INSPIRING BUSINESS INNOVATION

COMMUNICATIONS SECURITY POLICY

Version 1.1
Policy Number:
 COMMUNICATIONS SECURITY POLICY

1. Table of Contents
1. Table of Contents ........................................................................................................................ 2
2. Property Information .................................................................................................................. 3
3. Document Control ...................................................................................................................... 4
3.1. Information............................................................................................................ 4
3.2. Revision History ................................................................................................... 4
3.3. Review, Verification and Approval ...................................................................... 4
3.4. Distribution List .................................................................................................... 4
4. Policy Overview ........................................................................................................................... 5
4.1. Purpose ................................................................................................................. 5
4.2. Scope..................................................................................................................... 5
4.3. Terms and Definitions .......................................................................................... 5
4.4. Change, Review and Update ............................................................................... 7
4.5. Enforcement / Compliance .................................................................................. 7
4.6. Waiver.................................................................................................................... 7
4.7. Roles and Responsibilities (RACI Matrix) .......................................................... 8
4.8. Relevant Documents ............................................................................................ 8
4.9. Ownership ............................................................................................................. 9
5. Policy Statements ...................................................................................................................... 10
5.1. Network Controls................................................................................................ 10
5.2. Security of Network Services ............................................................................ 11
5.3. Segregation in Networks ................................................................................... 12
5.4. Information Transfer Policies and Procedures ................................................ 12
5.5. Agreements on Information Transfer ............................................................... 13
5.6. Electronic Messaging......................................................................................... 13
5.7. Confidentiality or Non-Disclosure Agreement ................................................. 13

Page 2/13
 COMMUNICATIONS SECURITY POLICY

2. Property Information
This document is the property information of Imam Abdulrahman bin Faisal University - ICT Deanship. The
content of this document is Confidential and intended only for the valid recipients. This document is not
to be distributed, disclosed, published or copied without ICT Deanship written permission.

Page 3/13
 COMMUNICATIONS SECURITY POLICY

3. Document Control

3.1. Information

Title Classification Version Status

COMMUNICATIONS SECURITY POLICY Confidential 1.1 validated

3.2. Revision History

Version Author(s) Issue Date Changes

0.1 Alaa Alaiwah – Devoteam November 18, 2014 Creation

0.2 Nabeel Albahbooh – Devoteam December 1, 2014 Update

0.3 Osama Al Omari – Devoteam December 23, 2014 QA

1.0 Nabeel Albahbooh – Devoteam December 31, 2014 Update

1.1 Muneeb Ahmad – ICT, IAU 24 April 2017 Update

3.3. Review, Verification and Approval

Name Title Date

Lamia Abdullah Aljafari Quality Director

Dr. Saad Al-Amri Dean of ICT

3.4. Distribution List

Copy # Recipients Location

Page 4/13
 COMMUNICATIONS SECURITY POLICY

4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, wavier, roles and responsibilities, relevant documents and ownership.

4.1. Purpose
The main purpose of Communications Security Policy is to:

Ensure the protection of information in networks and its supporting information processing facilities, and
maintain the security of information transferred within IAU and with any external entity.

4.2. Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity,
including:

 All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.

 Students studying at IAU.

 Contractors and consultants working for or on behalf of IAU.

 All other individuals and groups who have been granted access to IAU’s ICT systems and
information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a
foundation for information security management.

4.3. Terms and Definitions

Table 11 provides definitions of the common terms used in this document.

Term Definition

A security principle indicating that individuals shall be able to be

Accountability
identified and to be held responsible for their actions.
Asset Information that has value to the organization such as forms,

Page 5/13
 COMMUNICATIONS SECURITY POLICY

media, networks, hardware, software and information system.

