Policy for compliance with cybersecurity legislation, regulations, and standards
1- General Requirements:
- A list of cybersecurity-related legislation and regulations, along with relevant requirements, must be identified, documented, and updated annually.
- King Saud University adheres to all necessary controls established by the National Cybersecurity Authority (NCA), pursuant to Royal Decree No. 6801:
- Essential Cybersecurity Controls (ECC-2:2024).
- Cybersecurity Controls for Corporate Social Media Accounts (OSMACC-1:2021).
- Cybersecurity Controls for Cloud Computing (CCC-2:2024).
- Cybersecurity Controls for Remote Work (TCC-1:2021).
- Cybersecurity Controls for Data (DCC-1:2022).
- Compliance with legislative, regulatory, and national cybersecurity requirements must be verified at least annually, using appropriate means, including, but not limited to:
- Cybersecurity risk assessment activities.
- Vulnerability management activities.
- Penetration testing activities.
- Review of cybersecurity standards.
- Security source code review.
- User surveys.
- Stakeholder interviews.
- Review of system and network access rights.
- Review of cybersecurity logs and incidents.
The university must identify and analyze all applicable regulatory, legal, and contractual requirements and take appropriate measures to comply with them. The following areas must be covered:
- Relevant standards and guidelines related to information technology and security.
- Relevant governmental and other external requirements (e.g., laws, regulations, guidelines, and standards), including those arising from external relationships and external compliance reviews.
- Labor laws, particularly those addressing IT-related safety and health requirements.
- Intellectual property rights and software copyright laws.
- Information systems security requirements, particularly those governing the use of encryption and the transmission of data.
- Audit reports from external auditors, external service providers, and government agencies.
- King Saud University must comply with any international agreements or commitments adopted in the Kingdom that include cybersecurity requirements.
- Cybersecurity policies and procedures must be reviewed at least annually to ensure compliance with relevant legislative and regulatory requirements, and their implementation must be verified annually.
- Necessary corrective actions must be identified and implemented to address gaps in compliance with all relevant stakeholders' requirements.
- The cybersecurity department must review the implementation of cybersecurity controls at least annually, including the controls applied to critical systems.
- The Anti-Cybercrime Law (Royal Decree No. M/17) applies to the University's activities, and King Saud University is committed to complying with it.
- All personnel, including contractors, consultants, and third-party employees, must understand and acknowledge their responsibility for complying with King Saud University's information security policies and procedures.
- All areas and information assets within King Saud University are subject to regular audits to ensure compliance with security policies and standards.
- Technical compliance reviews should only be conducted by, or under the supervision of, competent and authorized personnel.
- Key performance indicators (KPIs) must be defined and used effectively to measure the cybersecurity compliance program and drive its continuous improvement.
2- Intellectual Property Rights:
- King Saud University must ensure compliance with intellectual property rights (including software and document copyright, design rights, trademarks, patents, and source code licenses) associated with its information systems.
- All departments must establish appropriate procedures to ensure compliance with legal restrictions on the use of materials that may be subject to intellectual property rights, such as copyrights, design rights, and trademarks.
- Appropriate procedures must be implemented to ensure compliance with legislative, regulatory, and contractual requirements regarding the use of materials that may be subject to intellectual property rights and the use of proprietary software products.
- All software used within King Saud University must be acquired and deployed in accordance with its licensing agreements.
- No person or entity at King Saud University may engage in unauthorized copying of software.
- Proof of license ownership (license agreements, original media, or manuals) must be retained by King Saud University.
- The University must comply with licensing requirements that restrict the use of products, software, designs, and other materials acquired by the University.
- All employees using King Saud University information assets must strictly adhere to copyright law and to the license restrictions specified by the software vendor.
- King Saud University personnel may not duplicate third-party materials, convert them to another format, or extract content from commercial recordings (film, audio) except as permitted by copyright law and the University's Copyright Policy.
- Documents relating to King Saud University's intellectual property must be marked "Confidential."
3- Protecting Organizational Records:
- A set of documented procedures must be established to define methods for classifying information records, as well as appropriate safeguards for these records against loss, destruction, and falsification.
- Records must be classified into record types (e.g., accounting records, database records, audit records, and operational procedures), detailing retention periods and storage media types (e.g., paper, magnetic, optical).
- Records must be protected from loss, destruction, and falsification based on their importance and must be stored in a manner appropriate to the media on which they were recorded.
- The records storage and handling system must ensure that records and their retention periods are clearly identified, and that records are securely destroyed once the retention period has expired and the University no longer needs them.
4- Data Protection and Personal Information Privacy:
- A data protection and privacy policy must be developed and implemented that sets out the requirements arising from the laws, regulations, and contractual obligations applicable to King Saud University.
- An administrative and oversight structure must be established to ensure compliance with this policy and with all data protection laws and regulations applicable to King Saud University.
- No King Saud University employee may share confidential or proprietary data of King Saud University, or citizen data, with affiliated entities, companies, business units, or government organizations unless sharing of that information has been authorized.
- Personal information may not be transferred or shared where statistical information would suffice for the purpose.