General Cybersecurity Policy - Policies and Procedures
General Cybersecurity Policy – Najran University
Entity: Cybersecurity Management Department
Reference: National Cybersecurity Authority
Version: 1.2
Date: 10/01/2022
Document Classification: Internal – Restricted
1. General Policy:
This policy sets out cybersecurity requirements based on best practices and standards, with the aim of reducing cyber risk by protecting systems and information against internal and external threats and ensuring the confidentiality, integrity, and availability of information.
Additionally, this policy is intended to ensure compliance with all regulatory and legislative requirements applicable to Najran University, in adherence to the Essential Cybersecurity Controls (ECC-1:2018) and guidelines issued by the National Cybersecurity Authority.
2. Objectives:
1. Comply with regulatory and legislative requirements as well as National Cybersecurity Authority mandates.
2. Implement the Essential Cybersecurity Controls (ECC-1:2018) issued by the National Cybersecurity Authority.
3. Communicate cybersecurity requirements to all university stakeholders to ensure understanding and adherence.
3. Scope and Applicability:
This policy applies to all information and technology assets at Najran University, including but not limited to:
- Computer devices (desktops, laptops, tablets).
- Network infrastructure and communication systems.
- Electronic platforms and applications.
- Databases and stored information.
- Any other systems or devices associated with the university’s digital activities.
This policy serves as the primary reference for all related cybersecurity policies and procedures in project management, human resources, vendor management, change management, and any operational processes that involve these information and technology assets.
4. Policy Elements:
Najran University’s Cybersecurity Management Department must develop, review, and implement the following elements on a periodic basis:
4-1. Cybersecurity Policy Development:
- Establish clear cybersecurity policies and standards based on risk assessment results.
- Obtain formal approval for these policies from the authorized bodies within the university leadership.
4-2. Cybersecurity Strategy:
- Prepare a comprehensive strategy to protect Najran University’s information and technology assets.
- Include goals, policies, implementation guidelines, governance, and operational processes within the strategy framework.
4-3. Cybersecurity Roles and Responsibilities:
- Define explicit roles and responsibilities for all parties involved in enforcing cybersecurity controls within the university.
- Ensure an organizational structure is in place to oversee, monitor, and continuously evaluate cybersecurity effectiveness.
4-4. Cybersecurity Risk Management:
- Implement a systematic program to identify and assess cybersecurity risks.
- Define controls and procedures to address risks according to priority, ensuring protection of information and technology assets.
4-5. Cybersecurity in IT Projects:
- Integrate cybersecurity requirements into every system and application development project at Najran University.
- Validate project compliance with all applicable policies, procedures, and legislative/regulatory requirements.
- Follow established methodologies to design, test, and secure systems before deployment.
4-6. Regulatory Compliance:
- Ensure all university cybersecurity programs comply with national laws and regulations.
- Monitor legislative updates and revise policies and plans as needed.
4-7. Periodic Cybersecurity Assessment and Audit:
- Conduct regular reviews and audits to verify implementation of cybersecurity controls across the university.
- Document audit findings and take corrective actions upon identifying deficiencies or vulnerabilities.
4-8. Cybersecurity in Human Resources:
- Ensure that employees and contractors at Najran University are aware of cybersecurity risks and know how to mitigate them.
- Incorporate cybersecurity requirements into hiring, training, performance evaluation, and promotion processes.
- Enforce visitor security controls and obtain necessary approvals before granting access to sensitive areas.
4-9. Cybersecurity Awareness and Training Program:
- Develop recurring training modules to raise cybersecurity awareness among university personnel.
- Include content on the most critical cyber threats and effective countermeasures.
- Evaluate training effectiveness and regularly update materials to reflect new threats and best practices.
4-10. Asset Management Policy:
- Maintain an accurate, up-to-date inventory of all information and technology assets at Najran University.
- Classify assets based on sensitivity and importance, and assign responsible custodians.
- Oversee procurement and secure disposal of assets that are obsolete or no longer functional.
4-11. Identity and Access Management Policy:
- Establish controls for creating and managing digital identities and for authenticating user access to systems.
- Apply the principle of least privilege when granting access rights.
- Continuously monitor, log, and analyze access activities to detect unauthorized attempts or unusual behavior early.
4-12. Information System and Processing Facilities Protection Policy:
- Enforce controls to protect computing systems (servers, workstations, processing devices) from cyber threats.
- Implement a regular patch management process for operating systems and applications.
- Secure production, staging, and development environments to prevent security breaches.
4-13. Email Protection Policy:
- Deploy email protection mechanisms such as filtering, anti-malware/anti-spam solutions, and encryption where necessary.
- Enforce two-factor authentication (2FA) for employee email accounts.
- Train users to recognize suspicious emails and report them appropriately.
4-14. Networks Security Management Policy:
- Design a network architecture that segments and isolates sensitive university departments.
- Implement firewalls, intrusion detection/prevention systems (IDS/IPS), and encrypted transport (VPN, TLS) to secure network traffic.
- Continuously monitor network activity to detect anomalies and potential threats.
4-15. Mobile Devices Security Policy:
- Require security controls on mobile devices (smartphones, tablets, laptops) used to access university resources.
- Utilize a Mobile Device Management (MDM) solution to enforce security configurations.
