Policy Goal

The purpose of this policy is to define cybersecurity requirements based on best practices and standards, to document them, and to record the Arab American University’s commitment to these requirements in order to reduce cyber risks and protect the University from internal and external threats. This is done by focusing on the basic objectives of protection: the confidentiality, integrity, and availability of information.

This policy aims to comply with the regulatory requirements of the Arab American University as well as the relevant legislative and regulatory requirements.


Policy Statement

The Information Security and Quality Assurance Unit must define cybersecurity standards and document its policies and programs based on the results of the risk assessment. This must be done in a way that ensures the dissemination of the cybersecurity requirements and the Arab American University’s adherence to them, in accordance with its organizational work requirements and the relevant legislative and regulatory requirements. The cybersecurity requirements must be approved by the Assistant President for Information Technology. The concerned employees at the Arab American University and the other concerned parties must also be informed of them.


The Information Security and Quality Assurance Unit must develop and implement the following cybersecurity policies, programs and standards:

  • Access Control Policy: To ensure cybersecurity protection by regulating access to the Arab American University’s information and technical assets. This policy establishes controls to prevent unauthorized access, restrict permissions to only what is required for specific roles, and safeguard the confidentiality, integrity, and availability of the University’s data and systems.

  • Asset Management Policy: To ensure that the Arab American University maintains an accurate and up-to-date inventory of all information and technical assets. This includes recording relevant details to support the University’s operational processes and cybersecurity requirements, ensuring the confidentiality, integrity, and availability of these assets.

  • Risk Management Policy: To identify, assess, and mitigate cybersecurity risks that could affect the Arab American University’s operations and assets. This policy aims to establish a systematic approach for managing risks to maintain the security and resilience of the University’s information systems.

  • Information Classification and Handling Policy: To ensure that all information at the Arab American University is appropriately classified and handled according to its sensitivity and value. This policy establishes guidelines for labeling, accessing, sharing, and disposing of information to protect its confidentiality, integrity, and availability.

  • Information Security Awareness and Training Policy: To ensure that all Arab American University employees and stakeholders are aware of cybersecurity threats and trained to follow best practices. This policy aims to promote a culture of information security and reduce risks through continuous education and awareness programs.

  • Acceptable Use Policy: To define the appropriate and secure use of the Arab American University’s information systems, networks, and devices. This policy ensures that all users understand their responsibilities in maintaining cybersecurity and preventing misuse of resources.

  • Clear Desk and Clear Screen Policy: To ensure that sensitive information is not exposed or accessible when workspaces are unattended. This policy mandates the secure handling of physical and digital assets, reducing the risk of unauthorized access and data breaches.

  • Mobile and Teleworking Policy: To ensure the secure use of mobile devices and teleworking arrangements at the Arab American University. This policy establishes controls to protect information and technical assets when accessed remotely or via mobile platforms.

  • Business Continuity Policy: To ensure that the Arab American University can maintain critical operations and quickly recover from disruptions. This policy outlines measures for business continuity planning, disaster recovery, and maintaining system availability during emergencies.

  • Backup Policy: To ensure that the Arab American University’s critical data is securely backed up and can be restored in the event of a loss. This policy outlines backup schedules, retention periods, and recovery procedures to protect against data loss.

  • Malware and Antivirus Policy: To ensure that the Arab American University’s systems and devices are protected against malware and viruses. This policy establishes controls for detecting, preventing, and responding to malicious software threats.

  • Change Management Process: To ensure that all changes to the Arab American University’s information systems and assets are systematically managed to minimize risks. This process outlines procedures for planning, testing, approving, and implementing changes securely.

  • Third Party Supplier Security Policy: To ensure that third-party suppliers accessing the Arab American University’s information and systems comply with cybersecurity standards. This policy establishes controls for vendor risk management and secure collaboration.

  • Continual Improvement Policy: To ensure that the Arab American University’s information security practices are continuously improved. This policy emphasizes monitoring, reviewing, and updating processes to address emerging threats and enhance the security posture.

  • Logging and Monitoring Policy: To ensure that all activities within the Arab American University’s information systems are logged and monitored for suspicious behavior. This policy aims to detect and respond to cybersecurity incidents effectively.

  • Network Security Management Policy: To ensure the protection of the Arab American University’s networks from cyber risks. This policy establishes controls for securing network infrastructure, monitoring traffic, and preventing unauthorized access.

  • Information Transfer Policy: To ensure the secure transfer of information within and outside the Arab American University. This policy establishes protocols for encrypting, verifying, and logging data exchanges to protect against unauthorized interception or tampering.

  • Secure Development Policy: To ensure that all software and systems developed or deployed at the Arab American University follow secure coding practices. This policy aims to mitigate vulnerabilities and enhance the security of applications.

  • Physical and Environmental Security Policy: To ensure that the Arab American University’s facilities, equipment, and infrastructure are protected against physical threats and environmental hazards. This policy outlines controls for secure access, surveillance, and environmental safeguards.

  • Cryptographic Key Management Policy: To ensure the secure management of cryptographic keys used at the Arab American University. This policy establishes protocols for generating, storing, distributing, and retiring keys to protect sensitive data.

  • Cryptographic Control and Encryption Policy: To ensure that sensitive information at the Arab American University is protected using strong encryption methods. This policy outlines standards for encrypting data at rest, in transit, and during processing.

  • Document and Record Policy: To ensure that all documents and records at the Arab American University are securely managed throughout their lifecycle. This policy establishes guidelines for classification, storage, access, and disposal.

  • Significant Incident Policy and Collection of Evidence: To ensure that cybersecurity incidents are effectively managed and that evidence is properly collected for investigation and legal purposes. This policy outlines procedures for incident response, evidence handling, and reporting.

  • Patch Management Policy: To ensure that all software and systems at the Arab American University are updated with the latest security patches. This policy aims to mitigate vulnerabilities and reduce the risk of exploitation by threat actors.


The department concerned with cybersecurity shall have the right to review the information and collect the necessary evidence to ensure compliance with the legislative and regulatory requirements relevant to cybersecurity.