating violations
of this or other University policies, and KFUPM staff or University officials may also require access
to a University Email Account in order to continue University business where the University Email
Account holder will not or can no longer access the University Email Account for any reason (such as
death, disability, illness or separation from the University for a period of time or permanently). Such
access will be on an as-needed basis and any email accessed will only be disclosed to those individuals
with a need to know or as required by law.
0.2.1.8 Data Purging and Record Retention
Individuals are responsible for saving email messages as they deem appropriate. Unless a legal hold
has been placed on an account, messages in University Email Accounts are automatically purged from
folders as follows:
Sent / Sent Items - 60 days
Trash / Deleted Items - 15 days
Junk / Junk Email - 30 days
Due to finite resources, the University has the right to restrict the amount of user space on the University
Email Accounts as necessary, to revise the above purge policies with appropriate IT Committee
approval and advance notice, and to purge and remove the University Email Accounts of any students
remaining on the University's email system who have not registered for a semester or more.
Employees who have actual knowledge of matters in which it can reasonably be anticipated that a
court action will be filed, a subpoena has been served or notice of sale has been given, or records are
sought pursuant to an audit, a government investigation or similar circumstances must preserve University
records, including emails or instant messages.
0.2.1.9 Data Backup
The University Email Accounts are backed up on a regular basis as a way of recovering from a system-wide
loss impacting the entire email system. User files and folders are not backed up individually, and the
ITC staff cannot accommodate requests to restore these files or folders. While in some cases it may
be possible to recover from the accidental deletion of files by a user, this is generally not feasible, and
therefore each email user is responsible for backing up individual messages and folders as appropriate.
0.2.1.10 Expiration of Accounts
Individuals may leave the University to take other employment, retire, transfer to another college, or
simply go on to other activities. There are many situations at the University where the length of
email privileges or expiration of accounts will differ, as set forth below. Notwithstanding the guidelines
below, the University (KFUPM, RI, Student Life, or General Counsel) reserves the right to remove
email privileges at any time, both for a University Email Account.
Faculty who leave before retirement: Faculty who leave before retirement may keep their
email account for one year from the end of the last term in which they taught. If such separation
is for cause, email privileges may be immediately suspended indefinitely without notice.
Staff who leave before retirement: Staff members who leave the University will have email
privileges removed effective on their last worked day. If such separation is for cause, email privileges
may be immediately suspended indefinitely without notice.
Retired Faculty: Faculty who have retired from the University will retain their email privileges
indefinitely; however, if there is no usage for a period of one year, email privileges will be removed.
Retired Staff: Staff who have retired from the University will have email privileges removed
effective on their last worked day.
Adjunct Faculty: will maintain email privileges for 3 academic years from the last term in
which they taught, unless informed otherwise by the Registrar's office.
Students who leave before graduation: Students who leave the University without completing
their degree or other program may keep their email privileges for one academic year from
the last term in which they were registered.
A student who is expelled: If a student is expelled from the University, email privileges will
be terminated immediately upon the directive of the Dean of Students Office.
For alumni who do not wish to participate in the opt in service, the University will hold the email
address for 2 years. At the end of the 2 years, the available email address will be reused.
0.2.1.11 Appropriate Use
When using email as an official means of communication, students, faculty and staff should apply the
same professionalism, discretion, and standards that they would use in written business communication.
Furthermore, students, faculty and staff should not communicate anything via email that they would not
be prepared to say publicly. Users of email shall not disclose information about students or employees
in violation of University policies or laws protecting the confidentiality of such information.
No private personally identifiable information about University faculty, staff, students, alumni or other
University members should be transmitted via email or stored in an unencrypted format. This includes
but is not limited to Social Security number, bank account information, tax forms or other sensitive
data.
No technical data with potential for military defense application or otherwise subject to export control
or other international trade control laws may be transmitted or stored in an unencrypted format.
Users who communicate by email with persons in other countries should be aware that they may
be subject to the laws of those other countries and to the rules and policies of other systems and
networks. Users are responsible for ascertaining, understanding and complying with the laws, rules,
policies, contracts and licenses applicable to their particular uses. Students who are employed by the
University may not store information relating to their employment in their Email Account.
Approval for transmission of email containing essential University announcements to students, faculty,
and/or staff must be obtained from the responsible University official as follows:
for sending to all faculty, approval from the Vice President of Academic Affairs is required,
for sending to all staff, approval from the Senior Vice President of Administration is required,
for sending to all students, approval from the Vice President of Student Life is required.