- Prohibit use of personal “Bring Your Own Device” (BYOD) unless approved by the Cybersecurity Management Department and subject to security requirements.
4-16. Data and Information Protection Policy:
- Classify sensitive data and encrypt it in transit and at rest according to international standards.
- Define controls for sharing information internally and externally while ensuring data confidentiality and integrity.
- Implement regular data backup procedures and test recovery processes to maintain data availability in case of disasters or incidents.
4-17. Cryptography Policy:
- Choose internationally recognized encryption algorithms to safeguard sensitive information.
- Securely manage encryption keys throughout their lifecycle and document all cryptographic procedures.
- Ensure all encryption operations comply with university policies and regulatory requirements.
4-18. Backup and Recovery Management Policy:
- Define documented backup procedures for databases and critical systems supporting university operations.
- Regularly test disaster recovery plans to verify readiness for system restoration in case of catastrophic events.
- Store encrypted backups off-site to protect data integrity and availability.
4-19. Vulnerabilities Management Policy:
- Conduct periodic vulnerability scans on systems and applications using approved tools to identify security gaps.
- Classify vulnerabilities by severity and apply patches or remediations within defined timeframes.
- Document scanning and remediation results and track remediation tickets until closure.
4-20. Penetration Testing Policy:
- Perform regular penetration tests to simulate real-world cyber attacks.
- Focus on critical assets such as servers containing sensitive data or payment systems.
- Produce a professional report detailing discovered weaknesses and technical recommendations for mitigation.
4-21. Cybersecurity Event Logs and Monitoring Management Policy:
- Collect all cybersecurity event logs from sources such as firewalls, servers, and intrusion detection systems.
- Analyze collected logs to identify suspicious activity and potential threats.
- Securely archive logs and make them available for forensic analysis when needed.
4-22. Threat and Incident Management Policy:
- Establish an incident response plan to detect, identify, and respond to cybersecurity incidents promptly.
- Comply with Royal Decree No. 3714 dated 14/08/1438H for reporting and coordinating with relevant authorities.
- Provide technical and procedural guidelines to address incidents and protect affected systems.
4-23. Physical Security Policy:
- Implement physical controls (locks, surveillance cameras, guards) to protect technological and information assets from theft or destruction.
- Define and enforce security measures for sensitive areas (e.g., server rooms, data centers).
4-24. Web Application Security Policy:
- Adopt web application security standards (e.g., OWASP Top Ten) to secure Najran University web applications.
- Conduct periodic security assessments to prevent common vulnerabilities (e.g., SQL injection, cross-site scripting).
- Remediate discovered vulnerabilities or misconfigurations promptly.
4-25. Cybersecurity Resilience and Business Continuity Policy:
- Integrate business continuity requirements into the university’s cybersecurity strategy.
- Develop rapid recovery plans to ensure continuity of digital services during disasters or incidents.
- Perform regular tests to confirm plan effectiveness in responding to unexpected outages.
4-26. Third-Party and Cloud Computing Cybersecurity Policy:
- Evaluate risks associated with third-party services, outsourcing, and managed service providers.
- Verify that external service providers comply with Najran University’s cybersecurity standards before contracting.
- Ensure contracts include confidentiality clauses and specify responsibilities for cloud-based services.
4-27. Hosting Cybersecurity Policy:
- Secure cloud and hosting environments where university services are deployed.
- Enforce security controls to protect data in transit and at rest with cloud service providers.
- Continuously validate the provider’s compliance with applicable legislative and regulatory requirements.
4-28. Cybersecurity Forensics and Evidence Collection:
- The Cybersecurity Management Department has the right to access information and collect evidence required to investigate security incidents.
- Handle digital evidence and assets according to legal and regulatory procedures to maintain chain-of-custody integrity.
5. Exceptions:
No cybersecurity policy or control may be bypassed without prior formal authorization from the Cybersecurity Management Department, and no exception may be granted where it would conflict with higher-level legislative or regulatory mandates.
6. Roles and Responsibilities:
Cybersecurity-related Roles and Responsibilities for University Members:
# | Responsibilities |
---|---|
1 | Process data and information according to its classification level. |
2 | Avoid infringing on anyone’s intellectual property rights (copyrights, patents, or other IP laws and regulations). |
3 | Adhere to all cybersecurity policies and procedures. |
4 | Comply with cybersecurity requirements related to user devices. |
5 | Comply with cybersecurity requirements for Internet and email usage. |
6 | Comply with cybersecurity requirements regarding software and protective systems. |
7 | Apply system updates and follow instructions issued by the Cybersecurity Management Department. |
8 | Use only authorized assets for approved purposes according to Najran University’s policies. |
9 | Obtain prior approval from relevant units before hosting visitors in sensitive university areas. |
10 | Report any cybersecurity incident in a timely manner. |
11 | Comply with the Acceptable Use Policy for information and technology assets. |
7. Policy Enforcement:
1. Authorized personnel must ensure full compliance with and enforcement of all cybersecurity policies.
2. The Cybersecurity Management Department must review and update cybersecurity policies periodically to align with legislative and regulatory changes.
3. All Najran University employees and affiliates must adhere to this policy without exception.
4. Any violation of these policies may result in disciplinary action in accordance with Najran University’s internal regulations.
This policy is approved by Najran University’s Cybersecurity Management Department and is mandatory for all university members.