1. Principles and Rationale
Background
According to the Royal Decree on Criteria and Procedures for Electronic Government Transactions B.E. 2549 (2006), particularly Sections 5, 7, and 8 issued under the authority of Section 35 of the Electronic Transactions Act B.E. 2544 (2001), government agencies are required to establish a written Information Security Policy and Practices to ensure that operations and services are secure, reliable, and internationally recognized.
Furthermore, based on the Notification of the Electronic Transactions Commission on Guidelines for Information Security Practices in Government Agencies B.E. 2553 (2010), state agencies must maintain a formal written policy regarding information security.
Suratthani Rajabhat University, therefore, has formulated this policy and guidelines to ensure that its information technology systems are managed appropriately, effectively, and securely. The aim is to ensure continuity of service, protect against threats, and comply fully with relevant laws, including preparation for future IT-related legislation, and to prevent issues arising from improper use or malicious threats.
2. Objectives
Suratthani Rajabhat University sets forth this Information Security Policy and Practices with the following objectives:
2.1 To establish security standards for the use of the university’s IT and communication systems in compliance with relevant laws and regulations.
2.2 To ensure trust in the security and efficiency of the university’s IT systems and communication operations.
2.3 To disseminate the policy and practices to executives, faculty, staff, and students so that they understand, appreciate, and strictly follow them.
2.4 To create a systematic process for regular audit and risk assessment of information and IT systems at least once per year.
2.5 The President, as the Chief Executive Officer (CEO) of the university, is accountable for any risks, damages, or harms to the university or individuals arising from system failures, negligence, or violation of this policy.
2.6 This policy must be reviewed, audited, and updated at least annually or whenever significant changes occur.
3. Policy Goals
The goals of this policy are:
3.1 To promote and support information security in line with the university’s mission and policies.
3.2 To govern IT operations to ensure systems are accurate, complete, and available.
3.3 To raise awareness and understanding among all stakeholders, both internal and external.
3.4 To monitor, assess, and revise the information security policy and practices in response to changing circumstances.
4. Components of the Policy
This Information Security Policy and Practices is structured to align with the university’s strategic approach to information security, comprising:
Definitions
Part 1: Information Access Control Policy
- Information access control within the university
- User access management
- User responsibilities
- Network access control
- Use of the Internet
- Server management
- Electronic mail usage and control
- Operating system access control
- Server access control
- Public computer access control
- Application and information system access control
- Traffic log management
- System administrator responsibilities
- Use of social networks
- Physical and environmental security
Part 2: Backup and Recovery Policy
Part 3: Verification and Information Risk Assessment Policy
Part 4: Information Security Awareness Policy
Each section includes objectives, standards, guidelines, and procedures that collectively ensure the university’s IT infrastructure remains secure and resilient. Compliance with this policy is mandatory for all staff, system users, and external agencies that interact with the university’s IT systems.
Definitions
The following definitions apply throughout this Information Security Policy and Practices document:
1. University refers to Suratthani Rajabhat University.
2. Information Security refers to the security of information and communication technology systems at Suratthani Rajabhat University.
3. Supervisor refers to individuals with decision-making authority according to the University’s administrative structure.
4. Computer and Information Center refers to the Computer and Information Center under the Office of Academic Resources and Information Technology, Suratthani Rajabhat University.
5. Chief Information Officer (CIO) refers to an executive or senior manager assigned by the University President to be responsible for ICT operations, in accordance with the Cabinet Resolution dated June 9, 1998.
6. Director of the Computer Center refers to the Director or Deputy Director of the Office of Academic Resources and Information Technology, responsible for overseeing the Computer and Information Center.
7. Standard means a rule or basis for practical implementation to achieve the intended objective.
8. Procedure refers to detailed, step-by-step instructions that must be followed to achieve the specified standard.
9. Guideline refers to non-compulsory suggestions that help users achieve goals more efficiently.
10. User refers to individuals authorized to access, use, or manage the University’s information technology systems. Their rights and responsibilities vary according to roles assigned by the University:
   10.1 Executives include the President, Vice Presidents, Deans, Directors of Institutes, Offices, Centers, and equivalent positions.
   10.2 System Administrators are staff assigned to manage servers, network systems, databases, or information systems.
   10.3 Officers include civil servants, university employees, government employees, and both permanent and temporary staff.
   10.4 Students are officially enrolled students of Suratthani Rajabhat University.
11. User Access Rights refer to general, specific, privileged, and other types of access rights related to the University’s information systems.
12. External Agencies refer to outside organizations granted access to the University’s data or assets under specified roles and responsibilities, with confidentiality obligations.
13. Information Technology System includes systems that employ IT, computers, and networks to produce, manage, and communicate information. Components include:
   13.1 Computer Systems comprising hardware, software, and personnel (peopleware) used for data processing.
   13.2 Computer Networks, including:
      - LAN/Intranet: Internal networks connecting computers within the University.
      - Internet: External connections to global internet systems.
   13.3 Data includes personal data, commands, or any processable digital information.
   13.4 Information refers to processed and organized data made understandable and usable.
14. Information System Workspace includes:
   14.1 General Working Area for desktops and laptops
   14.2 System Administrator Area
   14.3 IT Equipment or Network Area
   14.4 Data Storage Area
15. Data Owner means an individual authorized to manage and be accountable for specific datasets.
16. Assets refer to data, systems, and IT-related items of value such as network equipment or licensed software.
17. Email refers to the system used for sending and receiving messages including text, images, graphics, video, and audio via computer networks, using protocols such as SMTP, POP3, and IMAP.
18. Account means a registered user ID and password for accessing University IT systems.
19. Password refers to characters used to verify identity and restrict unauthorized access to systems and data.
20. Malicious Code means any code that harms, modifies, or disrupts system operations.
21. Threats are possible or unwanted events that could damage the University’s information systems.
22. Vulnerabilities refer to weaknesses in assets or controls that could be exploited by threats.
23. Information Access or Control refers to permissions or rights granted for accessing or using networks or systems, including external access, and may also define rules to prevent unauthorized access.
Part 1: Information Access Control Policy
Objectives
- To provide a clear practice framework to ensure information security in controlling access to the University’s information systems.
- To ensure all users, system administrators, and relevant personnel understand and strictly comply with user account management procedures.
Responsible Units
- Computer and Information Center
- Assigned system administrators
- Designated officers
Reference Standards
- Standards for Information Security in Electronic Transactions
Guidelines
1. Information Access Control
1.1 Maintain an inventory or registry of information assets, categorized by resource groups or tasks, and define user groups and their access rights.
1.2 Define levels of access rights to University data and information as follows:
- No access
- Read-only
- Create
- Input
- Edit
- Delete
- Approve usage
1.3 Classify University information into six primary types:
- Student information
- Personnel information
- Financial and accounting information
- Academic information
- Administrative information
- Computer traffic data
1.4 Define four levels of data confidentiality:
- Confidential: Access only by owners or directly responsible persons
- Internal Use Only: Communicated within subgroups or departments
- Personal: Used solely by designated individuals or units
- Public: Openly accessible within and outside the University
1.5 Criteria for classifying data confidentiality levels:
- Confidential: Only owners or assigned personnel may access
- Internal Use Only: Shared within teams or departments only
- Personal: Individual or assigned staff use only
- Public: Open for public or institutional distribution
1.6 Define access levels as follows:
- Executive-level access
- Operational-level access based on job function
- System administrator access
- Individual-level access
- General user access
1.7 Criteria for access level classification:
- Executives: Access granted based on authority and command level
- Operational Staff: Access based on assigned responsibilities
- System Administrators: Access and control as assigned within their roles
1.7 Delegation of Access Rights
1.7.4 Individuals may access only their own personal data and other information they have been authorized to access.
1.7.5 General users may access only authorized data and may view, input, edit, or delete data they themselves created.
1.7.6 Special access privileges can only be granted upon approval by the authorized person or data owner.
1.7.7 Delegation of access rights must be approved by the data owner or responsible department.
1.8 Primary Responsible Units for Data Access Authorization
Each type of University data shall be assigned to a primary responsible unit as follows:
1.8.1 Student Data – Office of Academic Promotion and Registration
1.8.2 Personnel Data – Personnel Division
1.8.3 Financial and Accounting Data – Finance Division
1.8.4 Academic Data – Office of Academic Promotion and Registration
1.8.5 Administrative Data – Assigned administrative departments
1.8.6 Computer Traffic Data – Computer and Information Center
The access permission, privilege settings, and delegation of access must comply with University policies.
1.9 Change Management
1.9.1 For any changes affecting current data and information systems:
(1) Develop a change implementation plan, including necessary budgeting.
(2) Notify relevant personnel in advance to allow adequate preparation.
(3) Verify the integrity of data after the change.
1.9.2 Source codes and libraries for all information systems must be stored securely, including both current and previous versions, for restoration if needed.
1.10 Role-Based Access Rights
1.10.1 Access to the University’s information systems must be granted as follows:
(1) Students gain access upon enrollment and lose access 90 days after graduation or withdrawal.
(2) Personnel receive access based on their assigned duties, which is revoked upon termination.
(3) Executives receive access based on assigned responsibilities and lose access upon leaving their roles.
(4) External parties are granted temporary access within a defined scope and duration.
1.10.2 Access restrictions by role:
(1) Students – limited to permitted systems only.
(2) Personnel – based on standard rights and assigned duties.
(3) Executives – based on responsibilities and roles.
(4) External parties – as specifically authorized.
1.11 Time-Based Access Control
1.11.1 System access may occur during:
(1) Official hours: 08:30–17:00
(2) After-hours: Post 17:00
(3) Public holidays and weekends
1.11.2 For high-risk or sensitive systems, stricter session timeouts must be enforced to prevent unauthorized access.
1.12 Revocation of Access Rights
Access rights shall be revoked under the following conditions:
1.12.1 Expired user account
1.12.2 Changes in assigned access level
1.12.3 Suspension due to disciplinary or security concerns
1.13 Annual Review of Access Rights
1.13.1 System administrators must print a list of users by department and submit it annually to the access-requesting units for review. The review will confirm whether any names should be removed or revised.
1.13.2 Departments must report necessary changes back to system administrators.
1.13.3 System owners must routinely verify user qualifications and access rights. Any updates must be applied promptly to reflect appropriate levels of system access.
1.14 Access Channels
Access to systems and data may occur via:
1.14.1 Internal University network
1.14.2 External network (e.g., VPN, remote login)
1.14.3 Designated secured platforms provided by the University
Part 2: User Access Management
2.1 User Awareness
2.1.1 Develop training courses to raise awareness about information security.
2.1.2 Train users to correctly access and use information systems, and to understand the risks and impacts of improper or careless data usage.
2.1.3 Display informational posters or short tips about good practices in an easily understandable format.
2.2 User Account Classification
University information system accounts must be created to control access to University systems and information. Each user must be assigned a unique account, with no duplication. Users are categorized into four groups:
2.2.1 University executives
2.2.2 University staff, guest lecturers, researchers, and institutional guests
2.2.3 University students
2.2.4 Other authorized individuals
2.3 User Registration
2.3.1 Students – Each new student receives an account after the Office of Academic Promotion and Registration inputs their data into the student information system.
2.3.2 University personnel, including guest lecturers, researchers, and institutional guests – Accounts are created by the Computer and Information Center after the Personnel Division or the related faculty/department enters their data.
2.3.3 Other accounts requested by departments – The requesting department must:
(1) Download and complete the designated request form, and submit it to the Computer and Information Center.
(2) The Computer and Information Center will create the account as per the form and notify the responsible person via email or phone.
(3) The requesting unit will be held responsible for any damage caused by misuse of the issued account.
(4) To change the responsible person for an account, written notice signed by a department executive is required, stating the old and new responsible persons, their account names, and contact details.
(5) To cancel an account, the responsible department must send a signed written request specifying the number of accounts to be terminated.
2.3.4 Other authorized individuals – For example, those working in independent organizations may apply for an account by contacting the Computer and Information Center. They must present a letter of approval from a faculty-level administrator or higher, along with a certified true copy of their national ID or passport.
2.4 Account Management
2.4.1 Personnel account management must be done through designated representatives. The department head must submit the representative’s name in writing to the director of the Computer and Information Center, including:
- Department name
- Full name of the representative
- Username
- Email
- Phone number
2.4.2 To change the department representative, the department must notify the Computer and Information Center in writing, signed by the department head, and include the previous and new representative’s information.
2.5 User Privileges Management
2.5.1 If a staff member resigns or changes roles, their system access rights must be immediately updated or revoked.
2.5.2 Any request to change user privileges must be in writing and include reasons and necessity.
- Must be signed by the department head
- Sent to the relevant primary responsible unit
- A copy must be retained by both the requester and approver
- The primary unit must forward approval to the system administrator
2.5.3 System administrators have authority to suspend access rights if a user violates the access control policy.
2.5.4 For special privileges, strict control must be enforced and approved by the University President or authorized delegate. Considerations include:
- Strict usage monitoring
- Time-limited access with automatic deactivation
- Mandatory password changes after use or every 3 months for prolonged access
2.6 Password Management
2.6.1 System administrators must define secure password setting and changing procedures.
2.6.2 Temporary passwords must be complex and unique.
2.6.3 Temporary passwords should not be sent via email. Alternative secure delivery methods must be used.
Part 3: User Responsibilities and Device Protection
3.1 Use of User Accounts and Passwords
3.1.1 Users must protect and maintain the confidentiality of their user accounts and passwords. Each individual must use their own personal account and must not share or disclose their password to others.
3.1.2 Users must change their password immediately if they suspect it may have been exposed or compromised.
3.2 Password Usage
3.2.1 Users must change their password periodically as specified by the University.
3.2.2 Passwords must not be based on identifiable personal information, such as first or last names, nicknames, parent names, department names, or dictionary words. Passwords must contain at least 8 characters, combining letters (uppercase/lowercase), numbers, and special symbols.
3.2.3 Do not use automatic password-saving features in software applications.
3.2.4 Do not write down or store passwords in visible or easily accessible places.
3.2.5 Avoid using the same password across multiple systems with access privileges.
3.2.6 Keep your account credentials strictly confidential.
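The composition rule in 3.2.2 (at least 8 characters; upper- and lowercase letters, digits and symbols; no names, department names or dictionary words) can be enforced at account creation or password change. The checker below is an added example, not the University's own code: the word list is a constructed sample, the personal terms (names, nickname, parents' names, department) are assumed to be supplied by the caller, and the simple "leetspeak" normalization that catches spellings such as `P@ssw0rd` is an assumption that goes slightly beyond the text.

```python
"""Password composition check for section 3.2.2 (added example, not the
University's own code).

Assumptions not stated in the policy: DICTIONARY is a small constructed word
list standing in for a full one, personal terms come from the caller, and
common character substitutions are undone before matching words."""
import re

MIN_LENGTH = 8
MIN_WORD_MATCH = 4   # ignore dictionary words shorter than this when matching

# Constructed sample; a real deployment would load a complete word list.
DICTIONARY = {"password", "welcome", "university", "student", "summer", "secret"}

# Undo common substitutions so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(text: str) -> str:
    """Lowercase, undo substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def check_password(password: str, personal_terms=(), dictionary=DICTIONARY) -> list:
    """Return the list of violated 3.2.2 rules; an empty list means it passes.

    personal_terms: first/last name, nickname, parents' names, department name.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not re.search(r"[a-z]", password):
        violations.append("no_lowercase")
    if not re.search(r"[A-Z]", password):
        violations.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        violations.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no_symbol")

    normalized = _normalize(password)
    for term in personal_terms:
        t = _normalize(term)
        if len(t) >= 3 and t in normalized:
            violations.append("contains_personal_info")
            break
    for word in dictionary:
        w = _normalize(word)
        if len(w) >= MIN_WORD_MATCH and w in normalized:
            violations.append("contains_dictionary_word")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, terms in [("P@ssw0rd!", ()), ("Somchai2024!", ("Somchai", "Jaidee")),
                      ("abc", ()), ("Tq7#mZ9!xL", ())]:
        print(repr(pw), "->", check_password(pw, terms) or "OK")
```

The ordering of checks matters for user feedback: length and character-class failures are reported first because they are the cheapest to explain, and the personal-term check runs before the dictionary check because a name match is the more specific reason to reject.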
3.3 Device Protection When Unattended
3.3.1 Users must enable screen saver or screen lock mechanisms requiring a password after inactivity.
3.3.2 Users must lock their device or computer when unattended.
3.3.3 System administrators must raise awareness among users regarding protective measures.
3.4 Equipment Placement and Protection
3.4.1 Devices must be placed in suitable areas to prevent loss or unauthorized use.
3.4.2 Sensitive equipment should be stored in secure locations.
3.4.3 Regular inspections of IT environments must be conducted, including monitoring temperature and humidity levels to protect equipment integrity.
3.5 Information Asset Control and Computer Usage
3.5.1 Documents, data, storage media, and computers must be stored securely.
3.5.2 Access to data or information assets must be restricted to owners or designated individuals with written authorization.
3.5.3 Measures must be taken to securely erase or overwrite sensitive data on storage devices before allowing others to use them.
3.5.4 Back up and delete stored data before sending a computer for repair to prevent unauthorized access.
3.5.5 Users may apply encryption for confidential information, following the Official Secrets Act B.E. 2544.
3.5.6 Establish guidelines for data/document retention and destruction in compliance with applicable laws and University regulations.
3.5.7 All software installed on University computers must be legally licensed. Users are prohibited from copying or using the software for personal devices or sharing it with others.
3.5.8 Important University data must not be stored on personal computers or devices.
3.5.9 Data stored on any media must be cleared before replacement or transfer.
3.5.10 Data must be securely deleted or formatted before equipment is destroyed, replaced, or disposed of.
Part 4: Data Backup and Network Access Control
3.5.11 Inactive Data Deletion and Archiving
Data that has not been accessed for over 5 years must be removed from the database and backed up onto external hard drives or designated backup media. These backups must be stored securely in locations that minimize the risk of data leakage. Any deletion or destruction of electronic data must be approved by an authorized officer before removal from the system.
3.6 Protection Against Malicious Software
3.6.1 Users must install and regularly update antivirus and anti-malware software.
3.6.2 Operating systems, web browsers, and all applications must be regularly updated to address security vulnerabilities.
3.6.3 Before transmitting data over networks or using any storage media, users must scan for malware.
3.6.4 Users must scan executable files (e.g., .exe, .bat, .vbs, .doc.exe) before opening them.
4. Network Access Control
4.1 Accessing the University Network
4.1.1 Network access must be authenticated using University-issued accounts.
4.1.2 Users may only access services permitted by their account privileges.
4.1.3 External access to the University network must be strictly necessary and secured with enhanced measures.
4.1.4 Servers exposed to the internet must be registered with the Computer and Information Center.
4.1.5 Access to shared networks and device ports must be strictly controlled.
4.1.6 Network inspection tools may be used only with administrator approval.
4.1.7 Temporary accounts must be issued for users without a University account, with identity verification enforced.
4.2 Wireless LAN Access Control
4.2.1 Users must register for wireless LAN access and be approved by the Computer Center or network owner.
4.2.2 Wireless LAN administrators must:
(1) Assign access rights based on users’ job roles and review them periodically.
(2) Register all access points with administrator approval.
(3) Limit wireless signal coverage to avoid signal leakage and external access.
(4) Change the SSID from the default value.
(5) Change default admin usernames/passwords on access points to strong credentials.
(6) Encrypt connections using protocols like WPA2 or better.
(7) Use firewalls between wireless and internal networks.
(8) Regularly monitor the wireless network with software/hardware tools and report suspicious activity immediately.
4.3 Device Identification
4.3.1 Devices connecting to the network must receive assigned IP addresses.
4.3.2 MAC address logs must be maintained via DHCP servers or Layer 3 switch ARP tables.
4.4 Securing Network Management Ports
4.4.1 Limit access to network configuration ports/IP addresses.
4.4.2 Set strong passwords for direct device access.
4.4.3 External connections to these ports must be through secure channels like VPN.
4.4.4 Critical network equipment must be stored in secured rooms.
4.4.5 Disable unused ports or services on network devices.
4.4.6 Perform regular weekly inspections to close unnecessary ports.
4.5 Network Segregation
4.5.1 Network diagrams must be created clearly outlining boundaries and areas of access.
Part 5: Network Segmentation, Internet Usage, Server and Email Management
4.5 Network Segmentation
4.5.1 Segment internal and external networks and devices; keep documentation current.
4.5.2 Segment networks by service groups, user groups, and operational systems.
4.5.3 Use firewalls to subdivide internal networks into smaller segments.
4.5.4 Use gateways to control internal and external access in accordance with network access policies.
4.6 Network Connection Control
4.6.1 Only allow connections from specified IP addresses.
4.6.2 External connections must have intrusion detection systems and malware detection capabilities.
4.7 Network Routing Control
4.7.1 Only allow routes among designated IP address groups.
4.7.2 Use gateways to filter network traffic.
4.7.3 Verify source and destination IP addresses.
4.7.4 Control data flow through the network.
4.7.5 Define routing paths aligned with access and service usage policies.
4.7.6 Limit direct routes to servers, restricting alternate routes.
4.8 User Authentication for External Connections
4.8.1 Users must always identify themselves with a username.
4.8.2 External users must be pre-approved.
4.8.3 Identity verification must include username and password for all system access.
Part 5: Use of the Internet
5.1 Internet access must go through University-designated secure systems based on user rights.
5.2 Prohibit personal commercial use of the University’s internet.
5.3 Do not visit inappropriate websites (immoral, national security threats, copyright violations, etc.).
5.4 Downloading software or updates must respect copyright and intellectual property.
5.5 Avoid internet services that consume high bandwidth for prolonged periods.
Part 6: Server Management
6.1 Appoint a designated administrator for each server in writing.
6.2 Define procedures for checking server integrity; resolve and log any irregularities.
6.3 Set server clocks to official University time references.
6.4 Enable only necessary services; apply additional security for high-risk services.
6.5 Keep all software up to date to address vulnerabilities.
6.6 Test security and performance before and after any update or maintenance.
6.7 Only system administrators may install or connect servers.
Part 7: Email Usage and Control
7.1 Students use student ID-based emails; default password is their national ID, which must be changed upon first login.
7.2 Staff must submit a registration form to use the SRU email system.
7.3 Do not use others’ email addresses to send or read messages.
7.4 Avoid indicating email sensitivity in the subject line.
7.5 Keep email account credentials confidential.
7.6 Always log out after use.
7.7 Carefully check attached links or files to avoid phishing.
7.8 Do not send personal sensitive information (e.g., passwords, ID numbers, credit card numbers) via email.
Part 8: Operating System Access Control
8.2 Secure Login Procedures
8.2.1 The system must not display critical system details before the login process is completed.
8.2.2 The system should terminate connections from client machines attempting to guess passwords.
8.2.3 Implement time limits to protect passwords from brute-force attempts.
8.2.4 Direct access to the operating system via command-line interfaces should be restricted due to the risk of system damage.
8.3 User Identification and Authentication
8.3.1 Users must log into University information systems using their unique usernames and passwords.
8.3.2 Additional authentication methods such as smart cards, RFID, fingerprint readers, or other secure technologies may be implemented.
8.4 Password Management System
8.4.1 Limit the number of incorrect password attempts. Accounts should be locked after the set limit, requiring admin intervention to restore access.
8.4.2 Automatically terminate connections when password guessing is detected.
8.4.3 Allow users to change and confirm their own passwords securely.
8.4.4 Store password files separately from application system data.
8.4.5 Hide password input by displaying dots or asterisks instead of characters.
8.4.6 After installation, default usernames must be changed or removed immediately.
8.5 Use of System Utilities
8.5.1 Restrict and carefully authorize access to system utilities.
8.5.2 Store unused utilities on external storage if not regularly used.
8.5.3 Log all usage of such utilities.
8.5.4 Remove unnecessary utility software from the system.
8.5.5 All installed software must be legally licensed.
8.5.6 Users are prohibited from copying software for unauthorized distribution.
8.6 Session Timeout
8.6.1 Inactive sessions must timeout after a maximum of 30 minutes; for high-risk systems, shorten this to 15 minutes as appropriate.
8.6.2 Systems should automatically terminate sessions and disconnect applications when inactive.
8.6.3 Devices in high-risk locations must shut down automatically after a defined idle period.
8.7 Limitation of Connection Time
8.7.1 Set connection time limits for high-risk or critical information systems, such as a maximum of 3 hours per session during official hours only.
8.7.2 Adjust connection time based on the risk level of the access location.
8.7.3 High-risk systems used in public or off-campus locations must have restricted connection windows.
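Sections 8.4.1, 8.4.2, 8.6.1 and 8.6.2 together describe a small piece of login and session logic: count failed attempts, lock the account at the limit until an administrator restores it, and terminate sessions that have been idle for more than 30 minutes (15 for high-risk systems). The class below is an added example, not the University's own code; the limit of five failed attempts is an assumed value (the policy only says "the set limit"), the user table is in memory, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login limiting and idle-session expiry for sections 8.4.1, 8.4.2,
8.6.1 and 8.6.2 (added example, not the University's own code)."""
import hashlib
import hmac
import os
import secrets
import time

MAX_FAILED_ATTEMPTS = 5                   # assumed value; the policy says only "the set limit"
IDLE_TIMEOUT_SECONDS = 30 * 60            # 8.6.1: 30 minutes maximum
HIGH_RISK_IDLE_TIMEOUT_SECONDS = 15 * 60  # 8.6.1: 15 minutes for high-risk systems
_DUMMY_SALT = bytes(16)                   # so unknown users cost the same time as known ones


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; where the hashes are stored (8.4.4) is outside this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthGuard:
    """In-memory authenticator that locks accounts and expires idle sessions."""

    def __init__(self, clock=time.monotonic, high_risk: bool = False):
        self._clock = clock
        self._timeout = HIGH_RISK_IDLE_TIMEOUT_SECONDS if high_risk else IDLE_TIMEOUT_SECONDS
        self._users = {}      # username -> (salt, password hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._locked = set()  # usernames needing admin intervention (8.4.1)
        self._sessions = {}   # session token -> (username, last activity time)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Return a session token on success, None otherwise.

        Reaching the limit locks the account so that further attempts, even
        with the correct password, are refused (8.4.1 / 8.4.2)."""
        if username in self._locked:
            return None
        salt, expected = self._users.get(username, (_DUMMY_SALT, None))
        actual = _hash_password(password, salt)
        if expected is None or not hmac.compare_digest(actual, expected):
            count = self._failures.get(username, 0) + 1
            self._failures[username] = count
            if count >= MAX_FAILED_ATTEMPTS:
                self._locked.add(username)
            return None
        self._failures[username] = 0
        token = secrets.token_hex(16)
        self._sessions[token] = (username, self._clock())
        return token

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def admin_unlock(self, username: str) -> None:
        """The administrator intervention 8.4.1 requires to restore access."""
        self._locked.discard(username)
        self._failures[username] = 0

    def touch(self, token: str):
        """Validate a session on each request; returns the username or None.

        A session idle longer than the timeout is removed, which is the
        automatic termination required by 8.6.2."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > self._timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)
        return username


def walkthrough() -> dict:
    """Drive a high-risk guard with a fake clock and return what was observed."""
    now = [0.0]
    guard = AuthGuard(clock=lambda: now[0], high_risk=True)
    guard.register("alice", "Tq7#mZ9!xL")          # constructed sample account
    out = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.login("alice", "wrong-password")
    out["locked_after_limit"] = guard.is_locked("alice")
    out["correct_password_while_locked"] = guard.login("alice", "Tq7#mZ9!xL")
    guard.admin_unlock("alice")
    token = guard.login("alice", "Tq7#mZ9!xL")
    out["login_after_unlock"] = token is not None
    now[0] += 14 * 60                                 # under the 15-minute limit
    out["active_before_timeout"] = guard.touch(token)
    now[0] += 15 * 60 + 1                             # now idle longer than allowed
    out["active_after_timeout"] = guard.touch(token)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Note that the failure counter is keyed by username rather than by client address: 8.4.1 is about protecting the account, so an attacker cannot avoid the lock by rotating source addresses, while the unknown-user path still performs a hash so that timing does not reveal which usernames exist.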
Part 9: Server Access Control
9.1 Unit heads must designate authorized personnel with access rights to server operating systems.
9.2 Users must log in with their own credentials.
9.3 System details must not be displayed before a login is successfully completed.
9.4 Servers must be configured to disconnect users attempting to guess passwords.
9.5 System administrators must immediately suspend services upon detecting unusual or insecure usage.
9.6 Installation of unauthorized or externally sourced software is prohibited.
9.7 Server administrators must routinely inspect systems for unauthorized software or data.
9.8 All servers must have malware protection software installed.
9.9 Clearly define roles and procedures for handling malware, including reporting, analysis, remediation, and recovery.
9.10 Regularly follow news and updates about new malware threats.
9.11 Raise awareness among administrators and users on how to prevent and respond to malware incidents.
Part 10: Public Computer Access Control
10.1 Users must authenticate themselves using their personal username and password.
10.2 The system must not display critical system information before successful login.
10.3 The system must be configured to terminate connections upon detection of password guessing attempts.
10.4 The system must limit user permissions for installing, modifying, or deleting programs or data on the machine.
Part 11: Application and Information Access Control
11.1 Access Restrictions
11.1.1 User Access Restrictions
(1) Users may only access information as authorized.
(2) Personal data access must be appropriately restricted.
(3) Users must immediately log out of the system after use.
11.1.2 Personnel Classification for Information System Roles
University IT personnel are classified into three groups with clearly defined written responsibilities:
- System Administrators
- System Developers
- System Users
11.1.3 Logging Information Access Activities
System activity logs must include:
(1) Username
(2) Login timestamp
(3) Logout timestamp
(4) Significant system events
(5) Successful and unsuccessful login attempts
(6) Successful and unsuccessful resource access attempts
(7) Use of special privileges (e.g., admin rights)
(8) File access and actions (open, close, read, write)
(9) IP address of the accessing device
(10) Disabling of intrusion prevention systems
(11) Disabling of critical systems
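A log that is missing any of the fields listed in 11.1.3 cannot support the reviews and investigations the policy expects, so it is worth validating records as they are ingested rather than discovering gaps during an incident. The script below is an added example, not the University's own tooling: the JSON line format, the field and event names, and the sample log lines are all constructed for illustration. It rejects records that lack a required field, then runs two of the checks a reviewer would want over the clean records: repeated failed logins from one address (item 5 with item 9) and any disabling of protective or critical systems (items 10 and 11).

```python
"""Validation and review of access logs per section 11.1.3 (added example,
not the University's own tooling; format, field names and sample lines are
constructed)."""
import json
from collections import Counter
from datetime import datetime

REQUIRED_FIELDS = ("timestamp", "user", "event", "outcome", "src_ip")

# Constructed event names, each mapped to the 11.1.3 item it records.
KNOWN_EVENTS = {
    "login": 5, "logout": 3, "system_event": 4, "resource_access": 6,
    "privilege_use": 7, "file_op": 8, "ips_disabled": 10,
    "critical_system_disabled": 11,
}
CONTROL_CHANGE_EVENTS = ("ips_disabled", "critical_system_disabled")

# Constructed sample log: three failed logins from one address, one
# privileged action, one IPS being disabled, one record missing src_ip,
# and one line that is not JSON at all.
SAMPLE_LOG = "\n".join([
    '{"timestamp":"2024-05-01T08:31:02","user":"s6412345","event":"login","outcome":"failure","src_ip":"203.0.113.7"}',
    '{"timestamp":"2024-05-01T08:31:20","user":"s6412345","event":"login","outcome":"failure","src_ip":"203.0.113.7"}',
    '{"timestamp":"2024-05-01T08:31:41","user":"admin","event":"login","outcome":"failure","src_ip":"203.0.113.7"}',
    '{"timestamp":"2024-05-01T08:32:05","user":"jdoe","event":"login","outcome":"success","src_ip":"10.10.4.21"}',
    '{"timestamp":"2024-05-01T08:40:11","user":"jdoe","event":"privilege_use","outcome":"success","src_ip":"10.10.4.21","detail":"sudo"}',
    '{"timestamp":"2024-05-01T08:45:00","user":"ops1","event":"ips_disabled","outcome":"success","src_ip":"10.10.1.5"}',
    '{"timestamp":"2024-05-01T08:50:13","user":"jdoe","event":"logout","outcome":"success"}',
    'not json at all',
])


def validate_record(rec: dict) -> list:
    """Return the problems with one record; an empty list means it is usable."""
    problems = [f"missing:{f}" for f in REQUIRED_FIELDS if f not in rec]
    if "timestamp" in rec:
        try:
            datetime.fromisoformat(rec["timestamp"])
        except (TypeError, ValueError):
            problems.append("bad:timestamp")
    if "event" in rec and rec["event"] not in KNOWN_EVENTS:
        problems.append("bad:event")
    if "outcome" in rec and rec["outcome"] not in ("success", "failure"):
        problems.append("bad:outcome")
    return problems


def parse_log(text: str):
    """Split a log into (usable records, [(line number, problems), ...])."""
    good, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((number, ["unparseable"]))
            continue
        problems = validate_record(rec)
        if problems:
            rejected.append((number, problems))
        else:
            good.append(rec)
    return good, rejected


def failed_logins_by_ip(records, threshold: int = 3) -> dict:
    """Addresses with at least `threshold` failed logins (items 5 and 9)."""
    counts = Counter(r["src_ip"] for r in records
                     if r["event"] == "login" and r["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def control_changes(records) -> list:
    """Every disabling of an IPS or critical system (items 10 and 11) for review."""
    return [(r["timestamp"], r["user"], r["event"])
            for r in records if r["event"] in CONTROL_CHANGE_EVENTS]


if __name__ == "__main__":
    good, rejected = parse_log(SAMPLE_LOG)
    print("rejected:", rejected)
    print("failed logins by address:", failed_logins_by_ip(good))
    print("control changes:", control_changes(good))
```

Rejected records are reported with their line number rather than silently dropped; a stream of records missing `src_ip`, for instance, usually points at a misconfigured log source and should itself be treated as a finding.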
11.1.4 Secure Transmission of Sensitive Data
Data transmitted via public networks should use standard encryption protocols such as SSL, VPN, or XML Encryption.
11.1.5 Contractor (Outsource) Control
(1) Contractors must meet clearly defined qualifications (e.g., verified experience, references, certifications, technical readiness).
(2) Service contracts must include scope of work and deliverables in detail.
(3) The University must monitor and verify contractor operations (e.g., quality assurance, random inspections).
(4) Access control for contractors must follow the same standards as external users, with audit trails and use of test data instead of real data.
(5) Clear criteria and processes must be defined for acceptance of deliverables.
11.2 Protection of High-Impact or Critical Systems
11.2.1 Systems such as HR, student information, and financial systems must be isolated and clearly identified for their importance to the University.
11.2.2 Environmental controls for these systems must include:
- (1) Separate, secured rooms with limited access only for authorized personnel
- (2) Physically and logically separate systems from other IT systems
- (3) Protection from resource shortages
- (4) Monitoring systems for unauthorized data access attempts
11.3 Mobile Device and Remote Access Controls
11.3.1 Mobile Device Usage Guidelines (for personal and university-owned devices)
- (1) Secure or physically anchor devices in public or high-risk areas
- (2) Enable automatic screen lock or shut down when idle
- (3) Set secure passwords for portable computers
- (4) Do not share portable devices with others
- (5) Use antivirus software before accessing external media
- (6) Do not store critical University data on portable/mobile devices unless encrypted
- (7) Do not use portable devices as wireless access points within the University
- (8) Protect portable devices from malware, use legal and trusted software, and keep systems updated
- (9) Have incident response plans for lost/stolen devices (e.g., BIOS lock, file/hard disk encryption, tracking software)
11.3.2 Data Backup and Recovery
- (1) Users are responsible for backing up their data onto appropriate backup media such as CDs, DVDs, or external hard drives.
11.4 Teleworking
11.4.1 Remote system users must be authorized by the Chief Information Officer (CIO) and connect through a VPN system specified by the University, with proper authentication before accessing the system.
11.4.2 Communication systems between the telework location and internal systems must be secured.
11.4.3 Physical security measures must be implemented at telework locations to prevent unauthorized access or theft of equipment and remote intrusion into the system.
11.4.4 Remote users must not allow family, friends, or others to access the University’s information systems at their telework locations.
11.4.5 Personal devices used for remote access must have appropriate antivirus protection and firewalls installed.
11.4.6 The types of tasks allowed for teleworking, working hours, classification of permissible data, and accessible systems/services must be clearly defined.
12. Traffic Log Management
12.1 Each unit must assign a traffic log custodian and establish a Log Server to collect traffic data, ready for submission to the University’s traffic log custodian upon request.
12.2 Define methods for transferring traffic data from storage media to the unit’s centralized Log Server.
12.3 Log activities of servers and network systems, including user operations and intrusion prevention systems. Records should include usernames, source/destination IP addresses, protocols, and port numbers to support auditing, as per the Computer Crime Act.
12.4 Regularly audit user activity logs.
12.5 Implement methods to prevent modification or destruction of traffic data and restrict access only to authorized personnel.
13. Responsibilities of System Administrators
13.1 System Administrator Roles
Divided into three groups:
- Network Administrator
- Server Administrator
- Application Administrator
13.2 Responsibilities of Network Administrators
13.2.1 Maintain and inspect network devices and communication channels regularly. Immediately disable unused or unnecessary connections.
13.2.2 Retain only essential traffic data to identify users from session start to end. Data must be securely stored per legal retention periods using the following methods:
- (1) Confidential storage with access controls to preserve integrity and prevent unauthorized changes.
- (2) Logs must identify users individually.
- (3) Logs must be timestamped accurately.
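As an added illustration (not part of the University's policy text), the following Python checks whether constructed sample access-log records carry every item that 11.1.3 and 12.3 require, and chains the records with SHA-256 so that the after-the-fact modification forbidden by 12.5 and 13.2.2 can be detected; the field names and the sample records are this example's own assumptions.

```python
import hashlib
import json

# Field names are this example's assumption; the policy (11.1.3, 12.3) names the
# data to keep (user, timestamps, addresses, protocol, port, outcome), not a schema.
REQUIRED_FIELDS = ("username", "event", "timestamp", "src_ip",
                   "dst_ip", "protocol", "port", "outcome")

# Constructed sample records (not real traffic); the second one lacks src_ip.
SAMPLE_RECORDS = [
    {"username": "staff01", "event": "login", "timestamp": "2024-01-15T08:01:02+07:00",
     "src_ip": "10.0.5.21", "dst_ip": "10.0.1.10", "protocol": "tcp", "port": 443,
     "outcome": "success"},
    {"username": "staff01", "event": "file_read", "timestamp": "2024-01-15T08:03:40+07:00",
     "dst_ip": "10.0.1.10", "protocol": "tcp", "port": 445, "outcome": "success"},
]

def missing_fields(record):
    """Names of required fields that are absent or empty in one log record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]

def _digest(record, prev_digest):
    # Canonical JSON so that key order does not change the hash.
    payload = json.dumps(record, sort_keys=True) + prev_digest
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def chain_records(records):
    """Attach to each record a digest covering it and the previous digest (hash chain)."""
    prev = "0" * 64          # fixed genesis value for the first record
    chained = []
    for rec in records:
        d = _digest(rec, prev)
        chained.append({"record": dict(rec), "digest": d})
        prev = d
    return chained

def verify_chain(chained):
    """Return the index of the first record whose digest does not match, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(chained):
        if _digest(entry["record"], prev) != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["event"], "missing:", missing_fields(rec))
    chain = chain_records(SAMPLE_RECORDS)
    chain[1]["record"]["outcome"] = "failure"      # simulate editing a stored record
    print("first tampered index:", verify_chain(chain))
```

A record that fails `missing_fields` should be rejected at ingestion, and a non-negative result from `verify_chain` means every record from that index onward must be treated as untrustworthy.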
13.3 Responsibilities of Server Administrators
13.3.1 Monitor and maintain server functionality. Promptly address and mitigate any anomalies or threats. If the issue is caused by policy violations, notify the user to stop immediately or suspend access if necessary.
13.3.2 Install and update software patches to maintain server security.
13.3.3 Install appropriate anti-malware software.
13.3.4 Conduct server security checks.
13.3.5 Maintain and update server user account systems.
13.4 Responsibilities of Application Administrators
13.4.1 Maintain and update user accounts in application systems.
13.4.2 Keep an up-to-date inventory of information systems and related equipment.
13.5 System Administrator Governance
13.5.1 Do not access user data without valid reasons.
13.5.2 Do not violate user privacy or access personal data without cause.
13.5.3 Do not disclose confidential information obtained through duties without justification.
14. Use of Social Networks
14.1 Social network use must primarily serve official University purposes.
14.2 Users must not disclose sensitive or confidential University information on social networks.
14.3 Users must refrain from posting comments or messages that may harm the University’s reputation.
14.4 If users realize that a previous post might negatively affect the University, they must notify the Computer and Information Center promptly for appropriate actions.
15. Physical and Environmental Security
15.1 Physical Environment Management
15.1.1 Define the importance level of areas and classify usage zones accordingly.
15.1.2 Install intrusion prevention systems to comprehensively cover critical areas.
15.1.3 Regularly test physical intrusion prevention systems to ensure functionality.
15.2 Physical Access Control
15.2.1 Unrelated individuals are not allowed in critical areas.
15.2.2 Access to areas where important data is stored or processed must be restricted.
15.2.3 A clear access authorization mechanism for outsiders entering critical areas is required.
15.2.4 Authentication methods such as access cards or passwords must be used to control entry to critical zones (e.g., data centers).
15.2.5 Log entry and exit times of visitors and keep records for later review.
15.2.6 Maintain records of all equipment brought in and out.
15.2.7 Visitors must be supervised until their mission is complete to prevent property loss and unauthorized access.
15.2.8 External personnel must be controlled when bringing in computers or work-related equipment.
15.2.9 Visitors must be made aware of and follow the relevant rules during their visit.
15.2.10 Contractors and visitors must wear visible ID badges at all times while on-site.
15.2.11 Monitor and oversee the work of external personnel while they are in critical areas.
15.2.12 Regularly review or revoke access rights to critical zones.
15.3 Delivery Access Areas
15.3.1 Restrict access to product delivery or loading zones to prevent unauthorized entry.
15.3.2 Limit personnel who may access delivery areas.
15.3.3 Physically separate delivery zones from other University areas.
15.3.4 Inspect hazardous items before moving them to operational zones.
15.3.5 Register and count items delivered by vendors to comply with procurement and asset management regulations.
15.4 System Documentation Security
15.4.1 Store information system-related documents in secure locations.
15.4.2 Allow access to these documents only to authorized personnel.
15.4.3 Control access to documents published on public networks (e.g., internet) to prevent unauthorized modification or access.
15.5 Transport of University Assets Off-Site
15.5.1 Obtain authorization before removing University assets from the premises.
15.5.2 Record details of the removal and return of University-owned equipment.
15.5.3 University personnel must treat University assets with the same care as personal property.
15.6 Operational Support Systems
15.6.1 Ensure IT systems are supported by adequate infrastructure, including:
- (1) Uninterruptible Power Supply (UPS)
- (2) Backup generators
- (3) Ventilation systems
- (4) Air conditioning and humidity control systems
- (5) Fire protection systems
15.6.2 Regularly inspect and test all support systems to ensure reliability and minimize system failure risk.
15.6.3 Install alert systems to notify when support systems malfunction or shut down.
15.6.4 Create floor plans for IT systems and ensure relevant personnel are informed.
Backup and Recovery Policy
1. Disaster Recovery Site (DR Site)
1.1 Prepare an inventory of critical network and information systems that require backup sites, and review the inventory at least once a year.
1.2 The backup site must be located separately from the main system and must include the following controls:
- 1.2.1 Access control systems that allow entry only for authorized personnel
- 1.2.2 Backup power systems
- 1.2.3 Proper air conditioning and humidity control systems
- 1.2.4 Fire prevention systems
- 1.2.5 Adequate lighting systems
- 1.2.6 Backup communication or network systems
- 1.2.7 Alert systems in case support systems malfunction or shut down
1.3 Implement continuous maintenance plans for all backup systems.
2. Data Backup
2.1 Prepare an inventory of all critical information systems in each department to be backed up and review it at least annually.
2.2 Define specific backup methods for each system.
2.3 Set appropriate backup frequencies; systems with high importance or frequent changes must have more frequent backups.
2.4 Record data backup activities including: responsible personnel, date/time, file names, and success/failure status.
2.5 Ensure all related components of the system are backed up, such as software, databases, configuration files, and related devices.
2.6 Store backup data at the designated backup site.
2.7 Implement physical protection for the backup location.
2.8 Prepare contingency plans for cases where electronic means are not possible:
- 2.8.1 Define roles and responsibilities of involved personnel
- 2.8.2 Assess risks and define measures to mitigate them (e.g., prolonged power outage, fire, earthquake, protests)
- 2.8.3 Establish procedures for information system recovery
- 2.8.4 Establish procedures for data backup and test recovery of backup data
- 2.8.5 Review and update the emergency preparedness plan annually to ensure alignment with real usage scenarios
3. Data Recovery
3.1 Develop standard procedures for data recovery and regularly assess their effectiveness.
3.2 Regularly verify the integrity and accessibility of backup data.
3.3 Use the most up-to-date backup data (latest version) as appropriate for recovery.
3.4 Test data recovery from backups at least once per year.
4. System Readiness Testing
4.1 Test the readiness of the backup system, backup data, and emergency preparedness plans at least once per year.
Verification and Information Risk Assessment Policy
1. Verification of Information Security Policy Implementation
Conduct audits and verification of compliance with the University’s information security policies. Identify any non-compliant or at-risk systems and report to the University’s IT Security Committee for further action.
2. Risk Assessment Guidelines
Assess information security risks covering:
2.1 Risks from human errors, such as accidental data deletion or misconfigurations
2.2 Risks from internal threats, such as intentional data breaches by staff
2.3 Risks from external threats, such as cyberattacks or hacking attempts
2.4 Risks due to data or software loss
2.5 Risks from hardware failures or system malfunctions
2.6 Risks from physical damage, such as fire, flood, or equipment theft
3. Risk Assessment Methodology
Establish procedures for identifying risks and evaluating the potential severity of impacts. The assessment should consider:
3.1 The probability level of each identified risk
3.2 The severity level of potential consequences
3.3 The threats or events that could trigger the risk
3.4 Vulnerabilities or weaknesses that may be exploited
4. Reporting
Audit results and compliance with the University’s Information Security Policy must be included in the ICT performance monitoring and evaluation reports.
Part 4: Information Security Awareness Policy
Objective
To disseminate the policy and guidelines to all staff and relevant stakeholders, ensuring they understand and recognize the importance of information security and can apply it correctly.
Responsible Parties
- Computer and Information Center
- Assigned training units
- Assigned system administrators
- Designated officers
Standards Referenced
Standards for Electronic Transaction Security
Implementation Guidelines
- Develop training courses related to information security awareness, integrating policy guidelines into the department’s regular training programs.
- Educate users to raise awareness of threats and the consequences of careless or unintentional system usage, and establish preventive measures where applicable.
- Conduct regular training on the safe use of University information systems, especially when changes or updates are made.
- Provide user manuals for secure information system usage and publish them on the department’s website.
- Deliver security best practices and warnings in easily digestible formats (e.g., posters, brochures, website updates), rotating topics regularly.
- Encourage participation and hands-on implementation through monitoring, evaluation, and needs assessments from users.