Policy & Procedure
Policy Title :
Acceptable Use Policy
Policy Number :
VIII. 2
Responsible Party :
Information Technology
Effective Date :
08/01/2014
Revised Date :
_______________________

Purpose

The purpose of this Information Security Policy is to secure PMU’s information assets and staff. Each policy statement in this policy is supported, wherever required, by standards and procedures to achieve a complete security framework at PMU.

Statement :

The following Executive Policy Statements govern the Responsibilities for Users Functional Policies listed in this document:

●     All relevant statutory, regulatory and contractual requirements must be explicitly defined by the HR Department and technical requirements must be explicitly defined and documented by PMU for each information system.

●     Appropriate procedures must be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights and on the use of proprietary software products;

●     Important records of PMU must be protected from loss, destruction and falsification;

●     Controls must be applied to protect staff personal information in accordance with relevant legislation;

●     Management must authorize the use of information processing facilities and controls must be applied to prevent the misuse of such facilities;

●     Controls must be in place to ensure compliance of Information systems with national agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls. This must be regularly reviewed;

●     Where action against a person or organization involves the law, either civil or criminal, the evidence presented must conform to the rules for evidence laid down in the relevant law;

●     This must include compliance with any published functional policy or code of practice for the production of admissible evidence.

Procedure :

Scope

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as network link

●     All management information systems

●     All business activities supported by ITD Group.

●     All of the above are either owned or leased by the ITD Group and under the PMU-ITD possession, custody, or control.

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

Use of the Internet/Intranet – Internet Crime

Current Legislation

The Saudi Arabian Communications and Information Technology Commission announced the issuance of the E-crimes and E-transactions acts. Both acts were issued on 27 March 2007. The E-crimes act was issued to combat electronic information crimes by defining those crimes and the penalties for them. The E-transactions act was issued to regulate electronic transactions and electronic signatures within a policy framework, and to combat any misuse of them by defining responsibilities and penalties.

University Directive

All users must comply with the following functional policies:

 

Internet/Intranet Functional Policy

Hacking and Cracking into Computer systems

●     No employee will participate in, or be party to, any kind of hacking or cracking of computer systems.

●     No user is allowed to gain access to PMU computer networks and systems without prior permission from the designated authority within PMU.

●     No vendor or third party is permitted to perform penetration testing on any of PMU systems and network without written approval from PMU.

●     All users are allowed to perform only authorized transactions on PMU systems and the Internet/Intranet.

 

Creation and distribution of malicious (dangerous) code

Dangerous code can be classified as any computer program (code) that causes destruction or harm to a computer system.

●     All users must ensure they have anti-virus software enabled on their computers. If in doubt, users should contact ITD.

●     It is the user’s responsibility to check all external material for viruses – this includes e-mails with attachments and disks from external sources.

●     Employees are prohibited from creating or distributing dangerous code of any form within PMU and associated parties.

 

Internet Fraud

●     Users are not permitted to use the PMU network or computer systems to perform a transaction they are not authorized to perform.

●     All transactions will be logged and will be used in the event of any illegal misconduct.

●     All users must always identify themselves as who they are when communicating and operating on PMU systems and network. Misrepresenting yourself is classified as a fraudulent event.

●     Users are not allowed to create personal web pages using PMU facilities (systems, network or computers).

●     Users must report suspected fraud to PMU\ITD immediately – this can be done anonymously.

●     Users are not permitted to operate an independent web page – running an online business for personal gain is forbidden using PMU facilities.

 

Theft of Information

●     Users must only access information to which they have authorized access.

●     No information is allowed to be given to an external party unless written permission is given by PMU management.

●     All information created and used in the course of the user’s employment remains the sole property of PMU.

●     Theft of information includes the copying of software and using it without a legal license.

●     This is forbidden at PMU and can be classified as a serious act of misconduct within the organization.

●     All users of software must strictly abide by copyright laws and restrictions detailed by the software manufacturer. Users must not copy software from the Internet. This includes the use of freeware and shareware (certain terms and conditions normally apply). All users must contact PMU\ITD if such software is required to perform their job.

 

Use of Electronic Mail (e-mail)

Electronic Mail (E-mail) Functional Policy

E-mail Content

●     Unacceptable e-mail content must not be acquired, possessed, sent or shown to other employees. For the definition of unacceptable e-mail, refer to the “Expressly Prohibited Use” section in the Electronic Mail Usage Functional Policy document.

●     If users are found creating, reading or distributing such mail, they will be penalized accordingly. Refer to section 9 of this document for penalties.

●     All e-mail attachments must be scanned for viruses.

●     Misrepresentation of oneself is prohibited within PMU – employees should always represent themselves as they are.

 

Representing PMU

●     The use of email to create contracts for and on behalf of PMU is strictly prohibited. PMU Management or the HR Department of PMU must approve all contracts.

●     E-mails must not contain any information, views or opinions of the employee that could create a negative corporate image for PMU.

●     All employees have a disclaimer attached to each e-mail. This disclaimer must expressly disclaim the employee’s authority to act for or bind the employer.

 

Defamation

Defamation is defined as “The unprivileged publication of a statement which exposes a person to contempt, hatred, ridicule or obloquy”.

Defamation usually consists of written or spoken words, but can also include graphics – cartoons or pictures – and voice or video conferencing facilities where words are not used.

 

●     Defamation of any person, whether they are employed by PMU or not, is strictly prohibited. This includes written, spoken or graphical representation – unacceptable e-mail content.

●     Defamation will lead to a severe disciplinary action.

 

Copyright

Current Legislation

●     In Saudi Arabia, copyright protection is afforded solely under the Copyright Act. The Copyright Act recognizes the following types of work, which are eligible for protection:

○     Literary, musical and artistic work;

○     Sound recordings, cinematographic films, sound and television broadcasts and programme-carrying signals;

○     Published editions; and

○     Computer Programs.

●     Computer databases (tables and the data) are protected as literary works.

●     Internet web sites are multimedia products containing written texts, photographs, pictures, etc., and all should be assumed to be copyrighted. Web sites can also be seen as computer programs.

●     Infringement of the Copyright Act falls into the following categories:

○     Infringement by reproduction;

○     Infringement by publication;

○     Infringement by public performance;

 

Software Management Functional Policy

Software Copyright

●     All users must be aware of and understand the software copyright and acquisition standards. Non-compliance with these standards will cause PMU to take the required disciplinary action against staff who breach them.

●     PMU must maintain proof and evidence of ownership of licenses, master disks, policies, etc.

●     PMU must implement controls to ensure that any maximum number of users permitted is not exceeded.

●     All users must comply with the terms and conditions for software and information obtained from the networks.

●     All employees must conform to the Copyright Act as described above.

●     Employees are not permitted to load an illegal copy of software on any PMU computer or related facilities.

●     The viewing, discussion or distribution of pornographic material, either by using the facilities of PMU, whether on or off the University premises, or during work hours, is forbidden.

●     PMU will monitor Internet web site access and logs will be maintained for 3 months.

 

Safeguarding of Organizational Records

●     Important records of organization are protected against loss, destruction and falsification.

●     Some records may need to be securely retained to meet statutory or regulatory requirements, as well as to support essential business activities. Examples are records that may include evidence that PMU operates within statutory or regulatory rules, or that confirm the financial status of an organization with respect to shareholders, partners and auditors.

●     National law or regulation may set the retention period and data content for information.

●     Records are categorized into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with its own details.

●     Considerations are given to the possibility of degradation of media used for storage of records.

All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

 

Governing Policy

The following Executive Policy statements govern the Computer, Network and Telephone Usage Functional Policies:

●     Independent review of information security in the organization must be done on a regular basis;

●     The security requirements of an organization outsourcing the management and control of all or some of PMU's information systems, networks and/or desktop environments must be addressed in a contract agreed between the parties;

●     Relevant information security roles and responsibilities must be documented in job definitions where appropriate;

●     All Employees and third parties such as contractors, consultants, business partners and outsourced staff must sign a confidentiality agreement as part of their initial terms and conditions of employment;

●     Aspects related to information security must be addressed in the Organization’s standard employee’s terms and conditions of employment and for third parties, with a formal contract with the PMU;

●     Users of information services must be required to note and report any observed or suspected security weaknesses in or threats to systems or services;

●     The violation of organizational security policies, functional policies and procedures by employees must be dealt with through a formal disciplinary process;

●     Capacity demands must be monitored and projections of future capacity requirements made to ensure that adequate processing power and storage is available;

●     ITD must implement detection and preventive controls to protect information and information processing facilities against malicious software, together with appropriate user awareness procedures;

●     Authorized PMU employees must be provided with Internet access for academic and business use;

●     Content scanning must only be enforced in checking for malicious software, viruses, etc.;

●     Functional policies for the use of the Internet and intranet must be implemented and controls put in place to reduce security risks created by the Internet and intranet usage;

●     The implementation of the E-mail, Internet and Intranet policy is aimed at ensuring that all employees and independent contractors are made aware of the disciplinary sanctions that PMU must impose on any unauthorized and/or unacceptable use of these services;

●     Employees of and independent contractors to PMU are specifically warned that personal criminal and/or civil action may be taken by PMU in the event of their breach of this policy;

●     The allocation of passwords must be controlled through a formal management process;

●     An intrusion detection system must be in place to detect unauthorized use of PMU networks;

 

All users must have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual.

 

Internet and Intranet Usage Functional Policies

●     Access to the Internet: Access to the Internet is provided to all employees and students.  Guests of the university will be provided Internet access at the discretion of the university.

●     Acceptable and Unacceptable Use of the Internet/Intranet

●     In an open plan office users must be aware of unauthorized users reading information displayed on their screen.

 

University Use

PMU sees the Internet/Intranet as significant tools for business benefit and for achieving required business objectives, i.e. the Internet can be used to access a wealth of information and resources, while the Intranet is one of the most effective ways of making PMU information available internally to the organization.

 

These services do, however, offer the opportunity for abuse of resources, and inappropriate use of these mediums could expose PMU to significant risks. Therefore Internet/Intranet facilities will only be available to users after formal acceptance of the Internet/Intranet functional policy. Any exceptions will be filed. Examples of such inappropriate use include:

●     Unauthorized attempts to break into any computer;

●     Theft or copying of electronic files without permission; and

●     Sending or posting company files outside the company or inside the company to unauthorized personnel.

 

Personal Use

PMU understands that many users work at non-traditional times, for example outside working hours and that these activities infringe on “personal time”. PMU therefore allows incidental and infrequent personal use of the Internet/Intranet within the Constraints on Personal Use noted below.

 

Constraints on Personal Use

Incidental and infrequent personal use of PMU's Internet/Intranet during or outside normal work hours is allowed on condition that:

●     It does not consume significant amounts of the user’s workday.

●     It does not consume substantial amounts of PMU bandwidth in such a way that it negatively impacts upon PMU systems, either directly or indirectly. PMU bandwidth could be impacted by distribution of for example the following:

○     Attachment types such as JPEG, JPG, AVI, etc; or

○     Chain letters, jokes, bitmaps, etc.

●     It does not expose PMU to a noticeable increase in costs.

●     It does not expose PMU to reputation or financial risks.

 

 

Expressly Prohibited Use

In order to prevent loss and the possibility of PMU being in violation of regulatory and statutory requirements the following Internet/Intranet related activities are prohibited within PMU:

●     Carrying any obscene, defamatory or discriminatory material;

●     Material containing derogatory racial, gender, religious or hate-oriented comments;

●     Libelous remarks about products or other companies,

●     Defamatory remarks, including defamation of character; or

●     Discriminatory language or remarks that would constitute harassment of any type.

 

Password Management

 

Internet/Intranet access to General Support systems and Public data shall require a password. All password creation and usage must be in accordance with those stated in PMU General Security Guidelines Functional Policy.

 

Downloading content

Users are permitted to download content from the Internet/Intranet. The downloading of content from the Internet/Intranet must however be in accordance with the following:

 

●     Users downloading large volumes should consider scheduling these for transmission after normal working hours.

●     When non-text files (databases, software object code, spreadsheets, formatted word-processing package files, etc.) are downloaded from non-PMU sources via the Internet, the following conditions must be adhered to:

○     Files must be screened with approved virus detection software prior to being used (opened);

○     Whenever an external provider of the software is not trusted, downloaded software should be tested on a stand-alone non-production machine that has been recently backed up. If this software contains a virus, worm, or Trojan horse, then the damage will be restricted to the involved machine;

○     Downloaded files must be decrypted and decompressed before being screened for viruses;

○     The use of digital signatures to verify that unauthorized parties have not altered a file is recommended, but this does not assure freedom from viruses.

 

 

Representing PMU

 

Vicarious Liability:

 

Users must be aware that in using PMU Internet/Intranet facilities they are representing PMU.  It is therefore important that the use of Internet/Intranet must be in accordance with the following:

●     Users should consciously build and preserve PMU image when using the Internet/Intranet.

●     Users may indicate their affiliation with PMU in mailing lists (list servers), chat sessions, and other offerings on the Internet. This may be done by explicitly adding certain words, or it may be implied, for instance via an electronic mail address. In either case, whenever users provide an affiliation, they must also clearly indicate that the opinions expressed are their own, and not necessarily those of PMU.

●     Users can indicate that opinions expressed are their own by the use of a disclaimer stating the following:

“Any opinions, presented explicitly or implied, are solely those of the author and do not necessarily represent those of the Organization.”

 

●     Wiretapping and message interception is straightforward and frequently encountered on the Internet. Accordingly, PMU proprietary information must not be sent over the Internet unless it has first been encrypted by approved methods.

●     User IDs and passwords, and other parameters that can be used to gain access to PMU information must not be sent over the Internet in readable form.

●     PMU software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-PMU party for any purposes other than business purposes expressly authorized by management.

●     Users should not allow others to use their user IDs and passwords when connecting to Internet sites requiring authentication (e.g. Gartner research database). If a user has no option but to allow this, the user must understand that he/she is the responsible party.

 

 

Expectation of Privacy

 

●     Individual Practices: On the Web, one of the real dangers is a possible loss of privacy or leakage of information about user activities.  Employees should be aware of the following issues relating to their privacy when surfing the web:

●     When you visit a Web site, the site you are visiting can identify where your Internet connection originates.  For example, if you use the Web from work, your activities can be identified as coming from PMU.

●     Web sites can log all of your activity, including any personal data you provide. The web site owner can associate you with this data on future visits. They may want to use this information to give you a better web experience, or they may be collecting competitive information, or both. Some web sites do not respect data privacy laws and may make the information collected from you available to other organizations. Should any of the events mentioned take place, the Legal Department must be informed immediately.

●     PMU Practices: The Internet connection provided to employees is a PMU resource. Activities may be subject to monitoring, recording, and periodic audits to ensure they are functioning properly and to protect against unauthorized use. Users must therefore note the following:

●     PMU reserves the right to monitor sites (e.g. duration and content) visited by users and to detect security violations.

●     PMU reserves the right to examine and access all information, created, stored or communicated using PMU information systems whenever warranted by business need or requirements.

●     PMU will disclose information obtained through such examinations to appropriate third parties, including law enforcement agencies.

●     Internet users expressly consent to such monitoring, recording and examination.

 

Internet Integrity

When using the Internet all users must comply with the following:

●     All information taken off the Internet should be considered suspect until confirmed by separate information from another source.

●     Before users release any internal PMU information, enter into any contracts, or order any products via public networks, the identity of the individuals and organizations contacted must be confirmed.

 

 

Electronic Fraud

●     Impersonation: Misrepresenting, obscuring, suppressing, or replacing a user's identity on the Internet or any PMU electronic communications system is forbidden.

●     Disclaimer of Liability: PMU is not responsible for material viewed or downloaded by users from the Internet or other public communications networks. Users are cautioned that web pages may include offensive, sexually explicit, and/or other inappropriate material. Users accessing the Internet and other public communications networks do so at their own risk.

 

General Information on Wireless Networks:

●     Wireless networking now provides easy, inexpensive, high-bandwidth network services for any organization that selects this latest network technology.

●     The IEEE 802.11 standard, further enhanced by the 802.11b/g/n specifications, details the framework necessary for a standard method of wireless network communication.

●     Connectivity previously had to creep along under the monopoly held by wires; now data can fly through the walls, significantly increasing network bandwidth and performance.

●     A recent survey by a leading security consulting company has revealed that wireless networking has indeed increased by 30% in the current technology-savvy market, and that wireless networking is the networking of the future. But as every technology has its own loopholes, security is a real cause of concern for wireless networks.

●     Access points transmit their data freely through the air, where it is exposed to any unauthorized user.

●     Placement of the access points is equally important. When doing the site survey for access point deployment, think about locating the access points toward the center of the building rather than near the windows. Plan the coverage to radiate out to the windows, but not beyond. If the access points are located near the windows, a stronger signal will be radiated outside the building, making it easier for outsiders to find the network.

Objective

The objective of this Information Security Policy is to secure PMU's information assets and staff.

Each policy statement in this policy is supported, wherever required, by standards and procedures to achieve a complete security framework at PMU.

 

 

Purpose and Scope

●     All Information Assets

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All business activities supported by PMU.

All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

 

Governing Policy

The following Executive Policy statements govern the Computer, Network and Telephone Usage Functional Policies listed in this document:

 

●     Both the wired and wireless networks will be monitored for unauthorized use or devices.

Wireless Network (Wi-Fi) Functional Policy

Authentication

●     All wireless stations (users/devices) must be authenticated to access a WLAN.

●     If username and password authentication is used, users/devices must use strong passwords (alphanumeric and special character string at least eight characters in length).

●     If a central authentication server or VPN gateway is used in the WLAN architecture, each wireless client must uniquely and successfully authenticate to the WLAN. Strong passwords must be used in this situation.

●     All wireless device users must be authenticated to access wireless devices and/or the desktop PC synchronization software.

●     Wireless handheld devices and synchronization software must require a strong password to authenticate access to the device, to the software, or to both. Users are required to authenticate when operating locally and remotely.

●     Wireless device authentication must not be disabled.

 

 

Encryption

●     All WLAN traffic must be encrypted to limit eavesdropping and ensure confidentiality.

●     Wired Equivalent Privacy (WEP) must be enabled using a 128-bit key, or the strongest encryption available in the 802.11b/g/n compliant product used.

 

Access Control

●     All access to the WLAN system, including its data and resources, shall be restricted unless authorized by PMU-ITD. Data traversing wireless networks and data accessible via wireless entry must be protected from unauthorized access, use, modification, or deletion using access control methods.

●     Non-PMU employees, excluding approved vendors and contractors, must not have access to WLANs that connect to the PMU Enterprise data network.

●     Service Set IDs (SSIDs) must be changed from the factory default to something that is meaningless to outsiders. SSID character strings must not reflect Member or Committee name, location, or product being used.

●     Broadcast mode of SSIDs must be disabled in products that permit it so that the client SSID must match that of the access point.

●     The authentication server, firewall, and/or VPN gateway must enforce access control mechanisms.

 

Anti-Virus Software

●     Antivirus software at the perimeter will provide protection for handheld devices by scanning all entry ports (i.e., synchronization, e-mail, and Internet downloading) as data is imported into the device, provide online signature update capabilities, and prompt the user before it deletes any suspicious files.

 

Personal Firewalls

●     It is highly recommended that WLAN client and handheld devices utilize personal firewall software.

●     Users that access public wireless networks (e.g., in airports, conference centers, coffee shops) should install personal firewall software on all WLAN client and handheld devices. A personal firewall protects against wireless network attacks and rogue access points (e.g., Ad hoc networks, accidental or malicious association, soft access points) that can be easily installed in public areas.

 

 

Physical Security

●     Access points must be physically secured upon proper configuration to prevent tampering and reprogramming (i.e., to prevent unauthorized physical access).

●     Access points must be placed in secure areas, such as high on a wall, in a wiring closet, or in a locked enclosure to prevent unauthorized physical access and user manipulation. Devices must not be placed in easily accessible public locations.

●     To mitigate eavesdropping, access points shall be placed strategically within the building so that the range does not exceed the physical perimeter of PMU-controlled facilities and allow unauthorized users to eavesdrop near the perimeter. Access points shall be placed to minimize or prevent the distance that the signal can travel outside the area that is under the control of the organization, including buildings, court yards, adjacent parking areas, etc.

●     The transmission power of WLAN access points must be restricted to the lowest power required for coverage.

●     In the event that the reset function of an access point is used, the device must be restored to the latest security settings.

 

Logical Security

●     All access points shall be logically separated and isolated from the House Enterprise data network, such as on a different segment, in a demilitarized zone (DMZ), or in a virtual LAN (VLAN).

●     WLANs must be treated as insecure counterparts to their wired associates. Access to resources on the wired network must be restricted.

●     Access points shall be physically situated so that authorized users can connect, yet away from sources of interference such as microwave ovens and Bluetooth devices.

●     To keep interference to a minimum, access point channels shall be at least five channels different from all other nearby access points on different WLANs. Some coordination may be required if multiple WLANs are to be used within close proximity.

●     All insecure and nonessential management protocols (Hypertext Transport Protocol (HTTP) and Simple Network Management Protocol (SNMP)) shall be disabled if not used.

●     SNMP settings must be set to least privilege (read only).

●     Web-based management of access points shall be from pre-defined management stations controlled by access lists on the access point. SNMP requests shall only be accepted from specified management devices.

●     SNMPv3 products or an equivalent cryptographically protected protocol shall be used, since they include mechanisms to provide strong security.
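
The Authentication, Encryption, Access Control and Logical Security statements above can be checked mechanically against an access-point inventory. The following is an added example, not part of the PMU policy or any vendor's tooling; the field names, the list of factory-default SSIDs, the encryption labels and the sample access points are constructed assumptions, and the password rule is this editor's reading of "alphanumeric and special character string at least eight characters in length".

```python
"""Added example (not part of the PMU policy or any vendor's tooling): audit an
access-point inventory against the Wi-Fi functional policy statements.
Field names, default-SSID list, encryption labels and sample values are
constructed assumptions."""
from __future__ import annotations
import re
import string
from itertools import combinations

DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}   # assumed defaults
REVEALING_WORDS = ("pmu", "university", "library", "finance", "building")  # assumed
MIN_KEY_BITS = 128                      # policy: 128-bit key or the strongest available
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}   # assumed vendor labels


def is_strong_password(pw: str) -> bool:
    """Policy wording read as: letters, digits and at least one special
    character, and at least eight characters in total."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and any(c in string.punctuation for c in pw))


def audit_access_point(ap: dict) -> list[str]:
    """Return the policy findings for one access point; an empty list is compliant."""
    findings = []
    ssid = ap["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("SSID is a factory default")
    if any(word in ssid for word in REVEALING_WORDS):
        findings.append("SSID reveals owner, location or product")
    if ap["ssid_broadcast"]:
        findings.append("SSID broadcast must be disabled")
    # Unknown encryption labels are treated as unencrypted so they are never missed.
    if ENCRYPTION_RANK.get(ap["encryption"], 0) == 0:
        findings.append("WLAN traffic is not encrypted")
    elif ap["key_bits"] < MIN_KEY_BITS:
        findings.append(f"{ap['key_bits']}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    if not is_strong_password(ap["admin_password"]):   # blank factory defaults fail here
        findings.append("administrative password is blank, default or weak")
    if ap["http_mgmt"] and not ap["mgmt_acl"]:
        findings.append("web management must be limited to pre-defined stations")
    if ap["snmp_enabled"]:
        if ap["snmp_version"] != 3:
            findings.append("SNMP must be v3 or an equivalently protected protocol")
        if not ap["snmp_read_only"]:
            findings.append("SNMP must be read-only (least privilege)")
        if not ap["mgmt_acl"]:
            findings.append("SNMP requests must only be accepted from listed devices")
    return findings


def channel_conflicts(aps: list[dict]) -> list[tuple[str, str]]:
    """Pairs of APs on different WLANs whose channels differ by fewer than five.
    Assumes every AP in the list is within range of all the others."""
    return [(a["name"], b["name"])
            for a, b in combinations(aps, 2)
            if a["wlan"] != b["wlan"] and abs(a["channel"] - b["channel"]) < 5]


# Constructed inventory: a weak AP beside its corrected configuration.
WEAK_AP = {"name": "ap-lobby", "wlan": "staff", "channel": 6, "ssid": "PMU-Library",
           "ssid_broadcast": True, "encryption": "wep", "key_bits": 64,
           "admin_password": "", "http_mgmt": True, "snmp_enabled": True,
           "snmp_version": 2, "snmp_read_only": False, "mgmt_acl": []}
FIXED_AP = {**WEAK_AP, "ssid": "blue-k7", "ssid_broadcast": False,
            "encryption": "wpa2", "key_bits": 256, "admin_password": "K7#mountain9",
            "http_mgmt": False, "snmp_version": 3, "snmp_read_only": True,
            "mgmt_acl": ["10.0.5.2"]}
GUEST_AP = {"name": "ap-guest", "wlan": "guest", "channel": 9}   # constructed neighbour

if __name__ == "__main__":
    for ap in (WEAK_AP, FIXED_AP):
        print(ap["name"], ap["ssid"], audit_access_point(ap) or ["compliant"])
    print("channel conflicts:", channel_conflicts([WEAK_AP, GUEST_AP]))
```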

Monitoring & Audit

●     All wireless LANs and handheld devices must be routinely monitored and security audits performed to verify that security configurations comply with this policy, access points and wireless devices are authorized, and to identify unauthorized activity.

●     If DHCP is used in the environment, logs shall be reviewed for static addresses to determine if rogue access points have been installed.

●     Access logs and system audit trails shall be routinely monitored.

●     The ITD will conduct routine controlled penetration tests or packet sniffing/wireless traffic analysis on WLANs and within the coverage area.

●     All access points must have Intrusion Detection Systems (IDS) at designated areas on House property to detect unauthorized access or attack.
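The DHCP-log review required above works by comparing the hosts actually seen on a WLAN segment with the addresses the DHCP server handed out: a device that is on the wire but never took a lease is using a static address, and if it is not in the authorized access point inventory it needs investigation. The following is an added example, not part of the original policy; the log lines, host sweep and inventory are constructed, and the DHCPACK line format is an assumption loosely modelled on ISC dhcpd syslog output.

```python
"""Review DHCP logs against the hosts actually seen on a WLAN segment to find
statically addressed devices that are not in the authorized AP inventory.

Added example, not part of the original policy. The log lines, host sweep
and inventory below are constructed; the DHCPACK line format is an
assumption loosely modelled on ISC dhcpd syslog output.
"""
import re
from dataclasses import dataclass

# Constructed DHCP server log excerpt.
DHCP_LOG = """\
May  1 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.40.21 to 00:11:22:aa:bb:01 (lib-laptop-7) via eth1
May  1 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.40.22 to 00:11:22:aa:bb:02 (lib-tablet-3) via eth1
May  1 09:15:09 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:aa:bb:09 via eth1
May  1 09:15:10 dhcp1 dhcpd: DHCPACK on 10.20.40.23 to 00:11:22:aa:bb:09 via eth1
"""

# Hosts observed on the segment (constructed; e.g. from a switch MAC/ARP table sweep).
OBSERVED_HOSTS = [
    ("10.20.40.21", "00:11:22:aa:bb:01"),
    ("10.20.40.22", "00:11:22:aa:bb:02"),
    ("10.20.40.23", "00:11:22:aa:bb:09"),
    ("10.20.40.2", "AA:BB:CC:00:00:01"),   # authorized AP on a static address
    ("10.20.40.99", "de:ad:be:ef:00:42"),  # unknown host on a static address
]

# Authorized access point inventory (constructed): MAC -> device name.
AUTHORIZED_APS = {"aa:bb:cc:00:00:01": "ap-lib-01"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


ACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})", re.I)


def leased_macs(log: str) -> dict:
    """Return {mac: ip} for every DHCPACK in the log, MACs lower-cased."""
    leases = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group(2).lower()] = m.group(1)
    return leases


def find_static_hosts(log: str, observed) -> list:
    """Hosts seen on the wire whose MAC never received a DHCP lease."""
    leases = leased_macs(log)
    return [(ip, mac.lower()) for ip, mac in observed if mac.lower() not in leases]


def review_for_rogue_aps(log: str, observed, authorized: dict) -> list:
    """Flag static hosts missing from the AP inventory, plus inventoried APs that took a lease."""
    findings = []
    for ip, mac in find_static_hosts(log, observed):
        if mac in authorized:
            continue  # inventory says this statically addressed device is ours
        findings.append(Finding(ip, mac, "static address, not in authorized AP inventory"))
    # APs are expected to be static here; one taking a lease suggests a misconfiguration
    # or a device spoofing an inventoried MAC, so it is reported rather than ignored.
    for mac, ip in leased_macs(log).items():
        if mac in authorized:
            findings.append(Finding(ip, mac, "authorized AP obtained a DHCP lease; verify device"))
    return findings


if __name__ == "__main__":
    for f in review_for_rogue_aps(DHCP_LOG, OBSERVED_HOSTS, AUTHORIZED_APS):
        print(f"{f.ip:<14} {f.mac}  {f.reason}")
```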

 

Systems Administrators/Vendors/Users Responsibilities

●     System Administrators / Vendors are required to operate Wireless LANs and devices in a secure manner.

●     The System Administrators' / Vendors' job includes proper authorization and termination of access, proper configuration and placement of wireless components and associated security technologies, routine, random, and event-driven maintenance, support for monitoring and audit functions, etc.

●     System Administrators / Vendors are required to change factory default settings and use strong administrative passwords on all wireless devices to ensure a higher level of security. (On some wireless devices, the factory default password is blank.) All insecure and nonessential management protocols must be disabled.

●     To the extent possible, System Administrators / Vendors shall ensure that their wireless implementation and associated security technologies are up-to-date with evolving standards and best practices.

●     System Administrators / Vendors are required to maintain a list of authorized wireless device users to enable them to perform periodic inventory checks and security audits.

●     Wireless users must only access information systems using approved wireless device hardware, software, solutions, and connections.

●     Wireless users must act appropriately to protect information, network access, passwords, cryptographic keys, and wireless equipment.

●     Wireless users are required to report any misuse, loss, or theft of wireless devices or systems immediately to the IT Department. (Planning & Control)

Minimum Security Requirements

Further additions will be made to the checklist in the case of a new release, version, or change in technology. Each point in this section has a check box which must be filled with “Y” for available and “N” for not available. Please read the points carefully before filling in the check boxes.

Reduce your WLAN transmitter power

This feature is not available on all access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it is usually impossible to fine-tune a signal so precisely that it will not leak outside your home or business, with some trial and error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.

Authentication

Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. Cisco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server.

Supplement on Email Accounts

 

Policy Statement

This functional policy covers PMU's E-mail usage. Communications and operational management of information resources and systems are essential to maintaining a high level of service to PMU Users. Therefore, security requirements will be developed and implemented to maintain control over Electronic Mail Usage.

 

It is each user’s responsibility and obligation to ensure that all IT resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption.

Objective

The objective of these Information Security Policies is to secure PMU’s Information Assets and staff.

Each policy statement in this policy wherever required is supported by standards, procedures to achieve a complete security framework in the PMU which includes

Purpose and Scope

To establish easy and secure policies for electronic mail used by all PMU personnel, and to provide an organized and professional method to follow in PMU that limits usage, controls e-mail behaviour, etc.

 

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

 

Governing Policy

The following Executive Policy statements govern the email usage:

●     Email Domain of PMU: <user>@pmu.edu.sa

(i.e. the first letter of the first name followed by the last name / family name)

●     E-mail must only be available to PMU employees and students.

●     No offensive material must be sent using E-mail.

●     Functional policies for the use of E-mail must be developed and controls put in place to reduce security risks created by electronic mail.

●     Content scanning must only be enforced in checking for malicious software, viruses or violations.

●     Formal agreements must be established for the electronic or policy exchange of information and software between organizations.

●     PMU’s policy on Internet, Intranet and E-mail services access and use provides that usage of these services by PMU employees must be compatible with the organisation's objectives.

●     The implementation of the E-mail, Internet and Intranet policy is aimed at ensuring that all employees and independent contractors are made aware of the disciplinary sanctions that PMU must impose on any unauthorized and/or unacceptable use of these services.

●     The policy is also implemented to minimize the risk of civil and/or criminal liability to the organization through the unauthorized and/or unacceptable use of the E-mail, Internet and Intranet services.

●     Every outgoing e-mail from PMU should carry a disclaimer.

 

Electronic Mail Functional Policies

Access to E-mail: All requests for e-mail access must be forwarded by HR to ITD Helpdesk for account creation.

Acceptable and Unacceptable Use of E-mail Business Use

E-mail communication enables PMU employees and other types of workers to send messages and memoranda between workers within PMU, and also between PMU, business partners, vendors and required domains, more effectively.

This service must not, however, offer an opportunity for abuse of resources or inappropriate use of this medium, which could expose PMU to significant risks. Therefore e-mail facilities will only be available to PMU users who follow the formal procedures and accept the policy rules.

 

Conditions on Academic and Business Use

Email usage in PMU for academic and business use must be within, but is not limited to, the following conditions:

●     Employees may not use e-mail for personal or commercial purposes.

●     Access to e-mail from a PMU-owned home-based computer or through PMU-owned connections must adhere to all the same functional policies that apply to use from within PMU facilities.

●     Employees shall not allow family members or other non-employees to access PMU e-mail system via linked home computers.

●     Disciplinary action may follow misuse of PMU e-mail facilities, including, but not limited to, the actions stated below:

○     Unauthorized attempts to break into any computer;

○     Theft or copying of electronic files without permission; and

○     Sending PMU files outside the PMU to unauthorized personnel.

 

Personal Use

PMU understands that many users work at non-traditional times, for example outside working hours, and that these activities infringe on “personal time”. PMU therefore allows incidental and infrequent personal use of e-mail.

 

Conditions on Personal Use

Users may use e-mail for incidental personal purposes on condition that:

●     It does not consume significant amounts of the user’s workday.

●     It does not consume substantial amounts of PMU bandwidth in such a way that it negatively impacts upon the PMU e-mail system or other PMU users, either directly or indirectly. PMU bandwidth could be impacted by distribution of the following:

○     Large e-mail messages. Users should consider using compression utilities such as Zip before sending large e-mail messages.

○     Large e-mail attachments can instead be placed on shared documents if they are being used for local communication, with a hyperlink passed to access the required files, which will reduce bandwidth usage drastically.

○     Attachment types such as JPEG, JPG, AVI, chain letters, jokes, bitmaps, etc. cannot be circulated using PMU infrastructure services.

 

Note: There are many free services on the Internet to share images and video files. Do not use university resources to distribute large files to large groups of people.

 

Privacy of PMU E-mails

As PMU allows the incidental and infrequent personal use of e-mail, users must be aware of the restrictions placed on the privacy of e-mail.

●     Electronic mail is private and owned by the sender and each recipient account holder.

●     The contents of e-mail will not be monitored, censored, or otherwise examined except:

○     With specific authorization from the head of the Department as part of required system administration;

○     Investigations may require the examination and release of any document, including electronic files such as e-mail. Should any PMU user be involved, the ITD Department will act only under specific instructions from a business unit manager to ensure that individual rights, including rights to privacy and due process, are maintained; and

○     A special condition exists for users who receive e-mail associated with their job responsibilities and where their direct supervisor or others in the department need to have access to their e-mail. ITD will continue to maintain the privacy of such mail.

 

Expressly Prohibited Use

The creation, transmission, receipt or storage of certain content may be in violation of regulatory and statutory requirements and is therefore prohibited within PMU. This content includes, but is not limited to, the following:

●     Unprofessional Threats;

●     Pornographic or sexually explicit material, including unsolicited SPAM that is spoofed and circulated;

●     Material containing derogatory racial, gender, religious or hate-oriented comments;

●     Discriminatory language or remarks that would constitute harassment of any type.

●     Any other comments that offensively address someone’s age, political beliefs, national origin, or disability.

 

E-mail Manners

Any form of communication is most effective if it conforms to etiquette acceptable to both the sender and the recipient of the message. Therefore the following principles should be followed when using e-mail:

●     Be concise - long messages often lose their emphasis.

●     If you have received a message as a part of a group of recipients consider a reply to only the author rather than to the entire group.

●     As with any written form of communication, attention to proper grammar, spelling, etc. will convey your message most effectively.

●     Remember that even though the medium is electronic, the recipient of the message is another human.

 

Unsolicited E-mail

When a staff member receives unwanted e-mail (junk mail or SPAM), they must refrain from responding directly to the sender. Instead, they should forward such e-mail to the IT-Help desk, which will forward the case to the appropriate technical resource for remediation.

 

Representing PMU Liability

Users must be aware that in using PMU e-mail facilities they are representing PMU.  It is therefore important that the use of e-mail must be in accordance with the following:

●     Users should consciously build and preserve PMU's image when they use e-mail for communication. When applicable, users should attach the official PMU headers and disclaimers to e-mail. A disclaimer could state the following:

○     This message (including attachments) is intended for the addressee named above. It may also be confidential, privileged and/or subject to copyright. If you are not the addressee named above, you must not forward this message to others, disseminate, copy, communicate, otherwise use, or take any action in reliance on this message. You understand that any privilege or confidentiality attached to this message is not waived, lost or destroyed because you have received this message in error. If you have received this message in error, please notify the sender and delete it from any computer.

○     Unless explicitly attributed, the opinions expressed in this message do not necessarily represent the official position or opinions of PMU.

○     Whilst all care has been taken, PMU disclaims all liability for loss or damage to person or property arising from this message being infected by a computer virus or other contamination.

●     The creation of business e-mail is equivalent to the creation of any other PMU document. Therefore, users must use the same degree of care and seriousness associated with the drafting of PMU documents when composing business e-mail messages.

●     The quality of written or verbal communications reflects on PMU.  Users should always strive to use good grammar, correct punctuation, and acceptable language.

●     Users are not allowed to enter into any contractual agreement for or on behalf of PMU using e-mail.

 

Disclaimer of Liability

PMU is not responsible for material viewed or received by users from the Internet or other public e-mail systems.  Users are cautioned that these communications may include offensive, sexually explicit, and/or other inappropriate material.

Having an e-mail address may lead to receipt of unsolicited messages containing offensive content.

 

Electronic Fraud

As electronic fraud may be possible via e-mail, users must adhere to the following:

●     Impersonation

 

○     Impersonation of another user when using e-mail is prohibited within PMU.

○     Users should not allow others to use their e-mail accounts. If a user has no option but to allow this, the user must understand that they will be held responsible for all actions performed on their e-mail account.

●     Anonymous E-mail: Anonymous e-mail may be used in the event of:

 

○     A user reporting an incident due to wrongdoing caused by another PMU user may send anonymous e-mail.

○     Users requesting medical information, without disclosing their identity.

 

Computer Viruses

 

A computer virus is a software program intended to damage, delete or perform other harmful actions to a user’s data. It is therefore important that users adhere to the following when receiving e-mail from an unknown source:

●     Users must ensure that all e-mail attachments are scanned for viruses before opening, using approved PMU anti-virus software.

●     Users must immediately report any malfunction that might be related to a computer virus to the IT-Helpdesk.

●     When accessing public e-mail servers (e.g. hotmail) or when connecting to public SMTP servers from a workstation that is linked to the PMU network, users must ensure that any attachments are scanned for viruses on the user’s workstation.

●     Users must read and comply with the Protection Against Malicious Software and Viruses Functional Policy.

 

Transmitting Confidential Information

Addressing E-mail

●     When a user sends e-mail, it is the user’s responsibility to ensure that the e-mail address of the recipient is correct.

●     When a user recognizes that a mail item has been incorrectly addressed to them, the user should inform the sender, return the mail, and delete it.

●     The user must ensure that their personal information on directories and/or address books is kept up to date.

 

Information Protection

●     Prior to e-mailing or forwarding proprietary data, the e-mail options should be set to confidential. The message should be given the subject confidential.

●     Documents containing proprietary information should be individually password protected.

●     The sender and receiver should agree on the password by calling in advance. Under no circumstances should sensitive information be sent without a password.

●     The sender should also ensure that the receiver is able to retrieve the message from the e-mail address to which it is sent – in terms of the software used to create the e-mail as well as any attached documents.

●     The e-mail system should not be used to communicate details of the password.

●     The message recipient should be asked to confirm receipt of the document.

○     In this subsection, “proprietary information” refers to information that is “confidential” and/or “critical”.

E-mail Software

Only authorized email software may be used; no re-mailer (mail bomber) software will be permitted for any purpose.

 

Retention of E-mail Messages

E-mail shall be retained for periods that would normally apply to written or facsimiled transactions. Where precise retention periods need to be defined, they should be defined in conjunction with PMU IT Department.

Supplement on Software Copyright Compliance

 

Policy Statement

This functional policy covers PMU’s Software Licensing and Compliance. This is to ensure that all PMU assets must be accounted for and controlled in the proper manner, for both physical and logical assets. These assets are crucial to PMU’s success and must be protected by the proper controls to minimize any risk of harm, disruption of services or disclosure of proprietary information.

 

It is each user’s responsibility and obligation to ensure that all IT resources are used only for their intended business purpose and that information contained in or transmitted via these resources is protected from unauthorized use, appropriation, or corruption.

Objective

The objective of these Information Security Policies is to secure PMU’s Information Assets and staff. Each policy statement is supported by standards and procedures to achieve a complete security framework in the PMU.

Purpose and Scope

●     All Information Assets (Digital Media)

●     All software assets

●     All physical assets, such as computer and network equipment.

●     All supporting services, such as power and network link

●     All management information systems

●     All business activities supported by PMU.

●     All of the above are either owned or leased by the PMU and under the PMU possession, custody, or control.

 

General Responsibilities

It is the responsibility of the different departments/offices and each employee to take necessary steps for ensuring compliance with the guidelines in this policy, and any further Policies and Procedures that may be added in due course of time.

 

Governing Policy

The following Executive Policy Statements govern the Functional Policies on Software Licensing and Compliance listed in this document:

 

●     Arrangements involving third party access to organizational information processing facilities must be based on a formal contract that must contain all necessary security requirements accompanied with appropriate responsibility and confidentiality undertaking. Any violations thereto must be dealt with accordingly.

●     Owners must be identified for all major assets and the responsibility for the maintenance of appropriate controls must be assigned.

●     All Employees and third parties such as contractors, consultants, business partners and outsourced staff must sign a confidentiality agreement as part of their initial terms and conditions of employment.

●     Detection and preventive controls to protect information and information processing facilities against malicious software and appropriate user awareness procedures must be implemented.

●     Formal agreements must be established for the electronic or policy exchange of information and software between organizations.

●     Procedures for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly.

●     Control must be applied for the implementation of software on all systems.

●     All data must be protected and controlled.

●     Strict control must be maintained over access to program source libraries.

●     The purchase, use and modification of software must be controlled and checked to protect against possible covert channels and Trojan code.

●     Controls must be applied to secure outsourced software development.

●     Appropriate procedures must be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights and on the use of proprietary software products.

 

Software Licensing and Compliance Functional Policies

 

Protection of Intellectual Property

●     All software and/or applications developed for PMU by third parties are the property of PMU. This must be conveyed to all third parties that develop software or applications for PMU use, to prevent any dispute about ownership of the software once a project is completed.

●     Software developed by PMU employees on company time becomes the property of PMU.

User Responsibilities regarding Software Licensing

●     Purchase and use of third party software must be in accordance with third party licensing agreements. These agreements may include specific user restrictions such as:

○     The number of copies allowed to be installed;

○     The number of machines the software can be installed on;

○     The number of concurrent users of the software allowed at any one time; and/or

○     The customer support levels (onsite or phone) may also be specified within the agreement.

●     Only appropriately licensed software may be placed on or used in a resource. Such software may only be for the purpose of conducting PMU business.

●     Employees are to be provided appropriately licensed copies of software necessary to perform their assigned tasks. Employees must not be asked or expected to perform tasks for which appropriately licensed software has not been provided.

●     Some software licenses allow for the user to make a copy for home use or home-based business use in conjunction with the business use of the software. A user of licensed software at work should not assume that such provision is in place. Prior to installing copies of software at home, employees must obtain confirmation of their rights in writing from relevant management.

●     Internal Audit, in conjunction with ITD, must perform periodic reviews of software usage on PMU PCs, laptops and servers to ensure that it is in compliance with licensing agreements.

●     All software found in violation must be removed immediately.  Parties responsible for loading and/or using non-compliant software will be subject to corrective actions by management.

●     The implementation of new or upgraded software must be carefully planned and managed, ensuring that the increased Information Security risks associated with such projects are mitigated using a combination of procedural and technical control techniques.

 

User Responsibilities Regarding Software Copyrights

The unauthorized use, copying, or distribution of copyrighted software is not allowed.

Unauthorized acts include, but are not limited to, the following:

●     Making extra copies of computer-based software for use on other computers unless specifically allowed through a licensing agreement;

●     Putting copies on a network in unprotected environments where they may be copied by others;

●     Obtaining copies of software from others without paying the appropriate licensing fees;

●     Unauthorized distribution of software by electronic mail.

To comply with government mandates and to ensure ongoing vendor support, the terms and conditions of all End User License Agreements are to be strictly adhered to:

●     All users of software on PMU Information Systems must strictly abide by copyright laws and restrictions detailed by the software manufacturer and the Agreements signed therewith.

●     A copyright notice must be used to protect software or other copyrighted materials developed by or for PMU.

 

Obtaining and Using Software

Software Definitions

Software that can be obtained from sources other than ITD can be defined as follows:

 

●     Evaluation Software: Evaluation software is limited software that has some of its features disabled. This software usually allows the use of a fair number of features in order to entice a user to purchase the full product.

●     Public Domain Software: Public domain software is made available with no restrictions on its distribution or copying. However, unless there is a statement to the effect that the software is in the public domain, the user should assume the author retains the copyright to the software.

●     Freeware Software: Freeware is free and was developed to provide end users with a new application. There are no license restrictions on these programs.

●     Shareware Software: Shareware is software that can be downloaded, tried and evaluated for its use, and its full-featured program can be bought for a nominal fee. If not bought, shareware programs usually either stop functioning after a period of time or continue working but will never have all of the features that the purchased version would have.

●     Application Software: Application software is software containing business application programs that may have been developed in-house or by a third party, or may have been purchased off-the-shelf.

Evaluation and Public Domain Software

Obtaining or downloading of evaluation and public domain software from other than PMU sources is permitted only under the following conditions:

 

Selecting Business Software Packages

 

●     The software must be required for a legitimate business purpose and approved by management.

●     Use of the software must comply with all applicable copyright and license agreements.

●     It is recommended that the software be obtained only from known vendors or suppliers, ideally those with whom PMU currently does business or is considering doing business.

●     At a minimum, an evaluation as to the safety and reliability of the vendor or provider of the software must be performed by the person obtaining the software.

●     The person obtaining the software should check it for viruses, trap doors, and other malicious code. A reasonable evaluation must be performed on a single system or in a test environment lab before deploying the software to others.

●     If the software is found to be creating security vulnerabilities or causing system or network problems, the problem causing the identified vulnerability must be corrected in a timely manner or the software must be removed immediately.

 

Freeware and Shareware Software

Obtaining or downloading of freeware and shareware software from other than PMU sources is permitted only if the conditions laid out by this functional policy are adhered to. In addition, the following should be noted:

●     Software distributed in this manner is often inadequately tested, e.g., Beta versions of software. The software may not work correctly, or may cause problems with other approved software.  ITD has no obligation to support this software or resolve any problems it causes, unless arrangements have been made in advance with ITD Management;

●     The supplier or vendor of such software may refuse to make modifications or provide support for the software in the future; and

●     Shareware, where required, must be licensed and users must strictly abide by copyright laws and restrictions detailed by the software manufacturer. This includes the terms and conditions when downloading the shareware or freeware.

Purchasing Software

All requests for new application systems or software enhancements must be presented to management with a Business Case, with the business requirements presented in a User Requirements Specification document.

●     Proof of purchase is required for all licensed software installed on a PMU personal computing device.

●     Proof of purchase may be demonstrated by possession of one or more of the following:

○     Original purchase order (or a copy of the original purchase order);

○     Receipt or packing slip from the vendor;

○     Software right-to-use license; and

○     Original serialized software CD or diskette.

Proof of purchase is not required for site-licensed software obtained through authorized procedures. However, users must ensure they are in compliance with the software license before copying or loading site-licensed software.

Proof of purchase must be kept and filed for reference and audit purposes.

Protection of Software

Protection of Computing Software

●     CDs and DVDs and other removable media containing software programs must be locked in secure file cabinets when not in use.

●     CDs and DVDs and other removable media containing application software programs must be kept under the custody of ITD.

Return of Computing Software

●     Software stored on PMU personal computing devices must be returned together with the personal computing device to PMU upon termination of employment or work contract.

●     Off-site copies, including copies stored on personally owned computers (when permitted by the license agreement) must also be returned (or erased, where appropriate) at the same time.