INSPIRING BUSINESS INNOVATION

OPERATIONS SECURITY POLICY

Version 1.1
Policy Number:
 OPERATIONS SECURITY POLICY

1. Table of Contents
1. Table of Contents ........................................................................................................................ 2
2. Property Information .................................................................................................................. 3
3. Document Control ...................................................................................................................... 4
3.1. Information............................................................................................................ 4
3.2. Revision History ................................................................................................... 4
3.3. Review, Verification and Approval ...................................................................... 4
3.4. Distribution List .................................................................................................... 4
4. Policy Overview ........................................................................................................................... 5
4.1. Purpose ................................................................................................................. 5
4.2. Scope..................................................................................................................... 5
4.3. Terms and Definitions .......................................................................................... 5
4.4. Change, Review and Update ............................................................................... 8
4.5. Enforcement / Compliance .................................................................................. 8
4.6. Waiver.................................................................................................................... 8
4.7. Roles and Responsibilities (RACI Matrix) .......................................................... 9
4.8. Relevant Documents ............................................................................................ 9
4.9. Ownership ........................................................................................................... 10
5. Policy Statements ...................................................................................................................... 11
5.1. Documented Operating Procedures ................................................................. 11
5.2. Change Management ......................................................................................... 12
5.3. Capacity Management........................................................................................ 12
5.4. Separation of Development, Testing and Operational Environments ........... 13
5.5. Controls against Malware .................................................................................. 13
5.6. Information Backup ............................................................................................ 15
5.7. Event Logging .................................................................................................... 16
5.8. Protection of Log Information ........................................................................... 16
5.9. Administrator and Operator Logs ..................................................................... 16
5.10. Clock Synchronization ..................................................................................... 17
5.11. Installation of Software on Operational Systems .......................................... 17
5.12. Management of Technical Vulnerabilities ...................................................... 18
5.13. Restrictions on Software Installation ............................................................. 19
5.14. Information Systems Audit Controls .............................................................. 19

Page 2/19
 OPERATIONS SECURITY POLICY

2. Property Information
This document is the property information of Imam Abdulrahman bin Faisal University - ICT Deanship. The
content of this document is Confidential and intended only for the valid recipients. This document is not
to be distributed, disclosed, published or copied without ICT Deanship written permission.

Page 3/19
 OPERATIONS SECURITY POLICY

3. Document Control

3.1. Information

Title Classification Version Status

OPERATIONS SECURITY POLICY Confidential 1.1 validated

3.2. Revision History

Version Author(s) Issue Date Changes

0.1 Alaa Alaiwah - Devoteam November 18, 2014 Creation

0.2 Nabeel Albahbooh - Devoteam December 1, 2014 Update

0.3 Osama Al Omari – Devoteam December 27, 2014 QA

1.0 Nabeel Albahbooh - Devoteam December 31, 2014 Update

1.1 Muneeb Ahmad – ICT, IAU 02 May 2017 Update

3.3. Review, Verification and Approval

Name Title Date

Lamia Abdullah Aljafari Quality Director

Dr. Saad Al-Amri Dean of ICT

3.4. Distribution List

Copy # Recipients Location

Page 4/19
 OPERATIONS SECURITY POLICY

4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, wavier, roles and responsibilities, relevant documents and ownership.

4.1. Purpose
The main purpose of the Operations Security Policy is to:

Ensure proper and secure operations of information processing facilities, in addition to ensuring protection
against malware, viruses, trojans data loss.

Nevertheless, this policy ensures the integrity of operational systems; prevent exploitation of technical
vulnerabilities; and minimize the impact of audit activities on operational systems.

4.2. Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity,
including:

 All full-time, part-time and temporary staff employed by, or working for or on behalf of UD.

 Students studying at UD.

 Contractors and consultants working for or on behalf of IAU.

 All other individuals and groups who have been granted access to IAU’s ICT systems and
information.

