Umm Al-Qura University

Data Access Control Policy


- 2019/04/09

Data Access Control Policy:

This policy defines access control to all UQU information, data, software, resources and hardware.

Overview

This policy applies to all UQU community members, staff members, students, third-party contractors, and any other entity that is associated with UQU information, data, software, resources and hardware and the related processing facilities, or that in any way interacts with the information assets of UQU.

Scope

Building and developing integrated e-systems internally and externally.

Automating all services and transactions.

Strategic Objective

To comply with security standards and requirements in order to ensure that UQU has controls to limit access to its associated electronic information.

Detailed Objective

Policy:

  1. Compliance with UQU’s Access Control Policy enables consistent resource controls throughout UQU to minimize exposure to security breaches, while allowing systems administrators in the Deanship of Information Technology to conduct their activities within a legitimate framework.
  2. Access, dissemination and authorization of information flow and business processes are controlled on the basis of business and security requirements.
  3. Access to UQU information, data, software, resources and hardware is restricted to authorized users only to prevent accidental or unintentional exposure or amendment to application software, information or data.

Operational Policies and Procedures:

1. User Access Management

a. User Registration:

  1. The User ID Registration Procedure governs the authorization, deactivation and deletion of accounts.
  2. Authorized user accounts (UQU users, third-party contractors/vendors, client representatives) shall be created/activated for a required period of time, as per the respective academic, administrative or business needs.
  3. User IDs should follow standard conventions relevant to User Name, Attributes, Distribution Lists, Security Groups Association, Mailbox properties, etc., as specified in the User ID Registration Procedure.

b. Authorization:

User accounts are only to be created, deactivated or deleted following the approval of the correct authority. It is the responsibility of the authorized personnel who creates user accounts to confirm that the level of authority has been granted whenever and wherever required.

c. Traceability:

  1. Unique user accounts are to be created so that the identity of all users can be established at all times during their computer and related facilities usage.
  2. Periodic user ID reconciliation will be performed.
  3. A unique reference number will be attached to each User ID creation request, to enable reverse traceability.
  4. Shared user IDs (an account shared between multiple users) are to be created for internal use only; internet access will be blocked for such accounts.
  5. Shared mailbox IDs (shared mailbox between multiple users) are to be created and assigned an owner for traceability and accountability.

d. Accountability:

The User ID registration procedure contains specific responsibilities for personnel operating critical functions in the creation, discontinuation and deletion process for user IDs or other functions. These procedures ensure that there are no conflicts of interest, such as a requester being also an approver.

e. Privilege Management:

  1. Access to operating systems and applications is to be generally restricted to designated administrators and staff members who are associated with the management and maintenance of the respective platforms.
  2. Users are assigned specific account profiles and privileges as defined and authorized by their respective function head in accordance with their particular function or role.
  3. User privileges are to be reviewed on a regular and frequent basis (the review interval is established by agreement with the data custodian or system owner), and necessary action must be taken based on the outcome of the review. Access will be revoked where the circumstances of those who have been granted privileges no longer allow such access.

f. Password Management:

The assignment/use of passwords is controlled in accordance with the defined Password Policy.

g. Review User Access Management:

  1. The Deanship of Information Technology will have in place procedures by which identified teams review the occurrences of user IDs and access rights.
  2. Bi-annual audits will ensure that the access rights and user IDs of users who have left the Institution have been removed.
  3. A process shall be in place to ensure that access rights of users who have been transferred to different locations, different departments, etc. are changed in light of the change in job requirements and are modified accordingly in the system. This process is activated following Human Resources notification.
  4. The users' access rights are reviewed at regular intervals.

h. Unattended User Equipment:

  1. All computers belonging to UQU Network must be password-protected with a standard screen saver.
  2. Active Sessions are disconnected after a pre-defined time frame.
  3. Users shall be advised to terminate unattended active sessions.
  4. Users are responsible not to leave their computers unattended.
  5. The general best practice for enabling automatic lockout of a screen saver is to set the timeout to 15 minutes, so that it can provide adequate security and not be inconvenient to the user.

i. Broadcast Message:

  1. Important announcements are conveyed to the UQU community via mass email broadcast.
  2. The Information Technology Deanship under the supervision of the Director of Information Technology controls the access to and dissemination of message broadcasts.
  3. Only authorized staff members are allowed to send broadcast email messages.
  4. The broadcast access request is managed and controlled based on Signatory Authority, which clearly sets forth the authority and approval required.

2. Network Access Controls

a. User Authentication for External Connections:

  1. VPN (Virtual Private Network) connectivity shall be provided to remote users with proper approvals to specific resources only.
  2. Encryption shall be enabled to encrypt the traffic between client and server for remote users.

b. Network Perimeter Security:

  1. Internal networks shall be protected and separated from the Internet and other organizations’ networks through firewalls.
  2. Border routers/firewalls shall be configured to prevent IP spoofing, interruption of service, and other common Internet-based attacks.
  3. Firewalls shall be specifically configured to deny all incoming connections except those that are specifically required for process or business requirements and have been formally documented and approved. Any connection from the external network must be provided through a firewall with proper approvals.
  4. Unauthorized remote access is not allowed.

c. Server Security:

  1. No server shall be exposed directly on the Internet. All servers under the custody of the Deanship of Information Technology shall be placed in the internal zone of the firewall.
  2. Servers that are accessible from the Internet shall be deployed in a DMZ (Demilitarized Zone) and IP addresses shall be NATed (Network Address Translation).
  3. All servers shall be hardened as per the specified Hardening Documents provided by hardware and operating systems suppliers.
  4. Servers should be deployed in a different VLAN (Virtual Local Area Network).
  5. All servers on UQU network shall maintain clock synchronization to ensure that audit trails are accurate.
  6. VA (Vulnerability Assessment) / PT (Penetration Testing) should be conducted before moving to production network.
  7. All systems should forward all logs to a central logging system provided by the Deanship of Information Technology.
  8. Servers should be installed in physically secure server rooms after the approval of the Deanship of Information Technology.

d. Network Equipment Security:

  1. Diagnostic/externally accessible/dial-up ports shall remain disabled on all active network elements and systems, unless specifically opened for a particular activity such as business/client requirements or PT (Penetration Testing)/VA (Vulnerability Assessment). Appropriate approval from the Deanship of Information Technology shall be obtained prior to commencing the activity.
  2. All network elements on the UQU network shall maintain clock synchronization to ensure that audit trails are accurate.

e. Internal Network Security:

Network devices shall be configured to ensure that user access to systems is restricted to required services and unlimited network roaming is avoided. This is to be accomplished by:

  1. Segregating production networks from non-production networks.
  2. Segregating networking equipment and servers from user environment.

f. External Network Security:

  1. All connections for Internet browsing from within UQU network shall go through defined security policy.
  2. All external customer connections to UQU over the Internet shall be secured through the use of VPN (Virtual Private Network).
  3. All external access requirements shall be subject to a risk assessment based on business requirements of access and shall be authorized only after all security controls requirements have been implemented and verified.

g. Network Change Management:

All changes to the network architecture or configurations on the network elements that could impact security (movement of servers, addition of new servers and network devices, etc.) shall follow the Change Management Process defined by the Information Technology Deanship.

3. Operating System Access Control

a. Secure Log-on Procedures:

  1. Access to information services shall be made available via a secure log-on process. The procedure for logging on to a computer system shall disclose minimum information about the system in order to prevent unauthorized users from accessing unnecessary information.
  2. The log-on procedure includes the following characteristics:
  • All systems shall have a standard log-on banner configured, clearly stating that the system is for authorized UQU users only and may be monitored.
  • The log-on procedure shall not detail errors during log-on.
  • Systems shall be configured to lock the user account after predefined unsuccessful attempts.
  • Unsuccessful log-on attempts for all users shall be logged.
  • All log-on attempts for technical users (viz. system administrators, DBAs (database administrators), network administrators, etc.) shall be duly logged and maintained for a predefined period.

b. User Identification and Authentication:

  1. All users (including technical support staff, such as operators, network administrators, system programmers and database administrators) shall have a unique identifier (user ID) so that activities can subsequently be traced to the responsible individual. User IDs should not give any indication of the user's privilege/organizational level, e.g. manager, supervisor.
  2. All authorized users on a particular system will be made part of a separate group so that an audit trail can be maintained.
  3. Any user account that is suspected of being compromised or of password sharing will be disabled temporarily. The account owner will be informed and a security incident will be logged with the Helpdesk for further investigation and resolution.

c. Password Management System:

A password management system helps users select strong passwords and enforces certain password guidelines, which users should follow.

The password management system in use shall have the following features, as a minimum:

  1. The system should only allow the selection of passwords as described in the Defined Password Policy.
  2. The system should allow users to change their passwords.
  3. The system should be able to maintain password age and history as defined in the UQU Password Policy, and prevent re-use based on the same.
  4. The system should not store the passwords in clear text. It should store passwords using encryption.
  5. The system should force the users to change temporary passwords on their first log-on.
  6. The system should not display passwords on screen when they are being entered.
  7. The system should provide confirmation when passwords have been successfully changed.
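The following is an added example, not part of the UQU policy, showing how a small password management system can implement the features listed above: salted, slow hashing instead of clear-text storage (feature 4), password history with reuse prevention and maximum age (feature 3), a forced change of temporary passwords on first log-on (feature 5), and an explicit confirmation result on a successful change (feature 7). The complexity rule in `meets_policy`, the history depth and the 90-day maximum age are assumed values standing in for the UQU Password Policy, which this page does not reproduce.

```python
import hashlib
import secrets
import time

PBKDF2_ROUNDS = 100_000  # salted, slow hash: the password itself is never stored


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def meets_policy(password: str) -> bool:
    # Assumed stand-in for the UQU Password Policy: 12+ chars, letters and digits.
    return (len(password) >= 12 and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


class PasswordStore:
    def __init__(self, history_depth=5, max_age_days=90, clock=time.time):
        self.history_depth, self.max_age = history_depth, max_age_days * 86400
        self.clock, self.accounts = clock, {}

    def create_temporary(self, user: str, temp_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "digest": derive(temp_password, salt),
                               "history": [], "changed_at": self.clock(),
                               "must_change": True}  # temporary: change on first log-on

    def _matches(self, acct, password: str) -> bool:
        return secrets.compare_digest(derive(password, acct["salt"]), acct["digest"])

    def authenticate(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None or not self._matches(acct, password):
            return "denied"  # same answer for unknown user and wrong password
        if acct["must_change"] or self.clock() - acct["changed_at"] > self.max_age:
            return "must_change"  # temporary password or password age exceeded
        return "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not self._matches(acct, old) or not meets_policy(new):
            return False
        # Reuse check against the current digest and the retained history.
        if any(secrets.compare_digest(derive(new, s), d)
               for s, d in [(acct["salt"], acct["digest"])] + acct["history"]):
            return False
        acct["history"] = ([(acct["salt"], acct["digest"])] + acct["history"])[:self.history_depth]
        acct["salt"] = secrets.token_bytes(16)
        acct["digest"] = derive(new, acct["salt"])
        acct["changed_at"], acct["must_change"] = self.clock(), False
        return True  # confirmation that the change succeeded (feature 7)
```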

d. Use of System Utilities:

Most computer installations have one or more system utility programs (e.g. editors, compilers, Ntbackup, disk defragmenters) that might be capable of overriding system and application controls. It is essential that their use is restricted and tightly controlled.

The following should be adhered to, as a minimum:

  1. All systems shall be configured with minimal access rights, and only as per the user requirements. All system installations will follow the system hardening policies.
  2. No third-party utilities shall be installed on any system without prior authorization from the Deanship of Information Technology.

e. Session Time-out:

Terminal time-out is required to close the connection after a defined period of inactivity. Terminal time-out for customer systems shall be configured based upon technical or security requirements specified by the customers. For UQU systems, the following should be configured:

  1. Telnet/SSH session: Wherever active, inactivity time-out for network devices shall be configured for a period not more than five minutes.
  2. Other internal applications (client/server, web based), whether developed or acquired, shall also include session time-outs, as defined.

f. Limitation of Connection Time:

  1. The period during which connections to computer services are allowed shall be defined for high-risk/critical systems.
  2. The duration of active sessions shall be defined.

4. Application and Information Access Control

a. Information Access Restriction:

Users shall be given access to information based upon business requirements only. Role-based permissions shall be configured. Business applications at UQU shall have the following controls:

  1. Access shall be given to business-required menu options according to the needs of the user and as explicitly defined in the application-specific documentation.
  2. Access rights shall be controlled based upon the business requirement and as defined in the system-specific documentation.
  3. Applications shall produce defined output according to roles set out in the application-specific documentation.

b. Sensitive System Isolation:

Sensitive systems may require a dedicated (isolated) computing environment. The sensitivity may indicate that the application system should run on a dedicated computer or should share resources only with trusted applications/systems. Judgments are made on a case-by-case basis under authorization and control by the Deanship of Information Technology.

5. Mobile Computing and Communications

All mobile computing devices authorized by UQU are allowed to connect to the UQU network. All devices must comply with UQU mobile computing rules.