1. Technical Infrastructure Policies
1.1 Policy of Acceptable Use of Information Technology Resources:
This policy and related procedures determine the acceptable use of IT resources, and the rights and obligations of the different parties that use these resources.
|
Overview
|
This policy applies to all users at the university.
|
Scope
|
Establish and develop an integrated technical infrastructure to meet the requirements of local, regional and international authorities.
|
Strategic Objective
|
This policy aims to :
- Safeguard and protect computers, networks and data at the university.
- Conform the use of e-communication to the university's policies.
- Ensure the university fulfills its legal obligations regarding control of data access.
- Make the use of cloud computing services in line with the cloud computing policy at Umm Al-Qura University.
|
Detailed Objective
|
Policy
- Computers, networks and electronic information systems are essential resources which are needed for the university to achieve its mission of teaching, conducting scientific research, and serving the community. The university grants its members access to these resources in order to support its mission.
- These resources are valuable facilities for the university and should be used and managed responsibly to ensure their security and safety, and to make them available for appropriate educational activities. All users of these resources must use them responsibly and effectively.
- University employees are responsible for knowing their rights and duties towards this policy. This policy explains the responsibility of personal communications and security issues, and identifies the consequences of violations. Users are responsible for identifying themselves, and fulfilling any additional requirements related to their college or unit.
- Users must know the rights and responsibilities of using the public cloud computing facilities. This document defines the responsibilities for personal communications, security issues and privacy issues when using cloud services.
- Users of IT facilities at the university are responsible for the content of their personal communications, and may be held liable for such use. The university assumes no responsibility for the personal or unauthorized use of its resources by any user.
- Information/data and systems may only be used by authorized individuals in accomplishing tasks related to their job responsibilities. Use of the information and systems for personal gain or business, or to commit fraud, is prohibited.
- Users are not allowed to disclose any information without formal authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action which may involve termination or lead to legal prosecution by government authorities.
- Users should be aware of the university's user rights and responsibilities. This document outlines liability for personal communications, privacy and security issues, and sets out the consequences of violations.
- The Internet should be used only for university work and assignments.
- It is prohibited to enter banned sites or those that contain blocked content under the policy of the university.
- Users are prohibited from entering, contributing to or downloading files from abusive sites. These abusive sites include, but are not limited to, sites that promote racism, contain extremist views in religion, derogatory or offensive language, are libelous or abusive against any individual or group, or have pornographic content.
- Internet users should not participate in any activity that would lead to suspension of computer system operations.
- Internet users should not upload, download or install software from the Internet without prior approval of the Deanship of Information Technology.
- Users should not install any private virtual networks or use proxy software to circumvent the university's network security policy.
Operational Policies and Procedures:
Responsibilities:
** Rights, duties and responsibilities of the user:
- Members of the university community are granted access to information technology resources in order to facilitate their university-related academic, research, and job activities. However, by using these resources, users agree to abide by all relevant university policies and procedures. These include, but are not limited to, areas related to harassment, plagiarism, commercial use, security, and unethical conduct, as well as laws prohibiting theft, copyright and licensing infringement, unlawful intrusions, and data privacy laws.
- When guests are granted access to information technology resources, they must abide by the same university policies that are granted to regular users.
Users are responsible for:
- Reviewing, understanding, and complying with all policies, procedures and laws related to access and acceptable use of information technology resources.
- Asking system administrators or data custodians for clarification on access or acceptable and safe use of the information technology resources.
- Reporting policy violations to the appropriate entities or management authority.
Liability for Personal Communications:
Users of the university information technology resources are responsible for the content of their personal communications. UQU accepts no responsibility or liability for any personal or unauthorized use of its resources by users.
Privacy and Security Awareness:
Users should be aware that although UQU takes reasonable security measures to protect the security of its computing resources and accounts assigned to individuals, UQU does not guarantee absolute security and privacy. Users should follow the appropriate security procedures.
Cloud Computing:
The use of the general cloud computing services shall be consistent with all policies and procedures set out by the UQU. The use of these services is the responsibility of the employees, and they should ensure that the use is consistent with the university's policies. In addition to complying with relevant rules and policies, the following procedures should be taken into account when using the cloud computing services:
1. Privacy and Data Security:
Cloud computing may not be used for the circulation of any information classified as confidential, personal, private, or sensitive by the UQU's information classification policy
2. Other Requirements:
Academic staff members, employees and students at Umm Al-Qura University should be very careful when using cloud services to process, store, exchange or manage any corporate data.
All cloud services involve risks related to managing critical data that may be exposed to risk or change, without notice. It is assumed that all cloud services require individual users to comply with specific agreements and agree to certain terms by clicking on specific links. These agreements do not allow users to negotiate any terms and conditions, and do not provide any opportunity to explain or clarify the terms; these terms and guarantees are often presented in ambiguous contexts. In most cases, conditions are changed without prior notice. The use of cloud services includes the following risks:
- Poor access control, and lack of public security rules.
- Sudden loss of service, without prior warning.
- Sudden loss of data, without prior warning.
- Possible manipulation with stored data that has been processed through cloud services, and these data can be resold through a third party which poses a threat to privacy.
- There may be risks to exclusive intellectual property rights related to stored data processed through cloud services.
