KKU Security Key Objectives

   KKU management considers Information Security as a key business objective for the University.

   KKU's management and staff are committed to strict adherence to its information security policies and practices. All management and staff personnel and relevant third parties are required to comply with KKU's relevant information security policies, procedures and standards.

   Violations of information security policies and standards shall result in disciplinary actions by management up to and including termination as per Saudi Arabia’s laws and regulations including but not limited to Labor Laws, Anti e-Crimes Law and e-Transaction Law...

   KKU information systems shall be used only for authorized business purposes and limited personal usage as per the University’s information system acceptable use policy (refer to Information Security Public Policies).

   KKU shall ensure generation of adequate information security awareness among management, staff and relevant third parties in line with their specific awareness requirements.

   Logical and physical access to KKU's information systems shall be adequately controlled in line with their relevant risks and criticality for the University.

   KKU's information systems shall be protected from malicious software attacks (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.).

   KKU shall ensure that risks to its information systems from third parties are effectively identified, controlled and managed.

   KKU shall ensure adequate security of its customers’ information. Further, the University shall deploy adequate security measures to address risk from its customers’ access to its information systems.

   Electronic information handling media (such as USBs, portable hard disks, etc.) shall be protected from damage, information theft and unauthorized access.

   Information security incidents and security weaknesses related to KKU's information systems shall be reported, tracked, investigated and resolved in a timely and effective manner.

   KKU shall ensure that all of its Information Systems are identified and assigned to information systems owners who shall be ultimately responsible for the information security of their Information Systems.

   KKU's sensitive documentation shall be identified, classified and adequately protected from damage, theft and unauthorized access.

   KKU shall ensure privacy of personal information in its information systems in line with their security needs and relevant laws and regulations.

   KKU shall define, implement and maintain adequate information security controls for its information systems in line with their risk classification and relevant best practices.

   KKU shall minimize the chances of abuse, misuse, or destruction of its key information systems by verifying the integrity of personnel provided access to its information systems.

   KKU shall ensure that the physical establishments housing its Information Systems are adequately secured by deploying risk-based physical and environmental information security controls.

   KKU shall identify and comply with all of Saudi Arabia’s (and international, where mandatory) laws and regulations having implications for the information security of the University’s Information Systems.

   KKU shall proactively consider information security requirements during the acquisition/development of its information systems in line with the University’s information security policies and standards and relevant best practices.

   Changes to key information systems shall be controlled through a change management policy in order to minimize the impact of change-related incidents upon the University’s information systems.

   Information security status of KKU's information systems shall be monitored by planning and deploying adequate security monitoring techniques in line with the relevant risk and criticality of the information systems.

   KKU shall perform information security assessments of its Information Systems to identify their information security vulnerabilities, threats, risks and accordingly take appropriate timely remedial actions.

   KKU shall plan and perform independent information security audits for its Information Systems in line with the relevant risk and criticality of the information systems. KKU shall take timely and appropriate actions to address observations identified as part of the audits.

   KKU shall ensure that its critical business processes/services are protected from the effects of major failures of information systems or disasters in a timely manner through a formal business continuity plan, high availability and redundancy.

   KKU employees and third parties are obligated to identify and report any malicious or malpractice activities that come to their notice. KKU is committed to preventing malicious activities and taking timely, effective action on such reported incidents.

 

General Use and Ownership

   Customers are only authorized to utilize KKU's information resources for the business purposes for which they have been authorized. Any unauthorized use of KKU's information systems and resources for personal use or on behalf of a third party (e.g., personal client, family member, political or charitable organization, school, etc.) is prohibited and will be subject to appropriate disciplinary and/or legal action.

   All computer data created, received, or transmitted using KKU’s information systems is the property of KKU and is not considered the property of the user. KKU reserves the right to examine all data for any reason and without notice, such as when violations of this code or other KKU policies are suspected.

   Any employee (temporary or permanent), student or third party (vendors, business partners, contractor personnel, etc.) using or having access to KKU’s information systems shall be aware of the limits that apply to their use of the information systems. They are responsible for their use of any information systems and any such use carried out under their responsibility.

 

  • Intellectual Property Rights and Licensing

   KKU recognizes and respects intellectual property rights (that include software or document copyright, design rights, patents, and source code licenses) associated with its information systems.

