Umm Al-Qura University

Umm Al-Qura University

Information Security Policy

- 2019/04/09

Information Security Policy:

This policy defines the mechanisms adopted to secure information technology systems and the infrastructure against security threats.


This policy applies to the following types of security at the university:

Computer Systems and Application Security

Physical Security

Operational Security

Procedural Security

Network Security


Establishing and developing an integrated technical infrastructure to meet the requirements of the local and international commissions.

Strategic Objective

Providing protection against the potential consequences resulting from breaches of confidentiality or lack of service availability.

Ensuring the protection of the information assets, and network and computer facilities against damage, loss, and misuse.

Ensuring that the members of the university community understand and adhere to the principles of electronic information usage.

Increasing the awareness and understanding of the university's information security requirements.

Increasing user awareness of their direct responsibility for protecting the confidentiality and integrity of the data they own or deal with.

Detailed Objective



  1. The university relies on the availability and integrity of its electronic services in the fields of teaching, learning, research, and management. In this context, it is necessary to protect IT systems and infrastructure against internal, external, deliberate, or accidental security risks.
  2. All members of the university community are responsible for awareness of and compliance with the mechanisms and regulations that ensure:
  • Information is protected against any unauthorized access.
  • Information confidentiality is assured.
  • Information integrity is maintained.
  • Information availability is maintained.
  • Legislative and regulatory requirements are met.
  • Information security awareness training is available for faculty members, students, and staff members.
  • All actual or suspected information security breaches are reported to the Deanship of IT for thorough investigation.
  • Rules exist to support this policy and its procedures, including internal virus control measures, passwords, and continuity plans.
  • Requirements for the availability of information and systems are met.
  • No system is allowed on the network without an anti-virus program.
  • Update of all system components and software system verification on a regular basis.
  • Verification that all files downloaded via e-mail are free of viruses.
  • Servers are equipped with an anti-virus program with a high degree of virus protection.
  • All the unfixed media are inspected and scanned for viruses before use.
  1. Users will be allowed to use a memory chip (USB) in their computers, after checking to verify that they are free of viruses before use.
  2. All outgoing and incoming e-mails will be scanned to ensure that they are free from viruses and harmful content.
  3. The mail server will be updated periodically with the latest software (service packs/patches) for anti-viruses.
  4. Infected emails will be isolated and kept in the Quarantine System and users will be informed. Dean of IT will provide the appropriate solution.
  5. User will not have any admin access to enable or disable features of Antivirus software.
  6. Compromised users/systems will be taken off the network and kept in isolation until further clearance from the Deanship of IT.
  7. Any phishing or spam email or content will not be accessed by user without instructions from the Deanship of IT.
  8. All UQU-operated computers and servers that are compatible with the Active Directory (AD) and connected to the UQU network must be a member of the UQU’s enterprise domain.
  9. Deanship of IT is responsible for maintaining this policy, and for providing support and advice during its implementation.

Operational Policies and Procedures:

1. Confidentiality and Privacy:

All members of the UQU Community are obligated to respect and protect confidentiality of data. UQU does not monitor the content of personal web pages, e-mail, or other online communications. However, UQU reserves the right to examine computer records and monitor the activities of individual computers upon approval by the UQU Administration.

2. Access:

No one in UQU is allowed to access confidential records unless specifically authorized to do so. Authorized individuals may use confidential records only for legitimate purposes. Technology assets must be kept in an appropriately secure physical location. The management team must ensure that controls are in place to avoid unauthorized intrusions into systems and networks and to detect attempts of such intrusions.

3. Accountability:

Members of the UQU community are responsible for ensuring that others do not use their system privileges. UQU authorized staff are responsible for reviewing the audit logs and identifying potential security violations. All controlled systems should maintain audit logs to track usage information up to a level appropriate for each system. If a UQU authorized staff member suspects that a security breach has occurred, they must immediately notify the immediate supervisor.

4. Authentication:

Authentication for point-to-point communication is implemented for all systems that send or receive data.

5. Availability:

Mission critical systems are expected to be 99.9% available. Both mission critical systems and critical systems must be redundant and should have detailed recovery procedures and specific notification for downtime periods. Data backup procedures should be tested and well documented.

6. Reporting Violations

Owners of computer, network, and applications systems, and users of these systems, have the responsibility to report any apparent security violations. Guidelines for reporting violations must be available to all users and management teams. These guidelines should provide guidance on what, when, where, to whom, and within what time frame the violation should be reported. The concerned user(s) must be notified in case of a breach.