You can download the National Information Security & Safety Policies by filling this form
Password Policy
Introduction
Password is an important information security component. They are used for user authentication to prove identity or access approval to gain access to a resource, and used in many ways to protect users, data, systems, and network, and also used to protect files and other stored information from access from unauthorized individuals both internally and externally.
Since strong passwords one of the effective security controls, and given the need of passwords for high-priority matters, this requires strong, highly encrypted passwords so that would be hard to predict.
Purpose
To provide a set of minimum security standards governing the use of passwords for (Organization) information technology systems.
Domain
This policy applies to all (Organization) Staff.
This policy applies to all username and password pairs on all devices, systems and applications that are part of the (Organization) network that provide access to (Organization) owned information.
Policy
1. Enforce strong passwords
- Passwords should be at least 12 positions in length.
- All users must choose passwords that cannot be predicted easily. It should be a combination of the four available character types: Alphabetic, Combination of both upper and lower case letters, Numeric: 0 to 9, and Special Characters.
- Users shouldn’t use popular, easily predictable passwords, such as names, birthdays, or phone numbers.
- Users shouldn’t use their username in the password.
- Password shouldn’t be repeated numbers or characters such as (3333 or AAAA).
- In case of using a common word, users should mix the characters, so it doesn’t give a clear meaning.
- Implement strict controls for system-level and shared service account passwords.
2. Passwords must be stored in a secure manner to ensure not to be detected
- All passwords should be treated as sensitive, confidential information at (Organization).
- Users shouldn’t write password down or store it in an insecure manner anywhere in the office, and shouldn’t store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
- Passwords should never be stored on computer systems in an unprotected form.
- System level passwords (e.g. Root, Administrator) must be stored within an encrypted password vault.
- Users shouldn’t use “Remember Password” feature of applications.
3. Keep passwords confidential: Password mustn’t be shared with anyone for any reason.
- Passwords should not be shared or disclosed, and shouldn’t be written in an explicit manner, and it should be changed immediately in case of disclosure.
- During access to accounts, users should be aware of obtrusive people while typing password.
- Users shouldn’t send passwords via email or any other media via the internet.
- Users should change passwords whenever there is any indication of possible system or password compromise.
- Passwords used for shared accounts should be changed immediately if compromised or when a holder transfers or leaves the (Organization).
- Users shouldn’t use the same password for multiple administrator accounts.
- Where possible, users must not use the same password for various (Organization) access needs.
- Users must not use the same password for (Organization) accounts and devices as for other non- (Organization) access.
4. Initial passwords: Users must require a change of the initial passwords they receive, and force expiration of initial passwords.
- Users must change their initial passwords they receive and before expiration; in order to ensure that passwords not to be leaked to other users.
- Temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided, and it shouldn’t be transmitted in plain-text.
- Users should acknowledge receipt of initial passwords.
- Establish procedures to verify the identity of a user prior to providing a new, replacement or temporary password.
5. Require screening of new passwords against lists of commonly used or compromised passwords.
6.Access to internal and private systems must be prevented after 3 false attempts within a period of time not exceeding 15 minutes. Prevention lasts for a minimum of 30 minutes and a maximum of 3 hours.
7. Users should be required to sign a statement to keep personal passwords confidential; this signed statement could be included in the terms and conditions of employment.
8. All users are responsible for reporting any suspected misuse of passwords. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
9. All users must be aware that they are solely responsible for protecting their password.
Email Usage Policy
Introduction
E-mail is the primary communication tool in most business areas for its speed and efficiency, and because it is an expressive reliable tool, misuse of it can post many legal, privacy and security risks. Thus it’s necessary to develop a policy to understand the appropriate use of email to avoid such problems. This policy outlines the minimum requirements for use of email within (Organization) Network.
Purpose
The purpose of this policy is to ensure the proper use of (Organization) email system and make users aware of what (Organization) deems as acceptable and unacceptable use of its email system, and to ensure that every user has a responsibility to maintain the (Organization)’s image, to use it in a productive manner and to avoid placing the (Organization) at risk of legal liability based on their use.
Scope
This policy applies to all employees, vendors, and agents operating on behalf of (Organization), and to the Email system in use within (Organization).
Policies
- Email Account:
- Every employee is granted an email account, and it must be uniquely identifiable.
- When creating a new user email, the user must be enforced to change his/her password at next logon. The system must be configured to enforce the users to change their passwords.
- All user emails must have a password that complies with (Organization)‘s Password Policy.
- Email box size must be controlled by a quota, and every user is responsible if they exceed the limited capacity, users must periodically archive the important mail and delete them from the inbox.
2. Use of email, All users must adhere to the following when using (Organization) E-mail facilities:
- The use of email must be compliant with (Organization) policies and procedures and with the applicable laws and proper business practices.
- (Organization) email accounts should be used only for (Organization) business-related purposes to help employees in their job duties.
