Computing Policies and procedures - جامعة البحرينIT Policies and Procedures University of Bahrain IT Center 1.2 Information Technology Disaster Recovery Plan Purpose The

UNIVERSITY OF BAHRAIN

INFORMATION TECHNOLOGY CENTER

INFORMATION TECHNOLOGY POLICIES AND

PROCEDURES

Prepared by IT Center

Approved by Council of University of Bahrain with the decree no 2053/2014

IT Policies and Procedures

IT Center 2 University of Bahrain

Information Technology Policies and procedures

1.0 General.

1.1 Compliance with Standards Required for Emergency – Disaster Supports

1.2 Information Technology Disaster Recovery Plan.

1.3 Data Center Security and Access.

1.4 Confidentiality Agreements.

1.5 Procurement and Asset Management of IT Equipments.

1.6 Disaster detective approach

2.0 Information Systems.

2.1 Access to the University Information Systems.

2.2 Data Access of University Information Systems.

2.3 Protection of Information Assets.

2.4 Signed Forms Required for Issuance of IT Accounts.

2.5 User Access Privileges – Periodic Review and Reauthorization.

2.6 Use of Information systems

3.0 Network.

3.1 Network Security.

3.2 Visitors Accounts.

3.3 Internet Security.

3.4 Information Security Alert System.

4.0 Computing Facilities.

4.1 Access Computer Areas.

4.2 Computer Threats.

4.3 Computing Environment Supporting Equipment.

4.4 Conditions of Use.

4.5 Computing Equipments Borrowing Procedures – Academic staff.

5.0 Information Systems Development Methodology (ISDM).

6.0 Change Management Policy.

Appendix



Information Technology Policies and procedures

1.0 General.

1.1 Compliance with Standards Required for Emergency – Disaster Supports.

1.2 Information Technology Disaster Recovery Plan.

1.3 Data Center Security and Access.

1.4 Confidentiality Agreements.

1.5 Procurement and Asset Management of IT Equipments.




1.1 Compliance with Standards Required for Emergency- Disaster Support

Purpose

The purpose of this policy is to adopt international standards when implementing the required strategies

for disaster support (e.g. COBIT, ISO).

Policy Statement

Faculties, Divisions and/or departments, and other University areas wishing to be supported by the

Information Technology Center on a priority basis in the event of an emergency or a disaster, must

implement hardware, software, and related procedures consistent with University of Bahrain

Information Technology policies.

Policy Content

Supporting non-standard computer systems (not comply with IT Center policies) is very difficult in the

event of an emergency and/or disaster. This policy allows the flexibility in the acquisition and

maintenance of computing environment, however, the department must put them on notice that the

Information Technology Center reserves the right to give priority to those who comply with IT policies

over those who do not in the event of emergencies and/or disasters.

Policy Area: Subject:

Title of Policy: Policy Code: IT001

Effective Date: Page Number:

Approved Date: Approved by:

Revision Date: Amendments:

Policy Owner: IT centre Policy Sponsor: UOB



1.2 Information Technology Disaster Recovery Plan

Purpose

The University of Bahrain needs to assign the task of developing a robust disaster recovery plan to an

IT committee. This committee must have periodical meetings to discuss the new issues of risks in IT.

Policy Statement

Information Technology Center must prepare, periodically update, and regularly test approved disaster

recovery plan that will provide for the availability of critical computer and communications systems in

the event of a major disaster such as storm, flood, earthquake, fire, and power failure.

Policy Content

Preparation, Maintenance, and periodically testing of Computer Disaster Recovery Plans requires UOB

management to financially support and diligently attend to disaster recovery planning efforts. This is

because disasters occurred so rarely, technical management may place a low priority on developing and

maintaining adequate disaster recovery processes. IT Centre shall develop a standard University wide

process for developing, maintaining, and testing computer recovery plans. This shall be documented and

distributed to relevant positions.









1.3 Data Center Security and Access

Purpose

The purpose of this policy is to implement the process needed to access the data centers across

University of Bahrain.

Policy Statement

All University information processing and communications areas must be protected by physical controls

appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems

operated at those locations.

Policy Content

1. Passwords and lock combinations and keys to all computer room areas are granted only to

authorize IT staff that have a clear need to access the data centers.

2. Only those authorized by the Information Technology Center are to be granted access to

secured data centers. The Information Technology Center will provide the Security Officer, or

any other required departments with details of all staff granted access to secured data centers

areas.

3. Passwords and lock combinations are to be changed on a regular basis or when:

a. a staff member leaves

b. passwords or lock combination are compromised

c. a lock is serviced

d. at other times as required

e. Keys to secured areas should be held by the Security Officer for emergency access

only. Authorized visitors to these areas must complete the Visitor's Log and be

escorted at all times whilst in these areas.

4. Information Technology staff are to carry University identification cards and are required to

wear them in plain view at all times. These cards should only contain photographs, card

numbers and sufficient information to associate them with their owner. Cards should not

contain any facility identification or address to which the badges will permit access.









1.4 Confidentiality Agreements

Purpose

The purpose of this policy is to require all Information Technology staff, consultants and contractors to

sign confidentiality agreements in order to enhance the security over the computer systems and data.

Policy Statement

Information Technology staff, consultants and contractors required to have access to University

computing systems, data, or data centers, must sign Confidentiality agreements at the time they

commence employment at University of Bahrain.

Policy Content

Written acknowledgment that University workers agree not to disclose sensitive data is required. This

document is very important if legislative processes and/or disciplinary action processes are required to

be followed at a later date.









1.5 Procurement and Asset Management of IT Equipments

Purpose

The main purpose of this policy is to promote a "full service" model that will reduce the Total Cost of

Ownership of computers and IT equipments by reducing the time individuals and departments spend in

purchasing decisions, asset control, set-up, support, maintenance and disposal. By limiting its purchases

to fewer vendors the University will be able to obtain better prices ( on annual volume deals ), better

back-up and local service, consistent quality machines profiled before delivery and a considerable

improvement in overall productivity. The asset management and warranty repair aspects of the policy

are intended to provide a coordinated level of computing facilities management, which has not existed

previously at University of Bahrain.

Policy Statement

This policy will be put into practice by purchasing department with collaboration with assets &stores

department and IT Center in order to coordinate the overall procurement, asset management, warranty

repair and disposal of all future purchases/leases of computers and peripheral equipment. The policy

applies to desktop and laptop computers and all peripheral computing equipment used for normal

administrative and academic purposes. Including the specialist, high-end workstations and peripheral

equipment purchased especially for academic purposes and which utilizes specialist operating systems

and/or applications. The policy will be managed by calling for tenders to provide equipment and leasing

arrangements.. IT Center will be responsible for developing, implementing and maintaining an assets

management system to provide control over, and information about, desktop computing resources.

Revisions to this policy will be the responsibility of the Information Technology Center.

