Policy for compliance with cybersecurity legislation, regulations, and standards
General Terms:
· The list of cybersecurity-related legislations, regulations, and relevant requirements must be identified, documented, and updated annually.
· King Saud University must comply with all necessary controls set by the National Cybersecurity Authority (NCA) as per Royal Decree No. 6801:
- Basic cybersecurity controls (ECC-2:2024)
- Cybersecurity controls for institutional social media accounts (OSMACC-1:2021)
- Cybersecurity controls for cloud computing (CCC-2:2024)
- Cybersecurity controls for remote work (TCC-1:2021)
- Cybersecurity controls for data (DCC-1:2022)
· Compliance with national and relevant legislative and regulatory cybersecurity requirements must be ensured annually using appropriate tools, including but not limited to:
- Cybersecurity risk assessment activities.
- Vulnerability management activities.
- Penetration testing activities.
- Cybersecurity standards review.
- Security source code review.
- User surveys.
- Stakeholder interviews.
- System and network permissions review.
- Cybersecurity logs and incident review.
· The university must identify and analyze all applicable statutory, regulatory, legal, and contractual requirements and take appropriate measures to comply with them. The following areas must be covered:
- Relevant standards and guidelines related to information and cybersecurity.
- Relevant government and/or external requirements (such as laws, regulations, guidelines, and standards) related to external relations and external requirements reviews.
- Labor laws, especially regarding IT-related safety and health requirements.
- Intellectual property rights and software copyright laws.
- Information systems security requirements, particularly concerning the use of encrypted data and data transfer.
- Audit reports from external auditors, service providers, and government entities.
· If there are locally approved international agreements that include cybersecurity requirements, King Saud University must comply with those requirements.
· Cybersecurity policies and procedures must be reviewed annually to ensure compliance with related legislative and regulatory requirements.
· Cybersecurity policies and procedures must be applied annually.
· Corrective actions must be identified and implemented to address any gaps in compliance for all stakeholders.
· The cybersecurity department must review the application of cybersecurity controls annually.
· The cybersecurity department must review the application of cybersecurity controls for sensitive systems at least once per year.
· The Anti-Cybercrime Law (Royal Decree No. M/17) applies, and King Saud University must comply with it.
· All individuals, including contractors, consultants, and employees of external entities, must understand and acknowledge their responsibility to comply with King Saud University's information security policies and procedures.
· All areas and information assets within King Saud University are subject to regular audits to ensure compliance with security policies and standards.
· Technical compliance reviews must only be conducted by qualified and licensed individuals or under their supervision.
· Key Performance Indicators (KPIs) must be used correctly and effectively to ensure continuous development of the cybersecurity compliance program requirements.
Intellectual Property Rights:
· King Saud University must apply intellectual property rights (including software or document copyrights, design rights, trademarks, patents, and source code licenses) related to its information systems.
· All departments must establish appropriate procedures to ensure compliance with legal restrictions on the use of materials that may have intellectual property rights, such as copyrights, design rights, and trademarks.
· Appropriate procedures must be implemented to ensure compliance with legislative, regulatory, and contractual requirements concerning the use of materials that may have intellectual property rights and the use of proprietary software products.
· All software used within King Saud University must be purchased and issued in accordance with licensing agreements.
· No person or entity within King Saud University is permitted to participate in unauthorized copying of software.
· King Saud University must retain proof of ownership (licenses or evidence).
· The university must comply with licensing requirements that limit the use of products, software, designs, and other materials obtained by the university.
· All employees using King Saud University's information assets must strictly adhere to copyright laws and restrictions set by the software vendor.
· King Saud University must not reproduce third-party materials, convert them into another format, or extract them from commercial recordings (film, sound) unless allowed by copyright policy.
· Documents related to King Saud University's intellectual property must be marked as "Confidential."
Protection of Organizational Records:
· A set of documented procedures must be established to define methods for classifying information records, as well as appropriate protection controls for these records to prevent loss, destruction, and falsification.
· Records must be classified into types of records (such as accounting records, database records, audit records, operational procedures) with details of retention periods and storage media types (such as paper, magnetic, optical).
· Records must be protected from loss, destruction, and falsification based on the importance of the records and should be stored appropriately for the media on which they were recorded.
· The record storage and handling system must clearly define records and their retention periods, and must also allow for the appropriate destruction of records after the retention period once the university no longer needs them.
Data Protection and Privacy of Personal Information:
· A data protection and privacy policy must be developed and implemented to define the requirements in relevant laws, regulations, and contractual requirements for King Saud University.
· The organizational structure and controls to ensure compliance with this policy and all relevant data protection laws and regulations required by King Saud University must be defined.
· No employee at King Saud University may share confidential or proprietary data belonging to King Saud University or personal data with entities, companies, business units, or government organizations unless permission is granted to share this information.
· Personal information must not be transferred or shared when statistical information can be used as an alternative.