First: Preface
- Introduction
The regulations and procedures for the management and development of electronic systems constitute a fundamental document that delineates the operational frameworks, specifies roles and responsibilities, and outlines the practices to be adhered to and executed by the officials of electronic systems associated with the University of Baghdad, irrespective of their level of authority, to ensure the security and safety of those systems. The University of Baghdad’s policies and controls align with the information and data security standards established by the General Secretariat of the Council of Ministers, with provisions for periodic updates as required.
- Goals
This policy aims to establish processes and regulations for protecting electronic systems and their associated servers, minimizing the risk of unauthorized access, and outlining the mechanisms for addressing such incidents.
- Scope
This policy applies to all systems, and the servers hosting them, that deliver a specific service to the University of Baghdad and its officials, as well as to individuals authorized to access those systems with varying levels of permission.
Second: Definitions
| Term | Definition |
|---|---|
| System Manager | An IT specialist responsible for administering and monitoring the system and its server and for executing policies, regulations, and guidelines. |
| System Programmer | A programming expert tasked with developing and updating the system. |
| System Technicians | A team of personnel responsible for administrative duties related to the system’s operation. |
| Server | A computer equipped with high-performance components, designed to host information resources on the network. |
| Asset Inventory Records | Records in which all university property is recorded. |
| Operating System | The software that manages the computer’s memory, the operations performed on it, and its hardware and software resources. |
| Operating System Version | The release or version of the operating system in use. |
| Framework | A flexible set of software components that helps developers accelerate development from the coding stage through to production and publication. |
| API (Application Programming Interface) | An interface that links systems and the services they provide with each other. |
| Logs | All records of user activity within systems and servers. |
| Information Security Manager | The employee responsible for information security at the University of Baghdad. |
| Firewall | Software or hardware security devices that control and restrict the ability to intrude on or access systems. |
| Permissions | The rights granted to users to access and use information resources or systems, in accordance with the rights and licences granted to each user. |
| User | Employees of the University of Baghdad in their various categories, together with undergraduate and graduate students. |
| User Profile | A set of settings and information related to a user, containing the essential information used to identify the individual, such as name, age, personal photo, individual characteristics, and other details. |
| Remote Access | Access to a device or network from any location. |
| Access Points | Network devices used to extend the coverage of an existing network and increase the number of users who can connect to it. |
| Encryption | Converting data from a readable form into an unintelligible form to ensure confidentiality. |
| Backup | The process of copying information onto storage media so that it can be restored in the event of damage or loss, or when otherwise required. |
| External Provider | A party outside the structure of the University of Baghdad that provides a specific electronic service to the university. |
| Segregation of Duties | A principle requiring more than one person to complete a task. It is an administrative control used to prevent fraud, sabotage, theft, misuse of information, and other security breaches. |
| 2FA (Two-Factor Authentication) | A secure method of identity and access management that requires two forms of identification to access resources and data. |
| Programming Languages | Collections of instructions and commands written according to the specific syntax rules of each language, enabling the computer to understand and execute the required operations. |
Third: General roles, responsibilities, and duties
- University and Formation:
Implementing the regulations and procedures for electronic systems management at the University of Baghdad is regarded as the fundamental practice for system management within the institution. The university and its formations are responsible for formulating suitable guidelines and procedures for executing the policy, and for communicating the policy to the personnel involved in the systems.
- System Manager:
Overseeing and supervising the system and its server, designating system technicians as needed, and granting them authority according to the operational requirements of the system.
- System Programmer:
Developing and maintaining the system.
- System Technicians:
Administrative responsibilities for the system’s operations, including data entry and modification, among others. Their authority is typically confined to their work area on the system’s front end.
Fourth: Essential regulations and procedures
- Documenting the servers located at the University of Baghdad (LOCAL SERVER) in the asset inventory records.
- Recording and documenting the following information for each server:
  - Operating system and version
  - Primary functions and applications
  - Recipients of the server’s services
- The operating system on each server must be approved and properly licensed.