Policy Content

Computers and peripheral equipment purchased, or leased, by the University, under normal

circumstances, should be sourced under "Preferred Supplier" arrangements that will be approved by an

IT Committee and managed by Information Technology Center. Procurement of computers and

peripherals may be by direct purchase or lease arrangement. The University will enter into a leasing

arrangement via tender with one vendor and all leases must be arranged through that vendor. The

management of asset records relating to the purchase or lease of computers and peripheral equipment

will be the responsibility of the Technical Support Team. All warranty repair and service work on

desktop computers and peripheral equipment will be carried out within University of Bahrain by trained

and, where necessary, vendor certified, computer support staff. The disposal of all computing equipment

purchased by the University will be done in accordance with the procedures used by the Finance

Department for Sale of Surplus and Redundant Equipment.

Procurement

The University represented by the purchasing department in coordination with the IT Centre will

periodically call for Tenders from Vendors who wish to be considered as a preferred supplier. There



will be wide consultation and within the campus, utilizing the expertise of Technical Support Staff

within the faculties as well as IT Center experts, regarding the proposals and equipment proffered by

vendors. The decision to grant "Preferred Supplier" status will be based on price, suitability, reliability

and service levels. A range of configurations will be identified for supply, and equipment will either be

supplied with fully profiled hard disks or be configured by the University before delivery to the desktop.

Equipment ordering will be standardized and simplified to enable users to order equipment via a Web

Page. Vendors will deliver new machines to the IT Center who will enter the necessary asset

management details, check the machine for functionality, install the standard software/hardware

required and either install the machine in its permanent location or pass the machine on to Faculty based

Technical Support staff. These staff will 'customize' the machine as necessary before final installation.

A handling charge for providing this service will be met by the Vendor.

Leasing

The University represented by the purchasing department in coordination with the IT Centre will

periodically call for Tenders from vendors who wish to be considered for providing a leasing

arrangement to the University for the lease of computers and IT peripheral equipment. The lease

provider will enter into arrangements with the University and the Preferred Suppliers such that the

Preferred Supplier will directly invoice the lease provider for the total cost and the lease provider will

adjust the periodic leasing invoice to the University. The lease provider may be required to provide all

or some of the following services at the request of the University:

Buy and rent back of existing equipment quarterly lease payments.

Stepped rental plans (to match depreciation of computers).

Equipment exchange/cascading during the lease term end of lease options -

continue/upgrade/buy/end.

Cost center level invoicing fire, theft, and accidental damage or loss insurance premiums

included in the rental terms.

Insurance claims management.

Disposal

The purchasing department with collaboration with assets &stores department and in coordination with

IT Center will periodically dispose computers and IT equipment used in the University as a result of

upgrading or malfunctioning. The department that wishes to dispose some of its computer systems and

IT equipment must fill up a disposal request and get it approved by the department head and send it to

the purchasing department which in turn will send a copy to the IT center which accordingly will send

their technicians to examine and test the computer systems and IT equipment specified in the request.

According to the recommendation of the IT center the computer systems and IT equipment will be

disposed and send to the university stores or remain in usage. In order to ensure that these disposed



computers and IT equipment does not pile up and sit in the stores well beyond their potential useful life,

one of the following actions will be taken:

Redeploy or reuse the disposed computers and IT equipment within the University. New staff

members can make use of it till new computers and IT equipment is purchased or it can serve

as backup equipment in case newer computers break down.

Sell these disposed computers and IT equipment to staff members or outsiders.

Donate these disposed computers and IT equipment to charity organizations or schools.

Therefore, the technicians and the other employees working in the University different departments must

not take or remove any internal parts ( Memory, Hard Disks, etc ) of the disposed computers and IT

equipment. Moreover, when the disposed computers and IT equipment is to be sold or donated the IT

center technicians must erase securely all the data and University licensed software from its hard disks

and this done by reformatting the hard disks and running a specialized " Disk Wiping " software to erase

the entire contents of the disks. The buyers of the disposed computers and IT equipment should be aware

that the University takes no further responsibility towards the maintenance or upkeep of the equipment.

Assets Management

The IT Center in collaboration with the assets &stores department will develop, implement and manage

an asset management system for computers and all IT peripheral equipment. The system will provide

the following services to the University:

Initial asset data capture.

Quarterly asset reconciliation.

Periodic reporting to Cost Center management.

Annual verification audit.

Warranty Repairs

The Preferred Supplier will provide full on-campus warranty service through arrangements with the

University's IT Centre.










Purpose

The purpose of this policy is to implement a disaster detective approach for the data centers at University

of Bahrain.

Policy Statement

Information Technology center is required to have disaster detective approach in order to detect any

unwanted events within the information technology infrastructure, network, computing facilities,

application systems and any other IT resources.

Policy Content

Detective approaches are taken to discover the presence of any unwanted events within the IT resources.

The aim is to uncover any potential threats, unwanted events, problems or decrease on services levels

because of disasters ‘occurrences.









Information Technology Policies and Procedures

2.0 Information Systems.

2.1 Access to the University Information Systems.

2.2 Data Access of University Information Systems.

2.3 Protection of Information Assets.

2.4 Signed Forms Required for Issuance of IT Accounts.

2.5 User Access Privileges – Periodic Review and Reauthorization.




2.1 Access to University Information Systems

Purpose

The tendency of this policy is to organize the process of accessing the university information systems.

The information systems include all kinds of information systems, applications, enterprise systems

which have been developed in-house/procured by the University.

Definitions

Data Owner: Data owner normally managers or directors, who have responsibility for the integrity,

accurate reporting and use of computerized data. Their security responsibilities include authorizing

access, ensuring access rules are updated when personnel changes occur, and regularly inventorying

access rules for the data for which they are responsible.

Policy Statement

The decision as to who and at what level should be granted access to data held on the University

information systems is made by the owner of the data concerned but as a rule:

Only authorized personnel who require access as part of their normal duties are permitted

access to University information systems and networks.

Users must only be permitted to access data for which they have Authorized as their job is

required.

The level of access assigned to a user must be commensurate with the duties they perform.

Policy Content

1. Application for user System/Network Accounts

Users may request accounts on the University computer systems and networks through the

Manager/Head of their Department by completing the form – User Privileges Application Form .

Application must be approved by the users Manager/Head of Department/Division.

2. Access to Data

Requests for access to any production database or data must be made through the Manager/Head of

the Department/Division to the owner of the data and must be approved by the owner before access

can be provided. The Manager/Head of Department/Division requesting access must ensure that the

level of access being requested for a staff member is aligned with that person's duties. Development

staff normally should not have access to production data. However, under certain circumstances

(e.g. as part of diagnostic and/or maintenance activities) may be granted limited access. In such

circumstances the access must be for a pre-determined period and must be approved by the data

owner prior to access being granted. Access must be revoked as soon as the defined task is

completed. All access to production data must be logged and indicate the reasons for the access and

any changes that have been made. University top management has the right to grant access for any

employee that his duties need access to information system.



Computers and networks can be accessed on and off campus. Such open access provided by

information technology centre is a privilege, and requires that individual users act responsibly.

Users must respect the rights of other users, respect the integrity of the system and related

physical resources, and observe all relevant laws, regulations, and contractual obligations.

1. Account Creation Procedure.

Upon receipt of a request that has been signed by the Manager/Head of Department/Division.

Concerned and approved by the data owner, who has specified the level of access the user should

have, the system Administrator will create a system and/or network account. All amendments and

deletions of user access privileges will be handled in the same manner.

