Acceptable Use Policy for Technology Assets
Document Classification: Internal – Restricted
 

1. General Provisions
   • 1-1. Information must be handled according to its assigned classification level, in compliance with Najran University’s Data Classification Policy and Data & Information Protection Policy, ensuring confidentiality, integrity, and availability.
   • 1-2. It is prohibited to infringe on the rights of any person or company—such as copyrights, patents, or any intellectual property laws or regulations—including, but not limited to, installing unlicensed software or obtaining programs through illegal means.
   • 1-3. Do not leave printouts on shared printers unattended.
   • 1-4. Removable storage devices (e.g., USB drives, portable hard disks) must be secured with appropriate password protection and stored in a secure, locked location.
   • 1-5. It is forbidden to use another user’s access badge or credentials (including passwords) on any workstation.
   • 1-6. Adhere to the Clean Desk Policy and maintain a tidy workspace; ensure no classified or sensitive information is left in plain view on your desk or monitor.
   • 1-7. Disclosure of any Najran University–related information—such as systems or network details—to unauthorized internal or external parties is strictly prohibited.
   • 1-8. Posting any Najran University–related information on media outlets or social networks without prior authorization is forbidden.
   • 1-9. University devices and assets must not be used for personal gain or any personal activities that conflict with the university’s mission and security requirements.
   • 1-10. Personal devices must not be connected to Najran University’s networks or systems without prior written authorization, in accordance with the Mobile Device Security (BYOD) policy.
   • 1-11. Conduct that circumvents established security controls—such as installing malware or bypassing antivirus or firewall defenses—is strictly prohibited unless prior written approval is granted by the Cybersecurity Management Department.
   • 1-12. The Cybersecurity Management Department reserves the right to monitor and audit university systems, networks, and user accounts periodically to ensure compliance with cybersecurity policies and standards.
   • 1-13. Hosting unauthorized individuals in sensitive areas is strictly prohibited without prior written authorization.
   • 1-14. The university ID badge must be worn at all times within Najran University facilities.
   • 1-15. Report any loss, theft, or compromise of data or assets immediately to the Cybersecurity Management Department.
2. Asset and Device Protection
   • 2-1. The use of removable storage devices (e.g., USB drives, portable hard disks) is prohibited without prior written authorization from the Cybersecurity Management Department.
   • 2-2. Any actions that could degrade the performance or integrity of university systems and technology assets—including attempts to escalate privileges—are forbidden unless approved in advance by the Cybersecurity Management Department.
   • 2-3. Workstations (desktops or laptops) must be secured—locked or signed out (Sign out or Lock)—before leaving the workspace at the end of the workday or for short absences.
   • 2-4. Do not leave any classified information (paper or electronic) in locations accessible to unauthorized individuals.
   • 2-5. Installing any external hardware or software on a workstation is prohibited without prior written permission from the Cybersecurity Management Department.
   • 2-6. Immediately notify the Cybersecurity Management Department if you suspect any activity that may harm computing devices or technology assets belonging to Najran University.
3. Acceptable Use of the Network, Software, and Internet
   • 3-1. Report to the Cybersecurity Management Department any suspicious websites or links; similarly, verify that any downloaded work-related documents do not violate intellectual property rights.
   • 3-2. The use of unlicensed software or any other intellectual property without proper authorization is strictly forbidden.
   • 3-3. Only authorized web browsers may be used to access the internal network or the Internet; unapproved browsers are prohibited.
   • 3-4. Techniques that bypass a proxy server (Proxy) or firewall (Firewall)—including VPN software—are strictly forbidden.
   • 3-5. Downloading or installing any software or tools that violate university policies or applicable laws from Najran University’s network or the Internet is prohibited without prior written authorization from the Cybersecurity Management Department.
   • 3-6. The university’s internal network or the Internet must not be used to download or share any files or media that have not been specifically authorized.
   • 3-7. Handle incoming email with caution; if you suspect phishing, malware, or any cybersecurity threat, immediately report to the Cybersecurity Management Department.
   • 3-8. Regular security scans and penetration tests must be performed to identify vulnerabilities; such tests—especially those conducted by external parties—require prior written authorization from the Cybersecurity Management Department.
   • 3-9. Using file-sharing sites or cloud storage services without prior written authorization from the Cybersecurity Management Department is prohibited.
   • 3-10. Visiting any suspicious or hacking-related websites is prohibited.
4. Acceptable Use of Email and Communication Systems
   • 4-1. The university email account, telephone, fax, or electronic fax must not be used for any non–university-related activities and must comply with all cybersecurity policies and standards.
   • 4-2. Sending or forwarding any inappropriate or unacceptable content—internal or external—is forbidden.
   • 4-3. When emailing sensitive information, use authorized encryption and secure methods to protect data in transit.
   • 4-4. Do not register Najran University email addresses on websites that are not related to official university business.
   • 4-5. Report immediately to the Cybersecurity Management Department any email content that may harm university assets or systems.
   • 4-6. The Cybersecurity Management Department reserves the right to inspect the contents of university email messages to verify that the user has the necessary authorizations and that all procedures are followed.
   • 4-7. Do not open suspicious or untrusted email attachments or links under any circumstance.
5. Video & Voice Conferencing and Communications
   • 5-1. Conducting unauthorized video or voice conferences over the Internet is strictly prohibited.
   • 5-2. Unauthorized communications or meetings using non–university-approved applications or platforms for work purposes are forbidden.
6. Passwords and Account Security
   • 6-1. Passwords must be strong and secure. Keep university account passwords confidential; do not use university passwords for personal accounts or vice versa.
   • 6-2. When first issued a new password by the system administrator, change it immediately. Passwords must be changed periodically (e.g., every 90 days) in accordance with university policy.