- Using an approved development framework (FRAMEWORK) for each sanctioned electronic system.
- Prohibiting the upload of any data or systems not affiliated with the University of Baghdad onto its servers.
- The systems on the servers of the University of Baghdad are the university’s property and may not be utilized or benefitted from by any other governmental or civil entity without prior authorization.
- Any electronic system developed must establish a programming interface (API – Application Programming Interface) with the central database of the University of Baghdad, so that the same data is not duplicated across multiple databases.
- Periodically installing and updating security updates and protections for the operating system and all components of the server and electronic system.
- Establishing a technical committee dedicated to evaluating and assessing every new system prior to its approval.
- Continuous monitoring of server and system logs (LOGS) by the system administrator.
- Adhering to optimal international standards throughout system development to mitigate security risks and programming faults.
- Conducting a comprehensive assessment of all systems and applications for security vulnerabilities, using established penetration testing and security analysis techniques, in collaboration with the information security manager.
- The responsibilities of the system administrator include configuring the settings of connected devices for safe operation, installing and overseeing system protection measures such as firewalls, intrusion detection and prevention systems, and antivirus and anti-malware solutions, and enforcing the cybersecurity policy.
- The system must implement multiple access levels, with specific functions and permissions assigned according to roles and responsibilities and managed by the system administrator.
- A user profile in the system is handled exclusively by the account owner, unless intervention by the system administrator is required, after the requisite approvals have been obtained from the pertinent party or through a written or electronic request from the account holder.
- All responsibilities and authorities allocated to employees shall be suspended or modified when they transfer to a different position or job location, or when their service ends.
- When authorized individuals access these servers remotely, the access points must be encrypted and secure, and caution must be exercised when connecting from networks in public venues such as cafes, restaurants, and airports.
- Regularly creating backup copies of the servers (BACKUP), taking into account the number of copies and the geographical distribution of their storage locations, with a defined protocol for storing copies in external locations as required, in accordance with the cybersecurity and data backup policy.
- Commitment to ensuring that the servers are situated in an environment accessible solely to authorized users within the University of Baghdad.
- Should an external provider be engaged to deliver a specific service to the University of Baghdad, the following criteria must be fulfilled:
  - Securing the requisite permits from the Director of Information Security at the University of Baghdad.
  - The engagement of an external provider must stem from a contractual agreement between the University of Baghdad (the beneficiary) and the external provider, ensuring that the latter possesses a high level of efficiency and security. Additionally, a non-disclosure agreement must be executed, prohibiting the external provider from revealing any proprietary information belonging to the University of Baghdad without authorization.
  - The information services for which an external provider is engaged must be indispensable and crucial.
  - Establishing and recording the requisite standards to assess, oversee, and evaluate the efficacy of the services supplied under the external contract.
  - Ensuring the implementation of the “segregation of duties” principle between the University of Baghdad and the external provider, while refraining from granting the provider full authority.
  - The identities and details of individuals authorized by the external provider and permitted to access the system must be recorded and verified with the University of Baghdad (the beneficiary), and permanent communication channels with them must be maintained.
  - Establishing and documenting the requisite standards for measuring, monitoring, and evaluating the efficacy of the outsourced services, along with the procedures for monitoring and reporting potential security incidents.
- Some systems may require two-factor authentication (2FA) to be enabled, at the discretion of the system administrator.
- It is advisable to configure the system to temporarily disable an account after a specified number of consecutive failed login attempts.
- Emergency changes are permitted; these are typically sudden, unforeseen modifications made by the system administrator.
- Refrain from using programming languages that no longer receive security patches.
- Utilize an internationally recognized encryption algorithm or a locally developed encryption algorithm, contingent upon approval from the university administration and in collaboration with the Information Security Director.
- Complete commitment to the policy of protecting user data and ensuring cybersecurity within the systems.