2. Removal of Access

The Information Technology Center has the responsibility to ensure that access to University

computer systems and networks is removed from users when it is no longer required. This includes:

a. Change of Duties: The removal of access may be requested by the users Manager/Head

of Department/Division when they determine that the user no longer requires the level

of access that was originally granted. It is the responsibility of the Manager/Head of

Department/Division to regularly review the level of access granted to staff under their

supervision and to request appropriate changes.

b. Termination or Transfer: Access must be revoked when a staff member leaves the

University or is transferred to a position that requires a different level of access.

c. Leave: Whenever a staff member proceeds on leave (greater than 1 month) it is essential

that their access to the University computer systems will be restricted to a different level

of access.







2.2 Data Access of University Computer Systems

Purpose



The tendency of this policy is to control accessing to the data of university computer systems. The data

computer systems include all kinds of data, information, and knowledge owned by the university.

Definitions

Owner of the data: One who is considered to have rights or obligations of an owner on the data of a

particular system regardless of legal title or job position at the university.

Data: Are raw material (facts): Data need to be filtered/refined and then treated in some way (i.e. sorting,

classifying and aggregating and averaging) to become useful information.

Information: Is data that are or may be useful to managers in their job. It is the processed data or the

meaning that human beings assign or extract from data.

Knowledge: Does not refer to raw data or plain, unanalyzed information, but includes both evaluations

and conclusions. It is the outcome of the meshing and reconciliation of a set of information.

Policy Statement

Data collected and stored on University computer systems must only be used for the purpose for which

it was originally collected. The data owner, in conjunction with the custodian, (Information Technology

Centre) must determine the way in which data may be used and to whom access may be granted.

Policy Content

1. Data stored on University computers may not be shared or transferred, including downloading, to

any computer systems without prior approval of the data owner.

2. Permission to transfer raw data to any IT device should only be given in exceptional circumstances.

3. Unauthorized access, malicious or otherwise shall be prosecuted under Kingdom of Bahrain Laws.







2.3 Protection of Information Assets

Purpose



The purpose of this policy to ensure the integrity of the information stored on their computer systems,

preserve the confidentiality of sensitive data and ensure continued availability of their information

assets.

Policy Statement

Security policies govern the steps and procedures taken to protect business assets and confidential

information from intrusion via the use of technology or physical intervention. When considering the

possibility of transacting business over public networks, the goal should be how best to protect corporate

assets, data integrity and confidentiality. Business assets can be considered to be and include items such

as valuable and sensitive data that needs to be kept secure and confidential.

Policy Content

1. Collection Limitation Principle

There should be limits to the collection of data should be obtained by lawful and fair means and

where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Data should be relevant to the purposes for which they are to be used and, to the extent

necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle

The purposes for which data is collected should be specified not later than at the time of collection

and the subsequent use limited to the fulfillment of those purposes or such others as are not

incompatible with those purposes and as are specified on each occasion of change or purpose.

4. Use Limitation Principle

Data should not be disclosed, made available or otherwise used, for purposes other than those

specified in accordance with Principle 3 except with the consent of the data subject; or by the

authority of law.

5. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect

to data. Means should be readily available of establishing the existence and nature of data, and the

main purpose of their use, as well as the identity and usual residence of the data controller.









2.4 Signed Forms Required for Issuance of Computer Accounts

Purpose

This policy is to assure that users are conscious of the information technology regulations of the

University prior to use any IT facilities.

Policy Statement

Users of University systems and networks, must sign an agreement indicating their adherence to the

University Rules: 'Use of IT Facilities', prior to being given a user-ID allowing access to University

systems and networks.

Policy Content

Users are reminded about information security policies and their specific security related responsibilities

before they get access to University systems. Signed agreements are required for possible future referral

in respect of staff and/or student conduct regulations. Failure to sign the relevant undertaking may result

in non - granting of system and/or network user-ID.







2.5 User Access Privileges - Periodic Review and Reauthorization

Purpose



The main purpose of this policy is to make sure that accounts status is monitored periodically.

Additionally, this policy will strength the security strategy as it assure periodic for the authorization.

Policy Statement

System privileges granted to all University system users must be re-evaluated by system owner

management every 12 months who must report promptly, all significant changes in end-user duties or

employment status to the system security administrator handling the user-ID of the affected persons.

Policy Content

1. As user job changes so should their associated system privileges. The Information Technology

Center will issue to all managers, a ‘User Access ‘report detailing level of staff computer system

access.

2. The manager/s should reauthorize the system privileges, or make appropriate amendments, as

defined in the report.(it is also the department/division head to notify the information technology

centre with any reauthorization for any staff by completing a specific form for it)

3. The completed report must be returned within 21 days to the Information Technology Center.

4. Upon formal advice of access changes, the detailed user system accounts will be amended as

requested by University management.










Purpose

The main purpose of this policy is to make sure that all information system resources are used for

educational purposes only.

Policy Statement

Information system resources in university of Bahrain should only be used for educational purposes

only.

Policy Content

Information technology resources provided by University of Bahrain in all functional and academic

units must be only used for educational and academic purposes only. Any miss use of these resources

other than its educational purposes will be considered violation and will be subject to appropriate

disciplinary action (appendix).










3.0 Network.

3.1 Network Security.

3.2 Visitors Accounts.

3.3 Internet Security.

3.4 Information Security Alert System.



3.1 Network Security

Purpose

The purpose of this policy is to establish direction, procedures, and requirements to ensure the

appropriate protection of University information handled by University information infrastructure

networks.

This policy has two purposes:

Emphasize for all University staff and students the importance of security in the various

network environments and their role in maintaining that security.

Assign specific responsibilities for the provision of data and information security, as well

as for the security of the various network infrastructures.

Policy Scope

This policy applied to all University employees, students, contractors, including those affiliated with

third parties who access University computer networks. In the level of University IT infrastructure, this

policy is to be used for university IT backside infrastructure of hardware and software (such as servers

and network switches),as well as front side infrastructure (such as personal computers) and related

applications in the level of end users.

Policy Statement

It is the right of the University to prohibit unauthorized access, disclosure, duplication, modification,

diversion, destruction, loss, misuse, or theft of information.

Policy Content

1. Specific Security Responsibilities

1.1. Users

Users are expected to have some basic computer knowledge and should understand and adhere to

University security policies and procedures. Users ultimately are responsible for their own behavior.

Users’ responsibilities are:

a. Employing available security mechanisms for protecting the confidentiality and integrity of

their own information when required.

b. Must select and maintain strong passwords.

c. Notifying the local administrator or management if a security violation or failure is observed

or detected.

d. Users must not exploit system weaknesses is exists and must report it to IT Center immediately.

e. Users should provide the correct identity and authentication information when requested and

not attempt to assume another party's identity.

f. Users are responsible of protecting their data and information by performing a regular back up

on their PCs.



g. Users are responsible for knowing how to monitor specific systems and software to detect signs

of abnormal activity and for knowing what to do or whom to contact for more information.

h. Users must not test, or attempt to compromise computer or communication system security

measures unless specifically approved in advance and in writing by the Information

Technology Center.

i. Users should utilize available tools to secure access to their machine's hard disk drive, such as

locking the screen or logging off the user profile.

j. Advising others who fail to properly employ available security mechanisms. Users must help

to protect the property of other individuals and notify them of resources (such as files and

accounts) left unprotected.

