
ICT

Policies & Procedures


Contents
• Acceptable Use Policy
• Backup Policy and Procedures
• Bandwidth Use Policy
• Data Classification Policy
• Information Security Policy
• Network Access Control Policy
• OneDrive Cloud Storage Policy
• Password Policy
• ICT User Authentication Policy
• Web Hosting Policy with Third-Party Service Providers
• Core ICT Services Service Level Agreement

Acceptable Use Policy
Deanship of Information & Communications Technology
Policy: Acceptable Use Policy
Policy Number: ICT.2013.2
Posted Date:
Approval Date:
Page:

Objective: To ensure the appropriate use of the University’s Information and Communication
Technology (ICT) Services and define the responsibilities of users of the University’s ICT
Services and Infrastructure.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies:

(a) Information Security Policy

(b) Password Policy

Executive Summary
University of Dammam (UOD) Information and Communication Technology (ICT) resources have been
provided to support University business and mission. These facilities are expected to be used for
educational, instructional, research, professional development and administrative activities of the
University. The use of these resources is a privilege that is extended to qualified members of the
community. Access to computers, computing systems and networks owned by the University imposes
certain responsibilities and obligations and is subject to university policies and codes and the
Kingdom’s local laws. It is important that these ICT resources are used for the purpose for which they
are intended. All users of these resources must comply with specific policies and guidelines governing
their use, and act responsibly while using shared computing and network resources.

The ICT Acceptable Use Policy (AUP) informs the University’s faculty, support staff, students, management
and other individuals authorized to use University facilities, of the regulations relating to the use of ICT
systems. The University expects users to use the ICT facilities in an appropriate and responsible manner in
accordance with this policy. Anyone who abuses the privilege of the ICT resources, either directly by
promoting inappropriate activities and misusing the resources, or indirectly by inadvertently allowing
unauthorized users access for personal and professional purposes, will be subject to sanctions or legal
action.

Introduction
The University provides ICT for its educational purposes, particularly teaching and research, as well as for
reasonable personal use which is acceptable to the University environment. University of Dammam allows
users to access the computing and network resources in order to facilitate them in carrying out their duties
and the university expects these resources be used for purposes related to their jobs and not be used for
unrelated purposes. These resources include all university owned, licensed, or managed hardware and
software, and use of the university network via a physical or wireless connection, regardless of the
ownership of the computer or device connected to the network. The purpose of this policy is to promote
the efficient, ethical and lawful use of the University of Dammam’s computer and network resources.

Acceptable Use Policy Objectives


The following are the objectives of acceptable use policy:

1. Provide guidelines for the conditions of acceptance and the appropriate use of the computing and
networking resources provided for use by academic, professional and support staff and students
of the University.

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission
and institutional goals.

3. Encourage users to understand their own rights and responsibility for protecting the University
ICT resources.

4. Protect the privacy and integrity of data stored on the University network.

5. Elaborate the consequences of the inappropriate use of these resources.

Outcomes of the Policy


By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university
ICT resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Policy Rationale
There needs to be commitment to protect UOD faculty, students, staff, management and contractors from
illegal or damaging action by individuals, either knowingly or unknowingly. Inappropriate use of these ICT
resources exposes UOD to risks including virus attacks, compromise of network systems and services, and
legal issues.
Entities affected by this Policy
This policy applies to all the community of University of Dammam using computing and network resources.
These include:
• Users (academic, professional and support staff, students and management) using either personal
or University provided equipment connected locally or remotely to the network of the University.
• All ICT equipment connected (locally or remotely) to University servers.
• ICT systems owned by and/or administered by the Deanship of ICT.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.
• All external entities that have an executed contractual agreement with the University.

Business Impact of No AUP


The potential adverse business impact to the university due to lack of acceptable use policy may include:

• Violations of either personal or copyrighted material
• Security breaches
• Bad publicity and embarrassment to individuals or University
• Identity or financial fraud

Policy Benefits
1. It will define the responsibilities of users of the University’s ICT Services and Infrastructure.
2. It will deter unacceptable ICT use by declaring the punitive actions for such an act.
3. Fair use of services.
4. Better service quality.

Section B – Policy Statement:

Acceptable Use Policy Statements:
1. This policy applies to all users of computing resources owned or managed by University of
Dammam. Individuals covered by the policy include (but are not limited to) UoD faculty and
visiting faculty, staff, students, alumni, guests or members of the administration, external
individuals and organizations such as contractors and their employees accessing network
services via UoD’s computing facilities.
2. The resources should be used for the purpose for which they are intended.
3. Users must adhere to the confidentiality rules governing the use of passwords and accounts,
details of which must not be shared.
4. Users may use only the computers, computer accounts, and computer files for which they have
authorization.
5. The university encourages and promotes using the university email for administrative, learning
and professional purposes. Hence, the users must use their university email in their business
communications.
6. The only way to access the university’s network is to have a valid account, and any other way,
such as plugging one’s own internet connection into the university network, shall be considered a
violation.
7. All users of the university’s network and computing resources are expected to respect the
privacy and personal rights of others.
8. The University reserves the right to monitor all activities performed by the users on the internet
by recording and reporting without the consent of the user.
9. The University has the right to block any site or group of sites according to its policies and will
take necessary action against use that violates this policy.
10. The University reserves the right to make any amendments in this policy at any time.
11. Users who discover or find security problems or suspicious activity must immediately contact
Technical Support of the DICT.

Unacceptable Use Policy


1. Users must not use the university network in any illegal manner, e.g. for commercial purposes, nor
use it to log in to or browse illegal web sites or content.

2. Users must not disclose their login information and access or copy another user’s email, data,
programs, or other files.
3. Users must not attempt to violate or compromise the security standards on the University
network or any other device connected to the network or accessed through the Internet.
4. The University network may not be used for the creation, dissemination, storage and display
of obscene or pornographic material, abusive, indecent, obscene, and defamatory or hate
literature etc.
5. University users should not create illegal copies of, or otherwise violate, copyright-protected
material in order to use or save such copies on University devices or send them through the
University network. This policy also prohibits illegal use such as sending, downloading or
publishing any material that violates the laws of the Kingdom of Saudi Arabia and is against the
Islamic values.
6. This policy prohibits users from adding, deleting, or modifying any information on the university
network in an attempt to disrupt or mislead others.
7. Users are not allowed to engage in any activity that may adversely affect the ability of others
to use the Internet services provided by the university, e.g. denial of service attacks, hacking,
viruses, consuming gratuitously large amounts of system resources (disk space, CPU time,
print quotas, and network bandwidth) or deliberately crashing the machine(s).
8. The university prohibits downloading any programs and installing them on the university’s
computers. Any such request should be made through DICT technical support.
9. Non-serious, disruptive, destructive or inconsiderate conduct in computer labs or terminal
areas is not permitted.
10. DICT is not responsible for the internet content browsed by the end user, or for problems
that might happen to the user from browsing untrusted websites.

Policy Breaches:
Anyone who breaches this policy will be subject to any or all of the following actions:
a. Suspension of the university internet account/access.
b. The referral of the case to the University management along with supporting evidence for
an appropriate action.
c. The case may be investigated by the Communication & Information Technology
Commission (CITC), Saudi Arabia who may initiate criminal investigation according to the
e-crimes regulations. More information regarding these regulations may be found here.

Definitions
The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a
direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Device - Any computer or electronic device capable of accessing, storing and communicating data.
End Host Device - An electronic device which can be connected to a network. End Host Devices include, but
are not limited to:
• Desktop computers
• Notebook computers
• Workstations
• Servers
• Network Printers
• Telecommunications equipment
• Wireless Devices and
• Other network aware devices

ICT Facilities – All computers, terminals, telephones and communication links, end host devices, licences,
centrally managed data, computing laboratories, video conference rooms, and software owned or leased
by the University.

ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network
connections to external resources such as the Internet.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of
the university including but not limited to data, records, electronic services, network services, software,
computers, and Information systems.

Backup Policy and Procedures

Deanship of Information & Communications Technology
Policy: Backup Policy and Procedures
Policy Number: ICT.2013.4
Posted Date:
Approval Date:
Page:

Objective: This document outlines a set of policies and procedures for Data Backup
and Retention to facilitate restoration of applications and associated data. Also it lays
emphasis on verifying that backups and recoveries are completed without errors.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies:

(a) Information Security Policy

(b) Operational Unit Data Center SLA


Executive Summary
University of Dammam (UOD) Information and Communication Technology (ICT) resources have been
provided to support University business and mission. The unprecedented growth in data volumes has
necessitated an efficient approach to data backup and recovery. Deanship of Information &
Communications Technology (DICT) recognizes that the backup and maintenance of data for servers are
critical to the viability and operations of the respective departments. It is essential that certain basic
standard practices be followed to ensure that data files are backed up on a regular basis.

This document defines the backup policy for computer systems within the organization which are expected
to have their data backed up. These systems are typically servers but are not necessarily limited to servers.
The policy outlines the minimum requirements for the creation and retention of backups. The main
purpose of this policy is to provide secure storage for data assets critical to the work flow of official
university business, prevent loss of data in the case of accidental deletion / corruption of data, system
failure, or disaster and permit timely restoration of archived data in the event of a disaster or system
failure.

Introduction
This document outlines a set of policies and procedures for Data Backup and Retention to facilitate
restoration of applications and associated data. Also it lays emphasis on verifying that backups and
recoveries are completed without errors.

Purpose
To ensure server and data continuity and to support the retrieval and restoration of archived information
in the event of a disaster, equipment failure, and/or accidental loss of files.
Goals
The goals of this backup policy will be as follows:
• to safeguard the information assets of University of Dammam (UoD) Community.
• to prevent the loss of data in the case of accidental deletion or corruption of data, system failure,
or disaster.

• to permit timely restoration of information and business processes should such events occur.

• to manage and secure backup & restoration processes and the media employed within these
processes.

Scope
The Deanship of ICT (DICT) Operational Unit (OU) is responsible for providing policy-based, system level,
network-based backups of server systems under its stewardship. This document outlines the policies for
backup implementation that define:

• Selections: what information needs to be backed up on which systems.
• Priority: relative importance of information for the purpose of performing backup jobs.
• Type: the frequency and amount of information to be backed up within a set of backup jobs.
• Schedule: the schedule to be used for backup jobs.
• Duration: the maximum execution time a backup job may execute prior to its adversely affecting
other processes.
• Retention Period: the time period for which backup images created during backup jobs are to be
retained.

Backup Creation
Backups will be created using industry standard data backup software that supports “enterprise
level” data assurance. The product, defined by the data backup standard, must support scheduled backups,
full or differential or incremental backups, and centralized management.

System Backup Profiles


The DICT Operational Unit maintains the following types of backup profiles:
1. Standard Backup:
• The standard backup is provided for most centralized University computer systems.
• The backup could be full, differential or incremental. The frequency of backup could be daily,
weekly or monthly and is dependent upon the application. The retention of these backups
could vary from 1 week up to 2 months.
• For some applications backup is performed on a day and time agreed upon by the OU and
application owner.

• Appendix I shows the applications along with backup type, frequency of backup and
retention period.

2. Critical System Backup:


• Certain enterprise-wide systems are deemed critical to University operations and dictate
longer retention periods from 6 months up to 1 year.

• The type, frequency and retention period is different for different applications.
• Prior to a major upgrade of a production system, database, or application, a full system
backup is performed and retained for 6 months.

• Appendix I shows the applications along with backup type, frequency of backup and
retention period.

3. Special Request Backup:


Some departments or applications may require an exception to the standard backup retention
periods mentioned above. Exceptions are permitted, but must be fully documented.

4. No Backup:
ICT Services is responsible for backing up data that is stored in central systems and databases.
Data residing on individual workstation hard drives is the responsibility of the user to back up.
Furthermore, the systems that fall under this category might include development or test systems
that do not contain important business or academic data. Students, faculty, staff and third parties
who store data on University equipment are responsible for ensuring the data is stored in a way
that will ensure it is properly backed up. However, most systems that are centrally managed by
DICT are backed up on one of the schedules listed above.

Storage Locations and Retention Period of Backups
Unless a system supporting an application or business function requires a custom retention period, DICT
will maintain full and incremental backups. Backup tapes for the current weekly backup period will be
stored within the DICT for purposes of current backups and restores.

Tapes representing backups from the former weekly backup period will be stored within a secured,
fireproof place until such time as the backup images stored on these tapes expire and the tapes are re-used
or destroyed.

After a successful backup, it will be stored in a secure, off-site media vaulting location for an appropriate
period for disaster recovery purposes.
This will ensure that no more than one week of information would be lost in the event of a disaster in
which campus systems and backup images are destroyed. After the period of six months has elapsed, the
tapes may ‘optionally’ be returned to DICT and re-used or destroyed.

Backup Verification
On a periodic basis, logged information generated from each backup job will be reviewed for the following
purposes:
• to check for and correct errors
• to monitor duration of the backup job
• to optimize backup performance where possible
DICT will identify problems and take corrective actions to reduce any risks associated with failed backups.
Test restores from backup tapes for each system will be performed. Problems will be identified and
corrected. This will work to ensure that both the tapes and the backup procedures work properly.

DICT will maintain records demonstrating the review of logs and test restores so as to demonstrate
compliance with this policy for auditing purposes.

Media Management
Media will be clearly labeled and logs will be maintained identifying the location and content of backup
media. Backup images on assigned media will be tracked throughout the retention period defined for each
image. When all images on the backup media have expired, the media will be re-incorporated amongst
unassigned (available) media until reused. Periodically and according to the recommended lifetime defined
for the backup media utilized, DICT will retire & dispose of media so as to avoid media failures.

Storage, Access, and Security


All backup media must be stored in a secure area that is accessible only to designated OU staff or
employees of the contracted secure off-site media vaulting vendor used by DICT. Backup media will be
stored in a physically secured, fireproof place when not in use. During transport or changes of media,
media will not be left unattended.

Retirement and Disposal of Media


Prior to retirement and disposal, DICT will ensure the following:
• the media no longer contains active backup images or that any active backup images have been
copied to other media

• the media’s current or former contents cannot be read or recovered by an unauthorized party.
• with all backup media, CICT will ensure the physical destruction of the media prior to
disposal.
Disaster Recovery Considerations
As soon as is practical and safe post-disaster, DICT will:
• Restore existing systems to working order or obtain comparable systems in support of defined
business processes and application software.

• Restore the backup system according to documented configuration so as to restore server
systems.
• Obtain all necessary backup media to restore server computing systems.
• Restore server computing systems according to the priority of systems and processes as
outlined for restoration and recovery in the Disaster Recovery Plan.

Documentation
Essential documentation will be maintained for orderly and efficient data backup and restoration. The
person-in-charge of data backup should fully document the following items for each generated data
backup:
S. No | Action Item | Action
• Date of data backup
• Type of data backup (incremental, differential, full)
• Number of generations
• Responsibility for data backup
• Extent of data backup (files/directories)
• Data media on which the operational data are
• Data media on which the backup data are stored
• Data backup hardware and software (with version number)
• Storage location of backup copies

Bandwidth Use Policy


Deanship of Information & Communications Technology
Policy: Bandwidth Use Policy
Policy Number: ICT.2013.5
Posted Date:
Approval Date:
Page:

Objective: The purpose of the bandwidth usage policy is to enhance the internet
usage of UoD users by proper management and control of bandwidth. All in all the
bandwidth usage policy shall set guidelines important to use bandwidth as a scarce
resource in the university.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies:

(a) Acceptable Use Policy

Executive Summary
University of Dammam provides high speed internet access as a service to its management, faculty,
students, researchers and administrative staff. The purpose of the bandwidth usage policy is to enhance
the internet usage of UoD users through proper management and control of bandwidth. The
bandwidth is a precious shared resource and hence ought to be dedicated to teaching, learning and
research purposes. Its usage should be in line with the university mission, vision and strategy. This
bandwidth policy is prepared to define the appropriate use of bandwidth in the university so that
optimum gains are achieved from the network.

Bandwidth Use Policy Objectives


The following are the objectives of the policy:

1. to establish awareness and accountability for bandwidth use

2. to educate the users of the priority related to internet traffic

3. to provide guidelines for responsible use

Scope
The aim of this policy is to manage bandwidth use proactively in order to avoid degradation of network
performance. This policy applies to all users of University of Dammam accessing computing and internet
resources, whether initiated from a computer and/or network device located on or off campus.

Audience
This policy shall apply to all faculty, management, staff and students of University of Dammam and
guests who are given access to the UoD network. All users are to be made aware of the policy and sign
it as appropriate.

Section B – Policy Statement:


• Bandwidth may be used for any activity supporting teaching, research and consultancy in such a
way that it will not prevent other users from using the same.
• DICT maintains the right to use monitoring tools that log and analyze bandwidth usage of all
users of the network. However, the collected data is to be used exclusively for the purpose of
enhancing proper bandwidth usage.
• DICT maintains the right to block any traffic that is not in line with the university mission and
vision and that wastes bandwidth.
• DICT maintains the right to give priority for one type of traffic over the other based on
predefined rules.
• Whenever necessary, DICT maintains the right to give priority to some users over others
by giving them more access to bandwidth. This will be based on the relevance of the work to the
university’s mission.
• DICT maintains the right to enforce user authentication for using the Internet by assigning users
accounts and keeping logs of usage history for analysis of users’ usage behavior. Users will be
responsible for all usage history registered in their account.
• DICT Internet users shall use the proxy server to access the Internet for centralized bandwidth
monitoring and management purposes.
• Bandwidth may not be used for any non-educational activities or activities that consume
bandwidth for the benefit of a few users.
• Users should not engage in activities such as hacking, cracking, spamming, streaming, web
serving and P2P file sharing using the university’s resources.
• DICT users may not be allowed to do tasks that disturb the bandwidth management and
optimization system on any machine connected to the network.
• Bandwidth quotas are applied to all traffic passing between student computers and the Internet.

Excessive use of the network


• To ensure that all qualified users making use of the internet resources receive a fair share
of the bandwidth available, each individual’s bandwidth is limited to no more than 1GB in a
rolling 24-hour period.
• Individual bandwidth will be calculated as the combined network traffic from all personal
computer systems used. This includes use of the wired network service, the VPN and
wireless network services. However the internal university traffic including email services
and access to central file servers will be exempted.

Exceptions
• Users who have a genuine academic requirement for a larger quota should identify this need
before exceeding their quota, and should then follow the process below:
o Obtain authorization for a higher quota from the user’s respective Dean or Manager.
o Present the request and supporting authorization to the DICT and be prepared for a
discussion.
o Properly supported requests will normally be granted, provided that their impact on
the use of the network as a whole is not disproportionate.
Consequences of exceeding the Bandwidth usage
• Users will be allocated to a restricted network which will allow access to only authorized
university web based systems. This includes university website, departmental websites,
VLE and SIS.
• Users should use this time to identify the cause of the high bandwidth usage. If users require
help rectifying the problem then they should contact the ICT Service Desk.
• This withdrawal of network services only applies to your personal computer. Your
university account is still fully operational and you will be able to use computing facilities in
your department or library.

Appeals
To appeal, contact the ICT Service Desk and clearly state the grounds on which your appeal is based.
You should only appeal against the decision if you believe that:
o You have not exceeded the bandwidth limits for the service (1GB in any 24 hour period).
o You have mitigating circumstances to warrant a review of the penalty.

The following reasons would NOT be acceptable grounds for appeal:

o You were unaware that your actions were illegal / in breach of the Conditions of Use of the
network.
o Your guest or friend made use of your connection.
o You accidentally left your computer system switched on downloading copyrighted content.
o You know of other users currently downloading similar content on the network.

Definitions
The following terms are used in this document.

Bandwidth: the transmission capacity of a computer or a communications channel stated in megabits per
second (Mbps).

Monitoring tools: logging and analysis tools used to accurately determine traffic flows, utilization,
and other performance indicators on a network.

Authentication: the process that validates a user’s logon information by comparing the user
name and password to a list of authorized users.

Proxy server: A software package running on a server positioned between an internal network
and the Internet.

Mirror site: A duplicate Web site that contains the same information as the original Web site and reduces
traffic on that site by providing a local or regional alternative.

Hacking: using a computer or other technological device or system in order to gain unauthorized
access to data held by another person or organization.

P2P file sharing: direct communication or sharing of resources between commercial or
private users of the Internet.

Streaming: the playing of sound or video over the Internet or a computer network in real time.

Data Classification Policy


Deanship of Information & Communications Technology
Policy: Data Classification
Policy Number: ICT.2013.3
Posted Date:
Approval Date:
Page:

Objective: To ensure UOD’s information assets are identified, properly classified, and
protected throughout their lifecycles.
Responsible Official:
Responsible Office: Quality Unit
Signature:
ITC Reference Policies:

(a) Information Security Policy

(b) Acceptable Use Policy


Data classification is the act of placing data into categories that will dictate the level of internal controls to
protect that data against theft, compromise, and inappropriate use.

University of Dammam must protect its institutional assets as the data is prepared, managed, used,
or retained by one of the constituent units or an employee relating to the activities or operations
of the university. This does not include individually-owned data not related to university business.
The policy will help educate the university community about the importance of protecting data
generated, accessed, transmitted and stored by the university, to identify procedures that should
be in place to protect the confidentiality, integrity and availability of university data and to comply
with privacy and confidentiality of information.

Data Classification Policy Objectives


The purpose of this policy is to establish a framework for classifying University of Dammam data
based on its level of sensitivity, value and criticality to its business activities. The following are the
objectives of data classification policy:
1- Assist UOD community in the assessment of data to determine the level of security,
which must be implemented to protect that data whether it is in paper copy or on the
information system for which they are responsible.

2- Protect UOD’s data in terms of availability, confidentiality and integrity.

3- Identify who gets access to which kind of data.

4- Implement security provisions against unauthorized access.

Outcomes of the Policy


By enforcing the data classification policy, we aim to achieve the following outcomes:

1. Better aware and informed university community regarding data and its value.

2. Mapped data protection methods with the university policies.

3. Accountability of the management and use of data.

4. Appropriate levels of confidentiality, integrity and availability in place.

Policy Rationale
The classification of data, information, and documents is essential to differentiate between
non-sensitive and sensitive / confidential information. When data is stored, created, amended or
transmitted, it should be appropriately classified and protected in accordance with the sensitivity
level.

The privacy, security, and integrity of data are critical to the university business. It is also necessary
to evaluate the impact to the university should that data be disclosed, altered or destroyed
without authorization. Classification of data will aid in determining baseline security controls for
the protection of data.

Data classification provides several benefits by providing an inventory of university information
assets. In many cases, information asset owners aren’t aware of all of the different types of data
they hold. It will also allow ICT to work with departments to develop specific security requirements
that can be readily utilized.

Entities affected by this Policy


This policy applies to all University administrative data, all user-developed data sets and systems
that may access this data, regardless of the environment where the data reside (including systems,
servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the
media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they
may take (text, graphics, video, voice, etc.).

Audience
All faculty, management, staff, students, employees as well as third-party contractors, consultants and
guests should abide by this policy.

Business Impact of no data classification


The potential adverse business impact to the university due to lack of data classification policy may include:
• Loss of critical campus operations
• Loss of opportunities or value of the data
• Damage to the reputation of the campus
• Lack of corrective actions or repairs
• Violation of University mission and policies

Policy Benefits
1. The university community will become familiar with this data classification policy and will
consistently use it in their daily business activities.
2. Consistent use of data classification reinforces with users the expected level of protection of data
assets.
3. It will address risks associated with the unauthorized disclosure, use, modification, and deletion of
university data.
4. Improved and appropriate security measures for the data.

Policy Relevance for UOD Community


Category High Medium Low Notes
The organization

Administration
Staff
Faculty √
Students √
Other(s) √

Section B – Policy Statement:


The UOD data classification policy provides a framework for assessing data sensitivity measured by the
adverse business impact a breach of data would have on the campus from risks including, but not limited
to, unauthorized use, access, modification, disclosure, destruction and removal. Thus all members of the
university community have a responsibility to understand data classification and protect university data.
This policy outlines measures and establishes protection profile requirements for each class of data.
Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal
action.
Data Classification
The classification of data helps determine what baseline security controls are appropriate for safeguarding
that data. Reasonable precautions and protections should be taken, regardless of classification. All UOD
institutional data has been classified into four levels or classifications:

Tier 1 - High Confidential Data


Data is classified as Confidential when an unauthorized disclosure, alteration or destruction of that data
will cause a significant level of risk to the University. Access to Confidential data must be individually
requested and then authorized by the Data Owner who is responsible for the data. The assessment of risk
and access approval will be determined by the data owner or risk committee.

Tier 2 - Confidential Data


Confidential or sensitive information that would not necessarily expose the University to significant loss,
but the data owner has determined security measures are needed to protect from unauthorized access,
modifications, or disclosure.

Tier 3 - Internal Data


Data is classified as Internal/Private for all the information assets that are not explicitly classified as
Confidential or Public data. A reasonable level of security controls should be applied to internal data.

Tier 4 - Public Data


Data will be classified as Public when the unauthorized disclosure, alteration or destruction of that data
would result in little or no risk to the University and its affiliates.

Data Classification and Handling

Definition
• Public: Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods and disclosure, alteration or modifications will cause no risk to the university
• Internal: Routine or daily operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but these are not widely available to the public
• Confidential: Confidential or sensitive information that would not necessarily expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure
• High Confidential: Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the university (embarrassment, financial loss, etc.)

Examples brochures, news Routine Intellectual property licensed Protected Health Information
releases, pamphlets, correspondence,employee and/or under development, (PHI), Student Identifiable
web sites, internal newsletters, inter-office records, purchasing information, Information, department
phone directories, memoranda, internal policies vendor contracts, system financial data, personnel
marketing materials & procedures configurations, system logs, risk information, credit or bank
reports, RFP, RFI etc. details.
contract research protocols

Transmissions

1. E-mail within the organization
• Public: No special handling required
• Internal: No special handling required, but reasonable precautions should be taken
• Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner
• High Confidential: Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner

2. E-mail outside of the organization
• Public: No special handling required
• Internal: No special handling required, but reasonable precautions should be taken
• Confidential: Use of e-mail strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner
• High Confidential: Encryption is required.

3. Data transfers (file transmissions, website, etc.)
• Public: No special precautions are required
• Internal: Encryption is recommended but not required
• Confidential: Encryption is required
• High Confidential: Encryption is required

4. Data print and printer location
• Public: No restrictions
• Internal: Printer to be located in an area not accessible by general public
• Confidential: Monitoring required and removal of the printed material immediately
• High Confidential: Monitoring required and removal of the printed material immediately

Backup and Recovery
• Public: Should be backed up monthly and incrementally based on content change
• Internal: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
• Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability
• High Confidential: Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs. Backups should be tested regularly to ensure reliability. Never overwrite the most recent backups



Storage

1. Printed materials
• Public: No special precautions required
• Internal: Reasonable precautions to prevent access by non-employees.
• Confidential: Storage in a secure manner, e.g. secure area, lockable enclosure. Must be locked when unattended
• High Confidential: Storage in a lockable enclosure. Must be locked when not in use

2. Electronic documents
• Public: Storage on all drives allowed but access controls must be enforced
• Internal: Storage on all drives allowed but access controls must be enforced
• Confidential: Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet.
• High Confidential: Storage on secure drives only. Password protection of document preferred.

3. Emails
• Public: No special precautions required
• Internal: Reasonable precautions to prevent access by non-staff & employees
• Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials
• High Confidential: Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials

4. Portable devices
• Public: No special precautions required
• Internal: Use lockable containers or devices
• Confidential: Use lockable containers or devices.
• High Confidential: Use lockable containers or devices.

5. Storage by third party
• Public: No special precautions required
• Internal: Secured with lockable enclosures and access controls required
• Confidential: Secured with lockable enclosures and access controls required
• High Confidential: Secured with lockable enclosures and access controls required

Marking

1. Documents
• Public: No restrictions
• Internal: “Internal Use Only” note at the bottom
• Confidential: “Confidential” note at the top
• High Confidential: “Confidential” at the top and bottom

Physical Security

1. Workstations
• Public: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• Internal: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.
• High Confidential: Password protected screen-saver to be used when not in use. Sign off when not in use for long time.

2. Servers
• Public: Not permitted
• Internal: Secured area location and limited access based on the job responsibilities
• Confidential: Secured area location and limited access based on the job responsibilities
• High Confidential: Secured area location and limited access based on the job responsibilities

3. Printing
• Public: No restrictions
• Internal: Printouts to be collected immediately
• Confidential: Minimize the prints and collect immediately
• High Confidential: Print only when necessary and do not leave unattended

4. Office access
• Public: No restrictions
• Internal: No restrictions
• Confidential: Access to the sensitive area must be restricted using access control
• High Confidential: Access to the sensitive area must be restricted using access control. Confidential information must be kept under lock.

5. Portable devices
• Public: Devices must not be left unattended at any time
• Internal: Devices must not be left unattended at any time
• Confidential: Devices must not be left unattended at any time. Consider using lock and access control
• High Confidential: Devices must not be left unattended at any time and must be placed under lock and access control

Access Control
• Public: Content changes by only authorized persons
• Internal: Password access control
• Confidential: Password access control. Content changes based on the data owner and business needs
• High Confidential: Password/Biometric/Authentication based access control. Content changes based on the data owner and business needs

Responsibilities
Data owners are responsible for appropriately classifying data.

Data custodians are responsible for labeling data with the appropriate classification and applying required
and suggested safeguards.

Data users are responsible for complying with data use requirements and must report immediately any
breach of the policy to the data owner.

Data users are responsible for immediately referring requests for public records to the University Relations
Division – Office of Public Affairs or to the Office of the Vice President and General Counsel.

Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include suspension or termination from
UOD or legal action as determined by the legal department.

Definitions
The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must
be available on demand or on a timely basis.

Confidential - Sensitive data that must be protected from unauthorized disclosure or public release.

Confidentiality - The assurance that information is disclosed only to those systems or persons who are
intended to receive the information.

Data custodian – Individual or group responsible for classifying data and generating guidelines for its
lifecycle management.

Data owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate
responsibility for the use and protection of university data.

Data user - Any member of the university community who has access to university data, and thus is
entrusted with the protection of that data.

Impact – A combination of data confidentiality, integrity and availability.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise
criminal act.

Public - Data for which there is no expectation for privacy or confidentiality.


References:
1. Robert Johnson; Mark Merkow (2010), Security Policies and Implementation Issues
2. Woody, Aaron (2013), Enterprise Security: A Data-Centric Approach to Securing the Enterprise
Information Security Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.1
Policy: Information Security Policy
Approval Date:
Page:

Objective:

To establish the policy of the University for the use, protection, and preservation of computer-based
information generated by, owned by, or otherwise in the possession of
University of Dammam, including all academic, administrative, and research data.
Responsible Official: Information Security Officer
Responsible Office: Operational Unit
Signature:
ITC Reference Policies :

(a) Data Classification Policy

Executive Summary
Information is a vital asset to any organization and this is especially so in a knowledge-driven organization
such as the University of Dammam (UOD), where information will relate to learning and teaching, research,
administration and management. It is imperative that computer data, hardware, networks and software be
adequately protected against alteration, damage, theft or unauthorized access.

University of Dammam is committed to protecting information resources that are critical to its academic
and research mission. These information assets, including its networks, will be protected by controlling
authorized access, creating logical and physical barriers to unauthorized access, configuring hardware and
software to protect networks and applications. An effective Information Security Policy will provide a
sound basis for defining and regulating the management of institutional information assets as well as the
information systems that store, process and transmit institutional data. Such a policy will ensure that
information is appropriately secured against the adverse effects of breaches in confidentiality, integrity,
availability and compliance which would otherwise occur. This policy sets forth requirements for
incorporation of information security practices into daily usage of university systems.

Information Security Policy Objectives


The University recognizes the role of information security in ensuring that users have access to the
information they require in order to carry out their work. Computer and information systems underpin all
the University’s activities, and are essential to its research, learning, teaching and administrative functions.

The university is committed to protecting the security of its information and information systems. The
following are the objectives of information security policy:

1. to protect academic, administrative and personal information from threats.

2. to maintain the confidentiality, integrity and availability of the UOD information assets.
3. to prevent data loss, modification and disclosure, including research and teaching data from
unauthorized access and use.
4. to protect against information security incidents that might have an adverse impact on UOD business,
reputation and professional standing.

5. to establish responsibilities and accountability for information security.

Information Security Principles


Enforcing an appropriate information security policy involves knowing university information assets,
permitting access to all authorized users and ensuring the proper and appropriate handling of information.
The University has adopted the following principles, which underpin this policy:

• Information is an asset and like any other business asset it has a value and must be protected.

• The systems that are used to store, process and communicate this information must also be
protected.

• Information should be made available to all authorized users.

• Information must be classified according to an appropriate level of sensitivity, value and criticality
as presented in the ‘data classification policy’.

• Integrity of information must be maintained; information must be accurate, complete, timely and
consistent with other information.

• All members of the University community who have access to information have a responsibility to
handle it appropriately, according to its classification.

• Information will be protected against unauthorized access.

• Compliance with this policy is compulsory for UOD community.

Outcomes of the Policy


By enforcing the data classification policy, we aim to achieve the following outcomes:

1. Mitigation of the dangers and potential cost of UOD computer and information assets misuse.

2. Improved credibility with the UOD community and partner organizations.

3. Protected information at rest and in transit.

Policy Rationale
University of Dammam possesses information that is sensitive and valuable, ranging from personally
identifiable information, research, and other information considered sensitive to financial data. This
information needs to be protected from unauthorized use, modification, disclosure or destruction. The
exposure of sensitive information to unauthorized individuals could cause irreparable harm to the
University or University community. Additionally, if University information were tampered with or made
unavailable, it could impair the University’s ability to do business. The University therefore requires all
employees to diligently protect information as appropriate for its sensitivity level.

The information security policy has been laid down in accordance with the principles and guidelines defined
and enforced by the ‘Communications & Information Technology Commission’ in the document titled
“Information Security Policies and Procedures Development Framework for Government Agencies”.

Entities affected by this Policy


• All full-time, part-time and temporary staff employed by, or working for or on behalf of the
University.
• Students studying at the University.
• Contractors and consultants working for or on behalf of the University.
• All other individuals and groups who have been granted access to the University’s ICT systems and
information.

Business Impact of no Information Security


The potential adverse business impact to the university due to lack of information security policy may
include:
• Loss of critical campus information
• Higher costs due to waste of resources
• Damage to the reputation of the UOD
• Lack of corrective actions or repairs
• Violation of University and government regulatory policies and procedures

Policy Benefits
1. It will address risks associated with the unauthorized disclosure, use, modification and deletion of
university data.

2. Improved and appropriate security measures for the data.

3. Protect UOD information assets.

Section B – Policy Statement:


Information is fundamental to the effective operation of the University and is an important business asset.
The purpose of this Information Security Policy is to ensure that the information managed by the
University is appropriately secured in order to protect against the possible consequences of breaches of
confidentiality, failures of integrity or interruptions to the availability of that information. Any reduction in
the confidentiality, integrity or availability of information could prevent the University from functioning
effectively and efficiently.
A. Applicability

• All full-time, part-time and temporary staff employed by, or working for or on behalf of the University.
• Students studying at the University.
• Contractors and consultants working for or on behalf of the University.
• All other individuals and groups who have been granted access to the University’s ICT systems and
information.

B. Security Roles and Responsibilities

All members of the University have direct individual and shared responsibilities for handling information or
using university information resources to abide by this policy and other related policies.
In order to fulfill these responsibilities, members of the University must:
• be aware of this policy and comply with it,
• understand which information they have a right of access to,
• know the information, for which they are owners,
• know the information systems and computer hardware for which they are responsible.

Information Users
Every member of the university community, who has a legitimate access to the university ICT resources, is
responsible to abide by this policy. No individual should be able to access information to which they do not
have a legitimate access right. Information users should neither violate this policy nor allow others to do
so. Information users must be aware of the nature of the information to which they have been granted
access and must handle information carefully according to its classification. They should protect the
confidentiality of information and not give access to illegitimate individuals, knowingly or
unknowingly.
For the purpose of information security, access to all email servers other than the University of Dammam
email server will be blocked through University network resources.

Information Owners
The information owners have responsibility to maintain the confidentiality, integrity and availability of
information. In particular:

• Each university unit (Deanship, Department, College, Section and Center) will identify its sensitive
and critical information assets and classify them according to the University ‘Data Classification
Policy’.
• Heads of departments, departmental administrators and IT support staff are responsible for the
confidentiality, integrity and availability of information maintained by members of their
department, such as students’ academic records. They are also responsible for the security of all
departmentally operated information systems.
• Data and systems managers in support services are responsible for the confidentiality, integrity
and availability of information, such as student, personnel and financial data.
• Project managers leading projects for the development or modification of information systems,
are responsible for ensuring that projects take account of the needs of information access and
security and that appropriate and effective control mechanisms are instituted, so that the
confidentiality, integrity and availability of information is guaranteed.
• Information owners will conduct risk assessment of their information assets and may recommend
the mitigation strategies.
• Any information security incident will be reported to the chief security officer.

Definitions

The following terms are used in this document.

Availability - The assurance that information and services are delivered when needed. Certain data must
be available on demand or on a timely basis.

Confidentiality - The assurance that information is disclosed only to those systems or persons who are
intended to receive the information.

Data Custodian – Individual or group responsible for classifying data and generating guidelines for its
lifecycle management.

Data Owner - Senior leadership, typically at the dean, director or department chair level, with the ultimate
responsibility for the use and protection of university data.

Data User - Any member of the university community who has access to university data, and thus is
entrusted with the protection of that data.

ICT Infrastructure - All electronic communication devices, networks, data storage, hardware, and network
connections to external resources such as the Internet.

Impact – A combination of data confidentiality, integrity and availability.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of
the university including but not limited to data, records, electronic services, network services, software,
computers, and Information systems.

Information System - Any tangible item such as hardware, software, communications facilities and
networks, used to store, process and transmit Information Assets owned, controlled, or hosted by the
University.

Integrity - The assurance that information is not changed by accident or through a malicious or otherwise
criminal act.

Reference
1. Alan Calder; Steve G. Watkins (2010), ISO27000 and Information Security: A Combined Glossary
2. Mark Rhodes-Ousley (2013), Information Security The Complete Reference

Network Access Control Policy


Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2014.1
Policy: Network Access Control
Approval Date:
Page:

Objective: The purpose of the Network Access Policy is to establish the rules for the access and use of
the network infrastructure. These rules are necessary to preserve the integrity, availability and
confidentiality of UOD information.
Responsible Official:
Responsible Office:
Signature:
ITC Reference Policies :

(a) Acceptable Use Policy

(b) Information Security Policy

Executive Summary
In order to comply with information security policy and data classification policy, the Deanship of ICT has
implemented a network access control (NAC) policy that will challenge computers and devices that try to
access network resources. The policy lays down the principles used to secure the campus wired and
wireless networks through user authentication. It ascertains that only authorized students, faculty and staff
gain access to our network by checking that computer systems meet established policy configuration
requirements. The purpose of the NAC is to ensure that computers and devices trying to gain access to the
network resources have a minimum requirement of both Operating System versions and patches and
AntiVirus software. If a computer and/or device meets the minimum requirements, it is granted access to
the network. If a computer does not meet the requirements, then it will be given limited access to the
Internet in order to update and/or install Operating System updates/Anti-Virus software.

Introduction
Network access control (NAC) is a method of assessing devices and computers that try to use network
resources (file shares, printers, web pages, etc) to see if they meet certain criteria, as defined by the
University, such as requiring anti-virus software and the most recent operating system patches.

Network access control policies will define who is allowed access to which physical locations and logical
resources. The policy enforcement will ensure that all computers that use network resources have both
updated anti-virus software and updated operating system (Windows 7, etc) patches applied. NAC allows
us to grant access to computers that meet these requirements, and deny access while still allowing
temporary Internet access to address the requirements that are not met.

To provide a more stable and secure network, UOD employs a Network Access Control (NAC) system
assuring that devices connected to the network meet these minimum security requirements:
• Each desktop computer or other listed device must be authenticated using UOD ID and password
and joined to domain.
• Must be running Microsoft Windows 7 with SP1 operating system.
• Must have Symantec Endpoint Protection AntiVirus software with current definitions.
• Firewall feature is installed and enabled.

Rationale:
Given the need to respond to security incidents on campus, and the obligation to protect our valuable network
resources, UOD must be able to identify every individual who connects to the campus network. For these
reasons, UOD has implemented a network access control to be used by all students, employees and others
to authenticate for campus network use. This will also provide a single point for collecting and reporting on
user access to information for security incident investigations.

NAC Policy Objectives


The following are the objectives of the policy:

1. Prevent unauthorized physical and logical access

2. Use appropriate and robust identification and authentication techniques to control access

3. Use unique identifiers for all users

4. Ensure good password policies are implemented

5. Implement measures to prevent and trace misuse of general access machines

Outcomes of the Policy


By enforcing the NAC policy, we aim to achieve the following outcomes:

1. Access to systems by default and explicitly authorize access.

2. Network access to confidential information is secured with appropriate encryption and
authentication

Entities affected by this Policy


This policy applies to all persons who have, or are responsible for, an account on any system accessed on
the University network or computer systems.
Supported Operating Systems and Browsers for endpoints
OS Support (Genuine OS only): Supported Browser
• Windows 8 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 10
• Windows 7 (x64, Professional, Professional x64, Enterprise, Enterprise x64): Microsoft IE 9 and later; Google Chrome 11 and later; Mozilla Firefox 5 and later
• Apple iOS 6.1, 6, 5.1, 5.0.1, 5.0: Safari 5, 6, 7; Firefox 5
• Apple Mac OS X 10.6, 10.7, 10.8: Mozilla Firefox 3.6, 4, 5, 9, 14, 16; Safari 4, 5, 6; Google Chrome 11
• Google Android 4.1.2, 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2: Native browser; Mozilla Firefox 5
• VMware ESX 4.x, ESXi 4.x, ESXi 5.x

NAC Process:
1. Once you join/register your computer or device, agent software will run automatically to
scan your computer for compliance with OS, antivirus and firewall.

2. If you FAIL the scan, you must contact the ICT help desk for an appropriate update.

3. If you PASS the scan, your computer will be allowed FULL access to all network resources and
the Internet

Wired Access:
NAC for employees:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update
not older than 5 days.

• Compliant machines will get access to UoD network based on the agreed policy – Full Access
based on the Port VLAN membership.

• Non-compliant Domain PC/users will be denied access to the corporate network including the
Internet connection

NAC for Students:

• Check for anti-virus Symantec endpoint, Antispyware and Antivirus definitions for an update
not older than 5 days.

• Compliant machines will get access based on the agreed policy –Partial Access to SIS Servers
and Internet connection.

• Non-compliant Domain PC/users will be denied access to the SIS Servers including Internet
connection.

Wireless Access
NAC for Employee:
• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will be granted access to UC services using their mobile devices after profiling.
• Compliant users will get access to Internet but no internal network access.

• Non-compliant users will be denied access even to Internet.

NAC for students:

• Web redirection to Cisco Web NAC agent to check for an anti-virus update not older than 5 days.

• Compliant users will get access to Internet and internal SIS servers.

• Non-compliant users will be denied access even to Internet.

NAC for Guests:

• Guest will login to Open SSID.

• Enforce redirect to web page to submit required information

• Allowed for Self-registration by submitting first name, Last Name and Mobile Number.

• Will Receive an SMS.

• Login with credentials sent by SMS.

• Mapped to AD

• Will have access to Internet only.

Definitions
The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a
direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services

Authenticate: To authenticate is to determine whether someone or something is, in fact, who or what it is
declared to be through the use of an identifier and password or related means.

Campus Network: A campus network is an autonomous network that exists on a university campus
connecting local area networks in and among buildings and aggregating traffic to a wide area network.

Network Access Control system: Network access control (NAC), a method of bolstering the security of a
proprietary network by restricting the availability of network resources to endpoint devices that
authenticate. Additional features include checking for current virus protection and that operating system
updates are enabled.

Network Access logs: Information captured upon network access, including identifier, time of connection,
network card MAC address, and time of disconnection.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of
the university including but not limited to data, records, electronic services, network services, software,
computers, and Information systems.

OneDrive Cloud Storage Policy
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.8
Policy: OneDrive Cloud Storage Policy
Approval Date:
Page:

Objective: This policy provides advice and best practices for using cloud storage services to support the
processing, sharing and management of institutional data
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :

(a) Data Classification Policy

(b) Information security policy

Executive Summary
Cloud computing services are application and infrastructure resources that users access via the internet.
These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon,
enable customers to leverage powerful computing resources that would otherwise be beyond their means
to purchase and support. Cloud services provide services, platforms, and infrastructure to support a wide
range of business activities. These services support, among other things, online information storage. The
stored data is generally easy for people to use and is accessible over the internet through a variety of
platforms such as workstations, laptops, tablets, and smart phones. The purpose of this policy is to inform
UOD community about the security risks associated with storing documents on the cloud and provide the
guidance about the types of information which should and should not be stored in the cloud.

Introduction
The Deanship of Information and Communication Technology (DICT) is implementing the cloud-based storage
service ‘OneDrive’, provisioned by Microsoft, which will be available to its users. OneDrive is a convenient way to
store files in the “cloud” and protect against hard drive failure and lost or stolen laptops. Keeping your
important files in OneDrive means that you have access to them from anywhere in the world provided you
have an internet connection. OneDrive also allows for easy sharing and collaboration with friends, family
and colleagues. Microsoft provides OneDrive apps for your laptop, desktop, iPads, iPhones, Android
devices, Windows 8 and Windows Phone.

This service is available to all students, faculty and employees at the University. To use OneDrive you use
the same login and password credentials as you do for Microsoft Outlook.

It is important to keep in mind that the University does not have the ability to backup or restore the files
that you keep on OneDrive. OneDrive is a service offered to the University, for free, from Microsoft in
conjunction with other tools the University deploys. Microsoft maintains a “best effort” service level for
OneDrive and while highly reliable you should periodically backup your important data to an external hard
disk.

Use of this data storage must be in compliance with all other University policies and procedures. It is the
responsibility of the University community using such services to ensure that they are aware of, and are fully
compliant with, all relevant policies, procedures and legislation.

Policy Objectives
The following are the objectives of the policy:

• Inform UOD community about the security risks associated with storing documents on the cloud

• Provide the guidance about the types of information which should and should not be stored in
the cloud.

Entities affected by this Policy


This policy applies to all the community of University of Dammam using computing and network resources.
These include
• Users (academic, professional and support staff, students and management) using either personal
or University provided equipment connected locally or remotely to the network of the University.
• All ICT equipment connected (locally or remotely) to University servers.
• ICT systems owned by and/or administered by the Deanship of ICT.
• All devices connected to the University network irrespective of ownership.
• Connections made to external networks through the University network.

• All external entities that have an executed contractual agreement with the University.

Section B – Policy Statement:


1. To use OneDrive - all users must comply with Microsoft’s Terms and Privacy conditions. On
first use, you will be prompted to accept these Microsoft terms and conditions.

2. The use of OneDrive is optional. UOD does not require you to use OneDrive to complete
your studies. If you do not wish to accept Microsoft’s Terms and Privacy conditions for the
use of OneDrive - that is ok - but you will not be able to utilize the Microsoft OneDrive
utility.
3. UOD and Microsoft will not be held responsible for any and/or all data loss or corruption.
Students will have to arrange their own backup or replication of their data. Microsoft
provides no commitment to guarantee continuous access to your files; therefore any loss
of service may deny access to important files at critical times.

4. When information or data is stored in OneDrive which is not owned by the University, it is
the responsibility of the staff member storing the information or data to ensure that
important data is backed up to an external hard disk.
5. You should be aware that it is both a breach of the OneDrive contract and University terms
and conditions to store any copyright material within this facility. This includes books,
music or videos subject to copyright. Breach of these rules may result in your account
being terminated by Microsoft without notification and result in the loss of all data
within the account, which may well be irretrievable.

6. Information or data must not be stored in this storage where the University’s intellectual
property, copyright, trademarks or patents may be compromised.
7. Use caution when storing documents and data in public cloud storage. Store only
non-sensitive, non-critical, or non-confidential documents.
8. Do not use public cloud storage to store files containing sensitive information. Please refer to
the University Data Classification policy for more complete data classifications.
9. Even for instances when you work with non-sensitive information, using public cloud storage
services for institutional documents does not make a good long-term storage solution. In
many cases, public cloud storage requires that files be associated with an individual’s
personal account. Should that individual leave the University, the institution loses access to
the data.

Definitions
The following terms are used in this document.

Cloud computing - Abstraction of virtualized web-based computers, resources, and services that support
scalable IT solutions.

OneDrive (officially Microsoft OneDrive, previously Windows Live OneDrive and Windows Live Folders) is a
file hosting service that allows users to upload and sync files to a cloud storage and then access them from
a Web browser or their local device.


Password Policy

Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.7
Policy: Password Policy
Approval Date:
Page:

Objective: The purpose of this policy is to establish a standard for the creation of strong passwords, the
protection of those passwords, and the frequency of change.
Responsible Official:
Responsible Office: Operation Unit
Signature:
ICT Reference Policies :

(a) Acceptable Use Policy

Executive Summary
Passwords are an important aspect of computer security. They are the front line of protection for user
accounts. A poorly chosen password may result in a compromise of UOD’s entire network. The purpose of
having a password policy is to ensure a more consistent measure of security for UOD’s network and the
information it contains. The implementation of this policy will better safeguard the personal and
confidential information of all individuals and organizations affiliated, associated, or employed by the
University. Additionally, this policy establishes a standard for creation of strong passwords, the protection
of those passwords, and the frequency of change of passwords.

Introduction
The University of Dammam provides authenticated access to online information technology
resources such as email, institutional data, University websites, library and e-learning portal, academic and
personal data, cloud computing resources, and other sensitive services. In particular, passwords are the
user’s ‘keys’ to gain access to University information and information systems. A compromise of these
authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and
of University as well as user information. This policy establishes minimum standards for the creation and
protection of each person’s University password(s). All users accessing UOD IT resources are bound by the
requirements described in this policy to create and secure their password(s).

Password Policy Objectives


The following are the objectives of the policy:

1. Defend against unauthorized access of UOD systems that could result in a compromise of personal
or institutional data

2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission
and institutional goals.

3. Encourage users to understand their own rights and responsibilities for protecting their passwords.
4. Protect the privacy and integrity of data stored on the University network.

Outcomes of the Policy


By enforcing the acceptable use policy, we aim to achieve the following outcomes:

1. Better informed university community regarding acceptable and unacceptable use of university ICT
resources.

2. Responsible UOD community regarding the value and use of ICT resources.

Entities affected by this Policy


This policy applies to all persons who have, or are responsible for, an account on any system accessed on
the University network or computer systems.

Responsibilities
Users are responsible for assisting in the protection of the network and computer systems they use. The
integrity and secrecy of an individual’s password is a key element of that responsibility. Each individual has
the responsibility for creating and securing an acceptable password per this policy. Failure to conform to
these restrictions may lead to the suspension of rights to University systems or other action as provided by
University Policy.

Section B – Policy Statement:


Guidelines & Procedures
• Passwords must be changed every 90 days.
• All passwords must meet the definition of a Strong password described below.
• Each successive password must be unique. Re-use of the same password will not be allowed.
• Any temporary password will expire at 23:59:59 of the date issued.
• A user account will be temporarily locked after 3 consecutive failed logins:
* Account Lockout Duration: 15 mins.
* Account Lockout Threshold: 3
• The “reset password” process will be applied to users who log in for the first time.

Poor, weak passwords have the following characteristics:

• The password contains less than eight characters.

• The password is a word found in a dictionary (English or foreign)


• The password is a common usage word such as:
* Name of family, pets, friends, co-workers, fantasy characters, etc.

* Computer terms and names, commands, sites, companies, hardware, software.

* Birthdays and other personal information such as addresses and phone numbers.

* Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc.

* Any of the above spelled backward like fesuoy, damha, etc.

* Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong Password Construction Guidelines


• Are at least eight alphanumeric characters long
• Passwords do not contain user ID
• Contain no more than two identical characters in a row and are not made up of all numeric or alpha
characters
• Contain at least three of the five following character classes:
* Lower case characters
* Upper case characters
* Numbers
* “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)
• Contain at least eight alphanumeric characters.
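
The construction guidelines and the weak-password characteristics above can be enforced by one automated check. The following is an added example, not code from the University or from any product it uses: the function name, the violation labels, the treatment of every ASCII punctuation character as "special" and the tiny word list are all assumptions made for illustration. The `min_length` parameter is there because the User Authentication Policy's awareness section asks for fifteen characters rather than eight.

```python
import re
import string

# Character classes named in the policy. Treating all ASCII punctuation as
# "special" is an assumption: the policy's own list ends in "etc".
CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "special": lambda c: c in string.punctuation,
}

# Constructed stand-in for a real dictionary or common-password list.
SAMPLE_WORDLIST = {"secret", "password", "dammam", "qwerty", "welcome"}


def check_password(password, user_id, min_length=8, wordlist=SAMPLE_WORDLIST):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    lowered = password.lower()

    # "At least eight characters long" (read here as total length).
    if len(password) < min_length:
        problems.append("too_short")

    # "Passwords do not contain user ID" (case-insensitive substring match).
    if user_id and user_id.lower() in lowered:
        problems.append("contains_user_id")

    # "No more than two identical characters in a row": reject runs of 3+.
    if re.search(r"(.)\1\1", password):
        problems.append("repeated_characters")

    # "Not made up of all numeric or alpha characters".
    if password.isdigit() or password.isalpha():
        problems.append("single_character_type")

    # "At least three of the ... character classes".
    present = [name for name, test in CLASS_TESTS.items()
               if any(test(c) for c in password)]
    if len(present) < 3:
        problems.append("too_few_character_classes")

    # Weak-password rules: a dictionary word, the same word spelled
    # backwards, or either one with digits added in front or behind.
    core = lowered.strip(string.digits)
    if core and (core in wordlist or core[::-1] in wordlist):
        problems.append("dictionary_word")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr7#kLm2pQ", "secret1", "1terces", "Jsmith#2024"):
        print(candidate, check_password(candidate, "jsmith"))
```

The check only sees the candidate password and the user ID; the rule that each successive password must be unique needs stored password history and is outside this function.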

Definitions
The following terms are used in this document.

Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a
direct or indirect connection method.

Authorized User - An individual who has been granted access to University ICT services.

Expiration - Date at which password for access to University systems is required to be changed meeting
strong password standards.

Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of
the university including but not limited to data, records, electronic services, network services, software,
computers, and Information systems.

ICT User Authentication Policy
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2013.6
Policy: ICT User Authentication Policy
Approval Date:
Page:

Objective: The authentication and access control measures ensure appropriate access
to information and information processing facilities - including servers, desktop and
laptop clients, mobile devices, applications, operating systems and network services –
and prevent inappropriate access to such resources.
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :

(a) Information security policy

(b) Acceptable use policy

User Authentication Policy


Principle
All users should be authenticated, either by using User IDs and passwords or by stronger authentication
such as smartcards or biometric devices (e.g. fingerprint recognition) before they can gain access to any
information or systems within the installation.

Objective
To prevent unauthorized users from gaining access to any information or systems within the computer
installation.

General
All users should be authenticated, either by using UserIDs and passwords or by stronger authentication
such as smartcards or biometric devices before they can gain access to any information or systems within
the organization.

1. All system-level passwords (e.g., root, enable, Windows Administrator, application administration
accounts, etc.) must be changed on at least a quarterly basis.
2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 4
months.
3. User accounts that have system-level privileges granted through group memberships or programs
must have a unique password from all other accounts held by that user.
4. Where SNMP is used, the community strings must be defined as something other than the standard
defaults of “public,” “private” and “system” and must be different from the passwords used to log in
interactively. A keyed hash must be used where available (e.g., SNMPv2).
5. All user-level and system-level passwords must conform to the guidelines described below.

User IDs and Password Attributes
User authentication should be enforced by automated means that:

1. Ensure UserIDs are unique
2. Ensure passwords are not displayed on screen or on print-outs
3. Issue temporary passwords to users that must be changed on first use
4. Force new passwords to be verified before the change is accepted
5. Ensure users set their own passwords
6. Ensure passwords are changed regularly and more frequently for users with special access
privileges

Account Lockout Policies


• Account Lockout Duration: 15 mins.
• Account Lockout Threshold: 3
• Reset Account Lockout Counter: 30 mins.
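
The three lockout values above (and the matching threshold and duration in the Password Policy) interact in ways a short model makes visible. This is an added example, not the University's implementation: the class and function names are hypothetical, the event list is constructed, and two behaviours are assumptions, namely that attempts made while locked neither count nor extend the lock, and that the failure counter restarts once a lock expires.

```python
from dataclasses import dataclass
from typing import Optional

LOCKOUT_THRESHOLD = 3            # consecutive failed logins
LOCKOUT_DURATION = 15 * 60       # seconds the account stays locked
RESET_COUNTER_AFTER = 30 * 60    # seconds after which old failures are forgotten


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self):
        self.accounts = {}

    def attempt(self, user, success, now):
        """Record one login attempt at time `now` (seconds) and return
        'ok', 'failed' or 'locked'."""
        state = self.accounts.setdefault(user, AccountState())

        if state.locked_until is not None:
            if now < state.locked_until:
                # Assumption: while locked, even a correct password is
                # refused and the attempt does not extend the lock.
                return "locked"
            # Lock has expired; assumption: the counter starts again.
            state.locked_until = None
            state.failures = 0

        # Failures older than the reset window no longer count.
        if (state.last_failure is not None
                and now - state.last_failure >= RESET_COUNTER_AFTER):
            state.failures = 0

        if success:
            state.failures = 0
            state.last_failure = None
            return "ok"

        state.failures += 1
        state.last_failure = now
        if state.failures >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"


# Constructed sample events: (time in seconds, user, login succeeded?)
SAMPLE_EVENTS = [
    (0, "alice", False),
    (30, "bob", False),
    (60, "alice", False),
    (90, "bob", False),
    (120, "alice", False),   # third consecutive failure: lock starts
    (300, "alice", True),    # correct password, but still locked
    (1020, "alice", True),   # 15 minutes after the lock began
    (1890, "bob", False),    # 30 minutes after bob's last failure
    (1950, "bob", True),
]


def replay(events):
    """Feed events, in order, through a fresh tracker; return the outcomes."""
    tracker = LockoutTracker()
    return [tracker.attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Directory products define these three settings in their own way; Active Directory, for example, requires the reset-counter value to be less than or equal to the lockout duration, so check the target system's rules before entering the figures.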

Password Changing Procedures
There should be a process for issuing new or changed passwords that:

a) Ensures that passwords are not sent in the form of clear text e-mail messages

b) Directly involves the person to whom the password uniquely applies

c) Verifies the identity of the end user, such as via a special code or through independent
confirmation

d) Includes notification to users that passwords will expire soon.

Acceptable Password Characteristics

Acceptable user passwords should, as a minimum:
1. Be a minimum of 8 characters in length,
2. Differ from their associated UserIDs,
3. Contain no more than two identical characters in a row and are not made up of all numeric or alpha
characters
4. Restrict the re-use of passwords: 5 previous passwords (e.g. so that they cannot be used again within
a set period or set number of changes).

Password Protection Awareness


Where authentication is achieved by a combination of UserIDs and passwords, users should be advised to
keep passwords confidential (i.e. to avoid writing them down or disclosing them to others) and to change
passwords that may have been compromised.

If an account or password compromise is suspected, report the incident to ICT Help Desk number 322322.
Users should be made aware of the need to choose a strong password. Strong passwords have the following
characteristics:
• Contain at least three of the five following character classes:
* Lower case characters
* Upper case characters
* Numbers
* Punctuation
* “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc)
• Contain at least fifteen alphanumeric characters.

Weak passwords have the following characteristics:


• The password contains less than fifteen characters
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
* Names of family, pets, friends, co-workers, fantasy characters, etc.
* Computer terms and names, commands, sites, companies, hardware, software.
* Birthdays and other personal information such as addresses and phone numbers.
* Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
* Any of the above spelled backwards.
* Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Single Sign-on
Single sign-on (SSO) or reduced sign on should be applied within the organization upon completing a formal
risk assessment and in compliance with the approved Identity and Access Management Architecture.

Two Factor Authentication


Two-factor authentication (e.g. smartcards or biometric devices, such as fingerprint recognition) should be
applied to users with access to critical business applications or sensitive information and to users with
special access privileges or access capabilities from external locations.

Web Hosting Policy with Third-Party Service Providers
Deanship of Information & Communications Technology
Posted Date:
Policy Number: ICT.2014.2
Policy: Web Hosting Policy with Third-Party Service Providers
Approval Date:
Page:

Objective: This policy provides guidelines for website hosting with third-party
service providers for the affiliated colleges and units.
Responsible Official:
Responsible Office:
Signature:
ICT Reference Policies :

(a) Data Classification Policy

Executive Summary
The Deanship of Information and Communications Technology (DICT) seeks to provide up-to-date,
accurate, and meaningful information on university-related websites. Likewise, the university’s integrity
and reputation rely on consistent and strong content on the www.uod.edu.sa domain and on any websites
that relate to, refer to, or could be perceived as representing the university. It is therefore important that
all such websites conform to minimum university standards and comply with the guidelines provided in this
policy.

In general, all university Internet services and all information about the university available from accessing
the Internet, including any of its colleges, departments, deanships, affiliated institutes, centers,
management units, faculty, staff and students, must use only the www.uod.edu.sa domain. In certain
exceptional cases, affiliated colleges of the university may find it necessary to hire third-party service
providers for website hosting or other applications. This policy addresses these exceptional cases.

Introduction
Creation, publication and maintenance of web pages and other web materials at the University of Dammam
is a prime way of providing critical information and services to members of the University community,
prospective students, and the general public, playing a vital role in helping the University fulfill its mission.
This policy statement is intended to protect the interests of the University and all of its students, faculty and
staff. It is designed to provide guidance to those individual affiliated units of the University that wish to host
websites with third party service providers. It outlines minimum security requirements to be observed when
content owners wish to host their web material with external service providers.

Scope
This policy governs any electronic documents made available via standard web protocols which represent
an official unit or activity of the University, bearing marks, logos, domain or symbols that might imply
endorsement by the University hosted by third party service providers.

Non-Compliance
The Ministry of Information and Communication Technology and the Ministry of Interior, Kingdom of Saudi Arabia,
monitor and report any security breaches to the University. Any non-compliance with these
recommended guidelines may result in legal action or otherwise by the relevant authorities.

Section B – Policy Statement:
The web content owner and content publisher intending to host web pages with third party service should
consider the following security issues relevant for third party hosts and the level of service required from
them.

1. Physical Security:
The service provider must comply with physical security requirements such as
• Facility Security Procedures that ensure facilities containing these confidential systems
are safeguarded from unauthorized physical access.
• Access control must be logged and audited at least every six months, and must include 1
or more of the following: multi-factor authentication (e.g. token and pin number), key-
card access, biometric access controls.
• Caged or shared racks for physical security, depending on the requirements.

2. Perimeter Security:
• IP Reputation Filtering against malicious IP addresses.
• Monitor & mitigate DoS/DDoS attacks directed toward customers and their infrastructure.

3. Network Security:
The service provider must have hardware and software in place to ensure
• Intrusion detection/prevention systems to monitor all inbound and outbound network
activity and identify any suspicious patterns that may indicate a compromised network or
system and prevent intrusion signatures.
• Established Isolated Security Zones for reducing security risks.
• Vulnerability Monitoring tools for protection against spyware, spam, viruses etc.
• Vulnerability Auditing to determine which network assets are at the most risk of being
successfully attacked and its impact.

4. Server Security:
• Hardened operating systems for more secure server operating environment.
• Managed OS patches and updates to create a consistently configured environment that
is secure against known vulnerabilities in operating system and application software.

5. Hardened VMware hypervisor


The service provider must adhere to the following best practices
• Password security policies
• Malware protection
• Resource availability monitoring
• Network event logging

6. Application Security:
The service provider must employ the following
• Web application firewall
• Intelligent WAF policies for common attacks
• Application specific and custom WAF policies if needed
• HTTP DoS application attack mitigation
• Application performance monitoring
• SSL certificates highly recommended for important services

7. Administrative Security:
• Secure portal for user management
• Log Management
• Two-Factor authentication

Content Owner Responsibilities


For the Application or website, we recommend the following:

• Source Code review to be carried out.


• Vulnerability testing at least once a month to be done.
• Penetration Testing services once every three months to be considered.
• SSL Certificate for Authentication services to be ensured.
• Two-factor authentication to be employed.
• Reliable/reputed Hosting Company to be sought.

A Recommended checklist when hosting with third party service providers


• Read the terms and conditions of use of the service - what sort of intellectual property rights do the
terms of use of the service grant to the service provider? What rights are you signing away?
• What measures does the service provider take to keep information confidential?
• Is it possible to take down and delete information easily, quickly and permanently from the site? Are
you locked in to the service?
• Security - What are the service provider’s arrangements for protecting your data from unauthorized
access, unauthorized amendment or deletion? Do they adhere to the guidelines provided in this policy?
• Will unauthorized exposure of university data result in notification by the service provider within a
mutually agreed time of discovery?
• Performance - Does the service provider make any performance guarantees? Are they adequate for
your needs?
• Does the external service provider have arrangements in place to ensure the long-term survival of the
data?
• What cookies or monitoring of usage does the service provider use?
• Have both disaster recovery and business continuity plans been developed, and are there plans to
regularly test and review them?
• Does the service provider comply with data retention and protection regulations and policies?

Definitions
The following terms are used in this document.

Domain: A unique name that identifies an Internet site.


ISP: Internet Services Provider; a company that provides access to the Internet, Information Services &
Technology.

Web Host: A company that maintains a client’s website and provides a computing environment for the website
that is accessible through the Internet.


Core ICT Services Service Level Agreement
PURPOSE OF THE SLA
The purpose of this service level agreement (SLA) is to establish a cooperative partnership between the
Deanship of Information & Communications Technology (DICT) and its users. It aims to ensure that services
support the core business of University of Dammam. This SLA aims to:
• identify clear and consistent expectations
• outline agreed roles and responsibilities
• deliver services that are measured, monitored, reported and reviewed for continuous
improvement
• provide mechanisms for resolving problems
• provide a platform to enable changes in response to new technologies, user requirements and
other opportunities

PARTIES TO THE SLA


This SLA has been outlined between the Deanship of ICT as service provider, and the University community
referred hereafter as ‘users’

DURATION
This SLA has been enforced with immediate effect and remains effective for a period of one year after
which it may be reviewed. Services are provided on an ongoing basis. As required, this SLA may be
modified and any changes will be published for user interest and information.

SERVICES INCLUDED
The following services are included in this SLA defined as core ICT services. These ICT services meet all or
most of the following criteria.
• They support the core business of teaching, learning, research and administration.
• They are widely used across UOD without requiring specialized content knowledge.
• They need to be reliable and available.
• For the most part, they are provided to the user free of charge.
• Accountability for their provision rests with DICT

FUNDAMENTAL EXTERNAL CONSTRAINTS


The Deanship of ICT may be prevented from providing any service mentioned in this SLA due to constraints over
which it may have little or no control.
These include:
• power and air conditioning outages
• physical damage, including but not limited to fires, floods, and contractors
• products or services received from vendors to DICT
• unpredictable and significant changes in activity levels (e.g. ICT Helpdesk calls, number of email
messages sent, number of users for a system, etc.)

FUNDAMENTAL USER RESPONSIBILITIES
The end users are expected to observe the following:
– report incidents or log service requests by logging calls with the ICT Helpdesk
– abide by the applicable policies listed for each service
– have the prerequisite hardware or software
– make reasonable attempts to co-operate with ICT to resolve incidents, including providing
information, performing troubleshooting steps, and ensuring ICT’s access to physical space
– acquire training in the use of their system (as necessary to do their jobs) by attending training
classes, keeping available and reading instructions, manuals, etc.
– perform routine backups of important data and files
– be able to understand and perform basic computer tasks such as copying files, installing some
software, etc.
– use their systems responsibly and ethically as University assets to do their jobs.

eFax

Service
eFax service provides web management interface for user to manage or maintain their contacts,
incoming or outgoing fax documents.

Description
The eFax service provides outgoing fax and incoming fax. Outgoing fax service is best suited
for users who occasionally need to fax out computer files. For incoming fax service, fax
document sent to a particular fax number will appear as a message in a designated email account.

Applicable to (subject to approval)
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Service level targets

Availability
eFax service is available 98% of the time 24 hours a day, 7 days a week excluding
planned/unplanned official maintenance windows.

Service level target (working days), by service request
– Installing software to send faxes from a computer: Response Time 1-2 hours; Resolution Time (business days) 1-2
– setting up a personal fax number: Response Time 1-2 hours; Resolution Time (business days) 1-2
– fixing a fault: Response Time 1-2 hours; Resolution Time (business days) 1-2

Constraints
– Fundamental external constraints
– Existing fax number cannot be changed
– Supported document format is pdf only

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– An email address
– Software client installed on a Windows computer

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

WebEx

Service

UOD free web conferencing service, WebEx, provides on-demand, real-time, collaborative web meetings and conferencing. WebEx can be used to host online meetings and interactive sessions with individuals inside and outside of UOD.

Description
Faculty can use WebEx to record/capture class lectures and facilitate student discussions for distance education. Students use WebEx to watch and attend class lectures, communicate with the instructor and collaborate with other students in the class. The staff can use WebEx to share documents, hold online meetings, and collaborate on team projects.

Applicable to
– Management
– Faculty
– Staff (attendees only)
– students

Exclusions
– visitors

Service level targets

Availability
WebEx service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request and service level target (working days)
– Request to enable WebEx facility: response time 2-24 hours; resolution time 1-2 business days
– fixing a fault: response time 1-2 hours; resolution time 2-3 business days

Constraints
– Fundamental external constraints
– Account changes are not allowed

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– An email address
– WebEx enablement

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Cisco IP Telephone

Service

UOD offers voice over IP as an enterprise communication solution.

Description
Internet Protocol (IP) or Voice over IP (VoIP) telephony is technology which enables telephone messages to be transmitted and received via the internet rather than the traditional analogue telephone system.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Service level targets

Availability
IP Telephony service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request and service level target (working days)
– IP Telephone request process: response time 1-2 hours; resolution time 3 business days
– setting up an IP telephone: response time 1-2 hours; resolution time 3 business days
– Move, Add and Change: response time 1-2 hours; resolution time 5 business days
– fixing a fault: response time 1-2 hours; resolution time 3 business days
– New wiring: response time 1-2 hours; resolution time 15 business days
– IP telephone features: response time 1-2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Cisco CallManager Administration
– Windows 2000 Terminal Services

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

New SoftPhone

Service

A softphone is a software program for making telephone calls over the internet or University Data Network using a computer or laptop, rather than a deskphone or landline.

Description
The Deanship has implemented Cisco Unified Personal Communicator (CUPC) to enhance the voice communication experience by enabling Presence functionality. It provides real-time status for coworkers, integrating with calendars for meeting notifications and allowing real-time chat, voice or video communication.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Service level targets

Availability
The SoftPhone service is available 98% of the time 24 hours a day, 7 days a week excluding planned/unplanned official maintenance windows.

Service request and service level target (working days)
– Delivery of hardware: response time 1-2 hours; resolution time 1-2 business days
– Client Installation: response time 1-2 hours; resolution time 1-2 business days
– Fixing a fault: response time 1-2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Laptop or desktop
– UOD valid email address

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Request Database Services

Service

The Deanship provides a wide range of database consulting and hosting options for your application. The hosting services feature high availability and disaster recovery options in a secure environment. The service includes the following:
– Database Schema creation
– Database users
– Database consultation
– Database backup
– Database user permissions

Description
The Deanship offers two environments: application and testing. The database hosting is tailored to the requester’s requirements and gives you control as well.

Applicable to
– Management
– Faculty

Exclusions
– Staff
– students
– visitors

Service level targets

Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

Service request and service level target (working days)
– Database Schema creation: response time 4-6 hours; resolution time 1 business day
– Database users: response time 4-6 hours; resolution time 1 business day
– Database consultation: response time 4-6 hours; resolution time 1 business day
– Database backup: response time 4-6 hours; resolution time 1 business day
– Database user permissions: response time 4-6 hours; resolution time 1 business day

Constraints
– Fundamental external constraints
– Oracle Database hosting Only

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– Database type

Request Hosting Training Material in ICT servers (video, pdf, etc.)

Service

The eligible users can request to host relevant material in audio, video or text form to be published for employee development.

Description
The Deanship of ICT offers to host training material for employee development for interested UOD colleges/department/Centers.

Applicable to
– Management
– Faculty

Exclusions
– Staff
– students
– visitors

Service level targets

Availability
The service is available 98% of the time from 8:00 a.m. to 4:00 p.m., 5 business days a week excluding planned/unplanned official maintenance windows.

Service request and service level target (working days)
– Request for service: response time 1-2 hours; resolution time 1 business day

Constraints
– Fundamental external constraints
– ICT will host the material after careful review and relevant authority permission.

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– UOD valid email address

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Request Reset Password

Service

Password Reset enables all users to reset their forgotten University password, without calling the Service Desk.

Description
Users are now able to reset their password or change their password 24/7 hassle-free from any computer.

Applicable to
– Management
– Faculty
– Staff
– Students
– Guests

Exclusions
– None

Service level targets

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week.

Constraints
– Fundamental external constraints

User responsibilities

To access the service
In order to avail this service, the users must log on to the eservices.ud.edu.sa/ and provide appropriate information and follow the instructions for setting the password.

Prerequisites
– Fundamental user responsibilities
– email account

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Requesting/decommissioning VMWare virtual server

Service

Users can request a Windows or Linux virtual server. Requested virtual servers are subject to normal approvals and some special provisioning tasks. A decommissioning workflow enables a user to make a request for the deletion of a virtual server.

Description
UOD departments or eligible users can choose to locate virtual servers in the ICT Data Center. Services provided include 24 hour system monitoring, controlled power and temperature environment, a secure facility, backup, restore and offsite storage services, and problem management.

Applicable to
– Management
– Faculty

Exclusions
– Students
– Staff
– Visitors

Service level targets

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service request and service level target (working days)
– Standard request: response time 1-2 hours; resolution time 1 business day
– Standard provisioning: response time 1-2 hours; resolution time 3 business days
– Service Outage/unusable: response time 1-2 hours; resolution time 2 business days
– Service Degraded/unreliable: response time 1-2 hours; resolution time 2 business days
– Minor/inconvenient: response time 1-2 hours; resolution time 7 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Fundamental user responsibilities
– email account
– Virtual server OS, memory, storage, CPUs and speed

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

E-mail services

Service

Description
This service provides personal e-mail services through Office365. The service includes the following features:
– an email address within the @ud.edu.sa domain that complies with the email naming standard
– a mailbox with 25GB storage space for users.
– You can move messages, flag them for follow-up, categorize messages.
– organize your messages easily by sorting them into a hierarchy of folders.
– Built-in anti-spam message filtering. Integrated anti-spam tools for smoother control of email filtering and identification.
– Convenient web and desktop access to your email and integrated calendar.
– Access from portable devices, including iOS and Android-based phones and tablets.
– personal, shared and system address books
– ability to archive messages
– ability to set up filtering rules and vacation replies

Applicable to
– Management
– Faculty
– Staff
– Students
– Officially Approved Contractors & staff
– Guests

Exclusions
– Temporary visitors
– Only a limited set of features is available when connecting via smartphones/mobile devices

Service level targets

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service request and service level target (working days)
– creating an email account: response time 1-2 hours; resolution time 1-2 business days
– Allocating additional mailbox space (subject to feasibility/approval): response time 1-2 hours; resolution time 1-2 business days
– creating a mailing list: response time 1-2 hours; resolution time 1-2 business days
– changing personal details: response time 1-2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints
Note: No service level targets can be set for speed of access from off campus, as this is constrained by ICT bandwidth availability and service from the user’s ISP. Similarly, speed of email delivery and receipt cannot be guaranteed when it depends on mail servers external to ICT. Many external mail servers restrict the delivery of large messages during office hours.

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To access the service
The users can access this service through UOD website or UOD smartphone apps

Prerequisites
– Fundamental user responsibilities
– Users must manage their mailboxes to ensure that they do not exceed space limitations and risk being prevented from sending mail.
– Users are responsible for backing up any email data (e.g. archived mail) stored on their local computer.
– Users should follow the service request procedure on ICT service Desk if they face any difficulty.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Naming standard
– Service desk procedures

Software Services

Service

Description
Software services range from installation of printers to lab specific software installation. The Deanship commits to providing these services on priority basis.

Applicable to
– Management
– Faculty
– Staff
– Students (Specific cases only)
– Guests (Upon approval)

Exclusions
– visitors

Service level targets

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance windows.

Service request and service level target (working days)
– Request installing printer drivers or connect printer to the network: response time 1-2 hours; resolution time *1-2 business days
– Request Installing Software on Labs PCs: response time 1-2 hours; resolution time *1-2 business days
– Request Join PC to the Domain: response time 1-2 hours; resolution time *1 business day
– Request Share folder in servers: response time 1-2 hours; resolution time *1-2 business days
– Request remote assistance: response time 1-2 hours; resolution time *1-2 business days
– Request installing or activate application license: response time 1-2 hours; resolution time *1-2 business days
– Request Format Damage PC: response time 1-2 hours; resolution time *1-2 business days
*Subject to the availability of software, licenses and/or ICT resources

User responsibilities

Constraints
– Fundamental external constraints
– UOD account

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy

Request developing applications

Request Software Consultations

Service

Description
The Deanship provides advisory and consultative service relating to software. Additionally, it may undertake application development through its resources under certain circumstances.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
Subject to the availability of the ICT resources and task to be handled

Service request and service level target (working days)
– Request developing applications: response time Variable; resolution time (business days) variable
– Request Software Consultations: response time Variable; resolution time (business days) variable

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites
– Detailed Requirements

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Request remote access

Service

Description
A secure service that enables you to remotely connect to UOD’s network using your own Internet Service Provider (ISP).

Applicable to
– Management
– Faculty, staff (subject to approval)

Exclusions
– students
– visitors

Service level targets

Availability
Password self-service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Remote Access Request: response time 1-2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints
– Downtime attributable to UOD bandwidth provider

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Information security policy

Hardware Services

Service

Description
The Deanship provides various hardware services for the official desktops/laptops.

Applicable to
– Management
– Faculty
– Staff

Exclusions
– students
– visitors

Service level targets

Service request and service level target (working days)
– Request install New PCs: response time 1-2 hours; resolution time *3-5 business days
– Request installing or replace PCs peripherals (printer, scanner etc): response time 1-2 hours; resolution time *2-4 business days
– Request maintenance for PCs peripherals (printer, scanner etc): response time 1-2 hours; resolution time *2-4 business days
* Subject to the availability of peripheral devices, ICT resources, and complexity

Constraints
– Fundamental external constraints
– Availability of hardware/ related software

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Portal Services

Service

Description
This service provides access permission to the portal and update for web page contents.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request Access Permissions to UD’s Portal: response time 1-2 hours; resolution time 1 business day
– Request updates of web page contents: response time 1-2 hours; resolution time 2 business days

Constraints
– Fundamental external constraints
– Copyright material

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy

Video Conferencing Services

Service

Description
The Deanship of ICT provides several video conferencing services that you can use to meet and collaborate with colleagues across campus or around the world.

Applicable to
– Management
– Faculty
– Staff (subject to Approval)

Exclusions
– students
– visitors

Service level targets

Availability
Video conferencing service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request installing New Video Conference Device: response time 2 hours; resolution time 3-4 business days
– Request installing Maintenance & Modification Video Conference Device: response time 2 hours; resolution time 3-4 business days
– Request Multiple Video Service Calls (MCU Servers): response time 2 hours; resolution time 1-2 business days
– Request Recording Video Conference Meeting (Content Server): response time 2 hours; resolution time 1-2 business days
– Request Scheduling Video Conference Meeting (Internal & External Call): response time 2 hours; resolution time 1-2 business days
– Request Video (Call, Meeting, Presentation) Real Time Support: response time 2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints
– Availability of fundamental equipment

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

Prerequisites

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy

Digital Signage Service

Service

Description
Digital Signage service is a centrally managed/locally controlled electronic sign and interactive display platform to distribute information in an engaging, interactive manner using large format displays across campus.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
Portal service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request installing digital signage on monitors (internal advertising system): response time 2 hours; resolution time 3-4 business days
– Request maintenance installing digital signage on monitors (internal advertising system): response time 2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints
– Copyright material

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Wireless LAN Service

Service

Description
Wireless technology provides secured network access to mobile devices within buildings with consistent capabilities.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
The UOD network from the central data center to the required building is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request installing Wireless LAN: response time 2 hours; resolution time 10-15 business days
– Request Maintaining of existing wireless LAN: response time 2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by

Cable Nodes and Network Ports Checkup Service

Service

Description
The service installs, activates and troubleshoots an Ethernet port to allow a department to connect a device to the campus network.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request New Cabling Nodes: response time 2 hours; resolution time 1-2 business days
– Request Fix Existing Cable Node: response time 2 hours; resolution time 1-2 business days
– Request Network Ports Checkup: response time 2 hours; resolution time 1-2 business days
– Request Network Checkup for a building (Connection, Traffic to & from the building): response time 2 hours; resolution time 2-3 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Network Access Control Policy

Data Center Services

Service

Description
The service provides internet and server connectivity.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request Data Center service (Internet & Servers Connectivity): response time 2 hours; resolution time 1-2 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Network Access Control Policy

The primary purpose of this policy is to inform, educate and set expectations for the members of the university community of their individual and corporate
responsibilities towards the use of information, products and services obtained from the internet. Internet filtering is provided to all students, faculty and
staff to protect them from the unintentional or deliberate accessing of internet content that is offensive and inappropriate.

Security Services

Service

Description
The primary purpose of this service is to provision the ability to block, unblock, filter the network traffic, publishing on 3rd party domain.

Applicable to
– Management

Exclusions
– Faculty
– Staff
– students
– visitors

Service level targets

Availability
This service is available 98% of the time 24 hours a day, 7 days a week excluding official monthly maintenance

Service request and service level target (working days)
– Request block or unblock or filter network traffic (website, protocol, port): response time 1-2 hours; resolution time 3-5 business days
– Request Publishing Services Outside UD: response time 1-2 hours; resolution time 3-5 business days
– Request remote access through VPN (Add/Modify/Delete/Troubleshoot): response time 1-2 hours; resolution time 3-5 business days

Constraints
– Fundamental external constraints

User responsibilities

To Request this service
Fill out the ‘Service Request Form’ to avail this service.

To report a fault or problem with the service
Contact the ICT Helpdesk by phone (Ext: 31111), by email or via the ICT web site.

Applicable policies
– Acceptable use policy
– Information security policy
– Network Access Control Policy
