Access Control and Identity Management Policy
Document Category: Restricted
Version: 2.0
Date: 11/02/2025
Reference: The National Cyber Security Agency
Disclaimer:
This model was developed by the National Cyber Security Agency as an illustrative example that can be used as a reference guide for business operations, with customization and modification by the competent authorities at Najran University for legal and regulatory requirements related to it. This model must be approved by the head of the entity or by the person authorized to delegate it. The Agency highlights that it is not responsible for the use of this model as is, and that it is nothing more than an illustrative example.
Table of Contents:
- Purpose
- Scope of Work
- Policy Items
  - General Items
  - Access Permission Granted
  - Important and Sensitive Access Permissions Requirements
  - Grant remote access permissions
  - Cancel and change access permissions
  - Reviewing user identities and permissions
  - Password Management
  - Password Protection
- The Roles and Responsibilities
- Update and Review
- Commitment to the Policy
1. Purpose:
To identify cybersecurity requirements related to user and access management on the information and technical assets of Najran University, to protect them from cyber threats and internal and external threats, through focusing on the primary protection objectives: confidentiality, integrity, and availability. This policy is aligned with the controls and standards issued by the National Cybersecurity Authority and the relevant regulatory and legislative requirements.
2. Scope of Work:
This policy applies to all information and technical assets of Najran University, and to all employees (staff and contractors) in the university.
3. Policy Items:
3.1 General Items:
- 1-1. Access granting, modification, cancellation, and monitoring procedures must be documented and approved for Najran University’s information and technical assets.
- 1-2. Create user identities in accordance with Najran University’s relevant legislation and regulations.
- 1-3. User verification must be performed using a username and password before granting access to the information and technical assets of Najran University.
- 1-4. Must ensure the confidentiality of user identity, accounts, and permissions, including requesting users (employees, external parties, and users) to maintain their privacy.
- 1-5. Must adopt a User Authorization Matrix document and review it based on the following access control and authorization principles:
  - Need-to-Know and Need-to-Use principle
  - Segregation of Duties Principle
  - Least Privilege Principle
- 1-6. Identity and authorization controls must be applied to all information and technical assets through a centralized, automated access control system such as Active Directory – Domain Services at Najran University.
- 1-7. Access to university IT assets must be restricted to individual accounts only (Generic User Accounts).
- 1-8. Must ensure secure session management, including setting sessions to automatically close after a specified period (Timeout), disabling sessions (Lockout), and verifying session authenticity according to Najran University’s standards in the Access and Authorization Identity Management Policy.
- 1-9. Must configure system settings and connection sessions to terminate automatically after a specified period (Timeout) according to Najran University’s standards set by the Identity and Access Management Department.
- 1-10. Must temporarily disable system settings and connection sessions after a certain number of failed login attempts according to the Najran University approved standard by the User Identity and Authorization Management Unit.
- 1-11. All inactive user accounts must be disabled according to the Najran University approved standard by the User Identity and Authorization Management within a specified timeframe.
- 1-12. Must configure identity and access management system settings to send logs to a central cybersecurity event logging and monitoring system according to Najran University policy.
- 1-13. Access to direct databases should not be granted to sensitive systems except for database administrators (Database Administrators) after implementing the approved database security procedures by Najran University.
- 1-14. Must document and approve service account management procedures, disable interactive login, and review them periodically according to Najran University’s approved procedures.
- 1-15. User permissions must be managed based on the sensitivity of technical assets and the functional needs of the job, taking into account relevant legislative and regulatory requirements before a user is employed and updating their account when job duties change.
- 1-16. Must develop continuous performance indicators (KPIs) to measure the correct and effective use of identity and access management to ensure compliance with access protection requirements.
3.2 Access Granting Permissions:
- 2-1-1. Access permission must be granted based on user request through an approved form from the relevant administration (direct manager or system owner) in the Cybersecurity Management System, including the system name, request type, permission, and validity period (if temporary).
- 2-1-2. Access to Najran University’s information and technical assets must be granted with appropriate approvals and considering the relevant roles and responsibilities.
- 2-1-3. Must follow a unified mechanism for creating user identities that allows writing “User ID” in a consistent manner, such as using the first letter of the first name and a period followed by the last name, or the employee number pre-identified by the Human Resources Department.
