Communications Security Policy - Imam Abdulrahman Bin Faisal University


INSPIRING BUSINESS INNOVATION

COMMUNICATIONS SECURITY POLICY
Version 1.1
Policy Number:

COMMUNICATIONS SECURITY POLICY

1. Table of Contents

1. Table of Contents ... 2
2. Property Information ... 3
3. Document Control ... 4
3.1. Information ... 4
3.2. Revision History ... 4
3.3. Review, Verification and Approval ... 4
3.4. Distribution List ... 4
4. Policy Overview ... 5
4.1. Purpose ... 5
4.2. Scope ... 5
4.3. Terms and Definitions ... 5
4.4. Change, Review and Update ... 7
4.5. Enforcement / Compliance ... 7
4.6. Waiver ... 7
4.7. Roles and Responsibilities (RACI Matrix) ... 8
4.8. Relevant Documents ... 8
4.9. Ownership ... 9
5. Policy Statements ... 10
5.1. Network Controls ... 10
5.2. Security of Network Services ... 11
5.3. Segregation in Networks ... 12
5.4. Information Transfer Policies and Procedures ... 12
5.5. Agreements on Information Transfer ... 13
5.6. Electronic Messaging ... 13
5.7. Confidentiality or Non-Disclosure Agreement ... 13

Page 2/13

2. Property Information

This document is the property information of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without ICT Deanship written permission.

3. Document Control

3.1. Information

Title: COMMUNICATIONS SECURITY POLICY
Classification: Confidential
Version: 1.1
Status: validated

3.2. Revision History

Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah – Devoteam | November 18, 2014 | Creation
0.2 | Nabeel Albahbooh – Devoteam | December 1, 2014 | Update
0.3 | Osama Al Omari – Devoteam | December 23, 2014 | QA
1.0 | Nabeel Albahbooh – Devoteam | December 31, 2014 | Update
1.1 | Muneeb Ahmad – ICT, IAU | 24 April 2017 | Update

3.3. Review, Verification and Approval

Name | Title | Date
Lamia Abdullah Aljafari | Quality Director |
Dr. Saad Al-Amri | Dean of ICT |

3.4. Distribution List

Copy # | Recipients | Location

4. Policy Overview

This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

4.1. Purpose

The main purpose of the Communications Security Policy is to ensure the protection of information in networks and its supporting information processing facilities, and to maintain the security of information transferred within IAU and with any external entity.

4.2. Scope

The policy statements written in this document are applicable to all IAU's resources at all levels of sensitivity, including:
- All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
- Students studying at IAU.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU's ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term | Definition
Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions.
Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information systems.
Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity.
Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.
Control | A means of managing risk, including policies, procedures, and guidelines, which can be of an administrative, technical, management or legal nature.
Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies.
Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.
Owner | A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.
Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.
Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
System | Equipment or an interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware.

Table 1: Terms and Definitions

4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be performed exclusively by the Information Security Officer and approved by Management. A change log shall be kept current and be updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and is to be reviewed periodically by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area.

In case of ignoring or infringing the information security directives, IAU's environment could be harmed (e.g., loss of trust and reputation, operational disruptions or legal violations), and the persons at fault will be held responsible, resulting in disciplinary or corrective actions (e.g., dismissal), and could face legal investigations. A correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) has to be ensured. For the treatment of policy violations, Management and the Human Resources Department have to be informed and deal with the handling of policy violations.

4.6. Waiver

Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

The policy waiver period has a maximum period of 4 months, and shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three consecutive terms.

4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix(1) that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed. The roles involved in this policy are, respectively: ICT Deanship, Information Security Officer (ISO), Human Resources Department / Administrative Unit (HR/A), Legal Department, Project Management Officer (PMO), Owner and User (Employee and Contract).

Responsibilities:
- Defining non-disclosure agreements for IAU's employees and third parties.
- Implementing appropriate controls to protect the confidentiality, integrity, availability and authenticity of sensitive information.
- Adhering to information security policies and procedures pertaining to the protection of information.
- Administering network security infrastructures (e.g., routers, switches and ...).

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The following are all policies and procedures relevant to this policy:
- Information Security Policy
- Asset Management Policy
- Access Control Policy
- Information Security Incident Management Policy
- Compliance Policy
- Risk Management Policy
- Backup and Restoration Procedure
- Change Management Procedure
- Patch Management Procedure
- Physical and Logical Access Management Procedure
- System Acquisition, Development and Maintenance Procedure

(1) The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off (approves) on a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up-to-date on task progress.

4.9. Ownership

This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.