Use of distribution lists or reply all features of email should be carefully considered and only used
for legitimate purposes as per these guidelines. In some cases where email messages generate a high
number of responses due to the subject matter, it may be appropriate to utilize KFUPM discussion
boards in lieu of email.
0.2.1.12 User Responsibility
KFUPM maintains the University's official email system; faculty, staff and students are expected to
read email on a regular basis and manage their accounts appropriately. An email message regarding
University matters sent from an administrative office, faculty, or staff member is considered to be an
official notice. Faculty, staff, or students who choose to use another email system are responsible for
receiving University-wide broadcast messages and personal mail by checking the University's official
email system, newsgroups, and the University's World Wide Web homepage. An alternate method of
checking University email is to use the forwarding feature, which can be set to forward mail to an
individual's personal email account.
Sharing of passwords is strictly prohibited. Each individual is responsible for his/her account, including
the safeguarding of access to the account. All email originating from an account is deemed to be
authored by the account holder, and it is the responsibility of that holder to ensure compliance with
these guidelines.
0.2.1.13 Departmental Accounts
Requests for shared departmental accounts will be accommodated, but require a designation of an
account holder, who will administer the addition, deletion, or modification of names within the account,
as well as manage the account as per these guidelines. These accounts will be created with an expiration
date of 1 year, at which time the holder can request a renewal, which will be granted pending verification
of identity and the member list. Shorter expiration dates will be given where appropriate, such as to
accommodate specific time-sensitive needs. Supported types of shared accounts are designated as:
Type 1: This id will be able to receive mail from anywhere on the Internet, but will have no direct
reply capability. The group/organization utilizing this type of generic id will have to use their own
personal mail ids to respond to the originators of any mail received by this generic id. These accounts
will only be granted for Registrar- or Faculty/Staff-recognized activities or organizations, with approval
from the faculty advisor of the organization.
Type 2: This id will be able to receive mail from anywhere on the Internet, and will be able to respond
directly to the sender. The generic id will be unable to access any of the predefined mailing groups that
exist within the campus environment. Members of the group/organization utilizing this type of generic
id will have to utilize WEB mail to read and respond to any mail sent to the generic id. The WEB
interface will allow users to sign in to the generic id utilizing the generic id and their own personal
LDAP password. Mail sent from the generic id will not reflect the identity of the responder, but will
instead carry the identity of the generic id. Due to security concerns given the anonymous nature of
email originating from these types of ids, no students will be allowed access to Type 2 accounts. If a
student is found to have access to these accounts the holder will be notified of the impending removal
of the student account. Repeated violations will result in deletion of the type 2 account.
0.2.1.14 Temporary User
Faculty, staff, or departments can request temporary email privileges for users outside of the University.
Full time Faculty or Staff requesting these types of accounts will be required to submit user information,
rationale for account, expiration date, and sponsor information. Such requests shall be approved by the
appropriate Dean or Vice President. A mandatory one year re-sponsorship is required to maintain the
account. Those accounts that are not re-sponsored after one year will have email privileges removed.
0.2.1.15 Supported Mail Clients
University-supported email clients are Office 365 and Outlook Web Access (OWA). If a problem is
encountered with the use of an alternate method, Helpdesk personnel will work with the individual
to access email via the supported methods and will verify functionality of the supported environment.
The University ITC department is continually evaluating tools and technologies and reserves the right
to modify the list of supported clients with appropriate notification.
0.2.1.16 Inappropriate Use
Any inappropriate usage of University Email Accounts, including those of current students, examples of which
are described below and elsewhere in this policy, is prohibited. Users receiving such email should
immediately contact KFUPM, who in certain cases may also inform the Department of Public Safety.
0.2.1.16.1 The exchange of email content that:
Generates or facilitates unsolicited bulk commercial email;
Infringes on another person's copyright, trade or service mark, patent, or other property right, or
is intended to assist others in defeating those protections;
Violates, or encourages the violation of, the legal rights of others or federal and state laws;
Is for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;
Intentionally distributes viruses, worms, Trojan horses, malware, corrupted files, hoaxes, or other
items of a destructive or deceptive nature;
Interferes with the use of the email services, or the equipment used to provide the email services,
by customers, authorized resellers, or other authorized users;
Alters, disables, interferes with or circumvents any aspect of the email services;
Tests or reverse-engineers the email services in order to find limitations or vulnerabilities, or to evade
filtering capabilities;
Constitutes, fosters, or promotes pornography;
Is excessively violent, incites violence, threatens violence, or contains harassing content;
Creates a risk to a person's safety or health, creates a risk to public safety or health, compromises
national security, or interferes with an investigation by law enforcement;
Improperly exposes trade secrets or other confidential or proprietary information of another person;
Misrepresents the identity of the sender of an email;
Is otherwise malicious or fraudulent, or may result in retaliation against the University by offended
viewers.