This policy covers all information assets defined in Risk Assessment Scope Document and will be used as a
foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term Definition

Page 5/19
 OPERATIONS SECURITY POLICY

A security principle indicating that individuals shall be able to be

Accountability
identified and to be held responsible for their actions.
Information that has value to the organization such as forms,
Asset
media, networks, hardware, software and information system.
The state of an asset or a service of being accessible and usable
Availability
upon demand by an authorized entity.
The process of determining the system capacity needed to deliver
Capacity Management specific performance levels through quantification and analysis of
current and projected workload.
An asset or a service is not made available or disclosed to
Confidentiality
unauthorized individuals, entities or processes.
A means of managing risk, including policies, procedures, and
Control guidelines which can be of administrative, technical, management
or legal nature.
A description that clarifies what shall be done and how, to achieve
Guideline
the objectives set out in policies.
An event is an identified occurrence of a system, service or
network state indicating a possible breach of information security
Even
policy or failure of safeguards or a previously unknown situation
that may be security relevant.
The preservation of confidentiality, integrity, and availability of
Information Security information. Additionally, other properties such as authenticity,
accountability, non-repudiation and reliability can also be involved.
Maintaining and assuring the accuracy and consistency of asset
Integrity
over its entire life-cycle.
Software designed to disrupt computer operation, gather sensitive
Malware (Malicious) information, or gain access to private computer systems
(e.g., virus or Trojan horse).
A person or group of people who have been identified by
Management as having responsibility for the maintenance of the
Owner
confidentiality, availability and integrity of an asset. The Owner
may change during the lifecycle of the asset.
A method of evaluating the security of a computer system or
Penetration Testing network by simulating an attack from malicious outsiders (who do
not have an authorized means of accessing the organization's
Page 6/19
 OPERATIONS SECURITY POLICY

systems) and malicious insiders (who have some level of

authorized access). The process involves an active analysis of the
system for any potential vulnerability that could result from poor
or improper system configuration, both known and unknown
hardware/software flaws or operational weaknesses in process or
technical countermeasures. This analysis is carried out from the
position of a potential attacker and can involve active exploitation
of security vulnerabilities.
A plan of action to guide decisions and actions. The policy process
includes the identification of different alternatives such as
Policy
programs or spending priorities, and choosing among them on the
basis of the impact they will have.
A combination of the consequences of an event (including changes
Risk
in circumstances) and the associated likelihood of occurrence.
An equipment or interconnected system or subsystems of
equipment that is used in the acquisition, storage, manipulation,
System management, control, display, switching, interchange, transmission
or reception of data and that includes computer software,
firmware and hardware.
A potential to cause an unwanted incident which may result in
harm to a system such as unauthorized disclosure, destruction,
Threat removal, modification or interruption of sensitive information,
assets or services or injury to people. A threat may be deliberate,
accidental or of natural origin.
A weakness in security procedures, processes or controls that
Vulnerability could be exploited by a threat to gain unauthorized access to
information or disrupt critical processing.
A process of identifying, quantifying and prioritizing (or ranking)
the vulnerabilities in a system. Vulnerability from the perspective
Vulnerability Assessment
of disaster management means assessing the threats from
potential hazards to the population and to infrastructure.
Table 1: Terms and Definitions

Page 7/19
 OPERATIONS SECURITY POLICY

4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by Management. A change log shall be kept current and be updated
as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security
Officer. All IAU units (Deanship, Department, College, Section and Centre) shall ensure continuous
compliance monitoring within their area.

In case of ignoring or infringing the information security directives, IAU’s environment could be harmed (e.g.,
loss of trust and reputation, operational disruptions or legal violations), and the fallible persons will be made
responsible resulting in disciplinary or corrective actions (e.g., dismissal) and could face legal investigations.

A correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) must be ensured. For the treatment of policy violations, Management and Human
Resources Department should be informed and deal with the handling of policy violations.