5. Policy Statements

The following subsections present the policy statements in 7 main aspects:
- Network Controls
- Security of Network Services
- Segregation in Networks
- Information Transfer Policies and Procedures
- Agreements on Information Transfer
- Electronic Messaging
- Confidentiality or Non-Disclosure Agreement

5.1. Network Controls

1. ICT Deanship shall identify and implement appropriate countermeasures to:
   a. Control the confidentiality and integrity of sensitive information passing over public networks.
   b. Protect the connected systems and applications.
   c. Maintain the availability of the network services and the computers connected to them.
2. No IAU employee or visitor shall be allowed to connect any device (e.g., personal computer, laptop or network equipment) to IAU's network without proper permission and approval from the ICT Department.
3. ICT Deanship shall authorize all routing traffic based on IAU's business communications requirements.
4. ICT Deanship shall implement appropriate routing control mechanisms to restrict information flows to designated network paths.
5. ICT Deanship shall ensure proper management and technical oversight are performed over the security perimeter structure (e.g., firewall) and its current configuration. The following shall be covered, but not be limited to:
   a. Documenting the security perimeter rules and reviewing them on a regular basis.
   b. Documenting configuration changes and getting management approval.
   c. Getting management approval prior to applying any changes to security perimeter rules.
   d. Taking adequate care while applying changes to the security perimeter rules to ensure minimal disruption to IAU's environment.
6. The connection capability of users shall be restricted through network gateways that filter traffic by means of pre-defined tables or rules. The restrictions shall include, but not be limited to:
   a. Messaging (e.g., electronic mail).
   b. File transfer.
   c. Interactive access.
   d. Application access.

REF: [ISO/IEC 27001: A.9.1.1]

5.2. Security of Network Services

1. ICT Deanship shall protect IAU's network infrastructure by implementing proper network security measures and features. Security features of network services shall include, but not be limited to:
   a. Technology applied for the security of network services, such as authentication, encryption and network connection controls.
   b. Technical parameters required for a secured connection with the network services, in accordance with the security and network connection rules, such as firewall, VPN and IDS/IPS.
   c. Procedures for network service usage to restrict access to network services or applications, where necessary.

REF: [ISO/IEC 27001: A.9.1.2]

5.3. Segregation in Networks

1. ICT Deanship shall split IAU's network into logical segments, zones or domains based on criteria including, but not limited to:
   a. Access requirements (e.g., Management, Department, Academic, Employees, IT, Students, Third Parties).
   b. Relative cost and performance impact of incorporating suitable technology.
   c. Value and classification of information stored or processed in the network (e.g., Critical, Sensitive).
   d. Levels of trust (e.g., Trusted, Internet, DMZ).
   e. Lines of business (e.g., Service, Support).
2. The internal network shall be segregated from the external network, with different perimeter security controls on each of the networks.

REF: [ISO/IEC 27001: A.9.2.1]

5.4. Information Transfer Policies and Procedures

1. Formal controls based on the criticality of information shall be defined to protect the transfer of information through the use of communication facilities. Transfer of confidential information shall be appropriately protected.
2. All users shall manage the creation, storage, amendment, copying and deletion or destruction of data (in electronic and paper form) in a manner which is consistent with IAU's policies, and which controls and protects the confidentiality, integrity and availability of such data.
3. Asset Owners shall ensure appropriate mechanisms are implemented and followed to protect the transfer of their information.

REF: [ISO/IEC 27001: A.9.2.2]

5.5. Agreements on Information Transfer

1. Prior to the transfer of information with an external organization, a formal and appropriate SLA with an adequate level of security controls shall be defined. This agreement shall cover, but not be limited to:
   a. Management responsibilities.
   b. Manual and electronic exchanges.
   c. Sensitivity of the critical information being exchanged.
   d. Protection requirements.
   e. Notification requirements.
   f. Packaging and transmission standards.
   g. Courier identification.
   h. Responsibilities and liabilities.
   i. Data and software ownership.
   j. Protection responsibilities and measures.
   k. Encryption requirements.

REF: [ISO/IEC 27001: A.9.2.3]

5.6. Electronic Messaging

1. Security controls shall be established to protect electronic messaging (e.g., e-mail) from unauthorized access, modification or denial of service.

REF: [ISO/IEC 27001: A.9.2.4]

5.7. Confidentiality or Non-Disclosure Agreement

1. Requirements relating to confidentiality and non-disclosure commitments (i.e., for IAU's employees and third parties) shall be identified and regularly reviewed. As such, ICT Deanship, in cooperation with various support departments (e.g., Information Security Officer, Project Management Office, Human Resources Department / Administrative Unit and Legal Department), shall:
   a. Define the information to be protected and the required levels of sensitivity.
   b. Indicate the expected length of the commitment.
   c. Specify the terms for the return or destruction of information upon termination of the commitment.
   d. Specify the responsibilities and requirements concerning signatories in order to prevent unauthorized disclosure of information.
   e. Publish the penalties applicable in the event a user fails to respect the commitment.
2. Confidentiality and non-disclosure commitments shall consider IAU's legally enforceable terms in order to address the requirement to protect IAU's assets.

REF: [ISO/IEC 27001:

--- End of Document ---
