1- General requirements:

·       King Saud University must comply with the legislative and regulatory requirements related to data protection in the Kingdom of Saudi Arabia, as well as the policies and procedures followed by the university.

·       King Saud University must define and update the cybersecurity requirements for data.

·       King Saud University must ensure the efficient management of data cybersecurity requirements in accordance with the cybersecurity policy in human resources and the university's asset management policy.

·       King Saud University must ensure the protection of mobile devices in accordance with the university's mobile device security policy.

·       The use of King Saud University's data in any environment other than the production environment is prohibited, except after conducting a risk assessment and implementing controls to protect that data, such as (Data Masking) or (Data Scrambling) techniques.

·       King Saud University must specify the technologies, tools, and procedures for securely disposing of data according to its classification level.

·       King Saud University must use a secure method for data extraction and transfer, as well as for extracting and transferring virtual infrastructure.

·       King Saud University must prevent the transfer of any sensitive system data from the production environment to any other environment.

·       King Saud University must use the (Watermark Feature) to mark the entire document when preparing, storing, printing, or displaying it on the screen, and ensure that each copy of the document contains a traceable number.

2- Classification and safe handling of information:

·       The data of King Saud University must be classified according to its approved data classification policy.

·       Employees should avoid discussing King Saud University's data verbally in public areas or in areas where their discussions might be overheard. Discussions should take place in the university premises and in secure locations within the premises.

·       The data stewards, appointed by King Saud University to work with relevant stakeholders associated with the university, must be responsible for classifying the data as outlined in this policy.

·       Classified data (confidential, highly confidential) should not be stored on portable storage devices such as external hard drives or USB drives, regardless of the level of encryption used on the portable storage device.

·       Classified data (confidential and highly confidential) should not be entered, processed, modified, saved, or transferred to devices owned by employees, known as Bring Your Own Device (BYOD), unless that data is specific to the employees.