Contents
- Preface
- Definitions
- Overview of roles, responsibilities, and obligations
- References
- Policies
  - Section 1: Acceptable Use Policy
  - Section 2: Policy on access control and physical security
  - Section 3: Policy for Managing and Responding to Information Security Incidents
  - Section 4: Data backup Policy
  - Section 5: Computer Security Policy
  - Section 6: Email Security Policy
  - Section 7: Password Policy
- Preface
The set of policies and standards on information and data security aims to establish optimal security practices by implementing controls and procedures that delineate roles and responsibilities. The objective is to enhance the resilience, security, safety, and availability of information, thereby safeguarding the University of Baghdad systems against tampering and cyber-attacks.
- Definitions
| Term | Definition |
| --- | --- |
| Users | University of Baghdad employees of all classifications, as well as undergraduate and graduate students. |
| Risks | Any sort of threat that specifically targets an information resource. |
| Access control | The regulations and procedures implemented to limit entry to a property or to information resources. |
| Electronic System | A comprehensive electronic system designed to shift conventional work from manual administration to computer-based management, utilizing information technology. |
| Electronic Mail | An account assigned to a user within the email system that enables the sending and receiving of emails in a user-specific way. |
| CERT - Cybersecurity Emergency Response Team | A team of experts whose primary objective is to ensure the protection and security of critical information infrastructure, handle security breaches, and offer technical support and help in the field of information security within the University of Baghdad. |
| Information Technology Team | A team of IT experts whose primary objective is to offer technical assistance in the realm of computer systems within their designated area of expertise at the university. |
| Logs | All information related to the documentation of user actions within the system. |
| Antivirus software | Software applications specifically developed to detect and remove viruses, as well as quarantine files that have been compromised by viruses. |
| Privileges | The authorizations given to users to access and utilize information resources or systems in compliance with the rights and licenses extended to the user. |
| System administrator | The person responsible for supervising the system and its services, executing policies, controls, and instructions internal to the system, and delivering technical assistance to guarantee the enforcement of policies. |
| POLP - principle of least privilege | The access-control principle of limiting users' access to just the data and resources necessary for carrying out their everyday activities. It is alternatively referred to as the principle of minimum privilege, the principle of access limitation, and the principle of least authority. |
| Servers | An advanced computer equipped with powerful and optimized components, designed to efficiently handle information resources over a network. |
| Physical and environmental security | Security rules and procedures that oversee and restrict unauthorized entry to a particular site. |
| Reliability | Ensuring the most efficient performance of computer systems. |
| Power Supplies (UPS) | A backup power supply designed to safeguard equipment against potential damage in case of a power failure. |
| Backup | The act of copying information onto storage media so that it can be recovered in case of damage, loss, or necessity. |
| Anonymous files | Files without any identifiers (e.g. user or source). |
| Passwords | A secret verification mechanism employed to regulate access to specific resources. |
| Information Security Incidents | An event in an electronic system, service, or network that shows a possible violation of information security policy, failure of protective measures, or previously unidentified circumstances that may be significant to information security. |
- Overview of roles, responsibilities, and obligations
- University and Formation
- The cybersecurity policy is the set of minimal requirements that govern behaviors concerning information security and protection within the university.
- Formulate suitable guidelines and protocols to execute the policy.
- Delivering the policy to the members of the university community (both staff and students).
- Assign a liaison member to coordinate with the Cyber Incident Response Team and the IT team in the formation and provide explicit instructions on how to contact them.
- Cyber Incident Response Team
- Ensure a swift reaction to security breaches before they significantly affect the university’s operations. This includes evaluating the damage, determining the severity of the attack, containing it, gathering electronic evidence, managing security breaches, retrieving data, creating a comprehensive incident report, and communicating with the liaison members involved.
- Liaison member
- Continuous communication with the cyber incident response team and reporting any incident.
- Information Technology Team
- Providing technical assistance, including training, for activities related to the security and protection of information.
- System administrator
- Executing policies, instructions, and protocols for the information system deployed within the formation.
- Delivering necessary technical assistance to guarantee the execution of the policy.
- Users
- Completely review and comprehend the policy, examine it frequently, and strictly follow its rules.
- Utilize maximum effort to strictly follow the policy and associated directives inside the university.
- Collaborate with the Cyber Security Incident Response Team and the IT Team within the organization and consult them as necessary.
References:
- May 2019 Document on Policies and Standards for Information and Data Security.
- Risk Management Guide 2020, Department of Quality Assurance and University Performance, University of Baghdad.
- Policies
First: Policy for Acceptable Use
- Goal: To determine the appropriate utilization of information technology resources and associated systems in order to safeguard University of Baghdad personnel (users) from inappropriate uses and practices that may expose them and the institution to hazards such as virus attacks and malware affecting the network, application systems and services, as well as legal consequences.
- Scope: This policy applies to all users affiliated with the University of Baghdad.
- Procedures:
- The IT systems and resources of the University of Baghdad must always be used professionally, for their assigned purposes, and under proper accountability.
- Utilize authorized software to achieve the goals of the University of Baghdad and its assigned responsibilities.
- It is the responsibility of users to safeguard any user information, which is stored and can be accessed through their user accounts at the University, from any unauthorized use or disclosure.
- Users must promptly notify the liaison member in the formation or the Cyber Event Response Team of any theft, loss, unauthorized disclosure of information, exposure of vulnerabilities in the systems, potential misuse incidents, or violations of the University of Baghdad policies.
- Users are prohibited from attempting to access any data or programs in any system without explicit written authorization or approval from the system administrator.
- It is strictly prohibited to duplicate confidential business-related data onto any portable media, such as a disk drive, flash (USB), or external hard drive, without adequate authorization.
- University of Baghdad email accounts are exclusively for academic or University-related purposes and are strictly forbidden for personal use, social media communications, or sending chain letters that could damage the University’s reputation.
- The email system is a University of Baghdad facility intended solely for personal academic use. All communications and documents generated, transmitted, or received through the university’s email system will be the exclusive property of the institution.
- Users are prohibited from sharing any personal information, including names, addresses, photographs, videos, email addresses, and phone numbers, about other users on social networking platforms without their explicit consent.
- The user’s secret password in the system must be challenging to deduce and should not be part of a predetermined sequence. It should include symbols, numbers, and letters in accordance with the policies governing passwords.
- Exceptions to this policy must be explicitly documented and subject to approval by the Cyber Events Response Team.
- Utilizing the electronic resources of the University of Baghdad, including computers, for endeavors outside its intended use, such as engaging in gaming and leisure activities, is strictly forbidden.
- Installing and using dubious software or applications known to be infected with viruses, worms, Trojan horses, advertising programs, or any form of malware is strictly forbidden.
- Refrain from using the worldwide network (Internet) at the University of Baghdad for non-work-related activities.
- It is imperative to obtain prior written consent from the relevant authorities in the University of Baghdad system before deleting the login records (LOGS) of users or granting or blocking specific rights and privileges.
- Regularly update antivirus and malware software.
- Disable (PORTS) and prevent access to superfluous services that malware could use to penetrate systems and media.
- Perform regular comprehensive scans (SCAN) of devices and systems using anti-virus software.
Second: Access Control and Physical Security Policy
- Objective: This policy seeks to provide measures and criteria to uphold access control and physical security at the University of Baghdad, thereby guaranteeing the security, accuracy, confidentiality, and availability of information as required.
- Scope: This policy applies to all University of Baghdad users who have been granted permission to access a certain system.
- Procedures:
- Upon entering sensitive domains such as the data center, server room, or locations containing sensitive information, the following information (name, reason for visit, time of entry, time of exit) is documented.
- The system administrator must regularly review the login logs (LOGS) to verify that they show no unauthorized access or fraudulent behavior.
- Individuals with the requisite authorization to access the information systems at the University of Baghdad are strictly prohibited from using or attempting to access an account registered for someone else.
- If it is required to generate system login accounts for users who are not affiliated with the university, the system administrator must personally monitor their progress and verify the authorized powers and operational effectiveness of the assigned service, after acquiring the relevant authorizations.
- Access privileges (authorities) must be reassessed when an employee at the University of Baghdad transitions to a new role or terminates their employment.
- The system administrator approves access to IT resources or services, considering the employee’s roles and job responsibilities, and ensuring that no authorizations are granted that could potentially enable the user to override system controls beyond reasonable limits.
- It is advisable to temporarily revoke the user ID after several unsuccessful login attempts, particularly for critically vulnerable systems that are regularly targeted by cyber-attacks.
- System access is restricted to authorized users exclusively, following the principle of least privilege (POLP).
- Ensuring physical environment security by limiting entry to high-security locations such as the data center, server rooms, or spaces containing sensitive information, and prohibiting any illegal entry. University of Baghdad personnel and visitors are required to get authorization before visiting these areas, accompanied by an authorized employee. They must refrain from storing or introducing combustible or hazardous substances and must be present in these areas only for work-related reasons.
- Equipping all secure and vulnerable spaces with efficient fire detection and alarm systems and firefighting equipment commensurate with the room’s size, safeguarding them against theft, flooding, overheating, and other environmental risks, while also including regular inspections of air conditioners to verify their working efficiency.
- Ensuring uninterrupted operation (Reliability) by regularly maintaining power supplies (UPS) and generators, conducting preventative maintenance, and safeguarding data cables, power lines, and communications (via channels) against any harm, interference, or interception.
Third: Policy for the Management and Response to Information Security Incidents
- Goal: The purpose of this policy is to guarantee effective management and professionalism in the face of information security incidents, to minimize or eliminate any harm to users, information systems, and associated devices at the University of Baghdad.
- Scope: This provision encompasses all information generated or received by the University of Baghdad, regardless of its use in the workplace, storage on portable devices and media, transmission from the workplace either physically or electronically, or remote access. It also includes all users at the University of Baghdad, as well as information systems and associated devices and components that are managed, maintained, or processed by the University of Baghdad.
- Categories of Data Security Events: Users of the University of Baghdad should be aware of the following categories of data security events:
- Successful attempts to gain illegal access
- Service denial
- Unauthorized utilization of resources such as system hardware or data storage
- Unauthorized modifications to systems
- Loss or theft of information and equipment
- Unanticipated circumstances
- Human error
- Attacks by adversaries
Procedures:
- It is required to promptly notify the liaison member or the cyber incident response team of any events to ensure prompt implementation of necessary steps and measures, as well as to initiate an investigation into the incident.
- After acquiring the necessary authorizations, the cyber incident response team establishes the protocols to be implemented to address incidents.
- It is the responsibility of all information users to report any legitimate, suspected, threatening, or possible cyber security issues and aid in investigations as necessary.
- All data must be classified into one of the following categories:
- Public data: Information that is either publicly available or intended for public use and that, if made public, does not cause any adverse consequences for the University of Baghdad.
- Restricted data: Information of a highly confidential character relevant to the University of Baghdad. Access should be restricted to personnel who require this information for their specific responsibilities within the University of Baghdad.
- Confidential data: Information that, if compromised or exposed, would bring substantial detrimental effects to the University of Baghdad. Access to such data should be strictly limited.
- Incidents are categorized as follows:
- Serious/major breach or incident: Breaches or incidents involving sensitive information on a significant magnitude that pose considerable risks to the University of Baghdad.
- Moderately serious incident: Breaches or incidents involving sensitive information of a moderate magnitude that pose moderate risks to the University of Baghdad.
- Low-significance or minor incident: Breaches or incidents involving personal or internal data of an individual or of small scale, where the hazards to the University of Baghdad are minimal.
- The cyber incident response team assesses the incident by means of a formal report to ascertain its classification as either intentional or unintentional, or an internal or external breach. This evaluation includes all pertinent information and details about the incident, such as the reporting party and the nature of the data involved.
- Ensure confidentiality throughout the incident and notify only the pertinent personnel, to avoid the exposure of proprietary information.
- The functions of incident response management should encompass the following:
- Data assessment, containment, and recovery: Conduct a comprehensive investigation of all security occurrences, generate a comprehensive incident report, and perform a thorough incident assessment analysis to ascertain if they constitute cyber breaches.
- A comprehensive risk assessment and incident scope analysis is conducted for all security incidents.
- Incident notification and communications: Documented communication strategies with senior leadership are included for all significant or moderately severe security situations.
- Assessment and response: Every security incident that is classified as critical or moderately significant undergoes a post-incident analysis to gather suitable documentation, analysis, and suggestions on how to reduce future risks and exposure.
Fourth: Data Backup Policy
- Goal: The purpose of this policy is to implement controls and mechanisms for data backup plans and programs that safeguard the information of the University of Baghdad and ensure the uninterrupted provision of services associated with the systems.
- Scope: Encompasses all information, programs, databases, applications, and network resources owned by the University of Baghdad.
- Procedures:
- 1. Consistently create backups of the systems to guarantee uninterrupted business operations, and regularly verify the accuracy and security of the restored copies through testing administered exclusively by authorized individuals.
- 2. Keep duplicates and records of backup files in a secure location (ideally using local cloud storage, depending on the confidentiality and importance of the data) that can be accessed within a reasonable timeframe to guarantee uninterrupted system operations.
- 3. Record the correct date of the backups and verify the copied information.
- 4. Seek authorization from the system administrator before recovering data from backup media and files that would replace the existing data.
- 5. Determine and record the availability of critical devices with adequate capacity and speed for the purpose of backup.
Fifth: Computer Security Policy
- Goal: To establish a secure computer environment.
- Scope: This policy applies to all computers located on the University of Baghdad premises and to all authorized users using or accessing them.
- Procedure:
- Lock (temporarily deactivate) both stationary and portable computers when leaving the workplace, and power them off entirely at the conclusion of the workday.
- The Information Technology (IT) team, or its counterpart in the administrative hierarchy, is responsible for overseeing and implementing computer anti-virus software.
- The user is obligated to notify the IT staff of any instance of malicious or virus-like behavior.
- Disabling the anti-virus software on the computer is not within the rights of any user.
- Avoid accessing dubious websites, installing compromised software, or downloading data from unfamiliar origins.
- Once it is verified that the computer has sustained damage, such as a virus or malware, it is necessary to detach the device from any network within the institution. Subsequently, all viruses or suspicious files must be eliminated with the assistance of the IT team before resuming work.
- The Cyber Incident Response Team and management specifically review any exceptions to this policy, which are then approved and remain valid for a specified duration. If deemed essential, these exceptions must be re-evaluated and re-approved.
- Enable a password to authorize access to the computer. The user assumes liability if the password is revealed or not stored correctly.
- It is imperative to examine portable storage media with anti-virus software before commencing its usage.
Sixth: Electronic Mail Security Policy
- Goal: To determine the best practices for utilizing the email system to guarantee that users are knowledgeable about the permissible and impermissible applications of their email system from a security standpoint, and emphasize the essential prerequisites for the secure communication of email.
- Scope: This policy applies to all individuals who have been authorized to use the university email system by possessing a university account situated inside the University of Baghdad domain.
- Procedures:
- Users are advised to refrain from opening attachments or electronic links originating from unfamiliar or untrusted sources and to conduct a virus scan on any items transmitted or received.
- Users must refrain from automatically forwarding non-university emails (FORWARD) to the university email system.
- Users are prohibited from using external email systems for their university-related tasks.
- Maintain the confidentiality of the password and refrain from sharing it with anybody else.
- Refrain from disseminating lists of email addresses and passwords to users, regardless of whether the password is temporary.
Seventh: Password Policy
- Goal: Securing system components against unauthorized access by establishing protection criteria and selecting efficient passwords.
- Scope: This policy applies to all passwords stored in the Computer Systems of the University of Baghdad.
- Procedure:
- Ensuring the security of passwords and refraining from revealing them under any circumstances, with the user assuming the repercussions in case of their exposure.
- Consider the following factors when selecting a password:
- It should not be easy to deduce, for example from an individual's name, date of birth, or phone number, among other things.
- It should not be a commonly used term.
- It should not be derived from a particular sequence, such as successive letters or numbers in a logical order.
- The text should consist of letters, numbers, and symbols, and it is advisable to avoid repetition.
- Its length should be sufficient and within the limits set by the system controls.
- It should be changed periodically.
- Refrain from using it across several accounts and login systems.
- Passwords are categorized as sensitive information.
- In the event of concerns regarding deliberate or accidental password exposure, it is imperative to promptly reset the password and notify the system administrator.
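As an added example (not part of the policy document), the password-selection criteria above expressed as a checker that reports which criteria a candidate password fails. The minimum length, the sequence and repetition thresholds, the common-term list and the UserProfile fields are assumptions; the policy itself leaves the exact numbers to system controls.

```python
"""Password-selection checks for the criteria in the Password Policy.

Added example, not part of the University of Baghdad policy document.
"""
from __future__ import annotations

import re
import string
from dataclasses import dataclass

# Assumed system controls: the policy leaves the exact numbers to "system controls".
MIN_LENGTH = 12
SEQUENCE_RUN = 4   # e.g. "abcd" or "9876" counts as a logical sequence
REPEAT_RUN = 3     # e.g. "aaa" counts as repetition

# Constructed sample of commonly used terms; a deployment would load a full word list.
COMMON_TERMS = {"password", "qwerty", "welcome", "letmein", "admin"}


@dataclass
class UserProfile:
    """Personal details the policy says a password must not be deduced from (assumed fields)."""
    name: str
    date_of_birth: str   # ISO form, e.g. "1990-05-17"
    phone: str


def _personal_tokens(profile: UserProfile) -> set[str]:
    """Name parts, phone digits and date-of-birth fragments, lower-cased."""
    tokens = {part.lower() for part in profile.name.split()}
    dob = re.sub(r"\D", "", profile.date_of_birth)               # "19900517"
    tokens |= {re.sub(r"\D", "", profile.phone),                  # phone digits
               dob, dob[:4], dob[6:8] + dob[4:6] + dob[:4]}       # yyyymmdd, yyyy, ddmmyyyy
    return {t for t in tokens if len(t) >= 3}


def _has_sequence(pw: str) -> bool:
    """True if any SEQUENCE_RUN characters step by exactly +1 or -1 (abcd, 4321)."""
    for i in range(len(pw) - SEQUENCE_RUN + 1):
        window = pw[i:i + SEQUENCE_RUN]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _has_repetition(pw: str) -> bool:
    """True if any character is repeated REPEAT_RUN times in a row."""
    return re.search(r"(.)\1{%d,}" % (REPEAT_RUN - 1), pw) is not None


def password_violations(pw: str, profile: UserProfile) -> list[str]:
    """Return the policy criteria a candidate password fails; an empty list means acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short for system controls")
    if any(tok in low for tok in _personal_tokens(profile)):
        problems.append("deducible from name, date of birth or phone number")
    if any(term in low for term in COMMON_TERMS):
        problems.append("contains a commonly used term")
    if _has_sequence(pw):
        problems.append("contains a logical sequence of letters or digits")
    if _has_repetition(pw):
        problems.append("contains repeated characters")
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("must mix letters, numbers and symbols")
    return problems
```

Periodic change and non-reuse across accounts are procedural rules that a checker cannot see at selection time; they belong to the account-management process, not to this function.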