
Third-Party Cybersecurity Policy

 

General Terms:

·       Cybersecurity requirements must be defined, documented, and approved in contracts and agreements with third parties for King Saud University.

·       Third-party service providers must be carefully selected and chosen in accordance with King Saud University's policies and procedures and relevant legislative and regulatory requirements.

·       A risk assessment of third parties and the services they provide must be conducted, verifying their integrity, by reviewing the third party's projects within King Saud University and reviewing the cybersecurity event logs of the third party's service (where applicable) before the engagement, during the engagement, and annually thereafter.

·       Contracts and agreements with third parties must be prepared to ensure the third party's compliance with King Saud University's cybersecurity policies and the relevant legislative and regulatory requirements.

·       The terms of contracts and agreements with third parties must include requirements related to reporting cybersecurity incidents and informing the university in the event of a cybersecurity incident, including, but not limited to, defining and documenting procedures for communication between the third party and the university.

·       If the external party experiences a cybersecurity incident that may affect university data or information, it must report it directly to the university within one business day.

·       Contracts and agreements with third parties must be reviewed by the legal affairs department to ensure that the terms of the agreement are binding during and after the contract period, and that violating these terms exposes the third party to legal liability.

·       Contracts and agreements must include non-disclosure clauses and require the secure deletion of King Saud University data by the external party upon service termination. They should also include, but are not limited to:

-       Terms and conditions for provided access.

-       Type of data to be accessed and the method of access.

-       A "right to audit" clause must be included in external party agreements.

-       Definition of acceptable uses for the data handled by the external party.

-       The security responsibilities of the external party.

·       External access to King Saud University information will only be granted after implementing appropriate security controls, and where applicable, a contract specifying the terms and conditions will be signed.

·       Cybersecurity requirements should be reviewed with third parties annually.

 

Cybersecurity Requirements for IT Outsourcing or Managed Services Provided by Third Parties:

·       To obtain IT outsourcing or managed services, the external party must be carefully selected, and the following must be verified:

-       A cybersecurity risk assessment has been conducted and the identified risks are controlled before contracts and agreements are signed, and again whenever relevant legislative and regulatory requirements change.

-       Managed cybersecurity service operations centers that use remote access are located entirely within the Kingdom.

·       Security screening must be conducted for outsourcing service companies, their employees, and managed service personnel who work on sensitive systems or have access to data.

·       Outsourced and managed services on sensitive systems must be provided by national companies and entities in accordance with relevant legislative and regulatory requirements.

·       Cybersecurity requirements when dealing with consulting firms for high-sensitivity strategic projects at the national level must, at a minimum, include the following:

-       Conducting security screening for employees of consulting firms with access to data.

-       Contractual safeguards must be in place, including requiring consulting firm employees not to disclose information and requiring the secure deletion of King Saud University data when the contractual relationship ends, with evidence of such deletion.

-       Documenting all data-sharing activities with consulting firms, including justifications for data sharing.

-       Requiring consulting firms to notify King Saud University directly when a cybersecurity incident occurs that may affect shared or created data.

 

Cybersecurity Requirements for External Party Employees:

·       Cybersecurity responsibilities and non-disclosure clauses must be included in contracts for external party employees (including during and after the termination of their relationship with King Saud University).

·       The need for social media account management services, automated monitoring of social media accounts, or protection of King Saud University’s identity from impersonation, together with the related cybersecurity risks, must be assessed.

·       Cybersecurity requirements for the use of social media account management services, automated monitoring of social media accounts, or protection of King Saud University’s identity from impersonation must cover, at a minimum, the following:

-       Non-disclosure clauses and secure deletion of King Saud University data by the external party upon service termination.

-       Communication procedures for reporting vulnerabilities and for notifying the university when a cybersecurity incident is discovered.

-       Requiring the external party to implement cybersecurity policies and procedures to protect King Saud University’s social media accounts and comply with relevant legislative and regulatory requirements.

 

Documentation and Access Controls:

·       External parties must develop and follow a documented and formalized process for granting and revoking access to all information and technology systems that process, transmit, or store King Saud University information, in line with King Saud University's cybersecurity requirements and objectives.

·       Access to King Saud University information must be granted and processed in a secure and monitored manner.

·       Password controls must be applied to all users with access to King Saud University information in line with King Saud University’s cybersecurity requirements and objectives.

·       Access rights must be revoked immediately when any employee of the external party who has access to King Saud University’s information or information assets leaves their position or moves to a role that no longer requires that access.

·       External parties must review access rights annually in accordance with King Saud University’s approved cybersecurity policies.

·       All audit logs must be stored, maintained, and made available upon request by King Saud University.

 

Cybersecurity Requirements Related to Change Management:

·       External parties must follow an official and appropriate change management process in accordance with King Saud University’s policies and procedures and in compliance with cybersecurity requirements.

·       Changes made to King Saud University’s information and technology assets must be reviewed and tested before being implemented in the production environment.

·       Relevant parties at King Saud University must be informed of major planned and implemented changes to King Saud University’s information and technology assets.

 

Data and Information Protection Requirements:

·       External parties must process, store, and dispose of King Saud University data and information in accordance with King Saud University’s approved data and information protection policy and standard.

·       Appropriate encryption controls must be applied to protect King Saud University’s data and information and ensure their confidentiality, integrity, and availability according to King Saud University’s encryption standard.

·       Backup copies of King Saud University’s data and information must be made annually and in accordance with King Saud University’s backup management policy.

·       Contractual guarantees must be in place to ensure that King Saud University’s data is securely deleted by the external party when the contractual relationship ends, with evidence of such deletion.

·       All data-sharing activities with external parties must be documented, including justifications for data sharing.

·       When sharing data outside the Kingdom, the host entity’s ability to protect that data must be verified, and the authorized party’s approval must be obtained, in addition to complying with relevant legislative and regulatory requirements.

·       Data must be reclassified to the lowest level necessary before being shared with external parties, using data masking or data scrambling techniques.


Last updated on: October 8, 2025, 2:58 pm