1.2. Functional Managers

a. Managers are responsible for ensuring computer and communication system security measures

are observed in their area and that all staff within the workplace area is made aware of this

policy and are responsible for incorporating it into staff briefings and training programs.

b. Managers with the help of HR department are responsible for informing the IT Center of the

change of status, access rights and upon position change or a termination from University

employment.

c. Management must promptly report all significant changes in worker duties or employment

status to the IT Center responsible for user-IDs associated with the involved persons.

1.3. Network Management

These individuals are responsible for enforcing local University security policies as they relate

to technical controls in hardware and software, to archive critical programs and data, and to

control access and protect network physical facilities. Specific responsibilities are:

a. Securing the network environment within the site and interfaces to outside networks.

b. Responding to emergency events in a timely and effective manner.

c. Employing generally approved and available auditing tools to aid in the detection of security

violations.

d. Conducting timely audits of network logs, as well as monitoring and reporting various logs.

e. Develop appropriate procedures and issuing instructions for the prevention, detection, and

removal of malicious software.

f. Backing up all data and software on the systems/networks on a timely basis.

g. Promptly notifying the Information Technology Center of all computer security incidents.

h. Conduct periodic reviews to ensure that proper security procedures are followed.

1.4. System Administrators



Local administrators are expected to utilize, on their assigned IT infrastructure, the available

network security services and mechanisms to support and enforce applicable security policies

and procedures. They are responsible for:

a. Managing all users' access privileges to data, programs and functions.

b. Monitoring all security related events and following up on any actual or suspected

violations where appropriate.

c. Notify network management if a penetration has occurred or in progress and must assist

other administrators in responding to security violations.

d. Notifying the Information Technology Center of all computer security incidents.

e. Maintaining and protecting server software and relevant files using available and

approved security mechanisms and procedures.

f. Must assign a unique User-ID and initial password to each authorized user after proper

documentation has been completed.

1.5. The Information Technology Center

The main responsibility is to manage the IT security direction for the university, this direction

should be up to date and compliance to the IT security appropriate circumstances available in

marketplace. Moreover, the Information Technology Center responsible for conducting

investigations into any alleged computer or network security compromises, incidents and/or

problems. All computer security compromises or potential security compromises must be

reported to the Information Technology Center.

2. Access Controls

2.1. Log-In/Log-Off Process

a. All authorized persons must be positively identified prior to being able to use any multi-

user computer or any information system resources. Positive identification for

University networks involves both a user-ID and a password.

b. The initial log-in process for network-connected University devices or information

systems must simply ask the user to log-in with a username and password and log off

once there is no usage.

2.2. Password Controls

a. All computers permanently or intermittently connected to University networks must

have password access controls.

b. Whenever system/network security has been compromised, or even if there is a

convincing reason to believe that it has been compromised, the relevant system

administrator should immediately:

reassign all relevant passwords, and

inform all concerned parties to change their passwords.

2.3. User Passwords



Passwords are by far the most common authentication technique used on computer systems

today. The following password measures should be implemented on all University systems

and networks:

o There should not be any critical IT hardware/software without an authenticated user

name and password.

o Only one user may use an account; passwords may not be shared or revealed to anyone

else.

o There should not be any accounts that do not require a password.

o All vendors supplied and default passwords should be immediately changed.

o Choose passwords which are difficult-to-guess. Personal names should not be used as

passwords.

o Passwords must not be a word found in the dictionary or some other part of speech. For

example, proper names, places, technical terms, and slang must not be used.

o Passwords should be no shorter than 8 characters.

o Passwords are to be changed every 90 days. University systems will enforce password

changes.

o Different passwords should be used for different systems and no password used at the

University should be used on any outside computers.

o Passwords must not be written down and left in a place where unauthorized persons

might discover them. However, should you have passwords which are not easily

remembered, you may write them down and must keep them secured at all times.

o All passwords must be immediately changed if they are suspected of being disclosed,

or known to have been disclosed to anyone.

2.4. Process for Granting System Privileges

a. Requests for user-IDs. access privileges and email system access must be granted only

by a clear chain of authority delegation. Management approval must be obtained from

the user's manager before a local administrator grants network privileges.

b. System and network privileges of all users, systems and programs must be restricted

based on the need-to-know. Excessive privileges granted to users, must be avoided.

c. Individuals who are not University employees must not be granted a user-ID or

otherwise be given privileges to use University computers or communications systems

unless the advance written approval of a Department head has first been obtained.

d. All users wishing to use University networks, or multi-user systems that are connected

to University networks, must sign a compliance statement prior to being issued a user-

ID.



e. A signature on this compliance statement indicates the involved user understands and

agrees to abide by University policies and procedures related to computers and

networks (including the instructions contained in this policy).

f. All original staff account documentation must be forwarded to the Information

Technology Center for records retention in the event of possible legal and/or law

enforcement matters.

2.5. Process for Revoking System Access

All user-IDs must automatically have the associated privileges revoked after a certain period

of inactivity. This period should be determined by Information Technology Center based

on the matter of functionality and security.

3. Information System Threats (Viruses, Worms, And Trojan Horses)

Information System Threats (Such as virus, worms and Trojan horses) are unauthorized

programs that may negatively affect the IT infrastructure or any related components.

Threats control

a. To assure continued uninterrupted service for both computers and networks, all user

machines must keep approved threats screening software enabled on all University devices.

This is particularly important for University computer laboratories. Privately owned

computers that are used for official University work purposes are also included.

b. This screening software must be used to scan all software coming from either third parties

or other University departments; the scanning must take place before the new software is

executed.

c. Although users are responsible for eradicating viruses from their systems whenever they

have been detected, they must immediately contact the Information Technology Center’s

"Help Desk" whenever they believe that a system has been infected. This will allow steps

to promptly be taken to assure that no further infection takes place and that experts needed

to eradicate the virus are promptly engaged.

d. Software available on the Internet and electronic bulletin boards, shareware, public domain

software, and other software from untrusted sources must not be downloaded or used unless

it has first been subjected to a rigorous testing approved by Information Technology Center.

4. Data And Back-Ups

a. To protect University information resources from loss or damage, microcomputer users are

responsible for backing-up the information on their machines.

b. Specialist computer staff will install, or provide technical assistance for the installation of

back-up hardware and/or software when it is requested from a user side.

c. All sensitive or "confidential", valuable, or critical information residents on University

computers systems and networks must be regularly backed-up and stored on the centralized

university’s sttorage.



d. Department managers must define which information and which machines are to be backed-

up, the frequency of back-up, and the method of back-up based on the following guidelines:

If the system supports more than one individual and contains data that is critical to the

day-to-day operation within the University, then back-up is required daily and retained

for at least seven years.

If the system is used to support job related functions and contains key data critical to

the day-to-day operation of that job, then back-up is required weekly.