Consequences of Violations:
Access privileges to UQU's information technology resources will not be denied without cause. If in the course of an investigation it appears necessary to protect the integrity and security of its computers and networks, UQU may temporarily deny access to those resources. Alleged policy violations will be referred to the appropriate UQU authority. Depending on the nature and severity of the offense, policy violations may result in loss of access privileges, UQU disciplinary action, and/or criminal prosecution.
UQU's Rights and Responsibilities:
As owner of the computers and networks that comprise UQU's technical infrastructure, UQU owns all official administrative and academic data that resides on its systems and networks, and is responsible for taking necessary measures to ensure the security of its systems, data, and user accounts. When UQU becomes aware of violations, either through routine system administration activities or from a complaint, it is the responsibility of UQU to investigate, as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.
1. Individual units within UQU may define additional conditions of use for resources or facilities under their control. Such additional conditions must be consistent with UQU overall policies, but may provide additional details, guidelines, and/or restrictions.
Roles and responsibilities for specific UQU information technology-related entities and individuals are defined in greater detail below:
2. The Deanship of Information Technology's Rights and Responsibilities:
- Establishes, disseminates and enforces rules regarding access to and use of information technology resources, after their adoption based on the validity of the signature.
- Establishes reasonable security policies and measures to protect data and systems.
- Monitors and manages system resource usage.
- Investigates alleged violations of UQU information technology policies.
- Refers violations to appropriate UQU offices for resolution or disciplinary action.
3. Colleges and Departments' Rights and Responsibilities:
- Create, disseminate and enforce conditions of use that are consistent with UQU policies for facilities and/or resources under their control.
- Monitor the use of UQU resources under their control.
- Refer violations to appropriate UQU offices for resolution or disciplinary action. Policy violations should be reported to the Executive Director of the Deanship of Information Technology.
4. Data Custodians' Rights and Responsibilities:
- Grant authorized users appropriate access to the data and applications they are working on in coordination with the Deanship of Information Technology, based on a legitimate role-based need.
- Review access rights of authorized users on a regular basis.
- Respond to questions from users relating to appropriate use of data.
- Determine the criticality and sensitivity of the data and/or applications for which they deal with.
5. System/Network Administrators' Rights and Responsibilities:
- Take reasonable actions to ensure the authorized use and security of data and networks.
- Participate and advise, as requested, in developing conditions of use or authorized use procedures.
- Cooperate with appropriate UQU departments and law enforcement officials in investigating alleged violations of policy or law, including the right to access UQU electronic resources upon appropriate approval.
6. Information Security Officers' Rights and Responsibilities:
- Protect UQU network, systems, and data. Coordinate with information security staff to ensure the confidentiality, integrity, and availability of UQU systems, and ensure that appropriate and timely action is taken.
7. Rights, Responsibilities, and Authorization of Access:
Access to Information Technology Resources:
- 1. Information technology resources and related services will be assigned and made available to users. The UQU Human Resources Management and the Deanship of Admissions and Registration determine the students, faculty members and employees who have the right to use these resources. The head of each unit will determine rights of access for visiting faculty, temporary staff, and long-term consultants.
- 2. Owners and operators of any computer, server, IT device and service within the UQU network may not grant access to accounts on their IT resources and services to anyone except with prior approval.
- 3. Installation of unlicensed and non-standard encryption and software is prohibited.
- 4. Network scanning software, software copying, and distribution or interception of information or seizure of passwords without a specific permission is prohibited.
- 5. License terms of any software must always be taken into consideration.
- 6. Software is used in accordance with federal or local laws in the country, including, in particular, copyright laws and commercial transactions and patents.
Special Circumstances:
- 1. Department access to shared network resources is authorized by the Head of the Unit that owns the network resources.
- 2. Requests to access cross-UQU resources must be authorized by the Head of the Unit, in addition to the Executive Director of the Deanship of Information Technology.
Authority to Access User Data:
- 1. Email confidentiality and security are of prime importance. Access to any UQU community member's mailbox must have written authorization by the Office of the University President.
- 2. Access to a department’s generic mailbox and mailing list must be authorized by the head of the unit or his immediate supervisor.
- 3. Requests to access data logs concerning use of information and telecommunications technology must be approved by the Director of Information Technology.
- 4. Requests to access data on a desktop must be authorized in writing by the head of the concerned unit, the dean of the concerned college, or the Director of Information Technology.
Loss of Data:
Users are responsible for backing up their own files. They should not assume that files on their machines are backed up. Users must maintain and archive backup copies of important work on their machines. Deleted email messages that are older than 30 days are not recoverable; recovery of deleted emails is a self-service, which is performed by the owner of the mailbox.
Usage and Responsibilities:
- Users are responsible for protecting the desktop/laptop and the information stored on it from damage, loss, and theft.
- In the case of theft of a laptop/mobile device, the user must inform the local police immediately, and also inform the Deanship of Information Technology.
- In case of damage or loss of a laptop/mobile device, the user must immediately inform the Deanship of Information Technology about the loss.
- Users should not leave the laptop/mobile device unattended in public.
- Users have to use a lock screen password when they finish using the laptop/desktop/mobile devices.
- Users should not connect private personal computers to the UQU University network.
- Users should not change the administrative functions in the portable computer in any way, such as the operating system in the device or the definition of a system administrator and password.
- Users must complete copies/support of their data associated with the login identity that is provided by the university before the last day of work or graduation from the university.