4.6. Waiver
Information security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

The policy waiver period has maximum period of 4 months, and shall be reassessed and re-approved, if
necessary for maximum three consecutive terms. No policy shall be provided waiver for more than three
consecutive terms.

Page 8/19
 OPERATIONS SECURITY POLICY

4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix1 that identifies who is responsible, accountable, consulted or informed for
every task that needs to be performed.

There are a couple of roles involved in this policy respectively: ICT Deanship, Information Security Officer
(ISO), Project Management Office (PMO), Owner and User (Employee and Contract).

Roles
ICT ISO PMO Owner User
Responsibilities
Identify and maintain capacity requirements for all new and
R,A C R,I
ongoing activities of IT project.
Determining the required access rights of users to assets. R,C C R,A I
Performing system/application/network security monitoring. R,A C
Administering critical security infrastructures (e.g., antivirus
R,A C I
infrastructure).
Designing and implementing network and system security. R,A C I
Implementing appropriate controls to protect the
confidentiality, integrity, availability and authenticity of sensitive R,A C I
information.
Coordinating a response to actual or suspected breaches in the
R,A C I
confidentiality, integrity or availability of critical IAU’s systems.
Implementing changes and installing patching on
system/application/network according to Change Management R,A C C,I
and Patch Management Procedures.
Adhering to information security policies and procedures
C C R,A,I
pertaining to the protection of information.
Reporting actual or suspected security incidents to ICT
A,C C I R
Deanship.
Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The followings are all relevant policies and procedures to this policy:

 Information Security Policy

 Asset Management Policy

1
The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is
especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible who performs
a task, A stands for Accountable (or Approver) who sings off (approves) on a task that a responsible performs, C stands for Consulted (or
Consul) who provide opinions, and I stand for Informed who is kept up-to-date on task progress.

Page 9/19
 OPERATIONS SECURITY POLICY

 Access Control Policy

 Information Security Incident Management Policy

 Compliance Policy

 Risk Management Policy

 Backup and Restoration Procedure

 Change Management Procedure

 Patch Management Procedure

 Physical and Logical Access Management Procedure

 System Acquisition, Development and Maintenance Procedure

4.9. Ownership
This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.

Page 10/19
 OPERATIONS SECURITY POLICY

5. Policy Statements
The following subsections present the policy statements in 14 main aspects:

 Documented Operating Procedures

 Change Management

 Capacity Management

 Separation of Development, Testing and Operational Environments

 Controls against Malware

 Information Backup

 Event Logging

 Protection of Log Information

 Administrator and Operator Logs

 Clock Synchronization

 Installation of Software on Operational Systems

 Management of Technical Vulnerabilities

 Restrictions on Software Installation

 Information Systems Audit Controls

5.1. Documented Operating Procedures

1. ICT Deanship and Information Security Officer shall initiate or direct the development of processes,
procedures, guidelines and standards, in accordance with IAU’s operational activities. The
documented operating procedures may include, but not be limited to:

a. System restart and recovery

b. System installation and configuration

c. Backup

d. Equipment maintenance

Page 11/19
 OPERATIONS SECURITY POLICY

e. Server room

f. Mail handling management

g. Monitoring

2. Implementing, transferring newly developed or updated software from a testing environment to a

production environment shall follow a proper documentation procedure.

[ISO/IEC 27001: A.12.1.1]

5.2. Change Management

1. ICT Deanship in cooperation with Information Security Officer shall develop a formal management
procedure that defines all roles and responsibilities to ensure satisfactory control of all changes.

2. Detailed change management procedures with appropriate controls shall include, but not be limited
to:

a. Acceptance criteria are established in coordination with Asset Owner.

b. Risk assessment is conducted by Information Security Officer for the proposed new major
changes.

c. Emergency changes to ICT facilities, systems or applications are only used in extreme
circumstances with Management approval.

d. Document control procedure is always applied.

e. Patches to resolve software bugs are only applied where verified as necessary and with
Technical Team, Management and vendor authorization.

f. Upgrades to software or systems are properly tested before they are deployed in IAU’s
production environment.