   It is prohibited to violate the rights of any person or company protected by copyright, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation of unauthorized or illegal software on any KKU or non-KKU systems connected to the KKU IT environment.

   The General Department of IT shall maintain appropriate license information and relevant terms and conditions of its important information systems.

   Usage of unlicensed software or other intellectual property is strictly prohibited.

 

  • Unacceptable Use of System and Network

   It is prohibited to introduce malicious programs (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) into KKU's information systems.

   It is prohibited to introduce freeware and shareware software into the University’s network, whether downloaded from the Internet or obtained through any other media, without authorization from the General Department of IT.

   It is prohibited to use KKU's information systems to store, process, download, or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment.

   It is prohibited to make fraudulent offers of products, items, or services using KKU's system resources.

   It is prohibited to perform port scanning or security scanning of the University’s network or information systems unless it is authorized by the General Department of IT and prior notification is made to relevant stakeholders.

   It is prohibited to execute any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's authorized job/duty.

   It is prohibited to circumvent user authentication or security of any host, network or account.

   It is prohibited to use any program/script/command, or to send messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

   It is prohibited to provide information about, or lists of, KKU employees to parties outside the university.

   Information system level passwords shall be changed quarterly.

 

  • Use of Email and Communication

   It is prohibited to send unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).

   It is prohibited to harass via email, telephone, fax or paging, whether through language, frequency, or size of messages.

   Unauthorized use, or forging, of email header information or content shall be strictly prohibited.

   It is prohibited to create or forward "chain letters", "Ponzi" or other "pyramid" schemes of any type.

   Posting at newsgroups or blogs (newsgroup spam) on behalf of the University or by disclosing sensitive information shall be strictly prohibited.

   KKU employees shall exercise utmost caution when sending any email from inside KKU to an outside network. Unless approved by an employee's manager, KKU email will not be automatically forwarded to an external destination. Sensitive information shall not be forwarded via any means, unless this email is critical to business and is encrypted.

 

  • Due Diligence

   Each user has the responsibility to prevent unauthorized access, including viewing, of information resources under his responsibility or control.

   Each user has the responsibility to notify the General Department of IT of any virus-like behavior or suspicious activities on their systems through KKU's information security web page or 8000.

   Exploration of public domain with regard to some research is acceptable provided that users shall comply with KKU's policies and standards regarding such use and they shall also comply with the policies and standards of the researched site.

 

Internet Usage Policy

   Internet Users on KKU's network shall not expect privacy of information stored, processed and transmitted using the University’s information system. KKU shall establish mechanisms to control and monitor the use of the Internet, including blocking access to certain categories of web sites (e.g., pornography). Blocking will be combined with other technical and procedural controls such as logging of user activity. These logs can be monitored to ensure that Internet use is not abused. Such logging will track Internet usage and monitor the content and nature of sites being accessed by users.

   Abuse of the Internet, especially for those activities that expose the University to potential litigation (e.g., pornography, harassment of individuals), will not be tolerated. Appropriate disciplinary action will be taken, which may include termination of employment. For any illegal activities, the University reserves the right to report these activities to the appropriate regulatory, government or legal authorities.

   KKU blocks certain categories of web sites based on certain lists or databases. These lists/databases are not always accurate and up to date. If a non-business or illegal site is accessible, it does not mean that it is authorised by KKU or that KKU considers it acceptable. Therefore, users shall not visit Internet sites that would be considered illegal, immoral or against the University’s principles.

   The user shall understand how much time spent on personal use of the Internet may be considered acceptable. The user may consult his management to further clarify this requirement.

   Public or personal email addresses shall not be used to e-mail any business related information.

   The user shall note that any e-mails sent using public e-mail accounts such as Yahoo, Hotmail, Gmail etc., from their work PC can be traced by the recipient as having been sent from KKU. Therefore, any misuse can expose the University to litigation.

   If there are certain sites that are blocked but should not be (or vice-versa), the user shall notify the General Department of IT through KKU's information security web page or 8000.

   If the user accidentally visits an inappropriate site, or is automatically directed there, then the user shall leave that site immediately.

   Users shall refrain from downloading any software or any other material (music, pictures etc.) that is not business related.

   During download of business-related information, the user shall ensure that no intellectual property rights are violated, as a violation would expose the University to potential litigation.

   KKU shall ensure that the information available on its website is adequately verified and validated.

   The user shall not register his work E-mail address at any website for non-business related work.