Cybersecurity Telework Policy
General Terms
Telework Cybersecurity Controls:
· All university employees and contractors must comply with the Acceptable Use Policy for assets and the Data and Information Protection Policy when using and accessing King Saud University systems and services through remote work.
· Official management approval must be obtained, and all necessary arrangements and security controls must be implemented before allowing remote work activities.
· Remote access must be granted through independent accounts (VPN) separate from regular accounts.
· Access privileges must be granted based on the principle of need-to-know, considering the sensitivity of systems and the type of devices used.
· Multi-factor authentication (MFA) must be applied to all remote access users.
· Remote access must be limited to a single active session per user, prohibiting simultaneous logins from multiple devices.
· Requests for remote access privileges must be submitted by the account owner themselves, except for external parties, which require approval by the supervisory committee.
· The system used for remote work activities must be capable of verifying the implementation of anti-malware on user devices before connecting to the university network.
· Upon completion of remote work activities, all granted privileges must be revoked, and any university-provided device must be returned immediately.
· An accurate and up-to-date log of all remote work activities must be maintained.
Device Usage Requirements:
· King Saud University allows only employees' personal devices or university-provided devices to be used for remote work and connection to the network. The owner of the asset must take into account the following security arrangements:
- Ensure the physical security of devices and protection from theft and loss.
- Ensure devices are encrypted (if they contain confidential information).
- Use appropriate anti-malware and device security tools (e.g., antivirus software, personal firewalls, and mobile device management tools).
- Connect to the university network using a secure tunneling method (e.g., SSL, VPN).
- Implement appropriate authentication or authorization mechanisms.
- Handle identities and passwords securely; each user is responsible for securing their username and password and is fully accountable for all actions carried out through their account.
- Communicate directly with the General Directorate of Cybersecurity if any threat or suspected incident occurs.
- Apply security patches and required updates at least once every three months.
Session Management Controls:
· Session management must be sufficiently secured, including session validity, protection, and timeouts.
· Remote access from outside the Kingdom of Saudi Arabia is prohibited, with exceptions granted only upon approval by the supervisory committee.
· Remote work systems must be hosted within the Kingdom of Saudi Arabia.
· The use of any third-party remote work systems not approved by King Saud University for remote work activities (such as TeamViewer, AnyDesk, etc.) is prohibited.
· The Network Department must configure the VPN concentrator to limit connection times to regular working hours or as determined by operational needs.