1. Table of Contents
1. Table of Contents ........................................................................................................................ 2
2. Property Information .................................................................................................................. 3
3. Document Control ...................................................................................................................... 4
3.1. Information............................................................................................................ 4
3.2. Revision History ................................................................................................... 4
3.3. Review, Verification and Approval ...................................................................... 4
3.4. Distribution List .................................................................................................... 4
4. Policy Overview ........................................................................................................................... 5
4.1. Purpose ................................................................................................................. 5
4.2. Scope..................................................................................................................... 5
4.3. Terms and Definitions .......................................................................................... 5
4.4. Change, Review and Update ............................................................................... 7
4.5. Enforcement / Compliance .................................................................................. 7
4.6. Waiver.................................................................................................................... 7
4.7. Roles and Responsibilities (RACI Matrix) .......................................................... 8
4.8. Relevant Documents ............................................................................................ 8
4.9. Ownership ............................................................................................................. 9
5. Policy Statements ...................................................................................................................... 10
5.1. Network Controls................................................................................................ 10
5.2. Security of Network Services ............................................................................ 11
5.3. Segregation in Networks ................................................................................... 12
5.4. Information Transfer Policies and Procedures ................................................ 12
5.5. Agreements on Information Transfer ............................................................... 13
5.6. Electronic Messaging......................................................................................... 13
5.7. Confidentiality or Non-Disclosure Agreement ................................................. 13
Page 2/13
COMMUNICATIONS SECURITY POLICY
2. Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The
content of this document is Confidential and intended only for the valid recipients. This document is not
to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.
3. Document Control
3.1. Information
4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.
4.1. Purpose
The main purpose of Communications Security Policy is to:
Ensure the protection of information in networks and their supporting information processing facilities, and
maintain the security of information transferred within IAU and with any external entity.
4.2. Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity,
including:
All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.
All other individuals and groups who have been granted access to IAU’s ICT systems and
information.
This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a
foundation for information security management.
Ignoring or infringing the information security directives could harm IAU's environment (e.g.,
loss of trust and reputation, operational disruptions or legal violations), and the persons at fault will be held
responsible, resulting in disciplinary or corrective actions (e.g., dismissal) and possibly legal investigations.
Correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) has to be ensured. Management and the Human Resources Department have to be
informed of policy violations and are responsible for handling them.
4.6. Waiver
Information security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include the justification and benefits attributed to the waiver.
The policy waiver period has a maximum duration of 4 months, and shall be reassessed and re-approved, if
necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three
consecutive terms.
Roles: HR, ICT, ISO, Legal, PMO, Owner, User

Responsibilities (RACI assignments as recorded in the matrix):
1. Defining non-disclosure agreements for IAU's employees and third parties. (R,A / C / C / C / R,A / I)
2. Implementing appropriate controls to protect the confidentiality, integrity, availability and authenticity of sensitive information. (R,A / C / I)
3. Adhering to information security policies and procedures pertaining to the protection of information. (C / C / R,A)
4. Administering network security infrastructures (e.g., routers, switches and firewalls). (R,A / C / I)

Table 2: Assigned Roles and Responsibilities based on RACI Matrix
Compliance Policy
1 The responsibility assignment (RACI) matrix describes the participation of various roles in completing the tasks of a business process. It is
especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs
a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted, who
provides opinions; and I stands for Informed, who is kept up to date on task progress.
4.9. Ownership
This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.
5. Policy Statements
The following subsections present the policy statements in 7 main aspects:
Network Controls
Security of Network Services
Segregation in Networks
Information Transfer Policies and Procedures
Agreements on Information Transfer
Electronic Messaging
Confidentiality or Non-Disclosure Agreement
a. Control the confidentiality and integrity of sensitive information passing over public
networks.
2. All IAU’s employees and visitors shall not be allowed to connect any device (e.g., personal computer,
laptop or network equipment) to IAU’s network without proper permission and approval from the
ICT Department.
3. ICT Deanship shall authorize all routing traffic based on IAU’s business communications
requirements.
4. ICT Deanship shall implement appropriate routing control mechanisms to restrict information flows
to designated network paths.
5. ICT Deanship shall ensure proper management and technical oversight are performed over security
perimeter structure (e.g., firewall) and current configuration. The following shall be covered, but not
be limited to:
a. Documenting the security perimeter rules and reviewing them on a regular basis.
c. Getting management approval prior to applying any changes to security perimeter rules.
d. Taking adequate care while applying changes to the security perimeter rules to ensure
minimal disruption to IAU’s environment.
6. The connection capability of users shall be restricted through network gateways that filter traffic by
means of pre-defined tables or rules. The restrictions shall include, but not be limited to:
b. File transfer.
c. Interactive access.
d. Application access.
a. Technology applied for security of network services such as authentication, encryption and
network connection controls.
b. Technical parameters required for secured connection with the network services in
accordance with the security and network connection rules such as firewall, VPN and IDS/IPS.
c. Procedures for the network service usage to restrict access to network services or
applications, where necessary.
c. Value and classification of information stored or processed in the network (e.g., Critical,
Sensitive).
2. The internal network shall be segregated from the external network, with different perimeter security
controls on each of the networks.
2. All users shall manage the creation, storage, amendment, copying and deletion or destruction of data
(in electronic and paper form) in a manner which is consistent with IAU’s policies, and which controls
and protects the confidentiality, integrity and availability of such data.
3. Asset Owners shall ensure appropriate mechanisms are implemented and followed to protect
transfer of their information.
a. Management responsibilities.
d. Protection requirements.
e. Notification requirements.
g. Courier identification.
k. Encryption requirements.
c. Specify the terms for the return or destruction of information upon termination of the
commitment.
e. Publish the penalties applicable in the event a user fails to respect the commitment.
2. Confidentiality and non-disclosure commitments shall consider IAU’s legally enforceable terms in order
to address the requirement to protect IAU’s assets.