Information Security Policy

The Main Objectives of Information Security at Majmaah University:
Majmaah University considers information security a major objective of its work.
- The management and staff of Majmaah University are committed to strictly adhering to its information security policies and practices. All staff members, third-party employees and related third parties should adhere to information security policies, procedures and standards.
- Violation of information security policies, procedures and standards leads to disciplinary actions by Majmaah University administration that may reach up to termination of services in accordance with Saudi regulations, which include, without limitation, the labor law, the information crime control law, the electronic transaction law, etc.
- The use of Majmaah University information systems should be limited to authorized business purposes only, and to specific employees in line with the policy of acceptable use of information systems (see public information security policies).
- Majmaah University must ensure that there is sufficient awareness of information security in the relevant departments, among staff members and third parties consistent with their specific awareness requirements.
- Virtual and physical access to Majmaah University information systems must be adequately controlled, depending on the risks involved and their sensitivity to the University.
- Majmaah University information systems must be protected from malicious software attacks (e.g. viruses, worms, Trojans, e-mail bombs, etc.).
- Majmaah University should ensure that the risks to third-party information systems are detected, controlled and managed.
- Majmaah University must ensure that its clients' information is adequately secured. It must publish and use adequate security measures and solutions to deal with the risks arising from its customers' access to its information systems.
- Information transmission media such as USB ports and mobile hard drives must be protected from damage, theft and unauthorized access.
- All information security incidents and weaknesses in Majmaah University security systems should be reported and dealt with effectively.
- Majmaah University must ensure that all its information systems are identified and assigned to information system administrators who have full responsibility for information security in their information systems.
- Sensitive documents at Majmaah University must be identified, classified and adequately protected from damage, theft and unauthorized access.
- Majmaah University must maintain the confidentiality of personal information in its information systems in accordance with its security needs and relevant regulations.
- Majmaah University must identify, apply and maintain adequate information security controls for its information systems in line with the classification of risks and best practices.
- Majmaah University must limit the chances of abuse, misuse or destruction of its information systems by ensuring the integrity of its employees who have access to information systems.
- Majmaah University must ensure that there is sufficient security for its information systems facilities by deploying environmental and natural information security controls based on the risks to which they may be exposed.
- Majmaah University must determine and comply with all Saudi (and international) regulations of information systems.
- Majmaah University must proactively consider information security requirements during the procurement/development of information systems in accordance with its information security policies, procedures, standards, and best practices.
- Changes to key information systems must be controlled through the Change Management Policy to reduce the impact of incidents related to change in information systems.
- The status of information security within the information systems at Majmaah University must be monitored through planning and dissemination of adequate methods to monitor the security of information in line with the relevant risks and the sensitivity of information systems.
- Majmaah University must assess the information security of its information systems to identify the weaknesses, threats and risks to its information security, and then take appropriate remedial action with due speed.
- Majmaah University must conduct independent audits of its information security in accordance with the relevant risks and the sensitivity of the information systems. It must take appropriate and timely action to address the observations identified during the audit process.
- Majmaah University must ensure that its sensitive operations and services are protected in a timely manner from the effects of major failures of information systems by following a formal plan to maintain workflow and service availability in addition to ensuring the use of additional support units.
- Majmaah University employees and the relevant third parties must be obliged to identify and report any fraud or improper practices or activities. The University is also committed to preventing fraudulent activities, and takes swift and effective action against these reported incidents.

Acceptable use of information systems
General Use and Ownership
- Users are authorized to use the information sources of Majmaah University only for the purposes of their authorized work. Any unauthorized use of Majmaah University information systems and sources, such as personal use or use on behalf of any third party (such as a personal client, family member, political, charitable, school or otherwise), is strictly prohibited. The user who violates this will be subject to appropriate disciplinary and/or legal procedures.
- All computer data generated, received or transmitted by the information systems of Majmaah University is owned by Majmaah University. Majmaah University reserves the right to examine all data for any reason and without notice, for example, when there are suspicions of violating these rules or any of Majmaah University policies.
- Employees, contractors and third-party employees who use or have access to Majmaah University information should be aware of the current limits of their use of Majmaah University information systems and are responsible for their use and any use under their responsibility.

Intellectual Property Rights and Licensing
- Majmaah University values and respects intellectual property rights (which include copyright, design rights, patent rights and software and documentation source code licenses) associated with its information systems.
- The violation of any rights of any person or company protected by copyright, patent or other intellectual property rights, or similar regulations, including the installation of unauthorized or illegal software applications on Majmaah University systems or on other systems that are not affiliated with Majmaah University but are connected to the Majmaah University IT environment, is strictly prohibited.
- The IT Deanship must retain appropriate information about the licenses, terms and conditions relating to its important information systems.
- The use of unlicensed software or intellectual property rights is strictly prohibited.

