GOVERNING LAW & JURISDICTION
1. Acceptable Usage Policy
1.1.1. Information Handling
- Users shall ensure that their information assets, regardless of their form (electronic or physical), are classified appropriately to avoid loss of confidentiality, integrity and availability of the information.
- Users shall ensure that their information assets are labelled and stored securely with appropriate protection measures to avoid unauthorized access.
- Users shall ensure that their information assets are distributed or transferred on a “need to know” basis, taking into consideration adequate protection measures.
- Users shall ensure that their information assets in form of paper are shredded appropriately before disposal.
- Unless permitted, users shall not reproduce sensitive or confidential information in any manner using equipment such as scanners, photocopiers, photos and printers.
1.1.2. Information Exchange
- Users shall not share or upload any official information on private cloud services without prior approval from the Business Owner.
- When information is exchanged between two parties with the use of information exchange equipment like mobile, answering machine, electronic mail, Internet or any other transformation media, the following controls shall be considered:
- While using a mobile phone in a public place, ensure that the information is not overheard by any unauthorized person.
- Ensure that fax is sent to the correct fax numbers only.
- Follow the controls on exchange of information or software through the use of electronic mail and Internet as described in the Internet and Email Security Policy.
- Users shall ensure that any confidential information is not left as a message on an answering machine.
- Before transferring any confidential information using postal services users shall ensure that it is covered and sealed in a tamper-proof envelope.
1.1.3. Clear Desk and Clear Screen
- Users shall ensure that they lock the computer before leaving their desk.
- Users shall ensure that they log off from all applications at the end of their work hours or while leaving for the day.
- Users shall ensure that sensitive information assets are maintained around their desks in a manner that avoids any unauthorized viewing.
- Users shall ensure that they store paper documents and electronic media in locked cabinets or other secure storage areas, especially after office hours.
- Users shall ensure that they do not leave any paper documents unattended around photocopiers, scanners, or printing facilities.
1.1.4. Desktop/Laptop and Equipment Usage
- Users shall not try to change any hardware configuration, settings in the operating system or any applications installed on their desktops/laptops. If users require any change in the hardware or software settings, they shall contact the IT Help Desk.
- Users shall not install any unauthorized software on their desktop that is not essential to stc channels business. If the users require additional software, they shall contact the IT Help Desk.
- Users shall be responsible for the security of their desktops/laptops and will take adequate measures to ensure its physical and logical security.
- Whenever connecting their laptops or desktops to the LAN, users shall ensure that the anti-virus agent is running on their machines.
- Users shall take adequate measures for physical protection of laptop, like not leaving laptops unattended in public places or while travelling.
- Users shall clean the data on a regular basis to remove unwanted data from their desktops/laptops.
- Users must not use stc channels information systems to engage in any hacking activities such as the following:
- Gaining unauthorized access to any other information systems.
- Damaging, altering or disrupting the operations of any other information systems.
- Capturing or obtaining passwords, encryption keys or any other access control mechanism that could permit unauthorized access.
- stc channels computers shall not be loaned to third parties without prior management approval.
- Users shall not accept any form of assistance and free consulting services, free security software via Internet, etc. to improve the security of their systems without first taking approval from the Information Security department.
- Users shall not disable the installed anti-virus agent or change any settings. This includes settings for periodic system scans; anti-virus server IP address and signature update schedules.
- Users shall not disrupt the scheduled virus scans in their systems. If the scan is affecting system performance, users shall contact IT Help Desk for resolution.
- On suspecting any abnormal system behavior or seeing virus alerts in the system, users shall stop their work and immediately report to IT Help Desk.
1.1.6. Internet Usage
- All critical hosts that need an internet connection shall be connected through proxy for updating, patching and maintenance purposes.
- Internet access is provided to users for the fulfilment of job responsibilities. Users shall access Internet for business purposes only and refrain from using Internet for personal or non-business activities.
- Users shall not connect Internet data cards to their machines unless otherwise approved by the Information Security department.
