KA CORPORATE SERVICES

IT SECURITY

EMAIL POLICY
REV 0.2
 IT Security Policy Rev 0.2

Document Number: ITS 05

Document Name: Email Policy
Effective Date: 01/02/2021
Document Status: Final

Contents
Overview ..................................................................................................................................... 2
Scope ........................................................................................................................................... 2
Objective ..................................................................................................................................... 2
Policy Statement ......................................................................................................................... 2
Enforcement ............................................................................................................................... 3
Policy review ............................................................................................................................... 3
Document History ....................................................................................................................... 4

Last Modified By: Policy Owner Last Modified On: February 2021 Page: 1
Document Owner: Corporate IT Services Department Original Date: June 2017
 IT Security Policy Rev 0.2

Overview

Describes the acceptable use of khatib and Alami email service.

Scope

Applies to all Khatib and Alami employees which is associated with the organization Information
Systems.

Objective

Ensures optimum and secure usage of email service for employees.

Policy Statement

1. Users should only use the official organization email service for official business and should not
use free email services such as Yahoo, Gmail and Hotmail.
2. Users shall use email forwarding with due care and should not forward Junk, SPAM or marketing
emails.
3. Password sharing is prohibited.
4. Users are only allowed to send emails and attachments that are consistent with religious, cultural,
political and moral values. Users shall not send emails which may impact liability to khatib and Alami
or might damage the image or reputation.
5. Users are not allowed to send, reply, forward or distribute any email messages containing
confidential information or is considered to contain material that breaches Intellectual Property
Rights.
6. Users are not allowed to send, reply, forward or distribute any email messages containing virus
attachments or malicious programs.
7. Users should not open SPAM email messages and should delete them.
8. Users are prohibited from using the khatib and Alami email system for personal purposes.
9. Users are prohibited from participating in publishing emails for personal reasons, commercial or
religious or political.
10. Users are prohibited from participating in publishing e-mails for charity causes without prior
approval from the Federal entity.
11. Users are prohibited from using the organization email system to impersonate someone else.
12. Users are prohibited from sending, redirecting, transferring, distributing or replying to e-mails
when using another person's e-mail system.
13. Users are not allowed to enter any changes to the electronic message content, or change the
date and time, or source, or party, or the label, or any other information.
14. Users must examine and verify that the files attached to email messages, do not contain viruses
or malicious code.
15. Confidential information shall only be exchanged via email in line with the Data Classification and
Information Handling procedures.
16. Users shall use Khatib and Alami approved signatures and disclaimers with all emails.

Last Modified By: Policy Owner Last Modified On: February 2021 Page: 2
Document Owner: Corporate IT Services Department Original Date: June 2017
 IT Security Policy Rev 0.2

17. Users shall not register Khatib and Alami email address with Websites for non-business purposes.
18. Users shall not use automatic forwarding to or from external email addresses.
29. Users are allowed to check their private email accounts, but are not allowed to upload any khatib
and Alami information to their private email account.
21. Mass email communication on the organization network is not allowed unless authorized by
Khatib and Alami management.
22. When using e-mail on a mobile device such as a Smart Phone, the mobile device should be
provided with a password lock security feature activated automatically when device is idle.
23. Khatib and Alami shall include the topic of Phishing emails and email usage in the Induction
Training Program to develop awareness for new khatib and alami employees.
24. khatib and alami employees shall review and comply with Saudi Aramco requirements related to
e-mail usage and internet security. Saudi Aramco provides awareness training sessions to khatib and
alami employees.
25. Khatib and Alami shall issue email alerts / reminders / awareness memos related to Phishing
emails / e-mail usage, to khatib and Alami employees.
26 khatib and alami shall send phishing emails to check, whether any employee is opening these
emails. Any employee who has failed to identify a phishing email shall be found by his email address
or IP address will be issued a warning.
27 In case a complaint related to Phishing emails is received from Client. Khatib and alami shall
request Client to provide the employee details and shall recommend appropriate disciplinary action,
after verifying whether it is a first-time violation or a repeated violation.
28 Khatib and Alami shall get every Khatib and Alami employees working to sign an undertaking
which states that failure to follow email security protocols may result in termination of his / her
services from Khatib and Alami.
29 Client complaints on violations, Warning letters and/or other Disciplinary Action memos shall be
maintained in the personal file of concerned Khatib And Aalami employee, and shall affect his
performance appraisal in terms of salary increment, promotion and other benefits.

Enforcement

The Information Security Officer will investigate suspected violations, and may recommend
disciplinary action in accordance with organization codes of conduct, policies, or applicable
laws. Sanctions may include one or more of the following:

1. First Failure: Verbal Warning & Immediate Additional Training.

2. Second Failure: Written Warning & Immediate Additional Training.
3. Third Failure: 15% Salary deduction & Immediate Additional Training.
4. Fourth Failure: Termination of employment.

Policy review

This policy shall be reviewed on an annual basis by the IT Department to:

Last Modified By: Policy Owner Last Modified On: February 2021 Page: 3
Document Owner: Corporate IT Services Department Original Date: June 2017
 IT Security Policy Rev 0.2

Determine if there have been changes in International, National or Internal references that
may impact on this policy.
Determine if there are improvements or changes in the IT process that should be reflected in this
policy

Document History

Date
Rev. Performed By Verified By Comments
(DD/MM/YYY)

07/06/2017 0.1 Mohamad Berjawi Initial Policy Availability

01/02/2021 0.2 Mohamad Berjawi

Last Modified By: Policy Owner Last Modified On: February 2021 Page: 4
Document Owner: Corporate IT Services Department Original Date: June 2017