Unacceptable Use of Systems and Network
- It is prohibited to introduce malicious software (e.g. viruses, electronic worms, Trojans, etc.) into Majmaah University information systems.
- It is prohibited to install free software programs in Majmaah University network, whether downloaded from the Internet or obtained from other media, without the authorization of the Dean of Information Technology.
- It is prohibited to use Majmaah University information systems to store, process, upload, or transmit data that may be considered biased (politically, religiously, racially, ethnically, etc.) or involve harassment.
- It is prohibited to make offers, products, items or services involving fraud and deception using Majmaah University systems resources.
- It is prohibited to carry out any form of network control during which data that does not concern the host device is intercepted for the employee's account, unless this activity is part of the employee's authorized function/task.
- It is prohibited to circumvent the identification of the user or the security of any host, network or computer.
- It is prohibited to use any software/language/order, or to send messages of any kind, for the purpose of interfering with or disabling any user, through any means, locally or over the Internet/intranet/extranet.
- It is prohibited to provide information concerning the staff of Majmaah University or lists of names to any parties outside Majmaah University.
- Information system passwords must be changed every three months.

Email and Communications Use
- It is prohibited to send any unwanted (unsolicited) e-mail messages, including "junk mail" or other advertising material, to people who have not specifically requested such material (spam).
- It is prohibited to harass via email, phone, fax or paging, whether in terms of language, frequency or volume of messages.
- The use of unauthorized email or forging e-mail information or contents is strictly prohibited.
- It is prohibited to create or edit "chain letters", "Ponzi" or "pyramid schemes" of any kind.
- It is strictly forbidden to register with and communicate with news groups and blogs on behalf of Majmaah University (spam for news groups).
- The staff of Majmaah University must exercise the utmost caution when sending any e-mail from within Majmaah University to external networks, with the exception of employee manager's approval. Majmaah University e-mails will not be sent to any third party. Sensitive information must not be passed by any means unless the e-mail message is very important and encrypted.

Due Diligence
- Each user is responsible for protecting against unauthorized access, including viewing, to sources of information under his/her control (e.g. information available on mobile devices, desktops, access terminals, printers, tape media, etc.).
- Each user is responsible for informing the Information Security Department of any suspicious conduct resulting from viruses or suspicious activities in their systems through the Information Security Unit web page.
- It is acceptable to browse the public domain for some research provided that users adhere to the policies, standards and procedures of Majmaah University in relation to this use.
- In this case, users must comply with the policies, standards and procedures of the sites they are browsing.

Internet Usage Policy:
- Internet users through Majmaah University network should not expect any privacy of the information stored, processed and transmitted using the University information system. The University must develop a mechanism to control internet use, including blocking access to certain categories of websites (such as pornographic sites). Blocking is in parallel with the use of other technical and procedural controls, such as recording user activities. These records can be monitored to ensure that the Internet is not misused. These records will track internet usage and monitor the content and nature of sites accessed by users.
- Majmaah University will not stand idle towards internet abuse, particularly activities that may expose it to prosecution or legal proceedings (including pornography and harassment). It will take appropriate disciplinary action that may amount to the dismissal of the employee. In the event of any illegal activities by the employee, the University reserves the right to report such activities to the relevant regulatory, governmental or legal authorities.
- Majmaah University blocks specific categories of websites based on particular lists or databases. These lists or databases are not always accurate and up-to-date. If any website is illegal or irrelevant to the work, it does not mean that the University has authorized or deemed it acceptable to access. Therefore, users should not visit such websites that may be considered illegal, immoral or contrary to University principles.
- The user should understand the time spent on personal use of the Internet, which can be considered acceptable. The user may consult his or her management to clarify such requirements.
- Public or personal e-mail addresses should not be used to send e-mail messages containing work-related information.
- The user should note that e-mails sent from work computers using public e-mail accounts such as Yahoo, Gmail and other accounts can be traced by the recipient as having been sent from the University and, therefore, any abuse may expose the University to judicial proceedings.
- If certain sites have been blocked and must not be blocked (or vice versa), the user should notify the Information Security Department through their web page.
- If the user accidentally visits an inappropriate site, or is automatically routed to that site, they must leave that site immediately.
- Users should refrain from downloading any software or other material (music, photos, etc.) that has nothing to do with the work.
- While downloading work-related information, the user should ensure that no intellectual property rights are violated, which may expose the University to the risk of judicial proceedings.
- Majmaah University should ensure that the information available on its website has been properly verified.
- The user should not register their work email address on any website that is not related to their work.