- Installing chat software for chatting, talking and attaching files is strictly prohibited unless authorized.
- The browsing of adult content via stc channels computers or networks is strictly prohibited. This includes content obtained via web sites, email attachments, CD-ROMs and file sharing networks.
- Users shall not use Internet facilities to:
- Download or distribute malicious software or tools or to deliberately propagate any virus.
- Violate any copyright or license agreement by downloading or distributing protected material.
- Upload files, software or data belonging to stc channels to any Internet site without authorization of the owner of the file/ software/ data.
- Post views or opinions in public on behalf of stc channels unless authorized by executive management.
- Conduct illegal or unethical activities including gambling, accessing obscene material or misrepresenting stc channels.
- Carry out port scanning, security scanning, and network monitoring or using any technology which circumvents the security of host computer.
- Users are responsible for protecting their Internet account and password. Users shall be held responsible for any misuse of Internet access originating from their account.
- Users shall not download and install, execute or store computer games on any stc channels facilities.
- User’s internet bandwidth quota is determined by IT Operations based upon resources availability.
1.1.7. E-mail Usage
- stc channels provides electronic mail facility to support business communication requirements.
- As far as possible stc channels official mail shall not be used in any way for personal usage and/or communication.
- The e-mail message, including all attached files, is limited to a file size of 10 MB for transmission.
- Users owning the e-mail account are responsible for the content of the e-mail originated from their account to other users inside or outside stc channels.
- Users are prohibited from sending or forwarding:
- E-mails with offensive, racist or obscene remarks.
- E-mails containing messages that may damage the reputation of stc channels.
- E-mails that contain viruses or worms.
- Chain e-mails like e-mails forwarded from a chain of people usually containing virus hoaxes, jokes, charitable fund-raising campaigns, political advocacy efforts, religious beliefs and others.
- E-mails containing any illegally acquired document, software or other information.
- The E-mail exchanges with third parties shall contain a disclaimer against contractual obligations or similar commitments during usual business communications.
- Users shall protect their e-mail account on the server through strong and complex passwords and shall not share their password or account with anyone else.
- Users shall not configure Automatic forwarding of electronic mail to external mail addresses.
- Users shall not subscribe to mailing lists using stc channels official email account unless for business need.
- Users shall refrain from revealing their e-mail accounts or email accounts of any other user in stc channels to any website, mailing list, newsgroups or discussion boards without appropriate authorization.
- Users shall refrain from opening e-mail attachments unless and until they trust and expect the sender of e-mail or have mutually exchanged e-mails previously.
- Users shall not forward sensitive business information over non-corporate e-mails. In case such information needs to be shared, appropriate authorization from the respective manager/business owner shall be received and necessary controls such as encryption and password protection shall be implemented prior to sharing.
- stc channels reserves the right to monitor email communications to ensure that email usage is as per this policy and probable data leakage is contained.
- In case any misuse of the e-mail system is detected, stc channels can terminate the user e-mail account and take other disciplinary action.
- Users shall promptly report all suspected security vulnerabilities or incidents that they notice with the Email system to the IT Help Desk.
- Users sending approved and confidential information to authorized entities shall make sure that email encryption is applied prior to sending.
1.1.8. Telephones and Voice Mail
- Unauthorized recording or duplication of voice mails that are stored in answering machines and voice mail systems is strictly prohibited.
- All voice mail messages that are older than one month shall be deleted.
- Users shall be careful about using stc channels telephone for personal calls. They shall keep the call brief, particularly during office hours.
- Users are responsible for using telephone and voice service for business need, and not for personal usage/calls.
1.1.9. Social Media Usage
- Users shall behave in a way on social media sites that preserves the reputation of stc channels if authorized to represent stc channels.
- Users shall refrain from posting content on social media sites that is of the following nature, but not limited to:
- Profane language.
- Comments that promote discrimination.
- Comments that promote illegal activity.
- Comments that violate any legal or intellectual property rights.
- Users shall observe the finest moral principles in their behavior and conduct on social media sites.