If the system is primarily used as a personal productivity tool and contains no data that

would be classified as job or departmental in nature, then back-up is at the discretion of

the individual user.

e. Storage of back-up media is the responsibility of the microcomputer user or multi-user

machine systems administrator involved in the back-up process. Back-ups should be stored

on site for quick recovery from data or network problems. Back-ups for critical business

functions should also be stored off-site. Recovery procedures must be documented and

tested.

f. Media should be stored in fireproof security container at a separate location at least 100

meters away from the system being backed-up.

g. Implement a data library that provides safe storage for the off-line data files, those files

could be back up or current data files.

5. Portable Computers

a. Portable, laptop, notebook, palmtop, and other transportable computers containing

"confidential" University information, must not be left unattended at any time unless the

information is stored in encrypted form.

b. To prevent unauthorized disclosure, workers in the possession of transportable computers

containing unencrypted "confidential" University information must not check these

computers in airline luggage systems, with hotel porters, etc. These computers must remain

in the possession of the traveler as hand luggage.

c. Whenever "confidential" information is written to a floppy disk, magnetic tape, smart card,

or other storage media, the storage media must be suitably marked with the highest relevant

sensitivity classification. When not in use, this media must be stored in a secured container

and/or location.

6. Remote Printing

7. Printers must not be left unattended if confidential information is being printed or will soon be

printed.

8. Privacy

Unless contractual agreements dictate otherwise, electronic information sent over University

computer and communications systems are the property of University of Bahrain. To properly



protect and manage this property, University management reserves the right to examine all data

stored in or transmitted by these systems.

9. Internet Security

Refer to: Internet Security Policy

10. Software Copyright

a. Users shall only use legally obtained software on University computing equipment. Users

shall be held liable for any breach of copyright. The University shall not be liable for any

breaches of copyright made by users.

b. Third party software in the possession of the University must not be copied unless such

copying is consistent with relevant license agreements and either management has

previously approved of such copying or copies are being made for contingency planning

purposes.

c. All University small systems must use approved software license management software.

Besides detecting unauthorized copies of third-party software, these license management

systems must be configured to detect new and/or modified application programs developed

by end-users.

d. All computer programs and program documentation owned by the University must include

appropriate copyright notices.

11. Network Logs And Other Security Tools

a. All University computer or communications systems must include sufficient automated

tools to assist the administrator in verifying the systems' security status. These tools must

include mechanisms for the recording, detection, and correction of commonly-encountered

security problems.

b. To the extent that systems software permits, computer and communications systems

handling sensitive, valuable, or critical University information must securely log all

significant security relevant events.

c. Logs containing computer or communications system security relevant events/incidents

must be retained for at least three (3) months. During this period, logs must be secured with

the Information Technology Center because they should not be modified and read only by

authorized persons.

d. Incident logs are important for error correction, auditing, security breach recovery, and

related efforts. Logs must support audit events which should provide sufficient data to

support comprehensive audits of the effectiveness of, and compliance with formal approved

measures.

12. Reporting Security Information



a. All staff and students must promptly report any suspected information security problem

including intrusions and out-of-compliance situations to the Manager, and Information

Technology Center

b. Computer threats can spread quickly and need to be eradicated as soon as possible to limit

serious damage to computers, networks and data. All University staff and students are

encouraged to report a computer threats infestation immediately after it is noticed. All

network or systems software malfunctions must be immediately reported to the Help Desk.

13. Release Of Information

Information about security measures for all University computer and communication systems

is confidential and should not be released to people who are not authorized users of the involved

systems unless the permission of the Manager, Information Security has first been obtained.

14. Physical Security Of Computer And Communications Equipment

a. All University network equipment must be physically secured. Local area servers must be

placed in locked cabinets, closed closets or locked computer rooms.

b. Access to computer rooms, network switching rooms and other work areas containing

sensitive or confidential information must be physically restricted.

15. Exceptions

Under rare circumstances, certain persons will need to employ systems that are not compliant

with this policy. All such instances must be approved in writing and in advance by the Faculty

Dean or the Divisional Director and from the Information Technology Center.

16. Enforcement

The failure to comply with this policy may expose University information to the unacceptable

risk of the loss of confidentiality, integrity or availability while stored, processed or transmitted

on University networks. University staff must be notified that this policy exists and that they

are expected to comply with the policy.







3.2 Visitors Accounts

Purpose

The main purpose of the visitor accounts policy is to adopt standards and limitations to issue and create

these accounts to approved University visitors and for limited time only.

Policy Statement



It is the policy of this University to grant authorized access to students as well as staff of University of

Bahrain. However, there are some users who have temporary tasks or requirements to use the computing

facilities including the university’s network such as visitor students or visitors professors. These users

will be only granted limited access.

Policy Content

1. Visitor accounts are created by the network supervisor for a limited time only.

2. Visitor accounts are not to be issued for access to the University Administrative systems.

3. Visitor accounts must only be issued once an application for an account has been completed and

approved by the Director of Information Technology Center.

4. Application forms are available from Information Technology Center.

5. Applicants must complete ‘Application for Information System and Services Account’ and sign the

declaration.

6. Rules: Computing Facilities.

a. Completed forms are to be forwarded to the Information Technology Center.

b. User-IDs must be unique and clearly identify the user.

c. Account expiry will be as approved by the Director of Information Technology Center but must

not exceed 14 days after which a new application must be made.

d. In addition to system start-up and shut-down times, audit transaction histories should log the

following information:

date, time, location of visitor account activity

user identification

sign-on and sign-off activity.







3.3 Internet Security

Purpose

The main purpose of this policy is to establish direction, procedures, and requirements to ensure the

appropriate protection for the usage of the internet at the university.

This policy has two purposes:



Emphasize for all University staff and students the importance of security when using the

internet inside the university’s laboratory or any computing facilities.

Attempt to minimize the risks from the internet by describing the prohibited actions.

Policy Statement

The new resources, new services, and inter-connectivity available via the Internet all introduce new

opportunities and new risks. In response to the risks, this policy describes University of Bahrain official

policy regarding Internet security. It applies to all University employees - academic/Administrative,

contractors, temporaries, who use the Internet with University computing or networking resources, as

well as those who represent themselves as being connected with University of Bahrain.

Policy Content

All Internet users are expected to be familiar with and comply with these policies.

Transmission of Information

1. Downloading

All software downloaded from non-University sources via the Internet must be screened with

threats detection software prior to being invoked. Whenever the provider of the software is not

trusted, downloaded software should be tested on a stand-alone non-production machine. If this

software contains threats, then the damage will be restricted to the involved machine.

2. Suspect Information

All information taken off the Internet should be considered suspect until confirmed by separate

information from another authenticated source. There is no quality control process on the

Internet, and a considerable amount of its information is outdated or inaccurate.

3. Information Security

Wiretapping and message interception is straightforward and frequently encountered on the

Internet. Accordingly, University, proprietary, or private information must not be sent over the

Internet unless it has first been encrypted by approved methods.

Moreover, credit card numbers, log-in passwords, and other parameters that can be used to gain

access to University systems, networks and services, must not be sent over the Internet in

readable form.

Software Security

5. University computer software, documentation, and all other types of internal information must

not be sold or otherwise transferred to any non-university party for any purposes other than

University purposes expressly authorized by Faculty Deans or Divisional Directors.