0.2.1.16.2 Other improper uses of the email system include:
The use or attempt to use the accounts of others without their permission. Newsgroups are
provided as a service to faculty, staff, and students for posting University-related information.
These will be monitored by those responsible for their content; any posted material deemed
inappropriate may be removed without prior notification.
Collecting or using email addresses, screen names, information or other identifiers without the consent
of the person identified (including, without limitation, phishing, Internet scamming, password
robbery, spidering, and harvesting);
Use of the service to distribute software that covertly gathers information about a user or covertly
transmits information about the user;
Any conduct that is likely to result in retaliation against the University's network or website, or
the University's employees, officers or other agents, including engaging in behavior that results in
any server being the target of a denial of service (DoS) attack.
These guidelines provide some examples of permitted or prohibited use of email. This list is not
intended to be exhaustive but rather to provide some illustrative examples.
0.2.1.17 SPAM and Virus
Incoming email on the University Email Accounts is scanned for viruses and for messages deemed to
be SPAM, or unsolicited advertisements for products or services sent to a large distribution. Suspected
messages are blocked from the user's inbox. Due to the complex nature of email, it is impossible to
guarantee protection against all SPAM and virus infected messages. It is therefore incumbent on each
individual to use proper care and consideration to prevent the spread of viruses. In many cases viruses
appear to be sent from a friend or coworker, therefore attachments should only be opened when the
user is sure of the nature of the message. If any doubt exists, the user should contact the Helpdesk.
DO NOT FORWARD THE MESSAGE! SPAM messages, however, can be quarantined via the Anti-Spam
Quarantine (PureMessage).
2. School and department web pages
Faculty, staff and students must exercise caution in posting directory and other information to a web
page that is accessible to the University or the public. Students have the right to withhold directory and other
information from public distribution. Faculty and staff must receive permission from each student before
posting personal information and identification photographs to web pages.
3. Class pages and blogs
Email and web based class work will remain central to the education process. While most of the
information related to a class that is posted on web sites can be public, individual communication
with students, as well as the work prepared by the students for the class, is regarded as student
information. Therefore, the following three categories of information must be restricted to use by the
staff and students of that class only:
Class lists, including identification photographs
Online discussions among faculty, staff and students in which student participation is required
and the student contributors are identified, and
Student papers, reports and other work.
0.3 Systems Usage
0.3.1 Purpose
Systems can provide access to resources on campus, as well as the ability to communicate with other users
worldwide. Such open access is a privilege, and requires that individual users act responsibly. Users must
respect the rights of other users, respect the integrity of the systems and related physical resources, and
observe all relevant laws, regulations, and contractual obligations. Use of the University's computer resources
should support the basic missions of the University in teaching, learning and research. Users of computer
resources are responsible to properly use and protect information resources and to respect the rights of
others. This policy provides guidelines for the appropriate use of computing resources. The aforementioned
problem statements apply to all the policy sections defined under Section 3.3 below.
0.3.2 Scope
Scope is defined for all of the policy sections defined under Section 3.3.
Applies to the use of all campus computing resources.
University systems, including hardware and software, are classified according to scope by considering the
level of support and university operations. The classification of systems takes into account legal
protection, contractual agreements, ethical behavior, and the worth of the information that these systems
hold. Such categorization provides the basis for planning, allocation of resources, support, and the security
controls and access controls appropriate for those systems.
The system classifications are as follows:
0.3.2.1 Servers and Applications
1. Enterprise Systems
These are the Systems that can be accessed or located in several departments of University. These
systems are considered as business-essential and require a high degree of availability. Examples include
PeopleSoft application systems, Black Board eLearning, One Card, and GroupWise.
2. Department Critical Systems
These are the Systems which are only accessible locally by their own departments. They are considered
to be essential for conducting business processes or academic purposes.
