Part 2: User Access Management
2.1 User Awareness
2.1.1 Develop training courses to raise awareness about information security.
2.1.2 Train users to correctly access and use information systems, and to understand the risks and impacts of improper or careless data usage.
2.1.3 Display informational posters or short tips about good practices in an easily understandable format.
2.2 User Account Classification
University information system accounts must be created to control access to University systems and information. Each user must be assigned a unique account, with no duplication. Users are categorized into four groups:
2.2.1 University executives
2.2.2 University staff, guest lecturers, researchers, and institutional guests
2.2.3 University students
2.2.4 Other authorized individuals
2.3 User Registration
2.3.1 Students – Each new student receives an account after the Office of Academic Promotion and Registration inputs their data into the student information system.
2.3.2 University personnel – Including guest lecturers, researchers, and institutional guests, accounts are created by the Computer and Information Center after the Personnel Division or related faculty/department enters their data.
2.3.3 Other accounts requested by departments – The requesting department must:
(1) Download and complete the designated request form, and submit it to the Computer and Information Center.
(2) The Computer and Information Center will create the account as per the form and notify the responsible person via email or phone.
(3) The requesting unit will be held responsible for any damage caused by misuse of the issued account.
(4) To change the responsible person for an account, written notice signed by a department executive is required, stating the old and new responsible persons, their account names, and contact details.
(5) To cancel an account, the responsible department must send a signed written request specifying the number of accounts to be terminated.
2.3.4 Other authorized individuals – For example, those working in independent organizations, may apply for an account by contacting the Computer and Information Center. They must present a letter of approval from a faculty-level administrator or higher, along with a copy of their national ID or passport with a certified true copy.
2.4 Account Management
2.4.1 Personnel account management must be done through designated representatives. The department head must submit the representative’s name in writing to the director of the Computer and Information Center, including:
-
Department name
-
Full name of the representative
-
Username
-
Email
-
Phone number
2.4.2 To change the department representative, the department must notify the Computer and Information Center in writing, signed by the department head, and include the previous and new representative’s information.
2.5 User Privileges Management
2.5.1 If a staff member resigns or changes roles, their system access rights must be immediately updated or revoked.
2.5.2 Any request to change user privileges must be in writing and include reasons and necessity.
-
Must be signed by the department head
-
Sent to the relevant primary responsible unit
-
A copy must be retained by both the requester and approver
-
The primary unit must forward approval to the system administrator
2.5.3 System administrators have authority to suspend access rights if a user violates the access control policy.
2.5.4 For special privileges, strict control must be enforced and approved by the University President or authorized delegate. Considerations include:
-
Strict usage monitoring
-
Time-limited access with automatic deactivation
-
Mandatory password changes after use or every 3 months for prolonged access
2.6 Password Management
2.6.1 System administrators must define secure password setting and changing procedures.
2.6.2 Temporary passwords must be complex and unique.
2.6.3 Temporary passwords should not be sent via email. Alternative secure delivery methods must be used.