6. Exchanges of software and/or data between University and any third party may not proceed unless

a written agreement has first been signed. Such an agreement must specify the terms of the

exchange, as well as the ways in which the software and/or data is to be handled and protected.



Regular business practices--such as shipment of software in response to a customer purchase

order--need not involve such a specific agreement since the terms are implied.

7. The University strongly supports strict adherence to software vendors' license agreements. When

University computing or networking resources are employed, copying of software in a manner

that is not consistent with the vendor's license is strictly forbidden.

Personnel Security

8. Privacy

Staff using University information systems and/or the Internet should realize that their

communications are not automatically protected from viewing by third parties. Unless

encryption is used, workers should not send information over the Internet if they consider it to

be private.

9. Right to Examine

At any time and without prior notice, University management reserves the right to examine e-

mail, personal file directories, and other information stored on University IT infrastructure. This

examination assures compliance with internal policies, supports the performance of internal

investigations, and assists with the management of University information systems.

10. Resource Usage

University of Bahrain encourages staff to explore the Internet, but if this exploration is for

personal purposes, it should be done on personal, not University time. Likewise, games, news

groups, and other non-University activities must be performed on personal, not University time.

Use of University computing resources for these personal purposes is permissible so long as the

incremental cost of the usage is negligible, and so long as no University activity is pre-empted

by personal use.

11. Public Representations

Staff may indicate their affiliation with the University in bulletin board discussions and other

offerings on the Internet. This may be done by explicitly adding certain words, or it may be

implied, for instance via an e-mail address. In either case, whenever staff provide an affiliation,

they must also clearly indicate that the opinions expressed are their own, and not necessarily

those of University of Bahrain. All external representations on behalf of the University must

first be cleared with the Faculty Dean or Divisional Director. Additionally, to avoid libel

problems, whenever any affiliation with the University is included with an Internet message or

posting, "flaming" or similar written attacks are strictly prohibited.

12. All staff must not publicly disclose internal University information via the Internet that may

adversely affect the University's relations or public image.

13. Care must be taken to properly structure comments and questions posted to mailing lists, public

news groups, and related public postings on the Internet. If a user is working on a research



and/or development project, or related University matters, all related postings must be cleared

with Faculty Deans and Directors prior to being placed in a public spot on the Internet.

Access Control

14. All users wishing to establish a connection with University computers via the Internet must

authenticate themselves at a firewall before gaining access to University internal network.

15. Unless the prior approval of the IT Center has been obtained, staff may not establish modems,

Internet or other external network connections that could allow non-University users to gain

access to University systems and/or networks and University information.

16. Likewise, unless the IT Center has approved in advance, users are prohibited from using new or

existing Internet connections to establish new communication channels. These channels include

electronic data interchange (EDI) arrangements, electronic malls with on-line shopping, on-line

database services.

Reporting Security Problems

17. The Information Technology Center must be notified immediately when:

Sensitive University information is lost, disclosed to unauthorized parties, or suspected

of being lost or disclosed to unauthorized parties.

Unauthorized use of University information systems has taken place, or is suspected of

taking place.

When passwords or other system access control mechanisms are lost, stolen, or disclosed,

or are suspected of being lost, stolen, or disclosed.

All unusual systems behavior, such as missing files, frequent system crashes, misrouted

messages.

Security problems should not be discussed widely but should instead be shared on a need-

to-know basis.

Users must not attempt to probe computer security mechanisms at University of Bahrain

campuses or other Internet sites. If users probe security mechanisms, alarms will be

triggered and University resources will needlessly be spent tracking the activity.

Violations of these computer security policies can lead to withdrawal and/or suspension

of system/network privileges and/or disciplinary action.

Violations of these computer security policies may exposed for legal action according to

university of Bahrain laws, or the kingdom laws









3.4 Information Security Alert System

Purpose

This policy recommends an implementation of robust Alert System in order to inform the users about

the possible threats, security issues, failure of systems, or any other problems within the IT field.

Policy Statement



Information Technology Center management must establish, maintain, and periodically test the method

by which staff and students notify appropriate staff about suspected information security problems. This

is to ensure that all suspected information security incidents are reported promptly through correct

channels.

Policy Content

An Information Security Alert System includes reports of problems involving computer threats

infestations, hacker break-ins, improper disclosures of University information, system service

interruptions, and other events with serious information security implications.

University staffs have a duty to report all information security transgressions and problems to the

Information Technology Center staff on a timely basis so that prompt remedial action may be taken.

Reports must not be made anonymously the user has to identify himself/herself.

Information describing all reported information security problems must be retained for a period of three

(3) years. Copies of Staff and/or student transgression reports must be placed on the reported persons

staff or student file.










4.0 Computing Facilities.

4.1 Access Computer Areas.

4.2 Computer Threats.

4.3 Computing Environment Supporting Equipment.

4.4 Conditions of Use.

4.5 Computing Equipments Borrowing Procedures – Academic staff.



4.1 Access Computer Areas

Purpose

The tendency of this policy is to rule the process of accessing all areas which have computing facilities

(e.g. Laboratory, library, etc.) this will strength the security over the university’s computing equipments

Policy Statement

Information Technology working areas have been identified on all campuses at University of Bahrain.

These computer facility working areas are to be maintained by implementing appropriate security

measures that ensure the facilities are always available and secure for staff and students.

Policy Content

Staff and Student Access - After-hours access to computer areas is granted to those University staff and

student members who require access to computer work areas. Staff and students may obtain permission

from the Security Officer on each campus, the Information Technology Center and the Head of the

department. Relevant documentation is to be completed prior to issue of permissions. Records are

retained on each campus for inspection. Building access is provided to legitimate University staff and

student members and must only be used for activities which are directly related to the University.







4.2 Computer Threats

Purpose



This policy is to prevent users not to down-load software from electronic systems outside the University.

This prohibition is necessary because such software may contain threats and software programs which

may damage University information and systems.

Definition

Threats: Computer programs designed to disrupt the normal operation of a computer and causes an

increasing threat to the security of data and programs stored on it.

These threats could be; and not limited to, the following:

1-Viruses. 2-Worms.

3-Logic bombs. 4-Back doors.

5-Trojan horses. 6-Breaches.

Policy Content

1. To reduce the risk of ‘threats’ the Information Technology Center has arranged for a University-

wide license for threat scanning software and copies are available from the Information Technology

Center.

2. All diskettes should be scanned by this software before they are placed in any microcomputer that

is attached to the University networks.

3. Users of microcomputers attached to the University networks must not:

a. Use public domain software without first having it checked for threats, to ensure that

the program itself does not cause damage to data stored on the microcomputer or the

network.

b. Place ‘foreign’ diskettes or any hardware into their microcomputer without first

checking for the presence of ‘threats’.

c. Connect up to remote computers and down-load programs using University

microcomputers.

d. Down-load software via the Internet which may contain a threats or similar rogue

program.







4.3 Computing Environment Supporting Equipment

Purpose



Information Technology Center must provide and maintain all the appropriate computing environment

protection systems necessary to assure continued service for critical University computer systems.

