General Terms

Social Media Usage:

·       All members (faculty, staff, students, contractors) must adhere to the university's acceptable use policy when using social media.

·       It should be understood that any inappropriate or irrelevant content posted in the name of the university may cause harm to the individuals or the university.

·       Posting confidential or internal information is prohibited, and posting should be limited to public information with approval from the concerned entity.

·       Information related to university operations (i.e., public information only) may only be shared on social media via the university's official social media accounts and after obtaining approval from the relevant administration.

·       Any content should be reviewed before being posted through official channels and approved by the concerned administration.

·       Faculty members, staff, and all university affiliates are prohibited from using their personal social media accounts to post any information or content related to the activities or operations of King Saud University; official posting should be done via university-approved channels.

Account Management and Official Naming:

·       The specified naming convention must be used for King Saud University’s social media accounts, such as (_KSU) (e.g., KSU_etc).

·       Faculty and staff should hide their current job titles in their LinkedIn profiles as "Confidential."

·       Registration should be done using official data (official email and phone number), and personal data should not be used.

·       Social media accounts should be documented and maintained with consistent identity across all platforms used, making it easier to identify official accounts and detect fraudulent accounts.

Identity and Access Management:

·       The cybersecurity requirements related to identity and access management for social media accounts at King Saud University must, at a minimum, cover the following:

-       Use of social media accounts assigned to entities, not individuals.

-       Use of a secure password for each social media account and changing the password annually, avoiding reusing previously used passwords.

-       Use of multi-factor authentication for logging into social media accounts.

-       Enabling and securely documenting security questions.

-       Managing user permissions for social media accounts based on business needs, considering the sensitivity of the accounts, the level of permissions, and the types of devices and systems used.

-       Limiting access permissions for service providers managing or monitoring social media accounts or protecting the entity’s identity from impersonation.

-       Restricting access to social media accounts to specific devices.

-       Reviewing the identities and permissions used for social media accounts at least once a year.

Mobile Devices Security:

·       The cybersecurity requirements for mobile devices and BYOD (Bring Your Own Device) for King Saud University should, at a minimum, cover the following:

-       Centralized management of mobile devices using Mobile Device Management (MDM).

-       Applying security patches and updates to mobile devices at least once a month.

Data and Information Protection:

·       The cybersecurity requirements for protecting data and information must, at a minimum, cover the following:

-       King Saud University's social media accounts should not contain classified data, as per the relevant regulations.

Cybersecurity Related to Third Parties (Third-Party and Cloud Computing Cybersecurity):

·       The need for using social media management services and automated monitoring for social media accounts or protecting the entity's identity from impersonation should be evaluated for cybersecurity risks.

·       The cybersecurity requirements for using social media management services, automated monitoring of social media accounts, or protecting King Saud University's identity from impersonation should cover, at a minimum, the following:

-       Non-disclosure clauses and secure deletion of the entity’s data by the third party upon the termination of service.

-       Procedures for reporting vulnerabilities and in the event of discovering a cybersecurity incident.

-       Requiring the third party to comply with the university's cybersecurity policies and relevant legislative and regulatory requirements for protecting social media accounts.