Reference: [ISO/IEC 27001: A.12.1.2]

5.3. Capacity Management

1. New systems performance and capacity requirements shall be considered in the planning and
designing phase. Examples of managing capacity demand include, but not be limited to:

a. Deletion of obsolete data (disk space).

Page 12/19
 OPERATIONS SECURITY POLICY

b. Decommissioning of applications, systems, databases or environments.

c. Optimization application logic or database queries.

d. Restricting bandwidth usage for non-critical business services that consume more resources
(e.g., video streaming).

2. ICT Deanship in cooperation with Project Management Office shall identify and maintain capacity
requirements for all new and ongoing activities.

[ISO/IEC 27001: A.12.1.3]

5.4. Separation of Development, Testing and Operational

Environments
1. Separation in the testing and production environments shall be implemented to reduce the
opportunities of negligent or deliberate systems misuse.

2. Where appropriate, no live data shall be used to perform testing to any assets, neither in a production
nor in a test environment.

3. ICT Deanship shall ensure that all changes are strictly applied and tested in a test environment prior
to authorizing the change for the production environment.

[ISO/IEC 27001: A.12.1.4]

5.5. Controls against Malware

1. ICT Deanship shall be responsible to ensure that malware detection infrastructure remains active
and is not / cannot be disabled at any potential entry point.

2. ICT Deanship shall implement appropriate controls to prevent the transmission of malware to users
connected to IAU’s network infrastructure.

3. To protect the integrity of software and information, an adequate level of controls shall be identified
and implemented. Such controls may include, but not be limited to:

a. Detection, prevention and recovery controls to protect against malware.

b. Appropriate user awareness procedures.

Page 13/19
 OPERATIONS SECURITY POLICY

4. Where appropriate, centralized antivirus software shall be implemented at various levels (e.g.,
servers, desktops, laptops and gateways in the perimeter network) in the network and systems
infrastructure as part of a layered approach to reduce malware entry into IAU’s environment. The
followings shall be considered:

a. Antivirus software signature files shall be kept current. These files shall be consistently
updated to be protected against new malware that regularly arise.

b. The centralized antivirus server shall be connected to the vendor’s virus definition update
server, at all times. The servers’ signature files shall be updated on a daily basis; as soon as
applicable vendor releases become available, and shall be pushed to all users of IAU’s
workstations.

c. Workstations, network enabled devices and servers shall be configured to obtain the latest
signature file as soon as they connect to IAU’s network, both physically or over VPN
connection.

d. All malware detected on IAU’s systems shall be immediately removed. The systems on which
malware is not removed/disabled shall not be allowed to connect to IAU’s network.

e. The antivirus software shall be configured to automatically remove all malware detected on
the system.

5. The installation of unauthorized or illegal software on any IAU’s systems shall be strictly prohibited.
The followings shall be considered:

a. All USB memory sticks, CD-Rooms, DVD’s or removable media shall not be used on any
IAU’s computer, unless it is authorized by ICT Deanship.

b. All IAU’s servers and workstations shall be configured to scan external removable media for
viruses once these devices are connected to the machines.

c. Virus infected media shall be cleaned before being mounted as data volumes on IAU’s servers
and workstations.

d. Prior to distributing any software or information in computerized form, users shall first have
subjected the software or information in question to appropriate screening, including
comprehensive scanning to identify any computer viruses.

Page 14/19
 OPERATIONS SECURITY POLICY

6. IAU’s employees shall understand their responsibility to report any issues related to suspected
presence of malicious code (if any) to ICT Deanship. Also, they shall report any abnormal or unusual
system behavior such as:

a. Slow processing of applications.

b. Continuous/prolonged hard disks or network activity.