Policy Statement

Information Technology Management must provide and maintain fire detection/suppression, power

conditioning, air conditioning, and other computing environment protection systems necessary to assure

continued service for critical University computer systems.

Policy Content

These environmental support systems are critical to continuous computer and communications support.

The intention of this policy is to ensure that IT management provide and maintain the necessary support

facilities needed for ensuring the continued operation of University systems handling critical

information.







4.4 Condition of Use

Purpose



Computing facilities are provided to facilitate and enhance the academic program of the University.

Therefore, this policy is designed to keep the computing equipment operating, and generate a productive

academic environment.

Policy Statement

The University reserves the right to examine all computer data and software on its facilities, and to

monitor usage, in order to ensure conformance with these conditions and to ensure that the facilities

function in a secure, efficient and effective manner. These conditions apply to all University computer

systems and all other computing systems that can be accessed via University networks.

The authority to use University computing facilities normally expires at the end of each semester but

may be extended under certain circumstances.

Policy Content

1. Authorized Users

Persons authorized to use University computing resources are:

• students enrolled in the University.

• staff employed by the University.

• other persons having special authorization from the University’s authority.

2. Proof of Status

• Your personal University identification card is proof of your authorized status. Failure to produce

the card when requested by security may result in your being requested to leave. Students are

strongly advised to carry their University identification card at all times when they are using

computer laboratory facilities.

3. Access Cards

• Access cards are for personal use only and may not be used by other persons. Only one person

is permitted to enter the computing facilities per access card. For security reasons, details of

all access card use are automatically recorded.

4. Use of Facilities

• You may use only those facilities for which you have been authorized.

• Facilities may only be used for the purposes for which they have been provided and not be

used for other projects, games, 'hobby computing', private or consulting work.

• Facilities must not be wasted or consumed by inappropriate or irresponsible use.

• You must not attempt to tamper with any facility in any way which might alter or impede its

use by others.

• You must not harass others, including using computing facilities to send obscene, abusive,

fraudulent, threatening or unnecessarily repetitive messages.

5. Proper Conduct

• Computer laboratories are work places. In the interest of other users, noise should therefore be

kept to a minimum.



Computer laboratories are used for its educational purposes only.

• Eating and drinking is not permitted in computer laboratories as spilt fluids can damage the

equipment, particularly keyboards and circuitry.

• For safety reasons' children are not permitted in computer laboratories.

6. Data Security and Privacy

• Passwords, when used, must not be divulged to any other person.

• You should take every reasonable precaution to ensure that your passwords, accounts and data

are adequately secured.

• You must not attempt to find out another user's password, or to gain access to another user's

account.

• Any computer account allocated to you is for your exclusive use. You must not allow another

person to use it.

• Regardless of the prevailing level of security, you must not access any data or software except

that which belongs to you or has been provided for your use.

• You must not:

• attempt to examine, disclose, copy, rename, delete or modify another user's data

without their express written permission.

• attempt to recover deleted data, that does not belong to you.

• attempt to subvert any restrictions imposed on your use of any facility.

7. Software Copyright Regulations

• Only legally obtained software is to be used on University computing equipment - the penalties

for breaching copyright are very high. All users of University equipment are warned that any

such breach is the liability of the user. The University will not be liable for any breaches made

by users.

• Software provided for use in laboratories must not be copied from computers without prior

authorization. Users must not violate copyright law and must respect licenses to copyrighted

materials. For the avoidance of doubt, unlawful file-sharing using the University's information

resources is a violation of this policy.

8. Breaches of Conditions

• Failure to adhere to the above conditions will be considered an act of grave misconduct and

cancellation of enrolment may result.

• Breaches which involve security and/or access violations may be referred to the Interior

ministry and may lead to expose for legal action in court.

• It is a criminal offence to:

• Obtain access to data without permission.

• Damage, delete, alter or insert data without permission.









4.5 Computing Equipments Borrowing Procedures– Academic Staff

Purpose



This policy allow staff members to borrow computing equipments which have been specifically

designated for staff use off campus for any purpose by seeking approval from Head of Department.

Policy Statement

Where a staff member is using computing equipments in the teaching or learning program, it is

recognized that there may be a need for that staff member to borrow these equipments for one or more

of the following purposes:

a. evaluation of software having potential application in a course;

b. preparation of lectures involving the use of certain software;

c. marking of student work where this is submitted on a diskette;

d. other University related work including University funded research.

Policy Content

1. The Head of Department will be responsible for managing the borrowing system and verifying that

a borrowed computing equipment is in working order when it is returned.

2. In borrowing equipment staff are required to:

i. Take full responsibility for returning the equipment in good working order;

ii. Ensure that a temporary asset transfer form has been completed and handed to the Head of

Department (a copy to IT Center).

iii. Ensure that only licensed software is loaded and used on the machine. In this respect staff

borrowing equipment are liable for any breach of copyright law involving the use of

unlicensed software on borrowed equipment;

iv. Ensure that the equipment is properly maintained;

v. Ensure that the equipment is not taken out of Kingdom of Bahrain without a permission from;

- The Head of Department where the equipment has been acquired

- The IT Center.








5.0 Information System Development Policy

5.0 Information System Development Policy



Purpose

the purpose of the Information System Development Policy is to describe the requirements in

particular security and control requirements for developing, implementing, and acquisition of new

systems or modification, upgrading and maintain existing software at University of Bahrain.

Policy Statement

The frequent requests to develop and acquire new information systems or modify and upgrade existing

systems continue to escalate. Therefore, implementing solid information systems policy that secure

and control these actions at all stages of system development life cycle is required. This will

a) ensure conformance with all appropriate security requirements.

b) protect sensitive information throughout its life cycle.

c) facilitate efficient implementation of security controls.

d) prevent the introduction of new risks when the system is modified.

e) ensure proper removal of data when the system is retired.

Policy Content

1. Information Technology Center is responsible for developing, maintaining, and participating

in a System Development Life Cycle at university of Bahrain.

2. All software developed in-house which runs on production systems must be developed

according to the SDLC. At a minimum, this plan should address the areas of preliminary

analysis or feasibility study; risk identification and mitigation; systems analysis; general

design; detail design; development; quality assurance and acceptance testing;

implementation; and post-implementation maintenance and review. This methodology

ensures that the software will be adequately documented

and tested before it is used for critical information.

3. All production systems must have designated Owners and Custodians for the critical

information they process. IT Center must perform annual risk assessments of production

systems to determine whether the controls employed are adequate.

4. All production systems must have an access control system to restrict who can access the

system as well as restrict the privileges available to these Users. A designated access control

administrator (who is not a regular User on the system in question) must be assigned for all

production systems.

5. Where resources permit, there should be a separation between the production, development,

and test environments. This will ensure that security is rigorously maintained for the

production system, while the development and test environments can maximize productivity



with fewer security restrictions. Where these distinctions have been established,

development and test staff must not be permitted to have access to production systems.

Likewise, all production software testing must utilize

sanitized information.

6. All application-program-based access paths other than the formal user access paths must be

deleted or disabled before software is moved into production.

7. System security plans and documentation must be prepared for all information systems or

other systems under development due to the risk of harm resulting from loss, misuse, or

unauthorized access to or modification of the information therein.