The state of an asset or a service of being accessible and usable
Availability
upon demand by an authorized entity.
An asset or a service is not made available or disclosed to
Confidentiality
unauthorized individuals, entities or processes.
A means of managing risk, including policies, procedures, and
Control guidelines which can be of administrative, technical, management
or legal nature.
A description that clarifies what shall be done and how, to achieve
Guideline
the objectives set out in policies.
The preservation of confidentiality, integrity, and availability of
Information Security information. Additionally, other properties such as authenticity,
accountability, non-repudiation and reliability can also be involved.
Maintaining and assuring the accuracy and consistency of asset
Integrity
over its entire life-cycle.
A person or group of people who have been identified by
Management as having responsibility for the maintenance of the
Owner
confidentiality, availability and integrity of an asset. The Owner
may change during the lifecycle of the asset.
A plan of action to guide decisions and actions. The policy process
includes the identification of different alternatives such as
Policy
programs or spending priorities, and choosing among them on the
basis of the impact they will have.
A combination of the consequences of an event (including changes
Risk
in circumstances) and the associated likelihood of occurrence.
An equipment or interconnected system or subsystems of
equipment that is used in the acquisition, storage, manipulation,
System management, control, display, switching, interchange, transmission
or reception of data and that includes computer software,
firmware and hardware.
Table 1: Terms and Definitions

Page 6/13
 COMMUNICATIONS SECURITY POLICY

4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by Management. A change log shall be kept current and be updated
as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security
Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous
compliance monitoring within their area.

In case of ignoring or infringing the information security directives, IAU’s environment could be harmed (e.g.,
loss of trust and reputation, operational disruptions or legal violations), and the fallible persons will be made
responsible resulting in disciplinary or corrective actions (e.g., dismissal) and could face legal investigations.

A correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) has to be ensured. For the treatment of policy violations, Management and Human
Resources Department have to be informed and deal with the handling of policy violations

4.6. Waiver
Information security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

The policy waiver period has maximum period of 4 months, and shall be reassessed and re-approved, if
necessary for maximum three consecutive terms. No policy shall be provided waiver for more than three
consecutive terms.

Page 7/13
 COMMUNICATIONS SECURITY POLICY

4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix1 that identifies who is responsible, accountable, consulted or informed for
every task that needs to be performed. There are a couple of roles involved in this policy respectively: ICT
Deanship, Information Security Officer (ISO), Human Resources Department / Administrative Unit (HR/A),
Legal Department, Project Management Officer (PMO), Owner and User (Employee and Contract).

Roles
HR
ICT ISO Legal PMO Owner User
/A
Responsibilities
Defining non-disclosure agreements for IAU’s
R,A C C C R,A I
employees and third parties.
Implementing appropriate controls to protect the
confidentiality, integrity, availability and authenticity of R,A C I
sensitive information.
Adhering to information security policies and
C C R,A
procedures pertaining to the protection of information.
Administering network security infrastructures (e.g.,
R,A C I
routers, switches and firewalls).
Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The followings are all relevant policies and procedures to this policy:

 Information Security Policy

 Asset Management Policy

 Access Control Policy

 Information Security Incident Management Policy

 Compliance Policy

 Risk Management Policy

 Backup and Restoration Procedure

1
The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is
especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible who performs
a task, A stands for Accountable (or Approver) who sings off (approves) on a task that a responsible performs, C stands for Consulted (or
Consul) who provide opinions, and I stands for Informed who is kept up-to-date on task progress.

Page 8/13
 COMMUNICATIONS SECURITY POLICY

 Change Management Procedure

 Patch Management Procedure

 Physical and Logical Access Management Procedure

 System Acquisition, Development and Maintenance Procedure

4.9. Ownership
This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.

Page 9/13
 COMMUNICATIONS SECURITY POLICY

5. Policy Statements
The following subsections present the policy statements in 7 main aspects:

 Network Controls

 Security of Network Services

 Segregation in Networks

 Information Transfer Policies and Procedures

 Agreements on Information Transfer

 Electronic Messaging

 Confidentiality or Non-Disclosure Agreement

5.1. Network Controls

1. ICT Deanship shall identify and implement appropriate countermeasures to:

a. Control the confidentiality and integrity of sensitive information passing over public
networks.

b. Protect the connected systems and applications.

c. Maintain the availability of the network services and computers connected.

2. All IAU’s employees and visitors shall not be allowed to connect any device (e.g., personal computer,
laptop or network equipment) to IAU’s network, without a proper permission and approval from
ICT Department.

3. ICT Deanship shall authorize all routing traffic based on IAU’s business communications
requirements.

4. ICT Deanship shall implement appropriate routing control mechanisms to restrict information flows
to designated network paths.

5. ICT Deanship shall ensure proper management and technical oversight are performed over security
perimeter structure (e.g., firewall) and current configuration. The following shall be covered, but not
be limited to:

Page 10/13
 COMMUNICATIONS SECURITY POLICY

a. Documenting the security perimeter rules and reviewing them in a regular basis.

b. Documenting configuration changes and getting management approval.

c. Getting management approval prior applying any changes to security perimeter rules.

d. Taking an adequate care while applying changes on the security perimeter rules to ensure
minimal distortion to IAU’s environment.