- Users shall use stc channels corporate resources in an honest and transparent manner and avoid wastage of time in using social media sites.
- While managing personal accounts for social media sites, users shall not post their official company contact details for correspondence.
- In all cases, it shall be employee’s responsibility to ensure that his/her personal behavior on social media sites does not harm the reputation of stc channels or any other entities in any way.
- Users shall be careful of three main security concerns related to social media sites – Spear phishing, Social Engineering, and Web Application Attacks.
1.1.10. Password Usage
- Users shall not disclose their passwords to anyone inside or outside stc channels.
- Passwords shall not be communicated via email unless e-mail communication is encrypted.
- Passwords shall never be written down or stored in an unprotected fashion (including mobile or similar devices) without encryption.
- Users are accountable and liable for all actions originating from their accounts and shall take due care to secure their account credentials by not sharing account details with anyone.
1.1.11. Document and Storage Security
- All documents containing sensitive information shall be marked as per the Asset Management Policy. Confidential documents and media shall not be kept unattended in the user’s work area, near printers or fax machines and shall be stored with appropriate physical security.
- Users shall ensure that whenever sensitive documents are printed, the printouts are collected immediately.
1.1.12. Mobile Computing Devices
- stc channels employees may use their mobile devices to access the following company-owned resources: internet, e-mail, contacts, meeting reminders, documents, calendars, etc.
- Smart phones and tablets that are not on the stc channels list of supported devices are not allowed to connect to the network.
- If the mobile device is a stc channels property, then the device shall be fitted with an irremovable security tag (sticker) to identify the device by a unique number.
- Wireless connection such as Ethernet, Bluetooth of the mobile device is not allowed when it is connected to stc channels network. It must be disabled unless that device as access point is authorized by IT inside stc channels premises.
- stc channels highly confidential data shall never be stored on the mobile device, unless this is approved by the business owner and the data is encrypted with strong encryption.
- In order to prevent unauthorized access, devices shall be password protected using the features of the device and a strong password to access stc channels network.
- The device shall lock itself with a password or PIN if it is idle for five minutes.
- After five failed login attempts, the device shall lock. The mobile device users shall contact IT Help Desk to regain access.
- A lost, stolen or misplaced Mobile Computing Device should be reported to IT Help Desk immediately.
- The employee is expected to use his or her devices in an ethical manner at all times and adhere to the stc channels acceptable use policy as outlined.
1.1.13. Bring your own devices (BYOD)
- stc channels shall allow the use of personal devices (e.g., smartphones, tablets, laptops) for business purposes; the use should be supported by a defined, approved and implemented information security standard, additional staff agreements and information security awareness training.
- Ensure that business and sensitive information of stc channels is securely handled by staff and protected during transmission and storage, when using personal devices.
- The BYOD information security standard should be defined, approved, implemented, and the compliance with the information security standard should be monitored.
- Effectiveness of the BYOD Information security controls should be measured and periodically evaluated.
- Information regarding the restrictions and consequences for staff when stc channels implements Information security controls on personal devices.
- BYOD Infrastructure shall isolate business Information from personal information. And if applicable, the use of mobile device management (MDM) applying access controls to the device and business container and encryption mechanisms on the personal device.
1.1.14. Logging and Monitoring
- Users shall be made aware that all activities on the IT resources are continuously monitored and periodically audited and these records are archived. If necessary, these records shall be used as evidence in any legal or disciplinary action.
- Logging retention period must be online for 90 days and in archive for 5 years.
- In the ordinary course of stc channels business, email and web browsing are surveyed, archived and logged by system administrators to monitor network efficiency, provide virus protection, filter spam mail, enforcement of data security and compliance.
2. Enforcement and Compliance
Violations against this policy will be subject to disciplinary actions in accordance with HR policies, Anti-cybercrime law, or other pertinent Saudi Arabian laws and regulations.
Information Security management has to approve any exceptions if needed. Otherwise, it will be considered a deliberate violation (non-compliance) of this policy, and penalties shall subsequently be applicable.