- The e-mail address allocated to an employee should not be used for personal purposes.
- All (Organization) data contained within an email message or an attachment must be secured according to the Data Privacy Policy.
- Great care must be taken when attaching documents or files to an email. Letters, files and other documents attached to emails may belong to others. By forwarding this information, without permission from the sender, to another recipient user may be liable for copyright infringement.
- All users should be cautious when opening e-mails and attachments from unknown sources.
- All users should ensure that email content is accurate, factual and objective. Users should avoid subjective opinions about individuals or other organizations.
- Users should be aware that e-mails may be subject to audit to ensure that they meet the requirements of this policy. This applies to message content, attachments and addresses and to personal e-mails.
- All messages distributed via (Organization)’s email system, even personal emails, are (Organization) property. User must have no expectation of privacy in anything that they create, store, send or receive on the (Organization)’s email system.
- Emails can be monitored without prior notification if (Organization) deems this necessary. If there is evidence that users are not adhering to the guidelines set out in this policy, (Organization) reserves the right to take disciplinary action in accordance with the applicable regulations.
- It is necessary to select the appropriate words and not to write any offensive or insulting words.
- Users should not disclose account passwords or allow anyone else to use their accounts, and shouldn’t use another user account.
- In the following cases (resignation, dismissal, suspension), user will be informed that email account will be locked and given timed opportunity to copy and archive the email contents.
- If recognizing or noticing an actual or suspected security issue, users must contact the Information Security Department and report immediately.
- Attach each email with a text signature with the name, job, telephone number, department and the name of (Organization).
- The user should be aware that he / she is solely responsible for the contents of the messages sent through his / her email account.
- Users must ensure that email messages are sent only to users who need to know the information in the email content.
3. Unacceptable Use of E-Mail:
- The (Organization) email system shall not to be used for the creation or distribution of any disruptive or offensive messages. Employees who receive any emails with this content from any (Organization) employee should report the matter to their supervisor immediately.
- Use (Organization) email account to sign in any of social media websites unless for a business related purposes, and must have an approval from higher management.
- Using a false identity in (Organization) emails.
- Tampering with email content or addresses of redirected messages or attachments without getting an approval.
- Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (Spam Emails).
- Unauthorized use, or forging, of email header information.
- Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
- Use of unsolicited email originating from within (Organization)‘s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by (Organization) or connected via (Organization)‘s network.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (Newsgroup Spam).
- Changing content and / or email addresses of the forwarded emails or their attachments without getting an approval.
Internet Usage Policy
Introduction
Internet is now the most utilized source of information, it provides access to endless sources of data, ideas, research and news. Concurrently easing the access of users to these sources encouraging them to optimize their usage of internet.
Access to the Internet by personnel that is inconsistent with business needs results in the misuse of resources, this may present (Organization) with new risks that must be addressed to safeguard the its vital information assets. Additionally, (Organization) may face loss of reputation and possible legal action through other types of misuse. Having the Internet Usage Policy in place helps to protect both the business and the employee from the misuse of using the internet.
Purpose
Internet usage policy aims to provide employees with rules and guidelines regarding the appropriate use of (Organization) equipment, network and Internet access to ensure that employees make the most effective use of the internet.
Scope
This policy applies to all Internet users (employees and all third parties) who access the Internet through (Organization)‘s computing or networking resources and to its related services.
Policy
- Resource Usage:
- Access to the Internet will be approved and provided only if reasonable business needs are identified. Internet services will be granted based on an employee’s current job responsibilities.
- User Internet access requirements will be reviewed periodically by (Organization) departments to ensure that continuing needs exist.
- Employees of the (Organization) are allowed to use internet for (Organization) business-related purposes, and in a way that consistent with this policy and doesn’t conflict with (Organization) rules and laws.
- (Organization) doesn’t ensure the accuracy of any information obtained through the Internet, it’s the responsibility of the originator and producer of such information.
- (Organization) reserves the right to impose the permitted capacity for the use of the internet, as the competent technical authority deems appropriate to the requirements of each department.
2. Allowed Usage
- Communication between employees and non-employees for business purposes.
- IT technical support downloading software upgrades and patches.
- Review of possible vendor web sites for product information.
- Reference regulatory or technical information.
- Research.
3. Personal Usage:
- Using (Organization) computer resources to access the Internet for personal purposes, without approval from the user’s manager and the IT department, may be considered cause for disciplinary action accordance with the applicable regulations.
- All users of the Internet should be aware that (Organization) network creates an audit log reflecting request for service, both in-bound and out-bound addresses, and is periodically reviewed.
- Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates or make use of Internet “wallets” do so at their own risk. (Organization) is not responsible for any loss of information, such as information stored in the wallet, or any consequential loss of personal property.
- User is fully responsible for his/her computer devices and the use of them, and he/she has to be aware of the security and preserve of IT resources.
