Data and Information Protection Policy


General Terms:

·       The cybersecurity requirements for protecting King Saud University's data and information must be defined, documented, and approved, and handled according to the relevant legislative and regulatory requirements.

·       The cybersecurity requirements for protecting King Saud University's data and information must be implemented.

·       The cybersecurity requirements for protecting data and information must, at a minimum, cover the following:

-       Ownership of data and information.

-       Classification and labeling mechanisms of data and information.

-       Privacy of data and information.

·       King Saud University must define the ownership of the data and information related to King Saud University.

·       King Saud University must classify the data and information related to King Saud University and implement classification and labeling mechanisms for it.

·       King Saud University must consider the privacy of the data and information related to King Saud University.

·       The implementation of cybersecurity requirements for protecting data and information related to King Saud University must be reviewed annually.

·       Any changes in ownership of data and information must be documented and approved.

·       The required retention period (Retention Period) for data and information must be determined according to relevant legislation, and the required data (as long as it does not contain personal identifiers) must only be retained in the production environment.

·       The necessary protection must be provided for data and information throughout its lifecycle and handled according to its classification, in alignment with relevant legislative and regulatory requirements.

·       Procedures for secure handling of protected information (i.e., information classified at one of the following levels: Top Secret, Confidential, or Restricted) belonging to King Saud University must be documented, approved, and shared with relevant parties.

·       Information must be protected from destruction, loss, or leakage using anti-malware software in accordance with the approved policies at King Saud University.


Access Identity and Authorization Management:

·       The cybersecurity requirements related to identity and access management for King Saud University must, at a minimum, cover the following:

-       Strictly limiting the access and viewing of data and sharing of data based on authorization lists limited to Saudi employees unless an exception is made by the authorized person (the President of King Saud University or their delegate), and these lists must be approved by the authorized person.

-       Preventing the sharing of approved authorization lists with unauthorized individuals.

·       Manage access identities and data access authorizations using critical and sensitive authorization management systems.

·       The approved authorization lists and authorizations used to handle data must be reviewed periodically for each level.


Protection of Systems and Information Processing Devices:

·       The cybersecurity requirements for protecting systems and information processing devices must, at a minimum, include the following:

-       Apply updates and security patches as soon as they are released for systems used to process data according to the period defined for each level.

-       Review the security configurations and hardening of systems used to process data according to the defined period for each level.

-       Review and harden factory settings (such as fixed passwords and default backgrounds) for technical assets used to process data.

-       Disable the print screen or screen capture feature for devices that create or process documents.


Mobile Device Security:

·       The cybersecurity requirements for mobile device security must, at a minimum, include the following:

-       Centrally manage mobile devices owned by King Saud University using a Mobile Device Management (MDM) system and enable the remote wipe feature.

-       Centrally manage BYOD devices using a Mobile Device Management (MDM) system and enable the remote wipe feature.


Data and Information Protection:

·       The cybersecurity requirements for data and information protection must, at a minimum, cover the following:

-       Use watermarking to encode the entire document during creation, storage, printing, on-screen display, and on every copy, so that the embedded code can be traced to the user or device level.

-       Use data leakage prevention techniques and rights management techniques.

-       Prohibit the use of data in any environment other than the production environment unless a risk assessment is conducted, and controls are applied to protect that data, such as data masking or data scrambling techniques.

-       Use brand protection services to protect King Saud University's identity from impersonation.


Encryption:

·       The cybersecurity requirements for encryption must, at a minimum, include the following:

-       Use updated and secure encryption methods and algorithms for creation, storage, and sharing and for the entire network connection used to transfer data, in accordance with the advanced level (Advanced) under the National Cryptographic Standards (NCS-1:2020).

-       Use updated and secure encryption methods and algorithms for creation, storage, and sharing and for the entire network connection used to transfer data, in accordance with the moderate level (Moderate) under the National Cryptographic Standards (NCS-1:2020).


Secure Data Destruction:

·       The cybersecurity requirements for data destruction must, at a minimum, include the following:

-       Identify the techniques, tools, and procedures for implementing secure data destruction operations based on the data classification level.

-       When there is no longer a need to use storage media, secure destruction (Secure Disposal) of the media must be carried out using the specified techniques and tools.

-       When storage media needs to be reused, secure erasure (Secure Erasure) of data must be performed so that it cannot be recovered.

-       Verification of secure data destruction or erasure must be carried out.

-       Keep a record of all secure data destruction or erasure operations performed.

-       The implementation of secure data destruction requirements must be reviewed periodically for each level.


Cybersecurity for Printers, Scanners, and Copiers:

·       The cybersecurity requirements for the protection of printers, scanners, and copiers at King Saud University must be defined, documented, and approved.

·       The cybersecurity requirements for printers, scanners, and copiers at King Saud University must be implemented.

·       The cybersecurity requirements for printers, scanners, and copiers must, at a minimum, include the following:

-       Disable the spooling feature.

-       Enable the identity verification feature on central printers, scanners, and copiers before starting printing, copying, or scanning operations.

-       Maintain a secure electronic record of operations using printers, scanners, and copiers for a period of no less than 12 months.

-       Enable and protect CCTV surveillance records for the locations of central printers, scanners, and copiers.

-       Use cross-cut shredders to destroy documents when they are no longer needed.

·       The implementation of cybersecurity requirements for printers, scanners, and copiers must be reviewed periodically for each level.


Cybersecurity for External Parties:

·       The cybersecurity requirements for external parties must, at a minimum, include the following:

-       Conduct security screening for external party employees who have access to data.

-       Ensure contractual guarantees for the ability to securely delete the organization's data by the external party when the contractual relationship ends, with evidence of such deletion.

-       Document all data-sharing operations with external parties, including justifications for data sharing.

-       When sharing data outside the Kingdom, verify the host entity's ability to protect that data, obtain approval from the authorized party, and comply with relevant legislative and regulatory requirements.

-       Require external parties to inform the entity directly when a cybersecurity incident occurs that may affect shared or created data.

-       Reclassify data to the lowest level necessary to achieve the goal before sharing it with external parties using data masking or data scrambling techniques.

Last updated on : October 8, 2025 3:05pm