3. Department Servers
Servers that provide an academic and/or administrative function that may have storage of Restricted
or Sensitive Information. All systems hosting server services must be registered with the Information
Security Office.
0.3.2.2 Workstations and accessible systems
Users who access university systems and data with the help of workstations are responsible for exercising
proper accountability in protecting the confidential, sensitive, private, personal or institutional information
they access or use in the conduct of their job responsibilities. In order to protect university data from
inappropriate disclosure, all workstations that store Restricted Information must encrypt the data in compliance
with the University's data encryption guidelines. User access to university systems and information resources
will be assigned by the type of workstation used, which is as follows:
1. Managed Workstations
Workstations that access Restricted or Sensitive Information shall follow the configuration standards
and maintenance procedures. Failure to meet these requirements will be grounds for denial of system
or university network access.
2. Non Managed Workstations
Non Managed workstations may include faculty and staff workstations, personal computers, PDAs,
etc. Non Managed Workstations shall have no access, or only limited access, to critical systems, as allowed by
the University regulatory body.
0.3.3 Policies
0.3.3.1 Prohibited Communication
The University's computing resources cannot be used for sending, receiving or storing (SRS) prohibited
communications which are discriminatory, derogatory to any individual or group, obscene, sexually explicit,
pornographic or threatening.
0.3.3.2 Organizational and Non-Organizational Computers
Non-organizational computers can be used for storing personal information.
Non-organizational computers can be given Internet access by providing a username and password.
University resources such as printing and file sharing can only be accessed via organizational computers.
If an employee is expected to do some work at home, the University will provide a suitable computer.
Only university-provided computers can be used to connect to the organization's internal computer
systems via a remote access system.
All computers that are owned by the university or are provided to employees are to be used in accordance
with their jobs within the University.
University computers are to be used only for teaching, learning and research purposes.
The University doesn't allow employees to play games across the internal network.
0.3.3.3 Information
All information stored on or used by university computers belongs to KFUPM.
Employees cannot use university computers to store personal information, i.e. data which isn't related to
teaching, research or any educational purpose.
0.3.3.4 Software
KFUPM will only use legally licensed copies of operating systems. Cracked versions are not allowed.
Software will be used only in accordance with its license agreement.
Latest Anti-Virus Software must be installed and maintained on all systems.
Proper firewalls and proxy servers must be implemented.
Duplication of copyrighted software is a violation of copyright law except for backup and archival
purposes by the software manager or ITC Department.
No user will give administrative software to any outsiders, including clients, customers, and others.
Under no circumstances will the university use software that has been brought in from any unauthorized
location.
0.3.3.4.1 Authorization of Software
New software to be installed on any University computer must be approved by the respective department,
ITC and the software manager.
0.3.3.4.2 Prohibited Software
BETA software which is not updated for security vulnerabilities by the vendor.
Software which has known vulnerabilities.
Software versions that are no longer supported by the vendor (examples: Microsoft Windows 98, ME and
XP, or Mac OS 10.3).
0.3.3.5 Privacy
Employees should have no expectation of privacy for any information stored, sent, or received on any
university computer.
System administrators may access or examine files or accounts that are suspected of unauthorized use
or misuse, or that have been corrupted or damaged.
Administrators or security staff can monitor all computer-related activities, including the visiting of
Web sites. For monitoring, they can use any monitoring tools, but those tools must abide by the policies
defined in the Software section.
0.3.3.6 Facilities
0.3.3.6.1 Lab
There must be at least one 24 hour lab in every building/department to support learning, teaching and
research.
0.3.3.6.2 Printing
RAs and Students will get 100 pages per month.
LBs and TAs will get 250 pages per month.
Teaching Staff will be provided with separate printers.
0.3.4 Consequences of Misuse
First of all, users are expected to cooperate with system administrators in any investigation. Misuse of
computing resources may result in the restriction of computing privileges. Users may be held accountable
for their conduct under any applicable organization policies, procedures, or collective bargaining agreements.
Complaints alleging misuse of campus computing resources will be directed to respective department head
for taking appropriate disciplinary action. Computing privileges can also be suspended or restricted during
an investigation; users may appeal and petition for reinstatement of privileges through the Dean of respective
departments.
A user's misuse of computers, such as unauthorized use of another person's identification or password, using the
network to send abusive messages, or using computer facilities to interfere with the work of another student,
faculty or staff member, may result in rustication from the organization.