- If recognizing or noticing an actual or suspected security issue, users must contact the Information Security Department and report immediately.
4. Prohibited Usage:
- It’s strictly prohibited to use the internet in a way that may damages the (Organization)’s network, or to expose any security vulnerabilities or to help in spread any harm or illegal applications.
- Impersonation of others or devices is forbidden.
- Users must not use (Organization)’s name or any of its departments or employees unless there is a written approval to do so.
- Tampering with other’s information or disclosing them illegally.
- Publishing any of (Organization)‘s information or any of its employees without consent to do so.
- It’s prohibited to decipher/decrypt/decode other’s data in any information systems without a consent from targeted party.
- Copyright, or intellectual property rights to any data, applications, programs or information must not be infringed.
- It’s prohibited to monitor electronic communications by other users for the purpose of espionage and privacy violation.
- Users should not abuse the usage of internet in a way that affect other users or the performance of devices and networks.
- Use of the Internet for any illegal purposes is prohibited. Examples include sending media contains violence, threat, fraud, obscenity or illegal material that cause any harm to any person or authority or its cyber security.
- It is prohibited to waste information resources or to make any change on them without an approval.
- It is prohibited to create a website or account on social networking sites representing (Organization) or its departments without a permission.
- Must not contact or access to any other information resources unless through available channels and officially authorized by (Organization).
- It’s not allowed for (Organization)’s employees to use informational resources in a way that waste their time.
- Internet connection of (Organization) shouldn’t be used for commercial, political, or personal purposes, or for commercial or marketing profit.
- It is prohibited to create unauthorized electronic copies of documents that pertaining to (Organization) and to its departments, or any material protected by copyright for the purpose of publishing or sending them through (Organization)‘s network.
Workstation Security Policy
Introduction
User’s workstation including computers and peripherals (printers, scanners, laptops, etc.) are used in daily performance in a reasonable and proportionate manner that compatible with (Organization)‘s objectives and strategies. This policy outlines the minimum requirements for the use of computers and peripherals within (Organization).
Purpose
The purpose of this policy is to protect users and workstations from potential risks by defining policies and procedures for the use of computers and peripherals within the (Organization).
Scope
This policy applies to all employees and users who use computers, peripherals and associated services.
Policy
- Users are only allowed to use their computer devices. They shouldn’t use or attempt to access other’s devices.
- Users should be fully responsible for the proper use of all resources allocated to them, including computer devices, peripherals and software.
- Users are not allowed to access network using personal computers, tablets and smartphones, unless authorized by competent technical department.
- Users should not attempt to access to unauthorized parts of the network, such as the main operating system, security software, etc., without getting an approval to do so.
- Users must not install, or use any software, tools, or devices that may damage software, hardware or system components.
- It’s prohibit to install or use any tools commonly used to attack security systems or to penetrate computer systems or other networks (such as password detectors, network scanners, etc.).
- Personal privacy and the rights of others should be respected, and shouldn’t attempt to obtain data from other users, as well as other programs or files without prior permission.
- Special approval from Information Technology Department required prior to installation of any special software or hardware on the (Organization)‘s systems.
- Computers on loan from the (Organization) are for official (Organization) use only. They are not to be used by family members or friends under any circumstances.
- When the computer is returned, Information Technology department reserves the right to scrub the hard disk of any data and reinstall all of the standard software. Users are responsible for any data they leave on the laptop when it is returned to the (Organization).
- Information Technology department reserves the right to recall all equipment out on loan in order to perform upgrades to software, and/or hardware replacement/upgrades at any time.
- IT staff should not login into user’s devices for maintenance work unless the permission is taken directly from the concerned user.
- Computers and peripherals are available to serve employees and users to perform better work, therefore cannot be used for personal purposes.
- (Organization) offers a wide variety of networked printers for (Organization) use in several central locations. Individual desktop printers are permitted, and will be supported by the Information Technology department.
- (Organization)‘s staff are prohibited from purchasing their own network equipment including, but not limited to, LAN cards, Wireless Cards, Routers, Switches, Network Cabling, and network‐ready Printers.
- Network stability is paramount in (Organization) environment, and the addition of unauthorized network gear to (Organization) network can potentially result in hard‐to‐diagnose problems.
- Logging computer using username and password, and when leaving the device even for a short period of time, it’s a must to lock screen with password.
- Users shouldn’t save files, documents, or any media into hard drivers that are unrelated to job.
- User is responsible to learn how to use the computer and its peripherals properly, and if facing any problems while using, he/she should ask help from the competent technical department.
- Non-employees shall not be allowed to use computer devices at (Organization) without an official written permission.
- Users should not disable antivirus and malware software on (Organization) computer devices, and they should always check any data storage mediums (e.g. CDs, Hard drives, flash memory, etc.) before opening any file or program.
- Users shouldn’t copy any material or software from (Organization)‘s computer devices to distribute outside (Organization) without a written consent to do so.