Purpose

This document organizes the access control management process for the assets, resources, and information systems of Najran University, in order to protect the data and information stored and used within the university. The policy is designed to comply with national and international data management standards and, specifically, with the Personal Data Protection Law, so as to provide a secure environment that guarantees the confidentiality, integrity, and availability of the university's information, while clearly defining responsibilities and authorities to prevent unauthorized access.

Scope of Work

This policy applies to all assets and resources of Najran University, physical and digital, regardless of their classification or sensitivity. It covers all individuals and entities that are granted access to university systems or data, namely:

  • Faculty and staff in all categories.
  • Students registered at the University and authorized to use any of its electronic systems.
  • Contractors and consultants working for or on behalf of the University.
  • Any third party granted access within the scope of collaboration or service provision.

Terms and Conditions

First: General Rules for Granting and Managing Access Permissions

  • The following controls are defined based on paragraphs (2) and (2-4) of the University's Identification and Access Management policy.

Secondly: User Identity Management

  • These controls are based on paragraph (1) of the Information Systems and Authorities Policy approved by the Cybersecurity Administration.

Thirdly: Password Management Policy
  • The following controls are applied according to the provisions outlined in paragraphs (2-2) and (2-7) of the “Identification, Access, and Privileges Management Policy” issued by the Cyber Security Administration.
Fourth: Review and Revoke Access Permissions
  • These regulations are based on paragraphs (2-3) and (2-6) of the “Access and Authorities” policy of the Cyber Security Administration.

Fifth: Secure Log-on Procedures

  • A legal warning message is displayed on the login screen stating that the system is for authorized users only.
  • All successful and unsuccessful login attempts are recorded in the system log, together with the date, time, and device information.
  • An automatic delay is enforced between failed attempts to reduce the risk of automated (brute-force) attacks.
  • Automatic alerts are raised when the maximum number of login attempts is exceeded.
  • Multi-factor authentication (MFA) is used on sensitive systems.
  • A periodic (weekly) review of failed login attempts is conducted by the Office of Digital Transformation and Knowledge Sources and the Cybersecurity Administration.
  • Inactive sessions are locked automatically after a specified period of inactivity.
  • Access to the system from untrusted environments is prohibited.
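
The delay, alert, and weekly-review controls listed above are stated as requirements only; the following is an added example (not part of the university policy and not the university's own implementation) of how they fit together in code. It tracks login outcomes per account, refuses any attempt that arrives inside a back-off window that doubles after each failure, raises an alert once an account reaches a failure threshold, and runs a review over the resulting log records. The thresholds, account names, device names, and log line format are assumptions chosen for illustration; the scenario data is constructed, not real university data.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds for illustration; the policy text fixes no numbers.
MAX_FAILED = 5        # alert once an account reaches this many consecutive failures
BASE_DELAY_S = 2.0    # first delay; it doubles after every further failure
MAX_DELAY_S = 300.0   # cap so the delay itself cannot be abused to lock a user out for hours


@dataclass
class AccountState:
    failures: int = 0                          # consecutive failures since the last success
    blocked_until: Optional[datetime] = None   # no attempt is processed before this time


class LoginGuard:
    """Tracks login outcomes per account, enforces an increasing delay between
    failed attempts, and raises an alert when the failure threshold is reached."""

    def __init__(self, max_failed=MAX_FAILED, base_delay_s=BASE_DELAY_S, max_delay_s=MAX_DELAY_S):
        self.max_failed = max_failed
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self.state: dict[str, AccountState] = defaultdict(AccountState)
        self.log: list[str] = []     # one record per attempt: time, outcome, user, device
        self.alerts: list[str] = []  # threshold alerts for the monitoring team

    def _record(self, now: datetime, outcome: str, user: str, device: str) -> None:
        # Assumed log line format: "<ISO timestamp> <OUTCOME> user=<name> device=<host>"
        self.log.append(f"{now.isoformat()} {outcome} user={user} device={device}")

    def attempt(self, user: str, credentials_ok: bool, now: datetime, device: str) -> str:
        st = self.state[user]
        # Back-off window still open: refuse the attempt regardless of the password, so an
        # attacker learns nothing by submitting guesses faster than the delay allows.
        if st.blocked_until is not None and now < st.blocked_until:
            self._record(now, "DELAYED", user, device)
            return "delayed"
        if credentials_ok:
            st.failures = 0
            st.blocked_until = None
            self._record(now, "SUCCESS", user, device)
            return "success"
        st.failures += 1
        delay = min(self.base_delay_s * 2 ** (st.failures - 1), self.max_delay_s)
        st.blocked_until = now + timedelta(seconds=delay)
        self._record(now, "FAIL", user, device)
        if st.failures >= self.max_failed:
            self.alerts.append(f"{now.isoformat()} user={user} failures={st.failures} device={device}")
        return "failure"


def review_failed_logins(lines, since: datetime, until: datetime, threshold: int = MAX_FAILED):
    """Weekly review helper: count FAIL records per user inside [since, until] and
    return (counts, users at or above the threshold) for the reviewers."""
    counts: dict[str, int] = defaultdict(int)
    for line in lines:
        ts_text, outcome, *pairs = line.split()
        ts = datetime.fromisoformat(ts_text)
        if outcome != "FAIL" or not (since <= ts <= until):
            continue
        fields = dict(p.split("=", 1) for p in pairs)
        counts[fields["user"]] += 1
    flagged = sorted(u for u, c in counts.items() if c >= threshold)
    return dict(counts), flagged


def run_demo():
    """Constructed scenario: alice mistypes twice and then succeeds; bob's account is
    guessed against once a minute until the alert threshold is reached."""
    guard = LoginGuard()
    t0 = datetime(2025, 1, 6, 9, 0, 0)
    alice = [
        guard.attempt("alice", False, t0, "lab-pc-01"),                        # failure, 2 s delay
        guard.attempt("alice", False, t0 + timedelta(seconds=1), "lab-pc-01"),  # inside the delay
        guard.attempt("alice", False, t0 + timedelta(seconds=3), "lab-pc-01"),  # failure, 4 s delay
        guard.attempt("alice", True, t0 + timedelta(seconds=5), "lab-pc-01"),   # correct, still delayed
        guard.attempt("alice", True, t0 + timedelta(seconds=8), "lab-pc-01"),   # success, counter reset
    ]
    bob = [guard.attempt("bob", False, t0 + timedelta(minutes=i), "unknown-host")
           for i in range(MAX_FAILED)]
    counts, flagged = review_failed_logins(guard.log, t0, t0 + timedelta(days=7))
    return alice, bob, guard.alerts, counts, flagged


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two design points matter for the brute-force control: the delay is keyed on the account, not the client address, so distributed guessing against one account is still slowed; and a correct password submitted inside the window is refused rather than accepted, so response timing does not leak whether a guess was right. A production deployment would persist the state and alerts in the SIEM rather than in memory.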

Sixth: Controlling Access to Software and Peripherals

  • It is prohibited to install or use any software other than that approved by the Digital Transformation College and Sources of Knowledge, unless written approval is obtained.
  • All unnecessary services and software are removed from operating systems.
  • Access to programs is restricted through privilege control and delegated authorization.
  • All installed software is reviewed periodically to ensure it complies with policy and is up to date with security updates.
  • It is prohibited to attempt to install or run external programs from portable storage devices.
  • Only licensed and officially updated software versions are used.
  • Access to software is monitored through SIEM systems or central management tools.
  • The use of sensitive software is recorded for audit and review purposes.
  • The use of unauthorized torrent or remote control tools is prohibited.
  • Security controls are applied to open-source software used in the infrastructure.

Seventh: Control of Access to Source Code

  • Access to the source code of systems is restricted to authorized individuals only, according to formal authorization.
  • Source code is stored in secure repositories with encryption enabled and version control implemented.
  • Each code change is documented in the change log.
  • It is prohibited to copy source code to personal or unprotected devices.
  • Code review is applied before code is merged or released.
  • Access to configuration files and to secrets kept alongside the code (such as passwords or keys) is restricted.
  • Periodic backups of the code are stored in an isolated environment.
  • A source code lifecycle management policy is applied, from creation to retirement.
Roles and Responsibilities

Office of Digital Transformation and Knowledge Sources

  • Management and development of the systems that control identity and access.
  • Creating, modifying, and disabling user accounts securely and systematically.
  • Protecting systems through the implementation of multi-factor authentication (MFA) and single sign-on (SSO).
  • Integrating the access control system with the human resources system and the financial system.
  • Revoking access immediately upon changes in user status or termination of employment.
  • Monitoring and recording user activity to track logins, logouts, and any changes in permissions.
  • Conducting periodic maintenance and security updates on access control systems.
  • Developing and implementing password management policies and updating them periodically.
  • Conducting periodic penetration tests to assess the security of access control systems.
  • Ensuring compliance with the requirements for protecting data and sensitive information.
  • Preparing periodic reports for senior management on the status and security of access systems.
  • Collaborating with Cybersecurity in technical investigations of access incidents.

Cybersecurity

  • Developing up-to-date security policies for access control in compliance with ISO 27001.
  • Continuous monitoring of systems using tools such as SIEM and IDS/IPS to detect suspicious activity.
  • Imposing strict controls on high-privilege accounts (Privileged Access Management, PAM).
  • Implementing strategies to reduce security risks related to unauthorized access.
  • Reviewing access privilege requests and analysing the associated risks.
  • Regularly assessing weaknesses and updating security controls based on the results of the assessment.
  • Issuing notifications and alerts immediately upon detecting attempted breaches or misuse.
  • Ensuring systems are protected from phishing attacks and malware associated with login attempts.
  • Reviewing and monitoring access to sensitive accounts.
  • Developing immediate response procedures for security incidents related to access.

Data Office

  • Defining and configuring data access levels according to classification (confidential, public, restricted, etc.).
  • Controlling access to data and granting privileges only on the principle of least privilege.
  • Ensuring that the "need to know" principle is applied to access to databases and repositories.
  • Identifying data owners and the level of permissions granted to them.
  • Working with data owners to determine who can access the various datasets; the data access management and validation system regularly verifies the accuracy of these assignments.
  • Monitoring data movement while ensuring that everyone with access to databases still has a justified need.
  • Ensuring compliance with local and international data protection laws (such as GDPR).
  • Tracking the implementation of security controls related to backup and data protection.
  • Developing mechanisms for reviewing authorizations and permits related to data access.
  • Preparing periodic reports on data usage and compliance with access control policies.
  • Training university personnel on the importance of data protection and on following access control procedures.

Risk Management

  • Conducting periodic risk assessments for access control according to recognized methodologies (such as
  • Developing risk management plans and implementing appropriate security controls.
  • Preparing comprehensive reports on the risk situation associated with access control.
  • Supporting internal and external audits related to security risks.

The Legal Department

  • Reviewing all policies and procedures to ensure they align with local and international laws.
  • Drafting the clauses of employment contracts and security agreements with external parties.
  • Providing legal support during internal and external investigations related to information security.
  • Assessing the legal risks arising from the use of data and from privacy protection obligations.

University Departments and Units (Colleges, Deanships, Centers, and all administrative units)

  • Analysing job functions to determine the necessary access rights.
  • Following up on periodic reviews of access permissions to ensure they remain appropriate.
  • Reporting any incidents or misuse of access privileges immediately.
  • Participating in the assessment of security risks associated with access to the unit's data.
  • Coordinating with the Office of Digital Transformation and Knowledge Sources to support access authorization verification.
  • Supporting the implementation of, and compliance with, security policies within the unit.

Relevant Regulations

University access to data is subject to a set of legal and regulatory frameworks, both local and international, aimed at ensuring data protection and integrity and promoting transparency and accountability in its use. These references include:

  • National Data Governance Policy, issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), Version 1 (2020), the main reference for regulating data management at the national level, including access management, data ownership, and controls on its use.
  • Anti-Cyber Crime Law, issued by Royal Decree No. M/17 dated 8/3/1428H (26 March 2007), which criminalizes unauthorized access to data or information systems and frames the responsibility of individuals and institutions when dealing with access privileges.
  • Essential Cybersecurity Controls (ECC), issued by the National Cybersecurity Authority (NCA), which include access control as one of the main domains for protecting the national information infrastructure.
  • Internationally recognized standards such as ISO/IEC 27001:2022 on information security and ISO/IEC 27701 on privacy and personal data management, which specify the technical and administrative controls for organizing access rights and defining responsibilities.

Compliance with the Data Access Policy

  • The data access policy is mandatory for all university personnel, including faculty members, administrators, researchers, contractors, and any external entities granted access to university information assets, whether for contractual, research, or operational purposes.
  • Units (such as colleges, departments, and research centers) are responsible for applying this policy at the operational level and for ensuring that employees comply with the access granted to them and do not abuse it.
  • The Data Office is responsible for monitoring compliance with this policy, in coordination with the Cybersecurity Unit, through monitoring and follow-up tools, periodic reports, and internal audit mechanisms.
  • Any violation, misuse, or exceeding of access privileges is handled according to the security incident response policy, and the violation is referred to the competent authorities within the University, with possible referral to the national supervisory authorities where necessary.
  • This policy is aligned with the Identity and Access Management and Authorization Policy of the University's Cybersecurity Administration.

Review of the Data Access Policy

  • The Data Office, in cooperation with the Deanship of Digital Transformation and Knowledge Sources and the Cybersecurity Administration, reviews this policy periodically (at least annually), or upon material changes in the relevant systems or legislation, or in the university's technical or administrative infrastructure.