- 2-1-4. Must prevent concurrent login (Concurrent Logins) from multiple computers at the same time for the same user.
- 2-1-5. Must specify the number of unsuccessful login attempts permitted according to Najran University's approved standards by the User Identity and Authorization Management Department to prevent password guessing attacks.
3.3 Important and Sensitive Access Permissions Requirements:
- 2-2-1. System Manager authorities (Sys ID) must be assigned based on job functions, taking into account the principle of segregation of duties.
- 2-2-2. Password History must be enabled to track the number of password changes.
- 2-2-3. Must change default or private accounts with important and sensitive permissions (such as "Admin Account" or "Root Account" or "Sys ID") before production.
- 2-2-4. Access to the internet should be restricted for accounts with important and sensitive privileges.
- 2-2-5. Must verify high-value and sensitive user accounts on technical assets through Multi-Factor Authentication (MFA) according to Najran University’s approved standards.
- 2-2-6. Must use Privilege Access Management Solution to protect sensitive technologies and high-permissions assets.
- 2-2-7. Access to sensitive systems must require multi-factor authentication (MFA) and compliance with its tracking by Najran University employees.
3.4 Granting Remote Access Permissions:
- 2-3-1. Remote access privileges to information and technical assets must be granted after obtaining prior approval from the Cybersecurity Management and restricted access using Multi-Factor Authentication (MFA) through secure and approved channels.
- 2-3-2. All remote access session logs related to information and technical assets must be continuously monitored and maintained.
3.5 Revoking and Changing Access Permissions:
- 2-4-1. Upon transfer or termination of the user relationship with Najran University, or changes to their duties, the Human Resources Department must notify the Information Technology Department to disable or modify user accounts and their privileges as soon as possible and with the maximum possible automation.
- 2-4-2. User event logs must be prevented from being deleted, or their permissions must be halted before they are saved, in accordance with Najran University’s approved event log management and cybersecurity monitoring policies.
3.6 Reviewing User Identities and Permissions:
- 2-5-1. User IDs and their usages on sensitive systems must be reviewed at least annually.
- 2-5-2. User Profiles and their usages must be reviewed annually, at a minimum, on sensitive information and technical assets.
3.7 Password Management:
- 2-6-1. A secure password policy with high standards must be applied to all accounts within Najran University, in accordance with the Identity and Access Management Policy and relevant legislation and regulatory requirements.
- 2-6-2. Users must be notified before password expiration.
- 2-6-3. Passwords previously used must be prohibited.
- 2-6-4. Systems must be configured to require password changes upon the user’s first login.
- 2-6-5. All default passwords installed on all information and technical assets must be changed prior to production.
- 2-6-6. Default strings such as "Community", "Public", "Private", and "System" used in Network Asset Management (SNMP) should be changed to different passwords.
3.8 Password Protection:
- 2-7-1. All passwords for information and technical assets must be stored and transferred using encryption technology in accordance with the encryption policy approved by Najran University.
- 2-7-2. Passwords must be masked when entered on the screen (Password Mask).
- 2-7-3. Must disable the “Remember Password” feature on systems and applications for Najran University.
- 2-7-4. Must prohibit the use of known passwords (Dictionary) through specific procedures.
- 2-7-5. Passwords must be delivered securely, reliably, and in a verified manner.
- 2-7-6. In the event that a user requests a password reset via phone or any other method, it is mandatory to verify the user’s identity before resetting the password.
- 2-7-7. Passwords for service accounts and important, sensitive permissions must be protected and stored securely in a suitable location (within a sealed envelope in a safe) or using Privilege Access Management Solutions.
4. The Roles and Responsibilities:
- Cybersecurity Director: Policy Owner.
- Cybersecurity Management: Reviewing and updating the policy.
- Digital Transformation Office and Knowledge Sources: Responsible for implementing the policy.
- Cybersecurity Management: Responsible for measuring policy compliance.
5. Update and Review:
The Cybersecurity Management must review this policy annually or when changes occur in policies or regulatory procedures or related legal and regulatory requirements for Najran University.
6. Policy Compliance:
- Cybersecurity Management must periodically verify the compliance of all employees at Najran University with this policy.
- All employees of Najran University must comply with this policy.
- Any violation of this policy may result in disciplinary action for the offender according to the procedures followed at Najran University.