8. Test data - Testing of information systems should be done with fabricated data that mimics the

characteristics of the real data, or on copies of real data with any confidential data

appropriately sanitized. Testing should not be done on live data due to the threat to its

confidentiality and/or integrity. Testing that requires the use of live data or confidential data

must have appropriate security controls employed and approval from data owners.

9. If an information system or component of that system is acquired from an external vendor,

written documentation must be provided that specifies how the product meets the security

requirements of this policy and any special requirements of the system. The vendor must

allow testing of the system's security controls by the university team or an independent

third party, if needed

10. New systems, existing system upgrades/new versions will only be installed following the

definition of formal acceptance criteria. System Owners are responsible for co-ordinating the

acceptance criteria and involving the required areas of the organization. The following are

controls that should be considered:

a) Performance and capacity requirements (in terms of response times & other

capacity elements)

b) Preparation and testing of routine operating procedures (such as standard

reports etc)

c) Testing of security controls (passwords, usernames, information access

controls)

d) Training provision to all appropriate staff, including education/communication of

upgrades

e) System owners should document the acceptance criteria, both prior to and post

installation.

11. The organization will protect itself from covert channels and Trojan code that allow

unauthorized access to information by applying the following controls.



a) For In-house development, application developers will be bound by contract terms of

employment and job description responsibilities from inserting covert channels and Trojan

code

b) For Vendor supplied software, contractual arrangements will ensure that the vendor does

not insert covert access channels or Trojan code. Should these be found to be present in any

vendor supplied software, contracts will contain appropriate penalty or termination clauses

agreed by legal departments.

12. The endorsement of systems developed by information technology students in the college of

information technology in university of Bahrain, such as: offline systems, web based system,

and mobile application.

These systems can be classified as prototypes and will be a base line for an information

system development life cycle.










6.0 Change Management Policy

0.6 Change Management Policy

Purpose

The purpose of the Change Management Policy is to manage all changes (additions, deletions and

modifications) to an information technology resources regardless of who initiates it. The changes must

be managed in a rational and predictable manner thus staff can plan accordingly.

Policy Statement

As University of Bahrain has grown, the interdependencies between systems continues to grow and

become more complex. Therefore, it is essential that changes to infrastructure are managed carefully

to reduce negative impact on users and avoid unexpected consequences.

Policy Content

1. The policy covers all changes to the production environment which includes the University’s

IT infrastructure (e.g. hardware, software, operating systems, data, databases, voice and video

networks, applications, and information systems.)

2. The policy includes environmental facilities that support IT infrastructure such as air-

conditioning, heat, electricity and alarm systems, etc.

3. The policy does not apply to changes to test or development systems, providing they are

isolated from the live environments.

4. Any change to an information technology resource must be performed in compliance with the

University's IT Infrastructure and Systems Change Management Policy and Procedures.

5. Changes require two steps of approval : prior to commencing the development or testing of a

change (a Change Request) and prior to releasing the fully tested change into the live

environment (a Release Request).

6. An "emergency change", which is defined as a repair to a current breakage and / or a change

required to prevent an imminent breakage in the live environment, will, by necessity, proceed

through the abbreviated and more immediate form of Change Request process as documented

below.

7. Certain changes occur regularly, for example, adding a PC to the network. Once a change has

been approved once, it may be advertised as a "pre-approved change". This means that all

subsequent iterations of the change during the specified period are likewise approved,

possibly with conditions. A list of pre-approved changes is maintained by IT Center.

8. A Change Advisory Board (CAB) of relevant IT Services staff, appointed by the Director of

IT Center, will meet regularly to process Change Requests in accordance with change



management procedures. A representative from the work area proposing the change is invited

to attend the CAB.

9. The process of appeal for Change Requests denied by the CAB is via the Vice President of IT

Services or equivalent role.

10. Changes that do not comply with the Change Management Policy and Procedures are

classified as 'unauthorized changes.'

11. IT Center resources will not be made available or committed for an unauthorized change and

has the authority to reverse any unauthorized changes that cause, are suspected as

causing, or have the potential to cause disruption to other users of the services.









Acknowledgement

Published policies of the following universities were referenced during the preparation

of these policies. For academic integrity's sake we acknowledge the following sources as

contributors to the text of these policies.

University of Wales, Newport

http://lis.newport.ac.uk/computing/i/it_policies

University of North Carolina

www.uncw.edu/itsd/policies.html

University of BATH

www.bath.ac.uk/bucs/policies

University of Utah

www.it.utah.edu/plans_policies.html

Yale University

www.yale.edu/policy

University of Massachusetts

www.umassp.edu/policy

University of Colorado

www.colorado.edu/policies

Northwestern University

www.it.northwestern.edu/policies

Florida State Technology Office

http://sto.myflorida.com/isdm/

http://lis.newport.ac.uk/computing/i/it_policies

http://www.uncw.edu/itsd/policies.html

http://www.bath.ac.uk/bucs/policies

http://www.it.utah.edu/plans_policies.html

http://www.yale.edu/policy

http://www.umassp.edu/policy

http://www.colorado.edu/policies

http://www.it.northwestern.edu/policies

http://sto.myflorida.com/isdm/



Appendix

Examples of Misuse

Examples of misuse include, but are not limited to, the activities in the following list.

1. Using a computer account that you are not authorized to use. Obtaining a password for

a computer account without the consent of the account owner.

2. Using the Campus Network to gain unauthorized access to any computer systems.

3. Knowingly performing an act which will interfere with the normal operation of

computers, terminals, peripherals, or networks.

4. Knowingly running or installing on any computer system or network, or giving to

another user, a program intended to damage or to place excessive load on a computer

system or network. This includes but is not limited to programs known as computer

viruses, Trojan horses, and worms.

5. Attempting to circumvent data protection schemes or uncover security loopholes.

6. Violating terms of applicable software licensing agreements or copyright laws.

7. Deliberately wasting computing resources.

8. Using electronic mail to harass others.

9. Masking the identity of an account or machine.

10. Posting materials on electronic bulletin boards that violate existing laws or the

University's codes of conduct.

11. Attempting to monitor or tamper with another user's electronic communications, or

reading, copying, changing, or deleting another user's files or software without the

explicit agreement of the owner.

12. Activities will not be considered misuse when authorized by appropriate University

officials for security or performance testing.



Revision Log – General

This revision log will allow you to view all changes made to this section. It will let you view

and see which collaborators made edits to any of these Policies.

Log# Date Policy Change Reference Reviewed By



Revision Log – Information System






Revision Log – Network






Revision Log – Computing Facilities






Revision Log - Information Systems Development Methodology (ISDM)






Revision Log - Change Management Policy






Revision History - INFORMATION TECHNOLOGY

POLICIES AND PROCEDURES

This revision history will allow you to view at a glance all changes made to this document by

each collaborator. It will let you view and revert to earlier sections of this document, and see

which collaborators made edits to any of these sections.

Note: you can use the log number to track the changes made in a specific Policy.

Date Section Description Author/Title Log#

Documents

Computing Policies and procedures - جامعة البحرينIT Policies and Procedures University of Bahrain IT Center 1.2 Information Technology Disaster Recovery Plan Purpose The