6. The connection capability of users shall be restricted through network gateways that filter traffic by
means of pre-defined tables or rules. The restrictions shall include, but not be limited to:

a. Messaging (e.g. electronic mail).

b. File transfer.

c. Interactive access.

d. Application access.

REF: [ISO/IEC 27001: A.9.1.1]

5.2. Security of Network Services

1. ICT Deanship shall protect IAU’s network infrastructure by implementing proper network security
measures and features. Security features of network services shall include, but not be limited to:

a. Technology applied for security of network services such as authentication, encryption and
network connection controls.

b. Technical parameters required for secured connection with the network services in
accordance with the security and network connection rules such as firewall, VPN and IDS/IPS.

c. Procedures for the network service usage to restrict access to network services or
applications, where necessary.

REF: [ISO/IEC 27001: A.9.1.2]

Page 11/13
 COMMUNICATIONS SECURITY POLICY

5.3. Segregation in Networks

1. ICT Deanship shall split IAU’s network into logical segments, zones or domains based on the
following criteria, but not be limited to:

a. Access requirements (e.g., Management, Department, Academic, Employees, IT, Students,

Third Parties).

b. Relative cost and performance impact of incorporating suitable technology.

c. Value and classification of information stored or processed in the network (e.g., Critical,
Sensitive).

d. Levels of trust (e.g., Trusted, Internet, DMZ).

e. Lines of business (e.g., Service, Support).

2. Internal network shall be segregated from the external network with different perimeter security
controls on each of the networks.

REF:[ISO/IEC 27001: A.9.2.1]

5.4. Information Transfer Policies and Procedures

1. Formal controls based on the criticality of information shall be defined to protect the transfer of
information through the use of communication facilities. Transfer of confidential information shall be
appropriately protected.

2. All users shall manage the creation, storage, amendment, copying and deletion or destruction of data
(in electronic and paper form) in a manner which is consistent with IAU’s policies, and which control
and protect the confidentiality, integrity and availability of such data.

3. Asset Owners shall ensure appropriate mechanisms are implemented and followed to protect
transfer of their information.

REF:[ISO/IEC 27001: A.9.2.2]

Page 12/13
 COMMUNICATIONS SECURITY POLICY

5.5. Agreements on Information Transfer

1. Prior to the transfer of information with external organization, a formal and an appropriate SLA with
an adequate level of security controls shall be defined. This agreement shall cover, but not be limited
to:

a. Management responsibilities.

b. Manual and electronic exchanges.

c. Sensitivity of the critical information being exchanged.

d. Protection requirements.

e. Notification requirements.

f. Packaging and transmission standards.

g. Courier identification.

h. Responsibilities and liabilities.

i. Data and software ownership.

j. Protection responsibilities and measures.

k. Encryption requirements.

REF:[ISO/IEC 27001: A.9.2.3]

5.6. Electronic Messaging

1. Security controls shall be established to protect electronic messaging (e.g., e-mail) from unauthorized
access, modifications or denial of service.

REF:[ISO/IEC 27001: A.9.2.4]

5.7. Confidentiality or Non-Disclosure Agreement

1. Requirements relating to confidentiality and non-disclosure commitments (i.e., for IAU’s employees
and third parties) shall be identified and regularly reviewed. As such, ICT Deanship in cooperation
with various support departments (e.g., Information Security Officer, Project Management Office,
Human Resources Department / Administrative Unit and Legal Department) shall:
Page 13/13
 COMMUNICATIONS SECURITY POLICY

a. Define the information to be protected and required levels of sensitivity.

b. Indicate the expected length of the commitment.

c. Specify the terms for the return or destruction of information upon termination of the
commitment.

d. Specify the responsibilities and requirements concerning signatories in order to prevent

unauthorized disclosure of information.

e. Publish the penalties applicable in the event a user fails to respect the commitment.

2. Confidentiality and non-disclosure commitments shall consider IAU’s legal enforceable terms in order
to address the requirement to protect IAU’s assets.

REF: [ISO/IEC 27001: A.9.2.5]

---------------------------------------------------------- End of Document -----------------------------------------------------

Page 14/13