[ISO/IEC 27001: A.12.2.1]

5.6. Information Backup

1. ICT Deanship in corporation with Asset Owners shall identify backup and restoration requirements
of all information, applications, operating systems, databases, user configurations and hardware
configurations in line with legal and regulatory implications, manufacturer’s recommendations,
criticality of the information and other relevant factors.

2. To meet and address the backup requirements; and manage a backup environment, the followings
shall be considered:

a. Minimize administration effort in handling information backup tapes.

b. Consolidate the backup and storage media into a central location.

c. Intuitive backup software which offers easy of backup and data recovery, so that even a
Backup Operator can be delegated to perform these tasks.

d. Install a central backup solution to manage backup policy, configuration and operation of
information backup requirements.

3. ICT Deanship shall maintain, review and keep the backup logs up to date (e.g., Symantec Net backup)

4. Wherever possible, backup that contain sensitive information shall be encrypted.

5. All backup storage media shall be kept in a secured location with access restricted to the authorized
IAU’s personnel only.

[ISO/IEC 27001: A.12.3.1]

Page 15/19
 OPERATIONS SECURITY POLICY

5.7. Event Logging

1. Based on the criticality of information, Information Security Officer shall ensure that specific and
adequate levels of event logs are implemented and enabled in IAU’s systems, applications and
databases.

2. Information Security Officer shall ensure that detailed event logs of user account creation, deletion
and revocation of access rights are recorded and kept for a minimum of 3 years.

3. A detailed procedure for monitoring use of ICT facilities shall be established. This procedure shall
include, but not be limited to:

a. Details of who is monitoring these activities and what is the management information
produced and for whom.

b. Frequency of monitoring.

c. Details of any triggered action performed in the event of any security breach is identified.

[ISO/IEC 27001: A.12.4.1]

5.8. Protection of Log Information

1. ICT Deanship shall ensure the existing controls are aimed to prevent logging facility from
unauthorized changes and operational problems. These controls shall include, but not be limited to:

a. Alterations to the message types that are recorded.

b. Log files being edited or deleted.

c. Storage capacity of the log file media being exceeded, resulting in either the failure to record
events or over-writing of past recorded events.

[ISO/IEC 27001: A.12.4.2]

5.9. Administrator and Operator Logs

1. ICT Deanship shall ensure that system administrator and operator logs are reviewed on a regular
basis.

Page 16/19
 OPERATIONS SECURITY POLICY

2. ICT Deanship shall ensure that all system administrators and operators do not have permission to
modify or de-activate logs of their own activities.

[ISO/IEC 27001: A.12.4.3]

5.10. Clock Synchronization

1. ICT Deanship shall ensure that the date and time stamp of the audit trails for all systems, servers and
network components are synchronized to facilitate the tracking of user's identity and activities.

2. To ensure accuracy of security log file data, all systems, servers and network devices clocks shall be
synchronized using the internationally accepted Network Time Protocol (NTP).

[ISO/IEC 27001: A.12.4.4]

5.11. Installation of Software on Operational Systems

1. Procedures shall be implemented to control the installation of software on IAU’s systems, and to
minimize the risk of interruptions in or corruption of services.

2. All systems shall be securely hardened through secure configuration in accordance with international
best practice standards.

3. End-point security controls shall be implemented to restrict the use of system devices and
peripherals.

4. ICT Administrators (e.g., system admin, application admin, database admin and network admin) shall:

a. Be only the authorized personnel to perform updates to the operational software,

applications and program libraries.

b. Ensure that formal configuration procedures are adequately documented and maintained.

5. Any decision to upgrade to a new release shall consider IAU’s business and security requirements.

6. Operation procedures for IAU’s systems shall be clearly documented and an activity log detailing all
types of activity shall be maintained. This activity log shall be monitored periodically in compliance
with IAU’s policies and procedures.

