Policy v1.0

Information & Technology

King Fahd University of Petroleum & Minerals, KSA

Abdullah Al Mamun

Sep 29, 2015

To Dr. Talal AlKharobi

Preface

This paper was done as coursework for the course Computer & Network Security. We have learned many important and necessary things about policy regarding information and technology. In addition, we learned how to analyze, organize, collaborate on and write up policies. We tried our best to make a complete set of security policies for the ITC department of our university. We also tried to consider all possible cases and scenarios. We enjoyed and learned during this work. We plan to make policies for all departments in our university as future work.

Author: Abdullah Al Mamun

Co-Authors: Hassan Ali, Ahmad M. Shaheen, Essa Q. Shahra, Sultan Anwar

Contents

0.1 Information Security Policy
    0.1.1 Purpose
    0.1.2 Scope
    0.1.3 Policy
    0.1.4 Roles and Responsibilities for Information Security
    0.1.5 Sensitive Information
        0.1.5.1 Top Secret
        0.1.5.2 Secret
        0.1.5.3 Confidential
        0.1.5.4 Restricted
    0.1.6 Personal Information
        0.1.6.1 Staff Information
        0.1.6.2 Student Information
            0.1.6.2.1 Disclosure of Student Information
0.2 Information Transmission
    0.2.1 Email Address Policy
        0.2.1.1 Purpose
        0.2.1.2 Policies
            0.2.1.2.1 University Contact Directory
            0.2.1.2.2 Account Closure and Deletion
            0.2.1.2.3 Account Withdrawal
        0.2.1.3 Student Accounts
            0.2.1.3.1 Account Creation
            0.2.1.3.2 Student Account Type
            0.2.1.3.3 Non-Capped Student Accounts
            0.2.1.3.4 Capped Student Accounts
            0.2.1.3.5 Account Closure and Deletion
        0.2.1.4 Administration and Implementation Compliance
        0.2.1.5 Ownership of Email Data
        0.2.1.6 Personal Use
        0.2.1.7 Privacy and Right of University Access
        0.2.1.8 Data Purging and Record Retention
        0.2.1.9 Data Backup
        0.2.1.10 Expiration of Accounts
        0.2.1.11 Appropriate Use
        0.2.1.12 User Responsibility
        0.2.1.13 Departmental Accounts
        0.2.1.14 Temporary User
        0.2.1.15 Supported Mail Clients
        0.2.1.16 Inappropriate Use
            0.2.1.16.1 The exchange of email content that:
            0.2.1.16.2 Other improper uses of the email system include:
        0.2.1.17 SPAM and Virus
0.3 Systems Usage
    0.3.1 Purpose
    0.3.2 Scope
        0.3.2.1 Servers and Applications
        0.3.2.2 Workstations and accessible systems
    0.3.3 Policies
        0.3.3.1 Prohibited Communication
        0.3.3.2 Organizational and Non-Organizational Computers
        0.3.3.3 Information
        0.3.3.4 Software
            0.3.3.4.1 Authorization of Software
            0.3.3.4.2 Prohibited Software
        0.3.3.5 Privacy
        0.3.3.6 Facilities
            0.3.3.6.1 Lab
            0.3.3.6.2 Printing
    0.3.4 Consequences of Misuse
    0.3.5 Information Storage and Disposition
        0.3.5.1 Electronic Information
        0.3.5.2 Paper-based Information
    0.3.6 Release of Information
        0.3.6.1 Legal Process
        0.3.6.2 Requests for Information from External Entities
    0.3.7 Internal Monitoring and Auditing
    0.3.8 Violations and Misuse of Information Security
0.4 Password Policy
    0.4.1 Purpose
    0.4.2 Scope
    0.4.3 Policies
        0.4.3.1 Password Rules
        0.4.3.2 Password Expiration
        0.4.3.3 New Account
        0.4.3.4 Change Password
        0.4.3.5 Forgotten Password
        0.4.3.6 Administrator Termination
        0.4.3.7 Storing Sensitive Information
        0.4.3.8 Security Awareness Training
        0.4.3.9 Password Sharing
            0.4.3.9.1 Storing Password
    0.4.4 Responsibility
0.5 Data Backup Policy
    0.5.1 Preamble
        0.5.1.1 Purpose
        0.5.1.2 Overview
    0.5.2 Scope
    0.5.3 Definitions
    0.5.4 Backup Types
    0.5.5 Statement of Policy
        0.5.5.1 Information to be Backed up and Schedules
        0.5.5.2 Storage of Backups
        0.5.5.3 Data Backup Test
        0.5.5.4 Responsibilities
    0.5.6 Policy Framework
    0.5.7 Backup Procedure Flowchart
    0.5.8 Backup Procedures Activities
0.6 Internal Network and Internet Network Usage
    0.6.1 Internal Network Usage
    0.6.2 Internet Network Usage
0.7 System Administration and User Access Management
0.8 User Account Policy
    0.8.1 Introduction
    0.8.2 Purpose
    0.8.3 Scope
    0.8.4 Definitions
    0.8.5 Account Management Key Terms
    0.8.6 Application and Scope
    0.8.7 Sponsored Accounts
    0.8.8 Staff Accounts
    0.8.9 Email Address and Alias
    0.8.10 Associate Accounts

0.1 Information Security Policy

0.1.1 Purpose

Information is a vital resource of the University, and the basic purpose of this information security policy is to ensure that this resource is safeguarded. University information used for research, administration, teaching and economic activities must be protected from threats that can result in financial loss, damage to reputation and legal exposure. This information must be protected from unauthorized access or damage, whether intentional or unintentional, while still preserving the open sharing of information where that is required. Information security is achieved through the responsibilities and controls assigned by security companies, external businesses and regulatory bodies. The security measures are:

Confidentiality: Information must be protected from unauthorized and illegitimate entities, and must be secured throughout its life cycle, from creation to disposal.

Integrity: Information must be protected against unauthorized modification and amendment. Its accuracy, authenticity and completeness must be maintained.

Availability: Authorized entities must be able to access information, resources and associated services whenever they need them.

Accountability: An entity's activity must be traceable uniquely to that entity.

Legislative compliance: All members of the University community must be aware of, and adhere to, the law that applies to information processing. Personal data may be shared, managed, disclosed, moved, discarded or copied only when all the security measures above are taken into account, in accordance with the applicable data handling laws.

Risk assessments must be performed to identify security failures and threats and to ensure that reasonable security measures are in place. These assessments must cover the entire information handling process and must be carried out under normal conditions as well, not only after a failure. This information security policy document applies to all information handling and is supported by additional policies, procedures and guidelines that together define the information handling and security environment of the University.

0.1.2 Scope

Every type of University information relating to internal or external stakeholders must be protected. The level of protection is determined by the sensitivity, value and importance of the information, regardless of the type of storage media, the storage location or the data processing system involved.

This policy applies to:

• All employees, students, faculty and staff who are given the right to use University information resources.

• All contractors, suppliers, University partners, external researchers and visitors who may be authorized to access University information.

• All University information resources, whether individually controlled or shared, stand-alone or networked.

• All computer and communication facilities owned, leased, operated or contracted by the University. This includes networking devices, telephones, wireless devices, personal computers, workstations, servers, and any associated peripherals and software, regardless of whether they are used for administration, research, teaching or other purposes.

• All locations from which University information is accessed, including home and offsite/remote use.

Information entrusted to the University will also be safeguarded in accordance with this policy.

0.1.3 Policy

Information resources are critical assets, just like physical resources, facilities and equipment. Any person or organization responsible for providing or using information resources must maintain and protect these assets. Because computer networks and systems are resources shared among many users, misuse of them can cause harm to others.

Problems usually arise when we must ensure the confidentiality of information while at the same time encouraging people to share ideas and information within a group, for example in brainstorming sessions. This tension is resolved by identifying which information needs to be kept secure and which information should be shared among several parties. It is also important to assess information and its resources according to their value and their vulnerabilities, so that expenditure and effort on protection are balanced against the worth and sensitivity of the information resources. The following actions are prohibited under this policy:

• Unauthorized access to an account or computer, and stealing or obtaining passwords by illegal or unethical means without the consent of the account owner.

• Unauthorized access to any system via the University's internal network.

• Knowingly performing an act that interferes with the normal operation of computers, peripherals or networks.

• Installing or running malicious software or programs on the network or on any computer system that can damage University resources. These programs include, but are not limited to, Trojan horses, worms and viruses that may place extra load on a resource and prevent it from operating normally.

• Any attempt to bypass data protection schemes or to exploit security vulnerabilities and loopholes.

• Wasting IT resources by any attempt, action or activity.

• Using email for illegal, antisocial or immoral purposes.

• Masquerading, spoofing, or claiming an identity you do not possess.

• Distributing or publishing electronic data, resources and materials that violate the University's code of conduct.

• Attempting to snoop on or tamper with the communications of others, or deleting, changing, copying or reading another user's files or software without the knowledge and consent of the owner.

Faculty, students, staff and all other members of the University who commit, or are proven to have attempted, any of the prohibited acts above will be treated according to the University's code of conduct and may be dismissed from the campus.

The University may take legal and other specified action against any unaffiliated person or organization responsible for misuse of University information or its resources. Actions taken by authorized IT personnel responsible for maintaining systems, networks and their resources in the course of their duties are not considered illegal or prohibited; their authority and job responsibilities are defined in other policies.

0.1.4 Roles and Responsibilities for Information Security

The basic purpose of information security is to protect University information resources from unauthorized access or damage. The following principles apply:

• The Rector has overall responsibility for the implementation of this policy at KFUPM, with day-to-day responsibility delegated to the Information Security Manager.

• Managers of departments that run systems are responsible for implementing controls and identifying risks in their own systems, in accordance with the advice of the specialist risk sections within the University.

• The Librarian and Director of IT Services is responsible for ensuring that appropriate security measures are put in place for centrally managed IT systems.

• The Information Security Manager is responsible for this and subsequent information security policies and will provide specialist advice on information security issues throughout the University.

• The Head of Security is responsible for the physical aspects of security and will provide specialist advice on physical security issues throughout KFUPM.

• All staff, students, visitors and third parties related to the University must handle information in accordance with this policy and any relevant local legislation, wherever the information or data is held or processed.

• The implementation of this policy shall be reviewed independently by an agreed party at regular intervals agreed by Internal Audit and IT Services.

• The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security policy.

• Any actual or suspected breach of information security must be reported in a timely manner to the Information Security Manager, who will take appropriate action and inform the relevant authorities.

• Failure to comply with this policy, or its subsidiary regulations, may result in disciplinary action.

It is the responsibility of every person to protect the resources and information assigned to them, to make informed decisions, and to protect and secure the personal information of others. The scope of these responsibilities depends on the role of the individual.

All users of University information, including staff, students and faculty, must:

• Understand the laws and practices for data protection, and the responsibilities described in the policies, guidelines and procedures set up to secure information. They should seek guidance from their seniors or supervisors if any clarification is needed.

• Report any actual or suspected breach of information security that could expose or endanger University information in any form.

Non-compliance with this policy will be subject to the University's disciplinary procedures for staff, students and other members.

Individuals with administrative responsibility for the University's organizational units, such as heads of business units, chairmen of departments, deans of colleges and managers, must:

• Inventory the electronic information resources within their areas of control.

• Define the purpose and function of these resources and ensure that the necessary training and documentation are provided to the personnel concerned.

• Establish acceptable levels of security risk for these resources by assessing factors such as:

    1. The sensitivity of the data, such as research data or information protected by policy.

    2. The criticality or overall importance of the resource to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities.

    3. How badly the operations of one or more units would be affected by unavailability or reduced availability of the resource.

    4. How likely it is that the resource could be used as a platform for inappropriate acts against other entities.

    5. The limits of available technology, cost, and staff support.

• Ensure that the necessary security measures are implemented for these resources.

Providers (individuals who design, manage and operate campus electronic information resources, e.g. IT managers, application programmers, or system administrators) must:

• Become knowledgeable about the relevant security requirements and guidelines.

• Analyze potential threats and the feasibility of various security measures in order to provide recommendations to administrative officials.

• Implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials.

• Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements.

Users (individuals who access and use campus electronic information resources) must:

• Become knowledgeable about the relevant security requirements and guidelines.

• Protect the resources under their control, such as access passwords, computers, and the data they download.

Ultimately the community depends on a well-balanced security program and on the ethical and knowledgeable behaviour of all who use and provide information resources.

0.1.5 Sensitive Information

Information must be assigned a security level according to its sensitivity. The levels of sensitive information are defined as follows.

0.1.5.1 Top Secret

Top Secret is the highest level of sensitive information in the University. Access to it requires an additional credential such as a code word or an RFID card. It includes the student files database system, to which only the Deanship of Admissions has access.

0.1.5.2 Secret

Secret information is information that, if made public, could cause serious damage to the University and its reputation. Appropriate procedures and systems are put in place to ensure its protection.

0.1.5.3 Confidential

Confidential information can itself be classified into upper and lower bounds. It is personal information about University personnel that must remain confidential even from other University employees. For example, some information about University faculty may be disclosed to their students, but not all of it. The University policy must therefore identify and describe exactly which information needs to be kept confidential.

0.1.5.4 Restricted

Restricted information, sometimes called private information (see 0.1.6 Personal Information), must be protected against unauthorized entities. It may be disclosed only with the consent of its owner.

0.1.6 Personal Information

Personal information is information relating to any University member, student, faculty or staff. Such sensitive information includes national ID number, driver's license number, phone number, personal contact information, date of birth and home address.

Privacy of Personal Information

Current and past information about individual students, faculty and staff must be maintained for educational, research and other institutional purposes. It is University policy that such information be collected, maintained and used by the Institute only for appropriate, necessary and clearly defined purposes, and that it be controlled and safeguarded to ensure the protection of personal privacy to the extent permitted by law. The following points are essential when handling personal information.

Security Responsibility

Responsible persons must ensure the accuracy and completeness of personal information and protect it against accidental or intentional misuse or improper disclosure, within or outside the University.

Use of Personal Information

Whenever a person's information is requested, that person must be informed of the consequences and may ask the reasons for the request. Such information must not be used or exchanged within the Institute for purposes other than the stated, legitimate ones.

Reviewing Personal Information

Individuals may see the information the University maintains about them, in accordance with University and state law and while respecting the privacy of others. University personnel may see and review their own information and may obtain legitimate copies, corrections and updates.

Disclosure of Personal Information outside the University

Information about students other than directory information, and personnel information other than standard personnel information, must not be released to anyone outside the University without the permission of the owner, except in connection with court orders or other legal process.

Foreign Nationals' Information

Requests for information about individual foreign nationals, other than directory information about students and standard personnel information, must be directed to the information manager. The manager may deliver this information to senior government officials, national security or law enforcement agencies for assessment purposes.

Records of Personal Information

When records are no longer actively needed, they must be retired and maintained in accordance with the Institute's database record policy. The database holder may grant researchers access to records that have been inactive for a long time. Students' educational records must be maintained in accordance with all applicable rights and restrictions.

0.1.6.1 Staff Information

Staff information includes employee ID, salary and benefits information, previous work experience, education and training, job description, health records, and performance and disciplinary reviews.

1. Staff Directory Information

Staff information may be used by other employees whose responsibilities include managing the information and job descriptions of the whole staff, such as the HR department. It may also be used by senior management, without the staff member's consent, to assign and evaluate job responsibilities.

Staff directory information includes:

• Full name
• Permanent and resident address
• University office address
• Phone number
• Electronic mail address
• Year and registration type
• Qualifications
• Date of birth
• Date of employment

2. Service Information

• Previous and current experience
• Field of expertise
• Department
• Job description
• Employment status and designation
• Audit and accountability reports
• Service plan and funding information

3. Medical Records

The Medical Department is responsible for maintaining the medical record of each employee. The Medical Department is expected to adhere to the University policies on the use and disclosure of medical information. Medical records may be made available for inspection and checking at the request of the patient or another legitimate authority.

4. Employment Records

• Job contract
• Service agreement
• Period of employment
• Record of assets provided by the University

5. Information Disclosure

• Staff information may not be exchanged within the Institute for purposes other than those stated by Institute officials.

• Personal staff information must not be disclosed to persons outside the Institute without the staff member's written consent, with certain exceptions.

• Institute officials who have a legitimate interest may access staff information without notification in order to fulfil their professional responsibilities.

• Staff information may be transferred to other departments and offices, with the staff member's consent, for training purposes or to share particular expertise.

• All requests for information made by law enforcement agents in conjunction with an investigation require a subpoena for that information.

• Information may be made available to officials for institutional surveys or to assess overall staff performance.

0.1.6.2 Student Information

1. Student Directory Information
Certain information about students is designated by the University as directory information and may be released without the student's knowledge or consent. This information includes:
Name,
Term and permanent home address,
University office/hostel address,
Phone number,
Electronic mail address,
Course,
Year and registration type,
Degrees received,
Date of birth,
Dates of attendance,
Distinctions and awards received,
Extracurricular activities, weight and height.

Students have the right to withhold directory information from disclosure, including disclosure in printed and online editions of the directory, except to Institute officials who have a need to know it. Using, or facilitating the use of, the Student Directory or similar listings for non-Institute purposes is a violation of Institute policy. In making the student directory available online through the World Wide Web, the University will take precautions to minimize prohibited uses of this information.

2. Faculty and staff data
Notes and similar records about a student that are made for, and restricted to, the personal use of a faculty or staff member are not subject to review by the student.

3. Campus Police records
Students may see only the daily log of the Campus Police Department, which is open to public inspection under University procedure. Other Campus Police records regarding students are not subject to review by students or others. The Campus Police Department may, however, deliver such records to other public safety agencies for law enforcement purposes.

4. Medical records
Medical records are maintained by the Medical Department and are subject to separate provisions of University procedures that protect their confidentiality. The Medical Department may make such records available for inspection and copying by the patient.

5. Records of students as staff
Records of the jobs that students hold while enrolled at the University must be kept securely by the Employment and Training Department. These records may be reviewed by the department or provided to the student on request.

6. Library records
Library circulation records may not be disclosed to others, including Institute faculty and staff, except as necessary to enforce library rules such as fines and the return of books and other items the library lends.

7. Alumni records
Information about former students that pertains to the period after they have left the Institute may be used for general purposes determined by the Institute.

0.1.6.2.1 Disclosure of Student Information

When access to student information is granted to individuals other than the students themselves, the following principles apply:

1. Disclosure of information to insiders
Student information may not be exchanged within the Institute for purposes other than those stated by Institute officials. A person who is given access to student information may not pass the information to another person unless that person also has such permission.

2. Disclosure of information to outsiders
Personal student information may not be disclosed to persons outside the Institute without the student's written consent, with certain exceptions. The written consent must be signed and dated, and must state the purpose of the disclosure and the party to whom the disclosure is made. On request, the student shall be provided with a copy of any record that is disclosed. In emergencies, Institute officials may disclose student information as necessary to protect the health or safety of the student or others.

3. Disclosure of Student Information to Officials
Institute officials who have a legitimate educational interest may access student information, without notifying the student, in order to fulfill their professional responsibilities. Access is limited to the records of those specific students, and to those categories of information, for which it is needed. The following are examples of assigned responsibilities that constitute a legitimate need to know:
Providing academic or personal advice and counsel to students,
Administering academic programs,
Creating and maintaining student educational records,
Awarding and administering financial aid,
Assessing and collecting fees,
Supervising and certifying student educational progress for Institute or government purposes,
Enforcing student conduct and discipline,
Administering the residential system,
Planning, conducting and reviewing research related to the Institute's educational programs,
Conducting individual research projects, provided that the privacy of the students is protected.

4. Student work disclosure within and outside the Institute
University schools, academic departments, laboratories, and centers should inform students in advance of the kinds of student academic work that will be made publicly available.

5. Record of disclosures
A record of every disclosure of records containing student information, including the identity of the party to whom the disclosure was made, must be maintained as part of the student's record.

6. Disclosure of Student Information to Students
Students have the right, subject to the need to protect the privacy of other students, to view the records, files, and data held about them on an official basis by the Institute. Students also have the right to challenge the content of those records, files, and data that they believe to be inaccurate or misleading.

7. Disclosure of information for institutional research
Student information may be disclosed to professionals whose administrative responsibilities include institutional research, that is, the analysis of data (including information about students) that supports the evaluation of educational programs and, more broadly, planning and decision-making by University faculty and staff. Institutional research also includes the reporting and analysis required by government and other outside agencies.

8. Disclosure of information for disciplinary charges and proceedings
Information concerning student disciplinary charges and proceedings, including the outcome of the proceedings, is confidential and may not be disclosed except in accordance with policy. Victims of crimes of violence will be informed of the outcome of disciplinary proceedings concerning those incidents. In addition, other schools with legitimate educational interests may be informed of disciplinary actions taken against students for behavior that posed a risk to students.

9. Grades
Lists of grades carrying any form of potentially personal identification must not be posted in electronic or paper form. Graded student work (problem sets, exams, papers) should be returned to students in a manner that protects the privacy of the graded material and minimizes access by others.

10. Disclosure of student information to parents and guardians
University policy provides confidentiality for student information on academic, health and advising matters, but encourages students to share such information with their parents or guardians themselves. In extraordinary cases, including health and safety emergencies, the Dean may consult with parents, guardians, individuals designated by the student, or others as appropriate. Individuals contacting the Institute for information about a specific student should be referred to the Office of the Dean of Students and Undergraduate Education or to the Graduate Students Office.

11. Background checks
Faculty and staff may provide information to law enforcement agents, or their representatives, who are conducting background checks only when the agents present a form signed by the student authorizing the investigation.

12. Other investigations
All other inquiries for information about students made by law enforcement agents in connection with an investigation require a subpoena for that information.

13. Disclosure of student information to the media
Requests from the media about current and former students should be directed to the News Office. Permission to release information other than directory information must be obtained from the student.

0.2 Information Transmission

Electronic communication has transformed both academic and administrative activities and will continue to facilitate greater communication among faculty, students, and staff. Alongside these benefits, precautions must be taken to protect personal privacy and the confidentiality of student information. All members of the University community are expected to abide by the policies on the use of information technologies.

1. E-Mail
As email has become an integral part of the academic process, confidential information about students, including evaluations and grades, is transmitted by email. Faculty, staff and students must recognize that, although there is an expectation of privacy, unencrypted email is not a secure means of transmitting information, since messages can be read in transit and on any server or mailbox where copies are stored. Applicable law and Institute policy make it clear that the unauthorized interception of email is a serious offense. In light of those legal and policy rules, this policy does not prohibit student information from being transmitted by email. However, caution must be exercised about the content of messages and about access to the mailboxes and machines on which confidential information resides. The University's ITC department does its best to secure the email system.

0.2.1 Email Address Policy

0.2.1.1 Purpose
The purpose of this policy is to ensure the proper use of KFUPM's email system, located on the University's servers and used by faculty, staff and graduate students (the University Email Accounts), and of the email accounts for undergraduate students and alumni that use the University's domain name pursuant to an agreement between the University and Google, Inc. Electronic mail is a tool provided by the University to complement traditional methods of communication and to improve educational and administrative efficiency. Users have the responsibility to use this resource in an efficient, effective, ethical and lawful manner. Violations of the policy may result in restriction of access to the University Email Accounts and/or other appropriate disciplinary action. In the event that a University employee holds both a University Email Account and an undergraduate or alumni account, the more stringent rules of this policy for University Email Accounts shall apply.

0.2.1.2 Policies
The email address of a user account takes the form of [email protected], e.g. [email protected]. An alias is created for each account based on the preferred standard firstname-lastname, e.g. [email protected]. ITS contacts the applicant to select a suitable alternative if a duplicate is encountered. Consequently, assuming that a person's email address is firstname-lastname is unreliable and may result in email being sent to an unintended recipient. Mail users are encouraged to use the Online Contact Directory (http://www.KFUPM.edu.au/cgi-bin/contactdir) and the University Address Book (accessible via individual mail clients) to determine email addresses.
Users are advised of their alias on account collection but can also look up their aliases online via the check aliases option on http://www.KFUPM.edu.au/its/services/manage-mail/.
Because an alias can change, under no circumstances should aliases be recorded in any subsidiary systems.
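As an added illustration (not part of the KFUPM policy), the following Python code assigns firstname-lastname aliases with the collision rule described above: a duplicate is never silently resolved, the account is flagged for ITS follow-up, and lookups always map back to the stable username rather than persisting the alias. The domain example.edu, the username format, the name-normalisation rule and the sample names are constructed assumptions.

```python
"""Added example, not from the KFUPM policy: alias assignment with collision
detection. Domain, usernames and names below are constructed assumptions."""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def normalise_name_part(part: str) -> str:
    """Fold accents, lower-case, and keep only a-z and hyphen so the alias is
    a valid, predictable local part (an assumed rule, not stated in the policy)."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z-]", "", folded.lower().replace(" ", "-"))


@dataclass
class AliasRegistry:
    domain: str = "example.edu"                            # assumption
    aliases: Dict[str, str] = field(default_factory=dict)  # alias local part -> username
    pending: List[str] = field(default_factory=list)       # usernames awaiting manual alias selection

    def propose(self, username: str, first: str, last: str) -> Optional[str]:
        """Assign firstname-lastname as the alias if it is free. On a duplicate,
        do not guess an alternative: record the username for ITS follow-up
        (the policy has ITS contact the applicant) and return None."""
        local = f"{normalise_name_part(first)}-{normalise_name_part(last)}"
        owner = self.aliases.get(local)
        if owner is not None and owner != username:
            self.pending.append(username)
            return None
        self.aliases[local] = username
        return f"{local}@{self.domain}"

    def resolve(self, address: str) -> Optional[str]:
        """Map an alias address to the stable username, or None if no such alias
        exists. Subsidiary systems should persist the username, never the alias."""
        local, _, dom = address.partition("@")
        if dom.lower() != self.domain:
            return None
        return self.aliases.get(local.lower())


def guessed_alias_misdirects(registry: AliasRegistry, first: str, last: str,
                             intended_username: str) -> bool:
    """True when mail sent to a guessed firstname-lastname address would reach a
    different account than intended: the misdirection risk the policy warns of."""
    guess = f"{normalise_name_part(first)}-{normalise_name_part(last)}@{registry.domain}"
    owner = registry.resolve(guess)
    return owner is not None and owner != intended_username


if __name__ == "__main__":
    reg = AliasRegistry()
    print(reg.propose("sa1201", "Sara", "Ahmed"))                  # sara-ahmed@example.edu
    print(reg.propose("sa1377", "Sara", "Ahmed"))                  # None: duplicate, ITS follows up
    print(reg.pending)                                             # ['sa1377']
    print(guessed_alias_misdirects(reg, "Sara", "Ahmed", "sa1377"))  # True
```

The second Sara Ahmed gets no alias until ITS agrees an alternative with her, and any mail addressed by guessing sara-ahmed@ would land in the first account's mailbox; that is why the policy tells senders to consult the directory and tells integrators to store the username.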

0.2.1.2.1 University Contact Directory
The name and contact details of each associate account holder appear in the KFUPM Contact Directory. The entry is removed from the directory when the account is closed.

0.2.1.2.2 Account Closure and Deletion
Associate accounts remain active at the discretion of the sponsor and can be closed (deactivated) at any time.
Revoking access to an account in advance of its official closure is covered below under Account Withdrawal.
Closure of an account means that the account is frozen, i.e. the password is revoked, until the account is reinstated or has been deactivated for one year, at which time it is deleted.
Account holders who wish to remain contactable after their account is closed should set up an automatic reply or forwarding before closure. The automatic reply/forward will continue to operate until the account is deleted.
At this stage associate account usernames are not reused.
ITS reserves the right to undertake periodic audits of associate accounts in order to validate active accounts.

0.2.1.2.3 Account Withdrawal
A user's access to their associate account can be withdrawn in advance of the account's official closure on written request from an appropriate staff member of the sponsoring organization.
Account access may also be temporarily withdrawn by ITS in response to a suspected policy violation.
A user whose access has been withdrawn may request reconsideration of the decision by the Chief Technology Officer, or a delegated person, who shall consider the withdrawal with the relevant Senior Executive, Executive Dean, Faculty Executive Manager or Director. Following this, the Chief Technology Officer, or delegated person, shall confirm the withdrawal or reinstate the account.
For further information on account withdrawal, refer to the section titled Compliance below.

0.2.1.3 Student Accounts

0.2.1.3.1 Account Creation
An individual may hold only one student account at any point in time.
Students create their student account using the electronic account creation process within SMP Student Online Services (SOLS). To create a student account, a student must be recognized as a current student in the Student Management Package (SMP), which is defined as:
An undergraduate, postgraduate research or postgraduate coursework student who has an active course; or
A non-award or KFUPM College student with a current or future subject enrolment; or
A miscellaneous student attached to a current miscellaneous student group.
A miscellaneous student is not formally a student of KFUPM. A miscellaneous student's affiliation with the University is recorded in SMP for the purpose of managing their access to University facilities, not to record any formal recognition of studies.
Each student account is created with a unique username based on the student's initials followed by a number.
Each account is created with a maximum disk and email quota.
The Internet quota applied to the account depends on the account type, as detailed below.

0.2.1.3.2 Student Account Type
Student accounts may be one of two types: non-capped or capped.
The type of a student account is maintained automatically based on records in the University Student Management Package. For the purpose of defining the type of a student account, the following business rules apply:
an account is defined as a non-capped account where the student is a Postgraduate Research student of KFUPM;
in the absence of a postgraduate research enrolment, a student account is a capped account.

0.2.1.3.3 Non-Capped Student Accounts
Only postgraduate research students of KFUPM are provided with a non-capped student account.
An Internet quota does not apply to non-capped student accounts. Charges for usage are applied to a cost centre based on the student's enrolment records.
Refer to the Internet Access Policy for more information on Internet quotas.

0.2.1.3.4 Capped Student Accounts
Capped student accounts apply to all but Postgraduate Research students of KFUPM. This covers:
Undergraduate and postgraduate coursework students of KFUPM;
Non-award students of KFUPM;
KFUPM College students; or
Miscellaneous students, i.e. students attached to a Miscellaneous Student Group, which provides for the management within SMP of students who fall outside the University's mainstream student management processes.
A capped student account has an imposed Internet quota as per the KFUPM Internet Access Policy. The Internet quota allocated to each account is a set six-monthly allocation, which is the same for all capped student accounts.
Regardless of when the account is established, the account's quota is reset to the six-monthly allocation at the beginning of each year and at mid-year.
The Internet quota on an account is set to zero during periods when a student does not have an active course or is not attached to a Miscellaneous Student Group. This also applies when the student is on leave of absence.
Charges for usage are applied to a cost centre based on the student's enrolment records.
The quota assigned to an account can be increased on an individual basis as outlined in the IT Internet Access Policy.
Refer to the Internet Access Policy for more information on Internet access.

0.2.1.3.5 Account Closure and Deletion
Continued access to the account is maintained automatically based on records in the University Student Management Package. For the purposes of managing the official closure of a student account, an account remains open for as long as:
An undergraduate, postgraduate coursework or postgraduate research student has an active course. A retention period of three months is accommodated, so the account closes three months after the course is completed. Where a course is closed for reasons other than completion, e.g. where the course has lapsed or the student has been excluded for not meeting the minimum rate of progress, a retention period of 14 days applies;
A non-award or KFUPM College student has a current or future subject enrolment. A retention period of 21 days is accommodated, i.e. accounts in this category close 21 days after the end date of the student's most recent subject enrolment;
A miscellaneous student is attached to a current miscellaneous student group. A retention period of 7 days is accommodated, i.e. accounts in this category close one week after the end date of the student's most recent miscellaneous student group enrolment.
The University reserves the right to revise the above criteria.
Closure of an account means that the account is frozen, i.e. the password is revoked, until the individual resumes study, at which point the account is reactivated. Accounts are automatically reactivated under the original username and password if the account still exists.
Students receive an email indicating the pending closure of their account during the 14 days leading up to the closure.
Accounts that have been closed for a period of nine months are deleted.
Account holders who wish to remain contactable after their account is closed should set up an automatic reply or forwarding before closure. The automatic reply/forward will continue to operate until the account is deleted.
At this stage student account usernames are not reused.
A student may request an extension of access to their account past the official closure date. Such extensions must be applied for in writing to the Academic Registrar and will only be granted in exceptional circumstances.

0.2.1.4 Administration and Implementation Compliance
User accounts are issued on the basis that the user agrees to abide by the University's terms and conditions for acceptable use of ITC facilities, as detailed in the ITC Acceptable Use Policy.
The University treats misuse of its IT facilities seriously. Violations of the conditions of use of IT facilities may result in temporary or indefinite withdrawal of access, disciplinary action under the University's (or relevant entity's) discipline procedures, and/or reimbursement to the University.
IT misconduct by students will be dealt with under the Student Conduct Rules. The Chief Technology Officer or their nominee will be the Primary Investigation Officer for allegations of IT misconduct by students. Detailed investigation procedures and the penalties that may be imposed on students engaging in IT misconduct can be found in the Student Conduct Rules.
A user's access will be withdrawn on written request from an appropriate staff member of the sponsoring organization. Access may also be withdrawn by ITC in response to a suspected policy violation.
A student whose IT access has been withdrawn as a result of an investigation under the Student Conduct Rules can appeal the decision or the penalty to the Student Conduct Committee. Otherwise, a user whose access has been withdrawn may request reconsideration of the decision by the Chief Technology Officer, who shall consider the withdrawal with the relevant Senior Executive, Executive Dean, Faculty Executive Manager or Director. Following this, the Chief Technology Officer shall confirm the withdrawal or reinstate access.
Misuse or unauthorized use of University IT facilities may constitute an offence under the Crimes Act and/or other legislation. Nothing in this policy or in the Requirements Governing the Use of IT Facilities may be taken as in any way diminishing or removing a person's obligation to comply with the law, or their liability to prosecution and punishment under the law.
Users are encouraged to report any misuse; all reports will be treated as confidential.

0.2.1.5 Ownership of Email Data
The University owns the University Email Accounts. Subject to underlying copyright and other intellectual property rights under applicable laws and University policies, the University also owns data transmitted or stored using the University Email Accounts.

0.2.1.6 Personal Use
While incidental personal use of a University Email Account is acceptable, conducting business for profit using a University Email Account is forbidden. Use of a University Email Account for political activities (supporting the nomination of any person for political office or attempting to influence the vote in any election or referendum) is forbidden. Any use of a University Email Account to represent the interests of a non-University group must be authorized by an appropriate University official.

0.2.1.7 Privacy and Right of University Access
While the University will make every attempt to keep email messages secure, privacy is not guaranteed, and users should have no general expectation of privacy in email messages sent through a University Email Account. Under certain circumstances it may be necessary for ITC staff or other appropriate University officials to access University Email Accounts; these circumstances include, but are not limited to, maintaining the system, investigating security or abuse incidents, and investigating violations of this or other University policies. KFUPM staff or University officials may also require access to a University Email Account in order to continue University business where the account holder will not or can no longer access the account for any reason (such as death, disability, illness, or temporary or permanent separation from the University). Such access will be on an as-needed basis, and any email accessed will be disclosed only to those individuals with a need to know or as required by law.

0.2.1.8 Data Purging and Record Retention
Individuals are responsible for saving email messages as they deem appropriate. Unless a legal hold has been placed on an account, messages in University Email Accounts are automatically purged from the following folders after the stated period:
Sent / Sent Items - 60 days
Trash / Deleted Items - 15 days
Junk / Junk Email - 30 days
Because resources are finite, the University has the right to restrict the amount of user space on the University Email Accounts as necessary, to revise the above purge periods with appropriate IT Committee approval and advance notice, and to purge and remove the University Email Accounts of any students remaining on the University's email system who have not registered for a semester or more.
Employees who have actual knowledge of matters in which it can reasonably be anticipated that a court action will be filed, in which a subpoena has been served or notice of sale has been given, or in which records are sought pursuant to an audit, a government investigation or similar circumstances, must preserve the relevant University records, including emails and instant messages.
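The purge rule and the legal-hold exception above can be expressed as a small decision function. The following Python is an added example, not part of the KFUPM document: it applies the three folder retention periods quoted in the policy, leaves folders with no stated period alone, and skips every message in an account under legal hold. The message record layout, the folder-name synonyms, the sample data, and the assumption that a message exactly at the limit is kept are constructed for the example.

```python
"""Added example, not from the KFUPM policy: purge selection that honours the
per-folder retention periods and the legal-hold exception. Record layout and
sample messages are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Set

# Retention periods quoted in the policy, in days. Folder names are normalised
# to the first name of each "X / Y" pair in the policy text.
RETENTION_DAYS = {"sent": 60, "trash": 15, "junk": 30}

FOLDER_SYNONYMS = {
    "sent items": "sent",
    "deleted items": "trash",
    "junk email": "junk",
}


@dataclass(frozen=True)
class Message:
    account: str
    folder: str
    received: date


def canonical_folder(name: str) -> str:
    """Map 'Sent Items' -> 'sent', 'Deleted Items' -> 'trash', etc."""
    key = name.strip().lower()
    return FOLDER_SYNONYMS.get(key, key)


def is_purgeable(msg: Message, today: date, legal_holds: Set[str]) -> bool:
    """Purge only when: the account is not on legal hold, the folder has a
    stated retention period, and the message is older than that period.
    Messages exactly at the limit are kept (assumption)."""
    if msg.account in legal_holds:
        return False            # legal hold overrides every folder rule
    limit = RETENTION_DAYS.get(canonical_folder(msg.folder))
    if limit is None:
        return False            # Inbox and custom folders are never auto-purged
    return (today - msg.received) > timedelta(days=limit)


def select_for_purge(messages: Iterable[Message], today: date,
                     legal_holds: Set[str]) -> List[Message]:
    """Return the subset of messages the nightly purge job may delete."""
    return [m for m in messages if is_purgeable(m, today, legal_holds)]


# Constructed sample data (not from the policy).
TODAY = date(2015, 9, 29)
SAMPLE_MESSAGES = [
    Message("u1", "Sent Items", TODAY - timedelta(days=61)),     # past 60 -> purge
    Message("u1", "Sent", TODAY - timedelta(days=60)),           # exactly 60 -> keep
    Message("u1", "Deleted Items", TODAY - timedelta(days=16)),  # past 15 -> purge
    Message("u1", "Inbox", TODAY - timedelta(days=400)),         # no rule -> keep
    Message("u2", "Junk Email", TODAY - timedelta(days=31)),     # u2 on hold -> keep
]
LEGAL_HOLDS = {"u2"}

if __name__ == "__main__":
    for m in select_for_purge(SAMPLE_MESSAGES, TODAY, LEGAL_HOLDS):
        print(f"purge {m.account} {m.folder} received {m.received}")
```

The hold check comes first and is keyed on the account, not the folder, so a hold placed after messages have already aged past their limit still stops the next purge run; the preservation duty in the last paragraph above is what feeds that hold set.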

0.2.1.9 Data Backup
The University Email Accounts are backed up on a regular basis as a means of recovering from a systemic loss affecting the entire email system. User files and folders are not backed up individually, and ITC staff cannot accommodate requests to restore them. While in some cases it may be possible to recover from the accidental deletion of files by a user, this is generally not feasible; each email user is therefore responsible for backing up individual messages and folders as appropriate.

0.2.1.10 Expiration of Accounts
Individuals may leave the University to take other employment, retire, transfer to another college, or simply move on to other activities. There are many situations at the University in which the duration of email privileges or the expiration of accounts differs, as set out below. Notwithstanding the guidelines below, the University (KFUPM, RI, Student Life, or General Counsel) reserves the right to remove the email privileges of any University Email Account at any time.
Faculty who leave before retirement: Faculty who leave before retirement may keep their email account for one year from the end of the last term in which they taught. If the separation is for cause, email privileges may be suspended immediately and indefinitely without notice.
Staff who leave before retirement: Staff members who leave the University will have their email privileges removed effective on their last day worked. If the separation is for cause, email privileges may be suspended immediately and indefinitely without notice.
Retired Faculty: Faculty who have retired from the University retain their email privileges indefinitely; however, if the account is unused for a period of one year, email privileges will be removed.
Retired Staff: Staff who have retired from the University will have their email privileges removed effective on their last day worked.
Adjunct Faculty: Adjunct faculty maintain email privileges for three academic years from the last term in which they taught, unless informed otherwise by the Registrar's Office.
Students who leave before graduation: Students who leave the University without completing their degree or other program may keep their email privileges for one academic year from the last term in which they were registered.
Students who are expelled: If a student is expelled from the University, email privileges will be terminated immediately upon the directive of the Dean of Students Office.
Alumni who do not wish to participate in the opt-in service: The University will hold the email address for two years. At the end of the two years, the email address becomes available and will be reused.

0.2.1.11 Appropriate Use
When using email as an official means of communication, students, faculty and staff should apply the same professionalism, discretion, and standards that they would use in written business communication. Furthermore, students, faculty and staff should not communicate anything via email that they would not be prepared to say publicly. Users of email shall not disclose information about students or employees in violation of University policies or laws protecting the confidentiality of such information.
No private personally identifiable information about University faculty, staff, students, alumni or other University members may be transmitted via email or stored in an unencrypted format. This includes, but is not limited to, Social Security numbers, bank account information, tax forms and other sensitive data.
No technical data with potential military defense application, or otherwise subject to export control or other international trade control laws, may be transmitted or stored in an unencrypted format.
Users who exchange email with persons in other countries should be aware that they may be subject to the laws of those countries and to the rules and policies of other systems and networks. Users are responsible for ascertaining, understanding and complying with the laws, rules, policies, contracts and licenses applicable to their particular uses. Students who are employed by the University may not store information relating to their employment in their Email Account.
Approval for the transmission of email containing essential University announcements to students, faculty and/or staff must be obtained from the responsible University official as follows:
for sending to all faculty, approval from the Vice President of Academic Affairs is required;
for sending to all staff, approval from the Senior Vice President of Administration is required;
for sending to all students, approval from the Vice President of Student Life is required.
Use of distribution lists or the reply-all feature of email should be carefully considered and used only for legitimate purposes in accordance with these guidelines. Where email messages generate a high number of responses because of their subject matter, it may be appropriate to use the KFUPM discussion boards instead of email.

0.2.1.12 User Responsibility
KFUPM maintains the University's official email system; faculty, staff and students are expected to read email on a regular basis and to manage their accounts appropriately. An email message regarding University matters sent from an administrative office, faculty member, or staff member is considered an official notice. Faculty, staff, or students who choose to use another email system are responsible for receiving University-wide broadcast messages and personal mail by checking the University's official email system, newsgroups, and the University's World Wide Web homepage. An alternative method of checking University email is to use the forwarding feature, which can be set to forward mail to an individual's personal email account.
Sharing of passwords is strictly prohibited. Each individual is responsible for his/her account, including safeguarding access to it. All email originating from an account is deemed to have been authored by the account holder, and it is the responsibility of that holder to ensure compliance with these guidelines.

    0.2.1.13 Departmental Accounts

    Requests for shared departmental accounts will be accommodated, but require the designation of an account holder, who will administer the addition, deletion, or modification of names within the account, as well as manage the account as per these guidelines. These accounts will be created with an expiration date of 1 year, at which time the holder can request a renewal, which will be granted pending verification of identity and the member list. Shorter expiration dates will be given where appropriate, such as to accommodate specific time-sensitive needs. Supported types of shared accounts are designated as:

    Type 1: This id will be able to receive mail from anywhere on the Internet, but will have no direct reply capability. The group/organization utilizing this type of generic id will have to utilize their own personal mail id to respond to the originators of any mail received by this generic id. These accounts will only be granted for Register or Faculty/Staff recognized activities or organizations, with approval from the faculty advisor of the organization.

    Type 2: This id will be able to receive mail from anywhere on the Internet, and will be able to respond directly to the sender. The generic id will be unable to access any of the predefined mailing groups that exist within the campus environment. Members of the group/organization utilizing this type of generic id will have to utilize WEB mail to read and respond to any mail sent to the generic id. The WEB interface will allow users to sign in to the generic id utilizing the generic id and their own personal LDAP password. Mail sent from the generic id will not reflect the identity of the responder, but will instead carry the identity of the generic id. Due to security concerns given the anonymous nature of email originating from these types of ids, no students will be allowed access to Type 2 accounts. If a student is found to have access to these accounts, the holder will be notified of the impending removal of the student's access. Repeated violations will result in deletion of the Type 2 account.

    0.2.1.14 Temporary User

    Faculty, staff, or departments can request temporary email privileges for users outside of the University. Full-time Faculty or Staff requesting these types of accounts will be required to submit user information, the rationale for the account, an expiration date, and sponsor information. Such requests shall be approved by the appropriate Dean or Vice President. A mandatory one-year re-sponsorship is required to maintain the account. Accounts that are not re-sponsored after one year will have email privileges removed.

    0.2.1.15 Supported Mail Clients

    University-supported email clients are Office 365 and Outlook Web Access (OWA). If a problem is encountered with the use of an alternate method, Helpdesk personnel will work with the individual to access email via the supported methods and will verify functionality of the supported environment. The University ITC department is continually evaluating tools and technologies and reserves the right to modify the list of supported clients with appropriate notification.

    0.2.1.16 Inappropriate Use

    On University Email Accounts of current students, any inappropriate email usage, examples of which are described below and elsewhere in this policy, is prohibited. Users receiving such email should immediately contact KFUPM, who in certain cases may also inform the Department of Public Safety.

    0.2.1.16.1 The exchange of email content that:

    Generates or facilitates unsolicited bulk commercial email;

    Infringes on another person's copyright, trade or service mark, patent, or other property right, or is intended to assist others in defeating those protections;

    Violates, or encourages the violation of, the legal rights of others or federal and state laws;

    Is for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;

    Intentionally distributes viruses, worms, Trojan horses, malware, corrupted files, hoaxes, or other items of a destructive or deceptive nature;

    Interferes with the use of the email services, or the equipment used to provide the email services, by customers, authorized resellers, or other authorized users;

    Alters, disables, interferes with or circumvents any aspect of the email services;

    Tests or reverse-engineers the email services in order to find limitations or vulnerabilities, or to evade filtering capabilities;

    Constitutes, fosters, or promotes pornography;

    Is excessively violent, incites violence, threatens violence, or contains harassing content;

    Creates a risk to a person's safety or health, creates a risk to public safety or health, compromises national security, or interferes with an investigation by law enforcement;

    Improperly exposes trade secrets or other confidential or proprietary information of another person;

    Misrepresents the identity of the sender of an email;

    Is otherwise malicious or fraudulent, or may result in retaliation against the University by offended viewers.

    0.2.1.16.2 Other improper uses of the email system include:

    The use or attempt to use the accounts of others without their permission. Newsgroups are provided as a service to faculty, staff, and students for posting University-related information. These will be monitored by those responsible for their content; any posted material deemed inappropriate may be removed without prior notification.

    Collecting or using email addresses, screen names, information or other identifiers without the consent of the person identified (including, without limitation, phishing, Internet scamming, password robbery, spidering, and harvesting);

    Use of the service to distribute software that covertly gathers information about a user or covertly transmits information about the user;

    Any conduct that is likely to result in retaliation against the University's network or website, or the University's employees, officers or other agents, including engaging in behavior that results in any server being the target of a denial of service (DoS) attack.

    These guidelines provide some examples of permitted or prohibited use of email. This list is not intended to be exhaustive but rather to provide some illustrative examples.

    0.2.1.17 SPAM and Virus

    Incoming email on the University Email Accounts is scanned for viruses and for messages deemed to be SPAM, i.e. unsolicited advertisements for products or services sent to a large distribution. Suspected messages are blocked from the user's inbox. Due to the complex nature of email, it is impossible to guarantee protection against all SPAM and virus-infected messages. It is therefore incumbent on each individual to use proper care and consideration to prevent the spread of viruses. In many cases viruses appear to be sent from a friend or coworker; therefore attachments should only be opened when the user is sure of the nature of the message. If any doubt exists, the user should contact the Helpdesk. DO NOT FORWARD THE MESSAGE! SPAM messages, however, can be quarantined via the Anti-Spam Quarantine (PureMessage).

    2. School and department web pages

    Faculty, staff and students must exercise caution in posting directory and other information to a web page that is accessible to the University or the public. Students have the right to withhold directory and other information from public distribution. Faculty and staff must receive permission from each student to post personal information and identification photographs to web pages.

    3. Class pages and blogs

    Email and web-based class work will remain central to the education process. While most of the information related to a class that is posted on web sites can be public, individual communication with students, as well as the work prepared by the students for the class, is regarded as student information. Therefore, the following three categories of information must be restricted to use by the staff and students of that class only:

    Class lists, including identification photographs;

    Online discussions among faculty, staff and students in which student participation is required and the student contributors are identified; and

    Student papers, reports and other work.

    0.3 Systems Usage

    0.3.1 Purpose

    Systems can provide access to resources on campus, as well as the ability to communicate with other users worldwide. Such open access is a privilege, and requires that individual users act responsibly. Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations. Use of the University's computer resources should support the basic missions of the University in teaching, learning and research. Users of computer resources are responsible for properly using and protecting information resources and for respecting the rights of others. This policy provides guidelines for the appropriate use of computing resources. The aforementioned problem statements apply to all the policy sections defined under Section 3.3 below.

    0.3.2 Scope

    Scope is defined for all of the policy sections defined under Section 3.3.

    Applies to the use of all campus computing resources.

    University systems, including hardware and software, are classified according to the scope by considering the level of support and university operations. The classification of systems takes into account legal protection, contractual agreements, ethical behaviors, and the worth of the information that these systems hold. Such categorization provides the basis for planning, allocation of resources, support, and the security controls and access controls appropriate for those systems.

    The system classifications are as follows:

    0.3.2.1 Servers and Applications

    1. Enterprise Systems

    These are the systems that can be accessed from, or are located in, several departments of the University. These systems are considered business-essential and require a high degree of availability. Examples include PeopleSoft application systems, Black Board eLearning, One Card, and GroupWise.

    2. Department Critical Systems

    These are the systems which are only accessible locally by their own departments. They are considered essential for conducting business processes or academic purposes.

    3. Department Servers

    Servers that provide an academic and/or administrative function and that may store Restricted or Sensitive Information. All systems hosting server services must be registered with the Information Security Office.

    0.3.2.2 Workstations and accessible systems

    Users who access university systems and data with the help of workstations are responsible for exercising proper accountability in protecting the confidential, sensitive, private, personal or institutional information they access or use in the conduct of their job responsibilities. In order to protect university data from inappropriate disclosure, all workstations that store Restricted Information must encrypt the data in compliance with the University's data encryption guidelines. User access to university systems and information resources will be assigned by the type of workstation used, which is as follows:

    1. Managed Workstations

    Workstations that access Restricted or Sensitive Information shall follow the configuration standards and maintenance procedures. Failure to meet these requirements will be grounds for denial of system or university network access.

    2. Non-Managed Workstations

    Non-Managed workstations may include faculty and staff workstations, personal computers, PDAs, etc. Non-Managed Workstations shall have no access, or only limited access, to critical systems, as allowed by the University regulatory body.

    0.3.3 Policies

    0.3.3.1 Prohibited Communication

    The University's computing resources cannot be used for sending, receiving or storing (SRS) prohibited communications, i.e. communications which are discriminatory, derogatory to any individual or group, obscene, sexually explicit, pornographic or threatening.

    0.3.3.2 Organizational and Non-Organizational Computers

    Non-organizational computers can be used for storing personal information.

    Non-organizational computers can have internet facilities by providing a username and password.

    University resources like printing and file sharing can only be accessed via organizational computers.

    If the employee is expected to do some work at home, the University will provide a suitable computer.

    Only university-provided computers can be used to connect to the organization's internal computer systems via a remote access system.

    All computers that are owned by the university or are provided to employees are to be used in accordance with their jobs within the University.

    University computers are to be used only for teaching, learning and research purposes.

    The University doesn't allow employees to play games across the internal network.

    0.3.3.3 Information

    All information stored on or used by university computers belongs to KFUPM.

    Employees cannot use university computers to store personal information, i.e. data which isn't related to teaching, research or any educational purpose.

    0.3.3.4 Software

    KFUPM will only use legal copies of operating systems. Cracked versions are not allowed.

    Software will be used only in accordance with its license agreement.

    The latest Anti-Virus software must be installed and maintained on all systems.

    Proper firewalls and proxy servers must be implemented.

    Duplication of copyrighted software is a violation of copyright law, except for backup and archival purposes by the software manager or ITC Department.

    No user will give administrative software to any outsiders, including clients, customers, and others.

    Under no circumstances will the University use software that has been brought in from any unauthorized location.

    0.3.3.4.1 Authorization of Software

    New software to be installed on any University computer must be approved by the respective department, ITC and the software manager.

    0.3.3.4.2 Prohibited Software

    BETA software which is not updated for security vulnerabilities by the vendor.

    Software which has known vulnerabilities.

    Software versions that are no longer supported by the vendor (example: Microsoft Windows 98 and ME, XP or MacOS 10.3).

    0.3.3.5 Privacy

    Employees should have no expectation of privacy for any information stored, sent, or received on any university computers.

    System administrators may access or examine files or accounts that are suspected of unauthorized use or misuse, or that have been corrupted or damaged.

    Administrators or security staff can monitor all computer-related activities, including the visiting of Web sites. For monitoring, they can use any monitoring tools, but those tools must abide by the policies defined in the Software section.


    0.3.3.6 Facilities

    0.3.3.6.1 Lab

    There must be at least one 24-hour lab in every building/department to aid in learning, teaching and research.

    0.3.3.6.2 Printing

    RAs and Students will get 100 pages per month.

    LBs and TAs will get 250 pages per month.

    Teaching staff will be provided with separate printers.

    0.3.4 Consequences of Misuse

    Users are expected to cooperate with system administrators in any investigation. Misuse of computing resources may result in the restriction of computing privileges. Users may be held accountable for their conduct under any applicable organization policies, procedures, or collective bargaining agreements. Complaints alleging misuse of campus computing resources will be directed to the respective department head for appropriate disciplinary action. Computing privileges can also be suspended or restricted during an investigation; users may appeal and petition for reinstatement of privileges through the Dean of the respective department.

    Misuse of computers, such as unauthorized use of another person's identification or password, using the network to send abusive messages, or using computer facilities to interfere with the work of another student or faculty or staff member, may result in rustication from the organization.

    0.3.5 Information Storage and Disposition

    Information and records, whether maintained in electronic files or on paper, must be stored and disposed of securely, in accordance with the University's policies, laws and procedures.

    0.3.5.1 Electronic Information

    1. Restricted Information

    Access to Restricted Information is limited to users that are assigned computer accounts by the Information Technology Center. Restricted Information must be maintained within data centers which are centrally managed and controlled. Storing Restricted Information on distributed servers, workstations, or mobile devices such as USB drives, external drives, laptops, notebook computers, PDAs, CDs, DVDs, etc. must be avoided. If it is not possible to avoid storing information on these devices, then it must be encrypted, with the approval and documentation of the ITC office.

    2. Sensitive Information

    Departments having Sensitive Information may follow the policies and practices for Restricted Information with reasonable care, depending on the requirements of the information stakeholders.

    3. General University Information

    This information must be secured from unauthorized modification only.

    0.3.5.2 Paper-based information

    1. Restricted Information

    Documents must be stored in locked areas with authorized access only and disposed of according to University and country law when no longer needed.

    2. Sensitive Information

    Departments having Sensitive Information may follow the policies and practices for Restricted Information with reasonable care, depending on the requirements of the information stakeholders.

    3. General University Information

    Documents should be recycled when no longer needed.

    0.3.6 Release of Information

    In some cases the University has to disclose, or is authorized to release, information that would normally be protected under this policy. Examples include disclosures of information for state and federal reporting requirements, legal processes such as writs, court orders or warrants, etc., and certain authorized releases of information about particular individuals like students, employees or customers.

    0.3.6.1 Legal Process

    Any employee or stakeholder of the university who is served with a legal document (for example, a writ, court order, summons or warrant) that refers to university records or data shall notify University Legal Services immediately and before the release of any requested information. University Legal Services will review the legal document to determine its validity and enforceability, and will provide guidance and assistance in responding properly. Legal documents that are addressed to a particular person should be accepted only by that person. If an unintended recipient is served with the legal document, it should not be accepted. The person serving the process should be referred to the person identified on the document, by name, title or job description, or should be directed to University Legal Services.

    0.3.6.2 Requests for information from External Entities

    The university receives many requests from external persons and entities for information and records maintained by the university. These external entities may include law enforcement agencies, attorneys, etc. The release of information about a particular person may require the consent and authorization of that person. Publicly available information about individuals, and the other types of information that can be released, are listed on the university's web pages. University Legal Services are available to assist in checking the validity and scope of any authorization provided for the release of information, as well as in providing guidance for appropriately responding to information requests made under an authorization.

    Before responding to requests for information, University Legal Services and the Department of Public Safety should be contacted to determine the authenticity of the request and of the person who is requesting. All requests for information should be evaluated on a case-by-case basis, for which University Legal Services are available for assistance. In general, any request for information from any entity, whether by legal process or not, should be immediately referred to University Legal Services.

    0.3.7 Internal Monitoring and auditing

    The information security management system, controls and responsibilities will be subjected to internal monitoring and auditing throughout the University, and the outcomes from these processes will inform and improve practices as part of the commitment to continual improvement. The University will also undertake appropriate benchmarking and external auditing exercises.

    0.3.8 Violations and misuse of Information Security

    Violations can include:

    Enabling unauthorized entities to have access to information;

    Disclosing information in a way that violates restricted access and procedures of confidentiality;

    Handling or using information in a way that violates regulations and procedures;

    Modifying or destroying information or university records;

    Inadequately protecting Restricted Information or Sensitive Information;

    Ignoring the requirements of information stakeholders for the proper management, use and protection of information resources.

    According to the authorities, violations may result in network jams, access denial, bypassed security schemes, university disciplinary action and criminal prosecution. Disciplinary action, up to dismissal and suspension, must be taken according to applicable university policies and procedures. Authorities will be notified of the event and of the action taken when a university office or department is found to be in violation of this policy. Corrective actions and possible financial costs associated with an information security incident will be coordinated accordingly. Vendors or consultants found to have breached their respective agreements with the university may be subject to consequences such as loss of vendor/consultant access to university information technology resources, removal of the vendor/consultant from university facilities, termination/cancellation of the agreement, payment of damages, and criminal or civil charges based on the nature of the violation.

    The university is sometimes asked to transmit information by state or federal authorities. In this situation university employees should transmit such information by following the