Bring Your Own Device (BYOD) Policy for Users
General Terms:
· User devices and mobile devices, including operating systems, software, and applications, must be updated and equipped with the latest updates and patches in accordance with the vulnerability management standard adopted by King Saud University.
· Configuration controls and hardening must be applied to user devices and mobile devices according to cybersecurity standards.
· Employees should not be granted unrestricted access privileges on user devices and mobile devices; privileges must be granted based on the principle of least privilege.
· Default user accounts in operating systems and applications should be deleted or renamed.
· The time must be synchronized centrally from an accurate and reliable source for all user devices and mobile devices.
· User devices and mobile devices should display a logon banner (text message) stating that only authorized use is permitted.
· Only applications on an approved list (application whitelisting) should be allowed to run, data leakage should be prevented, and data monitoring systems should be implemented.
· Storage media for important and sensitive user devices and mobile devices with advanced privileges must be encrypted according to the university’s approved encryption standards.
· The use of external storage media should be prohibited; any exception requires prior permission from the Cybersecurity Department.
· User devices and personal mobile devices (BYOD) with outdated or expired software (including operating systems, software, and applications) should not be allowed to connect to the King Saud University network to prevent security threats from outdated software not protected by update and patch packages.
· User devices and personal mobile devices (BYOD) that are not equipped with the latest security software should be prevented from connecting to the King Saud University network to avoid cybersecurity risks that lead to unauthorized access, malware installation, or data leakage. This protection software should include mandatory programs such as antivirus, suspicious-activity and anti-malware software, host-based firewalls, and advanced intrusion detection/prevention systems.
· User devices and mobile devices should be configured to display a password-protected screensaver after 10 minutes of inactivity (Session Timeout).
· User devices and mobile devices should be managed centrally through King Saud University’s Active Directory domain server or a central management system.
· User devices and mobile devices should be configured by the appropriate domain controller to apply the correct policies and install necessary software settings.
The university will not routinely monitor personal devices; however, it retains the right to:
· Prevent a specific device from accessing wired networks, wireless networks, or both.
· Prevent access to a specific system.
· Take all necessary and appropriate steps to recover university-owned information.
Cybersecurity Requirements for User Device Security:
· User devices assigned to technical staff with critical privileges must be isolated on a dedicated management network and should not be connected to any other network or service.
· Critical and sensitive user devices with advanced privileges should send logs to a centralized logging and monitoring system, and this cannot be disabled by the user.
· User devices must be physically secured within the buildings of King Saud University.
Cybersecurity Requirements for Mobile Device Security:
· Mobile devices should be prohibited from accessing sensitive systems except for a temporary period, after conducting a risk assessment and obtaining the necessary approvals from the relevant management (CSCC-2-5-1-1).
· Mobile device disks that can access sensitive systems must be fully encrypted (Full Disk Encryption) according to control (CSCC-2-5-1-2).
Cybersecurity Requirements for Personal Devices (BYOD):
· Mobile devices must be centrally managed using a Mobile Device Management (MDM) system.
· King Saud University’s data and information stored on employees' personal devices (BYOD) must be separated and encrypted.
· Periodic backups of data stored on user devices and mobile devices must be conducted in accordance with the university’s approved backup policy by the relevant department.
King Saud University data stored on mobile and personal devices (BYOD) will be deleted under the following circumstances:
· Loss or theft of the mobile device.
· Termination or cessation of the employment relationship between the user and the university.
Faculty Responsibilities:
· Faculty members using their personal devices for King Saud University business are responsible for their personal devices and how they are used. They must:
- Enable relevant security features within their devices.
- Maintain the security of their devices and ensure they are regularly updated.
- Not use devices with outdated operating systems.