[ISO/IEC 27001: A.12.5.1]

Page 17/19
 OPERATIONS SECURITY POLICY

5.12. Management of Technical Vulnerabilities

1. ICT Deanship shall undertake an annual technical vulnerability assessment and or upon major change
to identify any weaknesses in the systems configuration or any missing patches.

2. Management shall review the technical vulnerability assessment reports, and Information Security
Officer shall develop a risk treatment plan to close the findings based on their priority.

3. The roles and responsibilities of technical vulnerabilities management shall be clearly defined and
established.

4. Information Security Officer and ICT Administrators shall:

a. Take proactive steps to identify and minimize the vulnerabilities in systems technology before
it could be exploited.

b. Identify the appropriate controls to mitigate the risks and threats after conducting
vulnerability assessment and penetration testing.

c. Take necessary steps to provide security of systems and network infrastructure.

5. Any new patches shall not be installed in a production environment unless they are properly tested
and evaluated in a test environment with vendor approval.

6. Personnel who are performing vulnerability management duties shall ensure the followings:

a. Security scanning tools shall be used on a prescribed basis to identify vulnerabilities that could
be exploited by persons performing unauthorized scanning with similar tools. Also, these
tools shall not affect the performance of IAU’s network;

b. Where appropriate, multiple tools with different technologies shall be used to identify as
much vulnerabilities as possible.

c. Asset Owner shall be notified and accepted of potential effects of the scanning activity on
the target environment before scanning is initiated.

d. Third party sources of technical vulnerability information (e.g., vendors’ website, security
alerts, system patches, workarounds and virus updates) shall be monitored for systems
relevance.

e. If a vendor releases a patch to repair a security related control, the patch release shall be
considered an implicit vulnerability notification and risk mitigation shall be taken.

Page 18/19
 OPERATIONS SECURITY POLICY

f. All approved devices attached IAU’s network, and running operating systems and application
with identified security vulnerabilities are patched to address known vulnerabilities as per
vendor recommendations.

g. If a device or system attached to IAU’s network or systems cannot be patched, the

vulnerability shall be mitigated with an acceptable alternate security control.

[ISO/IEC 27001: A.12.6.1]

5.13. Restrictions on Software Installation

1. ICT Deanship shall define and implement proper rules to govern the installation of software by users.
The followings shall be considered:

a. Type of permitted software installations (e.g., updated and security patches of approved
software).

b. Type of prohibited software installations (e.g., software that is used for personnel use only).

[ISO/IEC 27001: A.12.6.2]

5.14. Information Systems Audit Controls

1. ICT Deanship shall take measures to:

a. Prevent the possible misuse of systems audit tools (e.g., to extract confidential information
without appropriate authorization).

b. Ensure that the integrity of systems and associated data is maintained.

c. Avoid possible disruptions to systems as a result of the usage of such tools.

2. The usage of systems audit tools (e.g., monitoring software, data extraction and manipulation
software and utilities) shall be:

a. Subject to authorization, restrictions and controls in accordance with specific guidelines.

b. Separated from operational systems and not held in tape libraries or user areas, unless given
an appropriate level of additional protection.

3. Audit activities shall not be performed by persons responsible for implementing and maintaining
controls.
Page 19/19
 OPERATIONS SECURITY POLICY

4. Persons conducting audit activities shall have limited access (e.g., read-only access to software and
data). Access other than read-only shall be limited to isolated copies of system files and shall be
erased when the audit activities are completed.

5. All access during audit activities shall be monitored and logged to produce a reference trail. All
procedures, requirements and responsibilities shall be documented.

6. If third parties are involved in performing audit activities (i.e., there might be a risk of misuse of audit
tools by these third parties, and information being accessed by this third-party organization), risk
assessment and physical access restriction controls shall be considered to address this risk and any
consequences, such as immediately changing passwords disclosed to the auditors.

[ISO/IEC 27001: A.12.7.1]

-------------------------------------------------------- End of Document -------------------------------------------------------

Page 20/19