ICT Policies & Procedures

ICT - Imam Abdulrahman Bin Faisal University · ICT Infrastructure-All electronic communication devices, networks, data storage, hardware, and network connections to external resources


Contents

• Acceptable Use Policy
• Backup Policy and Procedures
• Bandwidth Use Policy
• Data Classification Policy
• Information Security Policy
• Network Access Control Policy
• OneDrive Cloud Storage Policy
• Password Policy
• ICT User Authentication Policy
• Web Hosting Policy with Third-Party Service Providers
• Core ICT Services Service Level Agreement


Acceptable Use Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.2
Policy: Acceptable Use Policy
Posted Date:
Approval Date:
Page:

Objective: To ensure the appropriate use of the University’s Information and Communication Technology (ICT) Services and define the responsibilities of users of the University’s ICT Services and Infrastructure.

Responsible Official:
Responsible Office:
Signature:

ITC Reference Policies:

(a) Information Security Policy

(b) Password Policy

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. These facilities are expected to be used for educational, instructional, research, professional development and administrative activities of the University. The use of these resources is a privilege that is extended to qualified members of the community. Access to computers, computing systems and networks owned by the University imposes certain responsibilities and obligations and is subject to university policies and codes and the Kingdom’s local laws. It is important that these ICT resources are used for the purpose for which they are intended. All users of these resources must comply with specific policies and guidelines governing their use, and act responsibly while using shared computing and network resources.

The ICT Acceptable Use Policy (AUP) informs the University’s faculty, support staff, students, management and other individuals authorized to use University facilities of the regulations relating to the use of ICT systems. The University expects users to use the ICT facilities in an appropriate and responsible manner in accordance with this policy. Anyone who abuses the privilege of the ICT resources, either directly by promoting inappropriate activities or by misuse, or indirectly by inadvertently allowing unauthorized users access for personal and professional purposes, will be subject to sanctions or legal action.

Introduction

The University provides ICT for its educational purposes, particularly teaching and research, as well as for reasonable personal use which is acceptable to the University environment. University of Dammam allows users to access the computing and network resources in order to facilitate them in carrying out their duties, and the university expects these resources to be used for purposes related to their jobs and not for unrelated purposes. These resources include all university owned, licensed, or managed hardware and software, and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network. The purpose of this policy is to promote the efficient, ethical and lawful use of the University of Dammam’s computer and network resources.

Acceptable Use Policy Objectives


The following are the objectives of acceptable use policy:

1. Provide guidelines for the conditions of acceptance and the appropriate use of the computing and networking resources provided for use by academic, professional and support staff and students of the University.

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.

3. Encourage users to understand their own rights and responsibility for protecting the University ICT resources.

4. Protect the privacy and integrity of data stored on the University network.

5. Elaborate the consequences of the inappropriate use of these resources.

Outcomes of the Policy

By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Policy Rationale

There needs to be commitment to protect UOD faculty, students, staff, management and contractors from illegal or damaging action by individuals, either knowingly or unknowingly. Inappropriate use of these ICT resources exposes UOD to risks including virus attacks, compromise of network systems and services, and legal issues.

Entities affected by this Policy

This policy applies to all the community of University of Dammam using computing and network resources. These include:

• Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.
• All ICT equipment connected (locally or remotely) to University servers.
• ICT systems owned by and/or administered by the Deanship of ICT.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.
• All external entities that have an executed contractual agreement with the University.

Business Impact of No AUP

The potential adverse business impact to the university due to lack of acceptable use policy may include:


• Violations of either personal or copyrighted material
• Security breaches
• Bad publicity and embarrassment to individuals or University
• Identity or financial fraud

Policy Benefits

1. It will define the responsibilities of users of the University’s ICT Services and Infrastructure.
2. It will deter unacceptable ICT use by declaring the punitive actions for such an act.
3. Fair use of services.
4. Better service quality.

Section B – Policy Statement:

Acceptable Use Policy Statements:

1. This policy applies to all users of computing resources owned or managed by University of Dammam. Individuals covered by the policy include (but are not limited to) UoD faculty and visiting faculty, staff, students, alumni, guests or members of the administration, external individuals and organizations such as contractors and their employees accessing network services via UoD’s computing facilities.

2. The resources should be used for the purpose for which they are intended.

3. Users must adhere to the confidentiality rules governing the use of passwords and accounts, details of which must not be shared.

4. Users may use only the computers, computer accounts, and computer files for which they have authorization.

5. The university encourages and promotes using the university email for administrative, learning and professional purposes. Hence, users must use their university email in their business communications.

6. The only way to access the university’s network is to have a valid account; any other way, such as plugging one's own internet connection into the university network, shall be considered a violation.

7. All users of the university’s network and computing resources are expected to respect the privacy and personal rights of others.

8. The University reserves the right to monitor all activities performed by users on the internet by recording and reporting without the consent of the user.

9. The University has the right to block any site or group of sites according to its policies and will take necessary action against violations of this policy.

10. The University reserves the right to make any amendments to this policy at any time.

11. Users who discover or find security problems or suspicious activity must immediately contact Technical Support of the DICT.

Unacceptable Use Policy

1. Users must not use the university network in any illegal manner (e.g. for commercial purposes), nor use it to log in to or browse illegal web sites or content.

2. Users must not disclose their login information and access or copy another user’s email, data, programs, or other files.

3. Users must not attempt to violate or compromise the security standards on the University network or any other device connected to the network or accessed through the Internet.

4. University network may not be used for the creation, dissemination, storage and display of obscene or pornographic material, abusive, indecent, obscene, and defamatory or hate literature etc.

5. University users should not create illegal copies or violate copyright protected material in order to use, or save such copies on University devices or send them through the University network. This policy also prohibits illegal use such as sending, downloading or publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against Islamic values.

6. This policy prohibits users from adding, deleting, or modifying any information on the university network in an attempt to disrupt or mislead others.

7. Users are not allowed to engage in any activity that may adversely affect the ability of others to use the Internet services provided by the university, e.g. denial of service attacks, hacking, virus, or consuming gratuitously large amounts of system resources (disk space, CPU time, print quotas, and network bandwidth) or by deliberately crashing the machine(s).

8. The university prohibits downloading any programs and installing them on the university’s computers. Any such request should be made through DICT technical support.

9. Non-serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal areas is not permitted.

10. DICT is not responsible for internet content browsed by the end user, or for problems that the user may encounter from browsing untrusted websites.

Policy Breaches:

Anyone who breaches this policy will be subject to any or all of the following actions:

a. Suspension of the university internet account/access.

b. The referral of the case to the University management along with supporting evidence for an appropriate action.

c. The case may be investigated by the Communication & Information Technology Commission (CITC), Saudi Arabia, who may initiate criminal investigation according to the e-crimes regulations. More information regarding these regulations may be found here.

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Device - Any computer or electronic device capable of accessing, storing and communicating data.

End Host Device - An electronic device which can be connected to a network. End Host Devices include, but are not limited to:

• Desktop computers
• Notebook computers
• Workstations
• Servers
• Network Printers
• Telecommunications equipment
• Wireless Devices and
• Other network aware devices

ICT Facilities – All computers, terminals, telephones and communication links, end host devices, licences, centrally managed data, computing laboratories, video conference rooms, and software owned or leased by the University.

ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


Backup Policy and Procedures


Deanship of Information & Communications Technology

Policy Number: ICT.2013.4
Policy: Backup Policy and Procedures
Posted Date:
Approval Date:
Page:

Objective: This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. It also lays emphasis on verifying that backups and recoveries are completed without errors.

Responsible Official:
Responsible Office:
Signature:

ITC Reference Policies:

(a) Information Security Policy

(b) Operational Unit Data Center SLA

Executive Summary

University of Dammam (UOD) Information and Communication Technology (ICT) resources have been provided to support University business and mission. The unprecedented growth in data volumes has necessitated an efficient approach to data backup and recovery. Deanship of Information & Communications Technology (DICT) recognizes that the backup and maintenance of data for servers are critical to the viability and operations of the respective departments. It is essential that certain basic standard practices be followed to ensure that data files are backed up on a regular basis.

This document defines the backup policy for computer systems within the organization which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. The policy outlines the minimum requirements for the creation and retention of backups. The main purpose of this policy is to provide secure storage for data assets critical to the work flow of official university business, prevent loss of data in the case of accidental deletion / corruption of data, system failure, or disaster and permit timely restoration of archived data in the event of a disaster or system failure.

Introduction

This document outlines a set of policies and procedures for Data Backup and Retention to facilitate restoration of applications and associated data. It also lays emphasis on verifying that backups and recoveries are completed without errors.

Purpose

To ensure server and data continuity and to support the retrieval and restoration of archived information in the event of a disaster, equipment failure, and/or accidental loss of files.

Goals


The goals of this backup policy will be as follows:

• to safeguard the information assets of University of Dammam (UoD) Community.

• to prevent the loss of data in the case of accidental deletion or corruption of data, system failure, or disaster.

• to permit timely restoration of information and business processes should such events occur.

• to manage and secure backup & restoration processes and the media employed within these processes.

Scope

The Deanship of ICT (DICT) Operational Unit (OU) is responsible for providing policy-based, system level, network-based backups of server systems under its stewardship. This document outlines the policies for backup implementation that define:

• Selections: what information needs to be backed up on which systems.

• Priority: relative importance of information for purposes of performing backup jobs.

• Type: the frequency and amount of information to be backed up within a set of backup jobs.

• Schedule: the schedule to be used for backup jobs.

• Duration: the maximum execution time a backup job may execute prior to its adversely affecting other processes.

• Retention Period: the time period for which backup images created during backup jobs are to be retained.

Backup Creation

Backups will be created using industry standard data backup software that supports “enterprise level” data assurance. The product, defined by the data backup standard, must support scheduled backups, full or differential or incremental backups, and centralized management.

System Backup Profiles

The DICT Operational Unit maintains the following types of backup profiles:

1. Standard Backup:

• The standard backup is provided for most centralized University computer systems.

• The backup could be full, differential or incremental. The frequency of backup could be daily, weekly or monthly and is dependent upon the application. The retention of these backups could vary from 1 week up to 2 months.

• For some applications backup is performed on a day and time agreed upon by the OU and application owner.

• Appendix I shows the applications along with backup type, frequency of backup and retention period.

2. Critical System Backup:

• Certain enterprise-wide systems are deemed critical to University operations and dictate longer retention periods from 6 months up to 1 year.

• The type, frequency and retention period is different for different applications.

• Prior to a major upgrade of a production system, database, or application, a full system backup is performed and retained for 6 months.

• Appendix I shows the applications along with backup type, frequency of backup and retention period.

3. Special Request Backup:

Some departments or applications may require an exception to the standard backup retention periods mentioned above. Exceptions are permitted, but must be fully documented.

4. No Backup:

ICT Services is responsible for backing up data that is stored in central systems and databases. Data residing on individual workstation hard drives is the responsibility of the user to back up. Furthermore, the systems that fall under this category might include development or test systems that do not contain important business or academic data. Students, faculty, staff and third parties who store data on University equipment are responsible for ensuring the data is stored in a way that will ensure it is properly backed up. However, most systems that are centrally managed by DICT are backed up on one of the schedules listed above.

Storage Locations and Retention Period of Backups

Unless a system supporting an application or business function requires a custom retention period, DICT will maintain full and incremental backups. Backup tapes for the current weekly backup period will be stored within the DICT for purposes of current backups and restores.

Tapes representing backups from the former weekly backup period will be stored within a secured, fire-proof place until such time as the backup images stored on these tapes expire and the tapes are re-used or destroyed.

After a successful backup, it will be stored in a secure, off-site media vaulting location for an appropriate period for disaster recovery purposes.

This will ensure that no more than one week of information would be lost in the event of a disaster in which campus systems and backup images are destroyed. After the period of six months has elapsed, the tapes may ‘optionally’ be returned to DICT and re-used or destroyed.

Backup Verification

On a periodic basis, logged information generated from each backup job will be reviewed for the following purposes:


• to check for and correct errors

• to monitor duration of the backup job

• to optimize backup performance where possible

DICT will identify problems and take corrective actions to reduce any risks associated with failed backups. Test restores from backup tapes for each system will be performed. Problems will be identified and corrected. This will work to ensure that both the tapes and the backup procedures work properly.

DICT will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

Media Management

Media will be clearly labeled and logs will be maintained identifying the location and content of backup media. Backup images on assigned media will be tracked throughout the retention period defined for each image. When all images on the backup media have expired, the media will be re-incorporated amongst unassigned (available) media until reused. Periodically and according to the recommended lifetime defined for the backup media utilized, DICT will retire & dispose of media so as to avoid media failures.

Storage, Access, and Security

All backup media must be stored in a secure area that is accessible only to designated OU staff or employees of the contracted secure off-site media vaulting vendor used by DICT. Backup media will be stored in a physically secured, fireproof place when not in use. During transport or changes of media, media will not be left unattended.

Retirement and Disposal of Media

Prior to retirement and disposal, DICT will ensure the following:

• the media no longer contains active backup images or that any active backup images have been copied to other media

• the media’s current or former contents cannot be read or recovered by an unauthorized party.

• with all backup media, CICT will ensure the physical destruction of the media prior to disposal.

Disaster Recovery Considerations

As soon as is practical and safe post-disaster, DICT will:

• Restore existing systems to working order or obtain comparable systems in support of defined business processes and application software.

• Restore the backup system according to documented configuration so as to restore server systems.

• Obtain all necessary backup media to restore server computing systems

• Restore server computing systems according to the priority of systems and processes as outlined for restoration and recovery in the Disaster Recovery Plan.

Documentation

Essential documentation will be maintained for orderly and efficient data backup and restoration. The person-in-charge of data backup should fully document the following items for each generated data backup:

S. No.    Action Item    Action

Date of data backup

Type of data backup (incremental, differential, full)

Number of generations

Responsibility for data backup

Extent of data backup (files/directories)

Data media on which the operational data are

Data media on which the backup data are stored

Data backup hardware and software (with version number)

Storage location of backup copies


Bandwidth Use Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.5
Policy: Bandwidth Use Policy
Posted Date:
Approval Date:
Page:

Objective: The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users by proper management and control of bandwidth. All in all the bandwidth usage policy shall set guidelines important to use bandwidth as a scarce resource in the university.

Responsible Official:
Responsible Office:
Signature:

ITC Reference Policies:

(a) Acceptable Use Policy

Executive Summary

University of Dammam provides high speed internet access as a service to its management, faculty, students, researchers and administrative staff. The purpose of the bandwidth usage policy is to enhance the internet usage of UoD users caused by improper management and control of bandwidth. The bandwidth is a precious shared resource and hence ought to be dedicated for teaching, learning and research purposes. Its usage should be in line with the university mission, vision and strategy. This bandwidth policy is prepared to define the appropriate use of bandwidth in the university so that optimum gains are achieved from the network.

Bandwidth Use Policy Objectives

The following are the objectives of the policy:

1. to establish awareness and accountability for bandwidth use

2. to educate the users of the priority related to internet traffic

3. to provide guidelines for responsible use

Scope

The aim of this policy is to manage bandwidth use proactively in order to avoid degradation of network performance. This policy applies to all users of University of Dammam accessing computing and internet resources, whether initiated from a computer and/or network device located on or off campus.

Audience

This policy shall apply to all faculty, management, staff and students of University of Dammam and guests who are given access to the UoD network. All users are to be made aware of the policy and sign it as appropriate.

Section B – Policy Statement:

• Bandwidth may be used for any activity supporting teaching, research and consultancy in such a way that it will not prevent other users from using the same.

• DICT maintains the right to use monitoring tools that log and analyze bandwidth usage of all users of the network. However, the collected data is to be used exclusively for the purpose of enhancing proper bandwidth usage.

• DICT maintains the right to block any traffic that is not in line with the university mission and vision and that wastes bandwidth.

• DICT maintains the right to give priority for one type of traffic over the other based on predefined rules.

• Whenever necessary, DICT maintains the right to give priority to some users more than others by giving more access to bandwidth. This will be based on the relevance of the work to the university’s mission.

• DICT maintains the right to enforce user authentication for using the Internet by assigning users accounts and keeping logs of usage history for analysis of users' usage behavior. Users will be responsible for all usage history registered in their account.

• DICT Internet users shall use the proxy server to access the Internet for centralized bandwidth monitoring and management purposes.

• Bandwidth may not be used for any non-educational activities or activities that consume bandwidth for the benefit of a few users.

• Users should not engage in activities such as hacking, cracking, spamming, streaming, web serving and p2p file sharing using the university's resources.

• DICT users may not be allowed to do tasks that disturb the bandwidth management and optimization system on any machine connected to the network.

• Bandwidth quotas are applied to all traffic passing between student computers and the Internet.

Excessive use of the network

• To ensure that all qualified users making use of the internet resources receive a fair share of the bandwidth available, each individual’s bandwidth is limited to no more than 1GB in a rolling 24-hour period.

• Individual bandwidth will be calculated as the combined network traffic from all personal computer systems used. This includes use of the wired network service, the VPN and wireless network services. However, the internal university traffic including email services and access to central file servers will be exempted.

Exceptions

• Users who have a genuine academic requirement for a larger quota should identify this need before exceeding their quota, and should then follow the below process:

o Obtain authorization for a higher quota from user’s respective Dean or Manager
o Present the request and supporting authorization to the DICT and be prepared for a discussion.
o Properly supported requests will normally be granted, provided that their impact on the use of the network as a whole is not disproportionate.


Consequences of exceeding the Bandwidth usage

• Users will be allocated to a restricted network which will allow access to only authorized university web based systems. This includes university website, departmental websites, VLE and SIS.

• Users should use this time to identify the cause of the high bandwidth usage. If users require help rectifying the problem then they should contact the ICT Service Desk.

• This withdrawal of network services only applies to your personal computer. Your university account is still fully operational and you will be able to use computing facilities in your department or library.

AppealsTo appeal contact the ICT Service Desk and clearly state the grounds on which your appeal is based.You should only appeal against the decision if you believe that:

o You have not exceeded the bandwidth limits for the service (1GB in any 24 hour period).

o You have mitigating circumstances to warrant a review of the penalty.

The following reasons would NOT be acceptable grounds for appeal:

o You were unaware that your actions were illegal / in breach of the Conditions of Use of the network.

o Your guest or friend made use of your connection.

o You accidentally left your computer system switched on downloading copyrighted content.

o You know of other users currently downloading similar content on the network.

Definitions

The following terms are used in this document.

Bandwidth: the transmission capacity of a computer or a communications channel stated in megabits per second (Mbps).

Monitoring tools: logging and analysis tools used to accurately determine traffic flows, utilization, and other performance indicators on a network.

Authentication: the process that validates a user’s logon information by comparing the user name and password to a list of authorized users.

Proxy server: A software package running on a server positioned between an internal network and the Internet.

Mirror site: A duplicate Web site that contains the same information as the original Web site and reduces traffic on that site by providing a local or regional alternative.

Hacking: using a computer or other technological device or system in order to gain unauthorized access to data held by another person or organization.

P2P file sharing: direct communication or sharing of resources between commercial or private users of the Internet.

Streaming: the playing of sound or video over the Internet or a computer network in real time.


Data Classification Policy


Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2013.3

Policy: Data Classification

Approval Date:

Page:

Objective: To ensure UOD’s information assets are identified, properly classified, and protected throughout their lifecycles.

Responsible Official:

Responsible Office: Quality Unit

Signature:

ITC Reference Policies:

(a) Information Security Policy

(b) Acceptable Use Policy

Data classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.

University of Dammam must protect its institutional assets as the data is prepared, managed, used, or retained by one of the constituent units or an employee relating to the activities or operations of the university. This does not include individually-owned data not related to university business. The policy will help educate the university community about the importance of protecting data generated, accessed, transmitted and stored by the university, to identify procedures that should be in place to protect the confidentiality, integrity and availability of university data and to comply with privacy and confidentiality of information.

Data Classification Policy Objectives

The purpose of this policy is to establish a framework for classifying University of Dammam data based on its level of sensitivity, value and criticality to its business activities. The following are the objectives of data classification policy:

1- Assist UOD community in the assessment of data to determine the level of security, which must be implemented to protect that data whether it is in paper copy or on the information system for which they are responsible.

2- Protect UOD’s data in terms of availability, confidentiality and integrity.

3- Identify who gets access to which kind of data.

4- Implement security provisions against unauthorized access.


Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:

1. A better aware and informed university community regarding data and its value.

2. Mapped data protection methods with the university policies.

3. Accountability of the management and use of data.

4. Appropriate levels of confidentiality, integrity and availability in place.

Policy Rationale

The classification of data, information, and documents is essential to differentiate between non-sensitive and sensitive / confidential information. When data is stored, created, amended or transmitted, it should be appropriately classified and protected in accordance with the sensitivity level.

The privacy, security, and integrity of data are critical to the university business. It is also necessary to evaluate the impact to the university should that data be disclosed, altered or destroyed without authorization. Classification of data will aid in determining baseline security controls for the protection of data.

Data classification provides several benefits by providing an inventory to university information assets. In many cases, information asset owners aren’t aware of all of the different types of data they hold. It will also allow ICT to work with departments to develop specific security requirements that can be readily utilized.

Entities affected by this Policy

This policy applies to all University administrative data, all user-developed data sets and systems that may access this data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Audience

All faculty, management, staff, students, employees as well as third-party contractors, consultants and guests should abide by this policy.

Business Impact of no data classification

The potential adverse business impact to the university due to lack of data classification policy may include:

• Loss of critical campus operations

• Loss of opportunities or value of the data

• Damage to the reputation of the campus

• Lack of corrective actions or repairs

• Violation of University mission and policies

Policy Benefits

1. The university community will become familiar with this data classification policy and will consistently use it in their daily business activities.

2. Consistent use of data classification reinforces with users the expected level of protection of data assets.

3. It will address risks associated with the unauthorized disclosure, use, modification, and deletion of university data.

4. Improved and appropriate security measures for the data.

Policy Relevance for UOD Community

Category High Medium Low Notes
The organization √ Administration Staff
Faculty √
Students √
Other(s) √

Section B – Policy Statement:

The UOD data classification policy provides a framework for assessing data sensitivity measured by the adverse business impact a breach of data would have on the campus from risks including, but not limited to, unauthorized use, access, modification, disclosure, destruction and removal. Thus all members of the university community have a responsibility to understand data classification and protect university data. This policy outlines measures and establishes protection profile requirements for each class of data. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action.

Data Classification

The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Reasonable precautions and protections should be taken, regardless of classification. All UOD institutional data has been classified into four levels or classifications:

Tier 1 - High Confidential Data

Data is classified as Confidential when an unauthorized disclosure, alteration or destruction of that data will cause a significant level of risk to the University. Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk and access approval will be determined by the data owner or risk committee.

Tier 2 - Confidential Data

Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure.

Tier 3 - Internal Data

Data is classified as Internal/Private for all the information assets that are not explicitly classified as Confidential or Public data. A reasonable level of security controls should be applied to internal data.

Tier 4 - Public Data

Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Data Classification and Handling

Definition

• Public: Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods and disclosure, alteration or modifications will cause no risk to the university

• Internal: Routine or daily operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but these are not widely available to the public

• Confidential: Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure

• High Confidential: Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the university (embarrassment, financial loss, etc.)

Examples

• Public: brochures, news releases, pamphlets, web sites, internal phone directories, marketing materials

• Internal: Routine correspondence, employee newsletters, inter-office memoranda, internal policies & procedures

• Confidential: Intellectual property licensed and/or under development, records, purchasing information, vendor contracts, system configurations, system logs, risk reports, RFP, RFI etc.

• High Confidential: Protected Health Information (PHI), Student Identifiable Information, department financial data, personnel information, credit or bank details, contract research protocols

Transmissions

1. E-mail within the organization

• Public: No special handling required

• Internal: No special handling required, but reasonable precautions should be taken

• Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner

• High Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner

2. E-mail outside of the organization

• Public: No special handling required

• Internal: No special handling required, but reasonable precautions should be taken

• Confidential: Use of e-mail strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner

• High Confidential: Encryption is required.

3. Data transfers (file transmissions, website, etc.)

• Public: No special precautions are required

• Internal: Encryption is recommended but not required

• Confidential: Encryption is required

• High Confidential: Encryption is required

4. Data print and printer location

• Public: No restrictions

• Internal: Printer to be located in an area not accessible by general public

• Confidential: Monitoring required and removal of the printed material immediately

• High Confidential: Monitoring required and removal of the printed material immediately

Backup and Recovery

• Public: Should be backed up monthly and incrementally based on content change

• Internal:
  - Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs
  - Backups should be tested regularly to ensure reliability

• Confidential:
  - Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs
  - Backups should be tested regularly to ensure reliability

• High Confidential:
  - Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs
  - Backups should be tested regularly to ensure reliability
  - Never overwrite the most recent backups

Storage

1. Printed materials

• Public: No special precautions required

• Internal: Reasonable precautions to prevent access by non-employees.

• Confidential: Storage in a secure manner, e.g. secure area, lockable enclosure. Must be locked when unattended

• High Confidential: Storage in a lockable enclosure. Must be locked when not in use

2. Electronic documents

• Public: Storage on all drives allowed but access controls must be enforced

• Internal: Storage on all drives allowed but access controls must be enforced

• Confidential: Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet.

• High Confidential: Storage on secure drives only. Password protection of document preferred.

3. Emails

• Public: No special precautions required

• Internal: Reasonable precautions to prevent access by non-staff & employees

• Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials

• High Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials

4. Portable devices

• Public: No special precautions required

• Internal: Use lockable containers or devices

• Confidential: Use lockable containers or devices.

• High Confidential: Use lockable containers or devices.

5. Storage by third party

• Public: No special precautions required

• Internal: Secured with lockable enclosures and access controls required

• Confidential: Secured with lockable enclosures and access controls required

• High Confidential: Secured with lockable enclosures and access controls required

Marking

1. Documents

• Public: No restrictions

• Internal: “Internal Use Only” note at the bottom

• Confidential: “Confidential” note at the top

• High Confidential: “Confidential” at the top and bottom

Physical Security

1. Workstations

• Public: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

• Internal: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

• Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

• High Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

2. Servers

• Public: Not permitted

• Internal: Secured area location and limited access based on the job responsibilities

• Confidential: Secured area location and limited access based on the job responsibilities

• High Confidential: Secured area location and limited access based on the job responsibilities

3. Printing

• Public: No restrictions

• Internal: Printouts to be collected immediately

• Confidential: Minimize the prints and collect immediately

• High Confidential: Print only when necessary and do not leave unattended

4. Office access

• Public: No restrictions

• Internal: No restrictions

• Confidential: Access to the sensitive area must be restricted using access control

• High Confidential: Access to the sensitive area must be restricted using access control. Confidential information must be kept under lock.

5. Portable devices

• Public: Devices must not be left unattended at any time

• Internal: Devices must not be left unattended at any time

• Confidential: Devices must not be left unattended at any time. Consider using lock and access control

• High Confidential: Devices must not be left unattended at any time and must be placed under lock and access control

Access Control

• Public: Content changes by only authorized persons

• Internal: Password access control

• Confidential: Password access control. Content changes based on the data owner and business needs

• High Confidential: Password/Biometric/Authentication based access control. Content changes based on the data owner and business needs



Responsibilities

Data owners are responsible for appropriately classifying data.

Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.

Data users are responsible for complying with data use requirements and must report immediately any breach of the policy to the data owner.

Data users are responsible for immediately referring requests for public records to the University Relations Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include suspension or termination from UOD or legal action as determined by the legal department.

Definitions

The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.

Confidential - Sensitive data that must be protected from unauthorized disclosure or public release

Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.

Data custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.

Data owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.

Data user - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.

Impact – A combination of data confidentiality, integrity and availability.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.

Public - Data for which there is no expectation for privacy or confidentiality.



Information Security Policy


Deanship of Information & Communications Technology

Posted Date:

Policy Number: ICT.2013.1

Policy: Information Security Policy

Approval Date:

Page:

Objective: To establish the policy of the University for the use, protection, and preservation of computer-based information generated by, owned by, or otherwise in the possession of University of Dammam, including all academic, administrative, and research data.

Responsible Official: Information Security Officer

Responsible Office: Operational Unit

Signature:

ITC Reference Policies:

(a) Data Classification Policy

Executive Summary

Information is a vital asset to any organization and this is especially so in a knowledge-driven organization such as the University of Dammam (UOD), where information will relate to learning and teaching, research, administration and management. It is imperative that computer data, hardware, networks and software be adequately protected against alteration, damage, theft or unauthorized access.

University of Dammam is committed to protecting information resources that are critical to its academic and research mission. These information assets, including its networks, will be protected by controlling authorized access, creating logical and physical barriers to unauthorized access, configuring hardware and software to protect networks and applications. An effective Information Security Policy will provide a sound basis for defining and regulating the management of institutional information assets as well as the information systems that store, process and transmit institutional data. Such a policy will ensure that information is appropriately secured against the adverse effects of breaches in confidentiality, integrity, availability and compliance which would otherwise occur. This policy sets forth requirements for incorporation of information security practices into daily usage of university systems.

Information Security Policy Objectives

The University recognizes the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all the University’s activities, and are essential to its research, learning, teaching and administrative functions.

The university is committed to protecting the security of its information and information systems. The following are the objectives of information security policy:

1. to protect academic, administrative and personal information from threats.

2. to maintain the confidentiality, integrity and availability of the UOD information assets.

3. to prevent data loss, modification and disclosure, including research and teaching data from unauthorized access and use.

4. to protect against information security incidents that might have an adverse impact on UOD business, reputation and professional standing.

5. to establish responsibilities and accountability for information security.

Information Security Principles

Enforcing an appropriate information security policy involves knowing university information assets, permitting access to all authorized users and ensuring the proper and appropriate handling of information. The University has adopted the following principles, which underpin this policy:

• Information is an asset and like any other business asset it has a value and must be protected.

• The systems that are used to store, process and communicate this information must also be protected.

• Information should be made available to all authorized users.

• Information must be classified according to an appropriate level of sensitivity, value and criticality as presented in the ‘data classification policy’.

• Integrity of information must be maintained; information must be accurate, complete, timely and consistent with other information.

• All members of the University community who have access to information have a responsibility to handle it appropriately, according to its classification.

• Information will be protected against unauthorized access.

• Compliance with this policy is compulsory for UOD community.

Outcomes of the Policy

By enforcing the data classification policy, we aim to achieve the following outcomes:

1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.

2. Improved credibility with the UOD community and partner organizations.

3. Protected information at rest and in transit.

Policy Rationale

University of Dammam possesses information that is sensitive and valuable, ranging from personally identifiable information, research, and other information considered sensitive to financial data. This information needs to be protected from unauthorized use, modification, disclosure or destruction. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or University community. Additionally, if University information were tampered with or made unavailable, it could impair the University’s ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.

The information security policy has been laid down in accordance with the principles and guidelines defined and enforced by the ‘Communications & Information Technology Commission’ in the document titled “Information Security Policies and Procedures Development Framework for Government Agencies”.

Entities affected by this Policy

• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.

• Students studying at the University.

• Contractors and consultants working for or on behalf of the University.

• All other individuals and groups who have been granted access to the University’s ICT systems and information.

Business Impact of no Information Security

The potential adverse business impact to the university due to the lack of an information security policy may include:

• Loss of critical campus information

• Higher costs due to waste of resources

• Damage to the reputation of the UOD

• Lack of corrective actions or repairs

• Violation of University and government regulatory policies and procedures

Policy Benefits

1. It will address risks associated with the unauthorized disclosure, use, modification and deletion of university data.

2. Improved and appropriate security measures for the data.

3. Protect UOD information assets.


Section B – Policy Statement:

Information is fundamental to the effective operation of the University and is an important business asset. The purpose of this Information Security Policy is to ensure that the information managed by the University is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in the confidentiality, integrity or availability of information could prevent the University from functioning effectively and efficiently.

A. Applicability

• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.

• Students studying at the University.

• Contractors and consultants working for or on behalf of the University.

• All other individuals and groups who have been granted access to the University’s ICT systems and information.

B. Security Roles and Responsibilities

All members of the University have direct individual and shared responsibilities, when handling information or using university information resources, to abide by this policy and other related policies. In order to fulfill these responsibilities, members of the University must:

• be aware of this policy and comply with it,

• understand which information they have a right of access to,

• know the information for which they are owners,

• know the information systems and computer hardware for which they are responsible.

Information Users

Every member of the university community who has legitimate access to the university ICT resources is responsible for abiding by this policy. No individual should be able to access information to which they do not have a legitimate access right. Information users should neither violate this policy nor allow others to do so. Information users must be aware of the nature of the information to which they have been granted access and must handle information carefully according to its classification. They should protect the confidentiality of information and not give access to illegitimate individuals, knowingly or unknowingly.

For the purpose of information security, access to all email servers other than the University of Dammam email server will be blocked through University network resources.

Information Owners

The information owners have responsibility to maintain the confidentiality, integrity and availability of information. In particular:

• Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive and critical information assets and classify them according to the University ‘Data Classification Policy’.

• Heads of departments, departmental administrators and IT support staff are responsible for the confidentiality, integrity and availability of information maintained by members of their department, such as students’ academic records. They are also responsible for the security of all departmentally operated information systems.

• Data and systems managers in support services are responsible for the confidentiality, integrity and availability of information, such as student, personnel and financial data.

• Project managers leading projects for the development or modification of information systems are responsible for ensuring that projects take account of the needs of information access and security and that appropriate and effective control mechanisms are instituted, so that the confidentiality, integrity and availability of information is guaranteed.

• Information owners will conduct risk assessments of their information assets and may recommend mitigation strategies.

• Any information security incident will be reported to the chief security officer.

Definitions

The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must be available on demand or on a timely basis.

Confidentiality - The assurance that information is disclosed only to those systems or persons who are intended to receive the information.

Data Custodian – Individual or group responsible for classifying data and generating guidelines for its lifecycle management.

Data Owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of university data.

Data User - Any member of the university community who has access to university data, and thus is entrusted with the protection of that data.

ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network connections to external resources such as the Internet.

Impact – A combination of data confidentiality, integrity and availability.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.

Information System - Any tangible item such as hardware, software, communications facilities and networks, used to store, process and transmit Information Assets owned, controlled, or hosted by the University.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise criminal act.


Network Access Control Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2014.1
Policy: Network Access Control
Posted Date:
Approval Date:
Page:

Objective: The purpose of the Network Access Policy is to establish the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of UOD information.

Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies:

(a) Acceptable Use Policy

(b) Information Security Policy

Executive Summary

In order to comply with the information security policy and the data classification policy, the Deanship of ICT has implemented a network access control (NAC) policy that will challenge computers and devices that try to access network resources. The policy lays down the principles used to secure the campus wired and wireless networks through user authentication. It ascertains that only authorized students, faculty and staff gain access to our network by checking that computer systems meet established policy configuration requirements. The purpose of the NAC is to ensure that computers and devices trying to gain access to the network resources meet minimum requirements for Operating System versions and patches and for Anti-Virus software. If a computer and/or device meets the minimum requirements, it is granted access to the network. If a computer does not meet the requirements, then it will be given limited access to the Internet in order to update and/or install Operating System updates/Anti-Virus software.

Introduction

Network access control (NAC) is a method of assessing devices and computers that try to use network resources (file shares, printers, web pages, etc.) to see if they meet certain criteria, as defined by the University, such as requiring anti-virus software and the most recent operating system patches.

Network access control policies will define who is allowed access to which physical locations and logical resources. The policy enforcement will ensure that all computers that use network resources have both updated anti-virus software and updated operating system (Windows 7, etc.) patches applied. NAC allows us to grant access to computers that meet these requirements, and deny access while still allowing temporary Internet access to address the requirements that are not met.

To provide a more stable and secure network, UOD employs a Network Access Control (NAC) system assuring that devices connected to the network meet these minimum security requirements:

• Each desktop computer or other listed device must be authenticated using UOD ID and password and joined to domain.

• Must be running Microsoft Windows 7 with SP1 operating System.

• Must have Symantec Endpoint Protection AntiVirus software with current definitions.

• Firewall feature is installed and enabled.

Rationale:

Given the need to respond to security incidents on campus, and an obligation to protect our valuable network resources, UOD must be able to identify every individual who connects to the campus network. For these reasons, UOD has implemented a network access control to be used by all students, employees and others to authenticate for campus network use. This will also provide a single point for collecting and reporting on user access to information for security incident investigations.

NAC Policy Objectives

The following are the objectives of the policy:

1. Prevent unauthorized physical and logical access

2. Use appropriate and robust identification and authentication techniques to control access

3. Use unique identifiers for all users

4. Ensure good password policies are implemented

5. Implement measures to prevent and trace misuse of general access machines

Outcomes of the Policy

By enforcing the NAC policy, we aim to achieve the following outcomes:

1. Access to systems by default and explicitly authorize access.

2. Network access to confidential information is secured with appropriate encryption and authentication.

Entities affected by this Policy

This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.

Supported Operating Systems and Browsers for endpoints

OS Support (Genuine OS only) | Supported Browser
Windows 8 (x64, Professional, Professional x64, Enterprise, Enterprise x64) | Microsoft IE 10
Windows 7 (x64, Professional, Professional x64, Enterprise, Enterprise x64) | Microsoft IE 9 and later; Google Chrome 11 and later; Mozilla Firefox 5 and later
Apple iOS 6.1, 6, 5.1, 5.0.1, 5.0 | Safari 5, 6, 7; Firefox 5
Apple Mac OS X 10.6, 10.7, 10.8 | Mozilla Firefox 3.6, 4, 5, 9, 14, 16; Safari 4, 5, 6; Google Chrome 11
Google Android 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2 | Native browser; Mozilla Firefox 5
VMware ESX 4.x, ESXi 4.x, ESXi 5.x |

NAC Process:

1. Once you join/register your computer or device, an agent software will run automatically to scan your computer for compliance with OS, antivirus and firewall.

2. If you FAIL the scan, you must contact the ICT help desk for an appropriate update.

3. If you PASS the scan, your computer will be allowed FULL access to all network resources and the Internet.

Wired Access:

NAC for employees:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update not older than 5 days.

• Compliant machines will get access to UoD network based on the agreed policy – Full Access based on the Port VLAN membership.

• Non-compliant Domain PC/users will be denied access to the corporate network including the Internet connection.

NAC for Students:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update not older than 5 days.

• Compliant machines will get access based on the agreed policy – Partial Access to SIS Servers and Internet connection.

• Non-compliant Domain PC/users will be denied access to the SIS Servers including Internet connection.

Wireless Access

NAC for Employee:

• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will be granted access to UC services using their mobile devices after profiling.

• Compliant users will get access to Internet but no internal network access.

• Non-compliant users will be denied access even to Internet.

NAC for students:

• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will get access to Internet and internal SIS servers.

• Non-compliant users will be denied access even to Internet.

NAC for Guests:

• Guest will login to Open SSID.

• Enforce redirect to web page to submit required information

• Allowed for Self-registration by submitting first name, Last Name and Mobile Number.

• Will Receive an SMS.

• Login with credentials sent by SMS.

• Mapped to AD

• Will have access to Internet only.

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Authenticate: To authenticate is to determine whether someone or something is, in fact, who or what it is declared to be through the use of an identifier and password or related means.

Campus Network: A campus network is an autonomous network that exists on a university campus connecting local area networks in and among buildings and aggregating traffic to a wide area network.

Network Access Control system: Network access control (NAC), a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that authenticate. Additional features include checking for current virus protection and that operating system updates are enabled.

Network Access logs: Information captured upon network access, including identifier, time of connection, network card MAC address, and time of disconnection.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


OneDrive Cloud Storage Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.8
Policy: OneDrive Cloud Storage Policy
Posted Date:
Approval Date:
Page:

Objective: This policy provides advice and best practices for using cloud storage services to support the processing, sharing and management of institutional data.

Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies:

(a) Data Classification Policy

(b) Information security policy

Executive Summary

Cloud computing services are application and infrastructure resources that users access via the internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, online information storage. The stored data is generally easy for people to use and is accessible over the internet through a variety of platforms such as workstations, laptops, tablets, and smart phones. The purpose of this policy is to inform the UOD community about the security risks associated with storing documents on the cloud and provide guidance about the types of information which should and should not be stored in the cloud.

Introduction

Deanship of Information and Communication Technology (DICTY) is implementing cloud based storage ‘OneDrive’ provisioned by Microsoft that will be available to its users. OneDrive is a convenient way to store files in the “cloud” and protect against hard drive failure, lost or stolen laptops. Keeping your important files in OneDrive means that you have access to them from anywhere in the world provided you have an internet connection. OneDrive also allows for easy sharing and collaboration with friends, family and colleagues. Microsoft provides OneDrive apps for your laptop, desktop, iPads, iPhones, Android devices, Windows 8 and Windows Phone.

This service is available to all students, faculty and employees at the University. To use OneDrive you use the same login and password credentials as you do for Microsoft Outlook.

It is important to keep in mind that the University does not have the ability to backup or restore the files that you keep on OneDrive. OneDrive is a service offered to the University, for free, from Microsoft in conjunction with other tools the University deploys. Microsoft maintains a “best effort” service level for OneDrive and while highly reliable you should periodically backup your important data to an external hard disk.

Use of this data storage must be in compliance with all other University policies and procedures. It is the responsibility of University community using such services to ensure that they are aware of, and are fully compliant with all relevant policies, procedures and legislation.

Policy Objectives

The following are the objectives of the policy:

• Inform UOD community about the security risks associated with storing documents on the cloud

• Provide the guidance about the types of information which should and should not be stored in the cloud.

Entities affected by this Policy

This policy applies to all the community of University of Dammam using computing and network resources. These include:

• Users (academic, professional and support staff, students and management) using either personal or University provided equipment connected locally or remotely to the network of the University.

• All ICT equipment connected (locally or remotely) to University servers.

• ICT systems owned by and/or administered by the Deanship of ICT.

• All devices connected to the University network irrespective of ownership.

• Connections made to external networks through the University network.

• All external entities that have an executed contractual agreement with the University.

Section B – Policy Statement:

1. To use OneDrive - all users must comply with Microsoft’s Terms and Privacy conditions. On first use, you will be prompted to accept these Microsoft terms and conditions.

2. The use of OneDrive is optional. UOD does not require you to use OneDrive to complete your studies. If you do not wish to accept Microsoft’s Terms and Privacy conditions for the use of OneDrive - that is ok - but you will not be able to utilize the Microsoft OneDrive utility.

3. UOD and Microsoft will not be held responsible for any and/or all data loss or corruption. Students will have to arrange their own backup or replication of their data. Microsoft provides no commitment to guarantee continuous access to your files; therefore any loss of service may deny access to important files at critical times.

4. When information or data is stored in OneDrive which is not owned by the University, it is the responsibility of the staff member storing the information or data to ensure that important data is backed up to an external hard disk.

5. You should be aware that it is both a breach of the OneDrive contract and University terms and conditions to store any copyright material within this facility. This includes books, music or videos subject to copyright. Breach of these rules may result in your account being terminated by Microsoft without notification and result in the loss of all data within the account, which may well be irretrievable.

6. Information or data must not be stored in this storage where the University’s intellectual property, copyright, trademarks or patents may be compromised.

7. Use caution when storing documents and data in public cloud storage. Store only non-sensitive, non-critical, or non-confidential documents.

8. Do not use public cloud storage to store files containing sensitive information. Please refer to the University Data Classification policy for more complete data classifications.

9. Even for instances when you work with non-sensitive information, using public cloud storage services for institutional documents does not make a good long-term storage solution. In many cases, public cloud storage requires that files be associated with an individual’s personal account. Should that individual leave the University, the institution loses access to the data.

Definitions

The following terms are used in this document.

Cloud computing - Abstraction of virtualized web-based computers, resources, and services that support scalable IT solutions.

OneDrive (officially Microsoft OneDrive, previously Windows Live OneDrive and Windows Live Folders) is a file hosting service that allows users to upload and sync files to a cloud storage and then access them from a Web browser or their local device.


Password Policy


Deanship of Information & Communications Technology

Policy Number: ICT.2013.7
Policy: Password Policy
Posted Date:
Approval Date:
Page:

Objective: The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Responsible Official:
Responsible Office: Operation Unit
Signature:
ICT Reference Policies:

(a) Acceptable Use Policy

Executive Summary

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of UOD’s entire network. The purpose of having a password policy is to ensure a more consistent measure of security for UOD’s network and the information it contains. The implementation of this policy will better safeguard the personal and confidential information of all individuals and organizations affiliated, associated, or employed by the University. Additionally, this policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of passwords.

Introduction

University of Dammam significantly provides access authentication to online information technology resources such as email, institutional data, University websites, library and e-learning portal, academic and personal data, cloud computing resources, and other sensitive services. In particular, passwords are the user’s ‘keys’ to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and University as well as user information. This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing UOD IT resources are bound by the requirements as described in this policy, to create and secure their password(s).

Password Policy Objectives

The following are the objectives of the policy:

1. Defend against unauthorized access of UOD systems that could result in a compromise of personal or institutional data

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.

3. Encourage users to understand their own rights and responsibilities for protecting their passwords.


4. Protect the privacy and integrity of data stored on the University network.

Outcomes of the Policy

By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Entities affected by this Policy

This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.

Responsibilities

Users are responsible for assisting in the protection of the network and computer systems they use. The integrity and secrecy of an individual’s password is a key element of that responsibility. Each individual has the responsibility for creating and securing an acceptable password per this policy. Failure to conform to these restrictions may lead to the suspension of rights to University systems or other action as provided by University Policy.

Section B – Policy Statement:

Guidelines & Procedures

• Passwords must be changed every 90 days.

• All passwords must meet the definition of a Strong password described below.

• Each successive password must be unique. Re-use of the same password will not be allowed.

• Any temporary password will expire at 23:59:59 of the date issued.

• A user account will be temporarily locked after 3 consecutive failed logins.

* Account Lockout Duration: 15 mins.

* Account Lockout Threshold: 3

• The “reset password” process will be applied to users who log in for the first time.

Poor, weak passwords have the following characteristics:

• The password contains fewer than eight characters.

• The password is a word found in a dictionary (English or foreign)

• The password is a common usage word such as:


* Name of family, pets, friends, co-workers, fantasy characters, etc.

* Computer terms and names, commands, sites, companies, hardware, software.

* Birthdays and other personal information such as addresses and phone numbers.

* Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc.

* Any of the above spelled backward like fesuoy, damha, etc.

* Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong Password Construction Guidelines

• Are at least eight alphanumeric characters long

• Passwords do not contain user ID

• Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters

• Contain at least three of the five following character classes:

* Lower case characters

* Upper case characters

* Numbers

* “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)

* Contain at least eight alphanumeric characters.
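The construction guidelines and the weak-password characteristics above can be checked mechanically at the moment a password is set. The following Python checker is an added example, not part of the University's policy or tooling; the sample wordlist, the user ID `jsmith` and the sequential-run threshold of four characters are assumptions made for illustration.

```python
import re
import string

# Constructed sample wordlist (assumption). A real deployment would load a
# full dictionary plus names, computer terms and local vocabulary.
SAMPLE_WORDLIST = {"secret", "password", "welcome", "yousef", "ahmad"}

SPECIALS = set(string.punctuation)


def character_classes(password):
    """Return the character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def is_dictionary_based(password, wordlist):
    """True if the password is a listed word, that word spelled backward, or
    either form preceded or followed by digits (secret1, 1secret)."""
    core = password.lower().strip(string.digits)
    return bool(core) and (core in wordlist or core[::-1] in wordlist)


def has_sequential_run(password, run=4):
    """True if `run` or more consecutive letters or digits ascend or descend
    by one (abcd, 4321). The threshold of 4 is an assumption, not policy."""
    lowered = password.lower()
    for step in (1, -1):
        length = 1
        for prev, cur in zip(lowered, lowered[1:]):
            in_sequence = (prev.isalnum() and cur.isalnum()
                           and ord(cur) - ord(prev) == step)
            length = length + 1 if in_sequence else 1
            if length >= run:
                return True
    return False


def check_password(password, user_id, wordlist=SAMPLE_WORDLIST):
    """Return the list of policy violations; an empty list means acceptable."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    if user_id and user_id.lower() in password.lower():
        violations.append("contains the user ID")
    if re.search(r"(.)\1\1", password):
        violations.append("more than two identical characters in a row")
    if password.isdigit() or password.isalpha():
        violations.append("made up of only numeric or only alpha characters")
    if len(character_classes(password)) < 3:
        violations.append("fewer than three character classes")
    if is_dictionary_based(password, wordlist):
        violations.append("dictionary word, reversed or with digits attached")
    if has_sequential_run(password):
        violations.append("sequential character pattern")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, several taken from the policy's own
    # examples of weak choices; "jsmith" is a hypothetical user ID.
    for candidate in ["secret1", "1secret", "fesuoy", "aaabbb12",
                      "4654321", "Jsmith#2024", "T7#mquv!Lz"]:
        result = check_password(candidate, "jsmith")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Password history ("each successive password must be unique") is not covered here, since it requires comparing against stored hashes of earlier passwords rather than inspecting the candidate alone.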

Definitions

The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Expiration - Date at which password for access to University systems is required to be changed meeting strong password standards.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.


ICT User Authentication Policy


Deanship of Information & Communications Technology

Posted Date:
Policy Number: ICT.2013.6
Policy: ICT User Authentication Policy
Approval Date:
Page:

Objective: The authentication and access control measures ensure appropriate access to information and information processing facilities - including servers, desktop and laptop clients, mobile devices, applications, operating systems and network services – and prevent inappropriate access to such resources.

Responsible Official:
Responsible Office:
Signature:

ICT Reference Policies:

(a) Information security policy

(b) Acceptable use policy

User Authentication Policy

Principle

All users should be authenticated, either by using User IDs and passwords or by stronger authentication such as smartcards or biometric devices (e.g. fingerprint recognition) before they can gain access to any information or systems within the installation.

Objective

To prevent unauthorized users from gaining access to any information or systems within the computer installation.

General

All users should be authenticated, either by using UserIDs and passwords or by stronger authentication such as smartcards or biometric devices before they can gain access to any information or systems within the organization.

1. All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.

2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 4 months.

3. User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.

4. Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

5. All user-level and system-level passwords must conform to the guidelines described below.


User IDs and Password Attributes

User authentication should be enforced by automated means that:

1. Ensure UserIDs are unique

2. Ensure passwords are not displayed on screen or on print-outs

3. Issue temporary passwords to users that must be changed on first use

4. Force new passwords to be verified before the change is accepted

5. Ensure users set their own passwords

6. Ensure passwords are changed regularly and more frequently for users with special access privileges

Account Lockout Policies

• Account Lockout Duration: 15 mins.

• Account Lockout Threshold: 3

• Reset Account Lockout Counter: 30 mins.

Password Changing Procedures

There should be a process for issuing new or changed passwords that:

a) Ensures that passwords are not sent in the form of clear text e-mail messages

b) Directly involves the person to whom the password uniquely applies

c) Verifies the identity of the end user, such as via a special code or through independent confirmation

d) Includes notification to users that passwords will expire soon.

Acceptable Password Characteristics

Acceptable user passwords should, as a minimum:

1. Be a minimum of 8 characters in length,

2. Differ from their associated UserIDs,

3. Contain no more than two identical characters in a row and are not made up of all numeric or alpha characters

4. Restrict the re-use of passwords: 5 previous passwords (e.g. so that they cannot be used again within a set period or set number of changes).
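The four Acceptable Password Characteristics above, written as the kind of automated check the policy asks for. This is an added example, not part of the University's policy or systems: the function names, the salted PBKDF2 storage of the password history and the sample values are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8       # item 1: minimum of 8 characters
HISTORY_DEPTH = 5    # item 4: the 5 previous passwords cannot be re-used
# Assumption: the policy does not say how the history is stored. Here each
# previous password is kept only as a salted PBKDF2 digest, never in clear text.
PBKDF2_ITERATIONS = 100_000

# Item 3: three or more identical characters in a row.
TRIPLE_REPEAT = re.compile(r"(.)\1\1", re.DOTALL)


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(password, user_id, history):
    """List every rule the candidate breaks; an empty list means it is acceptable.

    history is a list of (salt, digest) tuples, newest last.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if password.casefold() == user_id.casefold():
        problems.append("same as the UserID")
    if TRIPLE_REPEAT.search(password):
        problems.append("more than two identical characters in a row")
    if password.isdigit() or password.isalpha():
        problems.append("all numeric or all alphabetic")
    if any(matches(password, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last 5 passwords")
    return problems


def change_password(password, user_id, history):
    """Accept or reject a change; on success return the trimmed, updated history."""
    problems = policy_violations(password, user_id, history)
    if problems:
        return False, problems, history
    new_history = (history + [hash_password(password)])[-HISTORY_DEPTH:]
    return True, [], new_history


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    history = []
    for candidate in ("abc", "12345678", "passsword1", "Blue-Kite-01", "Blue-Kite-01"):
        ok, problems, history = change_password(candidate, "student42", history)
        print(candidate, "accepted" if ok else "rejected: " + "; ".join(problems))
```

Reporting every violation at once, rather than stopping at the first, lets the user fix the password in a single attempt.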

Password Protection Awareness

Where authentication is achieved by a combination of UserIDs and passwords, users should be advised to keep passwords confidential (i.e. to avoid writing them down or disclosing them to others) and to change passwords that may have been compromised.

If an account or password compromise is suspected, report the incident to ICT Help Desk number 322322.

Users should be made aware of how to choose a strong password. Strong passwords have the following characteristics:

o Contain at least three of the five following character classes:

Lower case characters


Upper case characters

Numbers

Punctuation

“Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)

o Contain at least fifteen alphanumeric characters.

Weak passwords have the following characteristics:

o The password contains less than fifteen characters

o The password is a word found in a dictionary (English or foreign)

o The password is a common usage word such as:

Names of family, pets, friends, co-workers, fantasy characters, etc.

Computer terms and names, commands, sites, companies, hardware, software.

Birthdays and other personal information such as addresses and phone numbers.

Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

Any of the above spelled backwards.

Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Single Sign-on

Single sign-on (SSO) or reduced sign on should be applied within the organization upon completing a formal risk assessment and in compliance with the approved Identity and Access Management Architecture.

Two Factor Authentication

Two-factor authentication (e.g. smartcards or biometric devices, such as fingerprint recognition) should be applied to users with access to critical business applications or sensitive information and to users with special access privileges or access capabilities from external locations.


Web Hosting Policy with Third-Party Service Providers


Deanship of Information & Communications Technology

Posted Date:
Policy Number: ICT.2014.2
Policy: Web Hosting Policy with Third-Party Service Providers
Approval Date:
Page:

Objective: This policy provides guidelines for website hosting with third-party service providers for the affiliated colleges and units.

Responsible Official:
Responsible Office:
Signature:

ICT Reference Policies:

(a) Data Classification Policy

Executive Summary

The Deanship of Information and Communications Technology (DICT) seeks to provide up-to-date, accurate, and meaningful information on university-related websites. Likewise, the university’s integrity and reputation rely on consistent and strong content on the www.uod.edu.sa domain and on any websites that relate to, refer to, or could be perceived as representing the university. It is therefore important that all such websites conform to minimum university standards and comply with the guidelines provided in this policy.

In general, all university Internet services and all information about the university available from accessing the Internet, including any of its colleges, departments, deanships, affiliated institutes, centers, management units, faculty, staff and students, must use only the www.uod.edu.sa domain. In certain exceptional cases, affiliated colleges of the university may find it necessary to hire third-party service providers for website hosting or other applications. This policy addresses these exceptional cases.

Introduction

Creation, publication and maintenance of web pages and other web materials at the University of Dammam is a prime way of providing critical information and services to members of the University community, prospective students, and the general public, playing a vital role in helping the University fulfill its mission. This policy statement is intended to protect the interests of the University and all of its students, faculty and staff. It is designed to provide guidance to those individual affiliated units of the University that wish to host websites with third party service providers. It outlines minimum security requirements to be observed when a content owner wishes to host their web material with external service providers.

Scope

This policy governs any electronic documents made available via standard web protocols which represent an official unit or activity of the University, bearing marks, logos, domain or symbols that might imply endorsement by the University, hosted by third party service providers.


Non-Compliance

The Ministry of Information and Communication Technology and the Ministry of Interior, Kingdom of Saudi Arabia, monitor and report any security breaches to the University. Any non-compliance with these recommended guidelines may result in legal action or otherwise by the relevant authorities.

Section B – Policy Statement:

The web content owner and content publisher intending to host web pages with a third party service should consider the following security issues relevant for third party hosts and the level of service required from them.

1. Physical Security:
The service provider must comply with physical security requirements such as
• Facility Security Procedures that ensure facilities containing these confidential systems are safeguarded from unauthorized physical access.
• Access Control must be logged and audited at least every six months, and must include 1 or more of the following: multi-factor authentication (e.g. token and pin number), key-card access, biometric access controls.
• Caged or shared racks for physical security, depending on the requirements.

2. Perimeter Security:
• IP Reputation Filtering against malicious IP addresses.
• Monitor & mitigate DoS/DDoS attacks directed toward customers and their infrastructure.

3. Network Security:
The service provider must have hardware and software in place to ensure
• Intrusion detection/prevention systems to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a compromised network or system and prevent intrusion signatures.
• Established Isolated Security Zones for reducing security risks.
• Vulnerability Monitoring tools for protection against spyware, spam, viruses etc.
• Vulnerability Auditing to determine which network assets are at the most risk of being successfully attacked and its impact.

4. Server Security:
• Hardened operating systems for more secure server operating environment.
• Managed OS patches and updates to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.

5. Hardened VMware hypervisor
The service provider must adhere to the following best practices
• Password security policies
• Malware protection
• Resource availability monitoring
• Network event logging

6. Application Security:
The service provider must employ the following
• Web application firewall
• Intelligent WAF policies for common attacks
• Application specific and custom WAF policies if needed


• HTTP DoS application attack mitigation
• Application performance monitoring
• SSL certificates highly recommended for important services

7. Administrative Security:
• Secure portal for user management
• Log Management
• Two-Factor authentication

Content Owner Responsibilities

For the Application or website, we recommend the following:

• Source Code review to be carried out.
• Vulnerability testing at least once a month to be done.
• Penetration Testing services once every three months to be considered.
• SSL Certificate for Authentication services to be ensured.
• Two factor authentications to be employed.
• Reliable/reputed Hosting Company to be sought.

A Recommended checklist when hosting with third party service providers

• Read the terms and conditions of use of the service - what sort of intellectual property rights do the terms of use of the service grant to the service provider? What rights are you signing away?
• What measures does the service provider take to keep information confidential?
• Is it possible to take down and delete information easily, quickly and permanently from the site? Are you locked in to the service?
• Security - What are the service provider’s arrangements for protecting your data from unauthorized access, unauthorized amendment or deletion? Do they adhere to the guidelines provided in this policy?
• Do unauthorized exposures of university data result in the service provider notifying within a mutually agreed time of discovery?
• Performance - Does the service provider make any performance guarantees? Are they adequate for your needs?
• Does the external service provider have arrangements in place to ensure the long-term survival of the data?
• What cookies or monitoring of usage does the service provider use?
• Have both disaster recovery and business continuity plans been developed and are there plans to regularly test and review them?
• Does the service provider comply with data retention and protection regulations and policies?


Definitions

The following terms are used in this document.

Domain: A unique name that identifies an Internet site.

ISP: Internet Services Provider; a company that provides access to the Internet, Information Services & Technology.

Web Host: A company that maintains a client’s website and provides a computing environment for the website that is accessible through the Internet.


Core ICT Services Service Level Agreement


PURPOSE OF THE SLA

The purpose of this service level agreement (SLA) is to establish a cooperative partnership between the Deanship of Information & Communications Technology (DICT) and its users. It aims to ensure that services support the core business of University of Dammam. This SLA aims to:

• identify clear and consistent expectations
• outline agreed roles and responsibilities
• deliver services that are measured, monitored, reported and reviewed for continuous improvement
• provide mechanisms for resolving problems
• provide a platform to enable changes in response to new technologies, user requirements and other opportunities

PARTIES TO THE SLA

This SLA has been outlined between the Deanship of ICT as service provider, and the University community, referred to hereafter as ‘users’.

DURATION

This SLA has been enforced with immediate effect and remains effective for a period of one year, after which it may be reviewed. Services are provided on an ongoing basis. As required, this SLA may be modified and any changes will be published for user interest and information.

SERVICES INCLUDED

The following services are included in this SLA, defined as core ICT services. These ICT services meet all or most of the following criteria.

• They support the core business of teaching, learning, research and administration.
• They are widely used across UOD without requiring specialized content knowledge.
• They need to be reliable and available.
• For the most part, they are provided to the user free of charge.
• Accountability for their provision rests with DICT

FUNDAMENTAL EXTERNAL CONSTRAINTS

The Deanship of ICT may be prevented from providing any service mentioned in this SLA due to constraints over which it may have little or no control. These include:

• power and air conditioning outages
• physical damage, including but not limited to fires, floods, and contractors
• products or services received from vendors to DICT
• unpredictable and significant changes in activity levels (e.g. ICT Helpdesk calls, number of email messages sent, number of users for a system, etc)


FUNDAMENTAL USER RESPONSIBILITIES

The end users are expected to observe the following:

– report incidents or log service requests by logging calls with the ICT Helpdesk
– abide by the applicable policies listed for each service
– have the prerequisite hardware or software
– make reasonable attempts to co-operate with ICT to resolve incidents, including providing information, performing troubleshooting steps, and ensuring ICT’s access to physical space
– acquire training in the use of their system (as necessary to do their jobs) by attending training classes, keeping available and reading instructions, manuals, etc.
– perform routine backups of important data and files
– be able to understand and perform basic computer tasks such as copying files, installing some software, etc.
– use their systems responsibly and ethically as University assets to do their jobs.


eFax

Service Service level targets User responsibilities

eFax service provides web management interface for user to manage or maintain their contacts, incoming or outgoing fax documents.

Description
The eFax service provides outgoing fax and incoming fax. Outgoing fax service is best suited for users who occasionally need to fax out computer files. For incoming fax service, fax document sent to a particular fax number will appear as a message in a designated email account.

Applicable to (subject to approval)
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Availability
eFax service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– Installing software to send faxes from a computer: Response Time 1-2 hours; Resolution Time 1-2 business days
– Setting up a personal fax number: Response Time 1-2 hours; Resolution Time 1-2 business days
– Fixing a fault: Response Time 1-2 hours; Resolution Time 1-2 business days

Constraints
– Fundamental external constraints
– Existing fax number cannot be changed
– Supported document format is pdf only

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– An email address
– Software client installed on a Windows computer

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


WebEx

Service Service level targets User responsibilities

UOD free web conferencing service, WebEx, provides on-demand, real-time, collaborative web meetings and conferencing. WebEx can be used to host online meetings and interactive sessions with individuals inside and outside of UOD.

Description
Faculty can use WebEx to record/capture class lectures and facilitate student discussions for distance education, while students use WebEx to watch and attend class lectures, communicate with the instructor and collaborate with other students in the class. The staff can use WebEx to share documents, hold online meetings, and collaborate on team projects.

Applicable to
– Management
– Faculty
– Staff (attendees only)
– students

Exclusions
– visitors

Availability
WebEx service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– Request to enable WebEx facility: Response Time 2-24 hours; Resolution Time 1-2 business days
– Fixing a fault: Response Time 1-2 hours; Resolution Time 2-3 business days

Constraints
– Fundamental external constraints
– Account changes are not allowed

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– An email address
– WebEx enablement

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Cisco IP Telephone

Service Service level targets User responsibilities

UOD offers voice over IP as an enterprise communication solution.

Description
Internet Protocol (IP) or Voice over IP (VoIP) telephony is technology which enables telephone messages to be transmitted and received via the internet rather than the traditional analogue telephone system.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Availability
IP Telephony service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– IP Telephone request process: Response Time 1-2 hours; Resolution Time 3 business days
– Setting up an IP telephone: Response Time 1-2 hours; Resolution Time 3 business days
– Move, Add and Change: Response Time 1-2 hours; Resolution Time 5 business days
– Fixing a fault: Response Time 1-2 hours; Resolution Time 3 business days
– New wiring: Response Time 1-2 hours; Resolution Time 15 business days
– IP telephone features: Response Time 1-2 hours; Resolution Time 1-2 business days

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Cisco CallManager Administration
– Windows 2000 Terminal Services

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


New SoftPhone

Service Service level targets User responsibilities

A softphone is a software program for making telephone calls over the internet or University Data Network using a computer or laptop, rather than a deskphone or landline.

Description
The Deanship has implemented Cisco Unified Personal Communicator (CUPC) to enhance the voice communication experience by enabling Presence functionality. It provides real-time status for coworkers, integrating with calendars for meeting notifications and allowing real-time chat, voice or video communication.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Availability
The SoftPhone service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– Delivery of hardware: Response Time 1-2 hours; Resolution Time 1-2 business days
– Client Installation: Response Time 1-2 hours; Resolution Time 1-2 business days
– Fixing a fault: Response Time 1-2 hours; Resolution Time 1-2 business days

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Laptop or desktop
– UOD valid email address

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request Database Services

Service Service level targets User responsibilities

The Deanship provides a wide range of database consulting and hosting options for your application. The hosting services feature high availability and disaster recovery options in a secure environment. The service includes the following:

– Database Schema creation
– Database users
– Database consultation
– Database backup
– Database user permissions

Description
The Deanship offers two environments: application and testing. The database hosting is tailored to the requester’s requirements and gives you control as well.

Applicable to
– Management
– Faculty

Exclusions
– Staff
– students
– visitors

Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– Database Schema creation: Response Time 4-6 hours; Resolution Time 1 business day
– Database users: Response Time 4-6 hours; Resolution Time 1 business day
– Database consultation: Response Time 4-6 hours; Resolution Time 1 business day
– Database backup: Response Time 4-6 hours; Resolution Time 1 business day
– Database user permissions: Response Time 4-6 hours; Resolution Time 1 business day

Constraints
– Fundamental external constraints
– Oracle Database hosting Only

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Database type
– UOD valid email address

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request Hosting Training Material in ICT servers (video, pdf etc)

Service Service level targets User responsibilities

The eligible users can request to host relevant material in audio, video or text form to be published for employee development.

Description
The Deanship of ICT offers to host training material for employee development for interested UOD colleges/departments/centers.

Applicable to
– Management
– Faculty

Exclusions
– Staff
– students
– visitors

Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

Service request: service level target (working days)
– Request for service: Response Time 1-2 hours; Resolution Time 1 business day

Constraints
– Fundamental external constraints
– ICT will host the material after careful review and relevant authority permission.

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– UOD valid email address

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request Reset Password

Service Service level targets User responsibilities

Password Reset enables all users to reset their forgotten University password, without calling the Service Desk.

Description
Users are now able to reset their password or change their password 24/7 hassle-free from any computer.

Applicable to
– Management
– Faculty
– Staff
– Students
– Guests

Exclusions
– None

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week.

Constraints
– Fundamental external constraints

To access the service
In order to avail this service, the users must log on to eservices.ud.edu.sa/, provide appropriate information and follow the instructions for setting the password.

Prerequisites
– Fundamental user responsibilities
– email account

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Requesting/decommissioning VMWare virtual server

Service Service level targets User responsibilities

Users can request a Windows or Linux virtual server. Requested virtual servers are subject to normal approvals and some special provisioning tasks. A decommissioning workflow enables a user to make a request for the deletion of a virtual server.

Description
UOD departments or eligible users can choose to locate virtual servers in the ICT Data Center. Services provided include 24 hour system monitoring, controlled power and temperature environment, a secure facility, backup, restore and offsite storage services, and problem management.

Applicable to
– Management
– Faculty

Exclusions
– Students
– Staff
– Visitors

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service request: service level target (working days)
– Standard request: Response Time 1-2 hours; Resolution Time 1 business day
– Standard provisioning: Response Time 1-2 hours; Resolution Time 3 business days
– Service Outage/unusable: Response Time 1-2 hours; Resolution Time 2 business days
– Service Degraded/unreliable: Response Time 1-2 hours; Resolution Time 2 business days
– Minor/inconvenient: Response Time 1-2 hours; Resolution Time 7 business days

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– email account
– Virtual server OS, memory, storage, CPUs and speed

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


E-mail services

Service Service level targets User responsibilities

• Description
This service provides personal e-mail services through Office365. The service includes the following features:
– an email address within the @ud.edu.sa domain that complies with the email naming standard
– a mailbox with 25GB storage space for users.
– You can move messages, flag them for follow-up, categorize messages.
– organize your messages easily by sorting them into a hierarchy of folders.
– Built-in anti-spam message filtering. Integrated anti-spam tools for smoother control of email filtering and identification.
– Convenient web and desktop access to your email and integrated calendar.
– Access from portable devices, including iOS and Android-based phones and tablets.
– personal, shared and system address books
– ability to archive messages
– ability to set up filtering rules and vacation replies

• Applicable to
– Management
– Faculty
– Staff
– Students
– Officially Approved Contractors & staff
– Guests

• Exclusions
– Temporary visitors
– Only a limited set of features is available when connecting via smartphones/mobile devices

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service request: service level target (working days)
– Creating an email account: Response Time 1-2 hours; Resolution Time 1-2 business days
– Allocating additional mailbox space (subject to feasibility/approval): Response Time 1-2 hours; Resolution Time 1-2 business days
– Creating a mailing list: Response Time 1-2 hours; Resolution Time 1-2 business days
– Changing personal details: Response Time 1-2 hours; Resolution Time 1-2 business days

Constraints
– Fundamental external constraints

Note: No service level targets can be set for speed of access from off campus, as this is constrained by ICT bandwidth availability and service from the user’s ISP. Similarly, speed of email delivery and receipt cannot be guaranteed when it depends on mail servers external to ICT. Many external mail servers restrict the delivery of large messages during office hours.

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To access the service
The users can access this service through UOD website or UOD smartphone apps

Prerequisites
– Fundamental user responsibilities
– Users must manage their mailboxes to ensure that they do not exceed space limitations and risk being prevented from sending mail.
– Users are responsible for backing up any email data (e.g. archived mail) stored on their local computer.
– Users should follow the service request procedure on ICT service Desk if they face any difficulty.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Naming standard
– Service desk procedures


Software Services

Service | Service level targets | User responsibilities

Description
Software services range from installation of printers to lab-specific software installation. The Deanship commits to providing these services on a priority basis.

Applicable to
– Management
– Faculty
– Staff
– Students (Specific cases only)
– Guests (Upon approval)

Exclusions
– visitors

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service level target (working days)

Service request | Response Time | Resolution Time (BD)
Request installing printer drivers or connect printer to the network | 1-2 hours | * 1-2
Request Installing Software on Labs PCs | 1-2 hours | * 1-2
Request Join PC to the Domain | 1-2 hours | * 1
Request Share folder in servers | 1-2 hours | * 1-2
Request remote assistance | 1-2 hours | * 1-2
Request installing or activate application license | 1-2 hours | * 1-2
Request Format Damage PC | 1-2 hours | * 1-2

Constraints
– Fundamental external constraints
– UOD account

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy

*Subject to the availability of software, licenses and/or ICT resources


Request developing applications Request Software Consultations

Service | Service level targets | User responsibilities

Description
The Deanship provides advisory and consultative service relating to software. Additionally it may undertake application development through its resources under certain circumstances.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
Subject to the availability of the ICT resources and task to be handled

Service level target (working days)

Service request | Response Time | Resolution Time (business days)
Request developing applications | Variable | variable
Request Software Consultations | Variable | variable

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Detailed Requirements

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Request remote access

Service | Service level targets | User responsibilities

Description
A secure service that enables you to remotely connect to UOD’s network using your own Internet Service Provider (ISP).

Applicable to
– Management
– Faculty, staff (subject to approval)

Exclusions
– students
– visitors

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time | Resolution Time (business days)
Remote Access Request | 1-2 hours | 1-2

Constraints
– Fundamental external constraints
– Downtime attributable to UOD bandwidth provider

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Information security policy


Hardware Services

Service | Service level targets | User responsibilities

Description
The Deanship provides various hardware services for the official desktops/laptops.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request install New PCs | 1-2 | *3-5
Request installing or replace PCs peripherals (printer, scanner etc.) | 1-2 | *2-4
Request maintenance for PCs peripherals (printer, scanner etc.) | 1-2 | *2-4

* Subject to the availability of peripheral devices, ICT resources, and complexity

Constraints
– Fundamental external constraints
– Availability of hardware/ related software

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Portal Services

Service | Service level targets | User responsibilities

Description
This service provides access permission to the portal and update for web page contents.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request Access Permissions to UD’s Portal | 1-2 | 1
Request updates of web page contents | 1-2 | 2

Constraints
– Fundamental external constraints
– Copyright material

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy


Video Conferencing Services

Service | Service level targets | User responsibilities

Description
The Deanship of ICT provides several video conferencing services that you can use to meet and collaborate with colleagues across campus or around the world.

Applicable to
– Management
– Faculty
– Staff (subject to Approval)

Exclusions
– students
– visitors

Availability
Video conferencing service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request installing New Video Conference Device | 2 | 3-4
Request installing Maintenance & Modification Video Conference Device | 2 | 3-4
Request Multiple Video Service Calls (MCU Servers) | 2 | 1-2
Request Recording Video Conference Meeting (Content Server) | 2 | 1-2
Request Scheduling Video Conference Meeting (Internal & External Call) | 2 | 1-2
Request Video (Call, Meeting, Presentation) Real Time Support | 2 | 1-2

Constraints
– Fundamental external constraints
– Availability of fundamental equipment

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy


Digital Signage Service

Service | Service level targets | User responsibilities

Description
Digital Signage service is a centrally managed/locally controlled electronic sign and interactive display platform to distribute information in an engaging, interactive manner using large format displays across campus.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request installing digital signage on monitors (internal advertising system) | 2 | 3-4
Request maintenance installing digital signage on monitors (internal advertising system) | 2 | 1-2

Constraints
– Fundamental external constraints
– Copyright material

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.


Wireless LAN Service

Service | Service level targets | User responsibilities

Description
Wireless technology provides secured network access to mobile devices within buildings with consistent capabilities.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
The UOD network from the central data center to the required building is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request installing Wireless LAN | 2 | 10-15
Request Maintaining of existing wireless LAN | 2 | 1-2

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Network Access Control Policy


Cable Nodes and Network Ports Checkup Service

Service | Service level targets | User responsibilities

Description
The service installs, activates and troubleshoots an Ethernet port to allow a department to connect a device to the campus network.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request New Cabling Nodes | 2 | 1-2
Request Fix Existing Cable Node | 2 | 1-2
Request Network Ports Checkup | 2 | 1-2
Request Network Checkup for a building (Connection, Traffic to & from the building) | 2 | 2-3

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Network Access Control Policy


Data Center Services

Service | Service level targets | User responsibilities

Description
The service provides internet and server connectivity.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request Data Center service (Internet & Servers Connectivity) | 2 | 1-2

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Network Access Control Policy

The primary purpose of this policy is to inform, educate and set expectations for the members of the university community of their individual and corporate responsibilities towards the use of information, products and services obtained from the internet. Internet filtering is provided to all students, faculty and staff to protect them from the unintentional or deliberate accessing of internet content that is offensive and inappropriate.


Security Services

Service | Service level targets | User responsibilities

Description
The primary purpose of this service is to provision the ability to block, unblock or filter network traffic, and to publish on a 3rd party domain.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service level target (working days)

Service request | Response Time (hours) | Resolution Time (business days)
Request block or unblock or filter network traffic (website, protocol, port) | 1-2 | 3-5
Request Publishing Services Outside UD | 1-2 | 3-5
Request remote access through VPN (Add/Modify/Delete/Troubleshoot) | 1-2 | 3-5

Constraints
– Fundamental external constraints

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Information security policy
– Network Access Control Policy