0.3.5 Information Storage and Disposition
Information and records, whether maintained in electronic files or on paper, must be stored and disposed of
securely, in accordance with the University's policies, laws and procedures.
0.3.5.1 Electronic Information
1. Restricted Information
Restricted Information access is limited to users that are assigned computer accounts by the Information
Technology Center. Restricted Information must be maintained within data centers which are centrally
managed and controlled. Storing Restricted Information on distributed servers, workstations, or mobile
devices such as USB drives, external drives, laptops, notebook computers, PDAs, CDs, DVDs, etc. must be
avoided. If it is not possible to avoid storing information on these devices, then it must be
encrypted with the approval and documentation of the ITC office.
2. Sensitive Information
Departments having Sensitive Information may follow the policies and practices for Restricted Information
with reasonable care, depending on the requirements of the information stakeholders.
3. General University Information
This information must be secured from unauthorized modification only.
0.3.5.2 Paper based information
1. Restricted Information
Documents must be stored in locked areas with authorized access only and disposed of according to
University and country law when no longer needed.
2. Sensitive Information
Departments having Sensitive Information may follow the policies and practices for Restricted Information
with reasonable care, depending on the requirements of the information stakeholders.
3. General University Information
Documents should be recycled when no longer needed.
0.3.6 Release of Information
In some cases the University is required to disclose, or is authorized to release, information that would normally be
protected under this policy. Examples include disclosures of information for state and federal reporting
requirements, legal processes such as writs, court orders or warrants, etc., and certain
authorized releases of information about particular individuals such as students, employees or customers.
0.3.6.1 Legal Process
Any employee or stakeholder of the university who is served with a legal document (for example, a writ,
court order, summons or warrant) that refers to university records or data shall notify University Legal
Services immediately and before the release of any requested information. University Legal Services will
review the legal document to determine its validity and enforceability, and will provide
guidance and assistance in responding properly. Legal documents that are addressed to a particular person
should be accepted only by that person. If an unintended recipient is served with the legal document, it
should not be accepted. The person serving the process should be referred to the person identified
on the document, by name, title or job description, or should be directed to University Legal Services.
0.3.6.2 Requests for information from External Entities
The university receives many requests from external persons and entities for information and records maintained
by the university. These external entities may include law enforcement agencies, attorneys, etc. The
release of information about a particular person may require the consent and authorization of that person.
Publicly available information about individuals, and other types of information that can be released, are
available on the university's web pages. University Legal Services are available to assist in checking the
validity and scope of any authorization provided for the release of information, as well as in providing guidance
for appropriately responding to information requests made under an authorization.
Before responding to requests of information, University Legal Services and the Department of Public Safety
should be contacted to determine the authenticity of the request and the person who is requesting. All the
requests for information should be evaluated on a case-by-case basis for which University Legal Services are
available for assistance. In general, any request for information from any entity, whether by legal process or
not, should be immediately referred to University Legal Services.
0.3.7 Internal Monitoring and auditing
The information security management system, controls and responsibilities will be subject to internal
monitoring and auditing throughout the University, and the outcomes from these processes will inform and
improve practices as part of the commitment to continual improvement. The University will also undertake
appropriate benchmarking and external auditing exercises.
0.3.8 Violations and misuse of Information Security
Violations include:
Enabling unauthorized entities to have access to information
Disclosing information in a way that violates restricted access and confidentiality procedures
Handling or using information in a way that contravenes regulations and procedures
Modifying or destroying information or university records
Inadequately protecting Restricted Information or Sensitive Information
Ignoring the requirements of information stakeholders for the proper management, use and protection
of information resources.
According to authorities, violations may result in network disruption, denial of access, bypassed security schemes,
university disciplinary action and criminal prosecution. Disciplinary action, up to dismissal
or suspension, must be taken according to applicable university policies and procedures. Authorities
will be notified of the event and of the action taken when a university office or department is found in violation of this
policy. Corrective actions and any financial costs associated with an information security incident will be
coordinated accordingly. Vendors or consultants found to have breached their respective agreements with
the university may be subject to consequences such as loss of vendor/consultant access to university information
technology resources, removal of the vendor/consultant from university facilities, termination/cancellation
of the agreement, payment of damages, and criminal or civil charges based on the nature of the violation.
The university is sometimes asked to transmit information by state or federal authorities. In this situation
university employees should transmit such information by following the