
Data Management Policy - Part 5: Network Segmentation, Internet Usage, Server and Email Management


 

4.5 Network Segmentation

4.5.1 Segment internal and external networks and devices; keep documentation current.

4.5.2 Segment networks by service groups, user groups, and operational systems.

4.5.3 Use firewalls to subdivide internal networks into smaller segments.

4.5.4 Use gateways to control internal and external access in accordance with network access policies.

 

4.6 Network Connection Control

4.6.1 Only allow connections from specified IP addresses.

4.6.2 External connections must have intrusion detection systems and malware detection capabilities.

 

4.7 Network Routing Control

4.7.1 Only allow routes among designated IP address groups.

4.7.2 Use gateways to filter network traffic.

4.7.3 Verify source and destination IP addresses.

4.7.4 Control data flow through the network.

4.7.5 Define routing paths aligned with access and service usage policies.

4.7.6 Limit direct routes to servers, restricting alternate routes.

 

4.8 User Authentication for External Connections

4.8.1 Users must always identify themselves with a username.

4.8.2 External users must be pre-approved.

4.8.3 Identity verification must include username and password for all system access.

 

 

Part 5: Use of the Internet

5.1 Internet access must go through University-designated secure systems based on user rights.

5.2 Prohibit personal commercial use of the University’s internet.

5.3 Do not visit inappropriate websites (immoral, national security threats, copyright violations, etc.).

5.4 Downloading software or updates must respect copyright and intellectual property.

5.5 Avoid internet services that consume high bandwidth for prolonged periods.

 

Part 6: Server Management

6.1 Appoint a designated administrator for each server in writing.

6.2 Define procedures for checking server integrity; resolve and log any irregularities.

6.3 Set server clocks to official University time references.

6.4 Enable only necessary services; apply additional security for high-risk services.

6.5 Keep all software up to date to address vulnerabilities.

6.6 Test security and performance before and after any update or maintenance.

6.7 Only system administrators may install or connect servers.

 

Part 7: Email Usage and Control

7.1 Students use student ID-based email addresses; the default password is their national ID, which must be changed upon first login.

7.2 Staff must submit a registration form to use the SRU email system.

7.3 Do not use others’ email addresses to send or read messages.

7.4 Avoid indicating email sensitivity in the subject line.

7.5 Keep email account credentials confidential.

7.6 Always log out after use.

7.7 Carefully check attached links or files to avoid phishing.

7.8 Do not send personal sensitive information (e.g., passwords, ID numbers, credit card numbers) via email.

 

 

Part 8: Operating System Access Control

8.2 Secure Login Procedures

8.2.1 The system must not display critical system details before the login process is completed.

8.2.2 The system should terminate connections from client machines attempting to guess passwords.

8.2.3 Implement time limits to protect passwords from brute-force attempts.

8.2.4 Direct access to the operating system via command-line interfaces should be restricted due to the risk of system damage.

 

8.3 User Identification and Authentication

8.3.1 Users must log into University information systems using their unique usernames and passwords.

8.3.2 Additional authentication methods such as smart cards, RFID, fingerprint readers, or other secure technologies may be implemented.

 

8.4 Password Management System

8.4.1 Limit the number of incorrect password attempts. Accounts should be locked after the set limit, requiring admin intervention to restore access.

8.4.2 Automatically terminate connections when password guessing is detected.

8.4.3 Allow users to change and confirm their own passwords securely.

8.4.4 Store password files separately from application system data.

8.4.5 Hide password input by displaying dots or asterisks instead of characters.

8.4.6 After installation, default usernames must be changed or removed immediately.

 

8.5 Use of System Utilities

8.5.1 Restrict and carefully authorize access to system utilities.

8.5.2 Store utilities that are not regularly used on external storage.

8.5.3 Log all usage of such utilities.

8.5.4 Remove unnecessary utility software from the system.

8.5.5 All installed software must be legally licensed.

8.5.6 Users are prohibited from copying software for unauthorized distribution.

 

8.6 Session Timeout

8.6.1 Inactive sessions must time out after a maximum of 30 minutes; for high-risk systems, shorten this to 15 minutes as appropriate.

8.6.2 Systems should automatically terminate sessions and disconnect applications when inactive.

8.6.3 Devices in high-risk locations must shut down automatically after a defined idle period.

 

8.7 Limitation of Connection Time

 

 

8.7.1 Set connection time limits for high-risk or critical information systems, such as a maximum of 3 hours per session during official hours only.

8.7.2 Adjust connection time based on the risk level of the access location.

8.7.3 High-risk systems used in public or off-campus locations must have restricted connection windows.

 

Part 9: Server Access Control

 

9.1 Unit heads must designate authorized personnel with access rights to server operating systems.

9.2 Users must log in with their own credentials.

9.3 System details must not be displayed before a login is successfully completed.

9.4 Servers must be configured to disconnect users attempting to guess passwords.

9.5 System administrators must immediately suspend services upon detecting unusual or insecure usage.

9.6 Installation of unauthorized or externally sourced software is prohibited.

9.7 Server administrators must routinely inspect systems for unauthorized software or data.

9.8 All servers must have malware protection software installed.

9.9 Clearly define roles and procedures for handling malware, including reporting, analysis, remediation, and recovery.

9.10 Regularly follow news and updates about new malware threats.

9.11 Raise awareness among administrators and users on how to prevent and respond to malware incidents.

 

Part 10: Public Computer Access Control

10.1 Users must authenticate themselves using their personal username and password.

10.2 The system must not display critical system information before successful login.

10.3 The system must be configured to terminate connections upon detection of password guessing attempts.

10.4 The system must limit user permissions for installing, modifying, or deleting programs or data on the machine.

 

Part 11: Application and Information Access Control

 

11.1 Access Restrictions

11.1.1 User Access Restrictions

 

  • (1) Users may only access information as authorized.

  • (2) Personal data access must be appropriately restricted.

  • (3) Users must immediately log out of the system after use.

 

 

11.1.2 Personnel Classification for Information System Roles

University IT personnel are classified into three groups with clearly defined written responsibilities:

 

  1. System Administrators

  2. System Developers

  3. System Users

 

11.1.3 Logging Information Access Activities

System activity logs must include:

 

  • (1) Username

  • (2) Login timestamp

  • (3) Logout timestamp

  • (4) Significant system events

  • (5) Successful and unsuccessful login attempts

  • (6) Successful and unsuccessful resource access attempts

  • (7) Use of special privileges (e.g., admin rights)

  • (8) File access and actions (open, close, read, write)

  • (9) IP address of the accessing device

  • (10) Disabling of intrusion prevention systems

  • (11) Disabling of critical systems

 

 

11.1.4 Secure Transmission of Sensitive Data

Data transmitted via public networks should use standard encryption protocols such as SSL, VPN, or XML Encryption.

 

11.1.5 Contractor (Outsource) Control

 

  • (1) Contractors must meet clearly defined qualifications (e.g., verified experience, references, certifications, technical readiness).

  • (2) Service contracts must include scope of work and deliverables in detail.

  • (3) The University must monitor and verify contractor operations (e.g., quality assurance, random inspections).

  • (4) Access control for contractors must follow the same standards as external users, with audit trails and use of test data instead of real data.

  • (5) Clear criteria and processes must be defined for acceptance of deliverables.

 

 

11.2 Protection of High-Impact or Critical Systems

11.2.1 Systems such as HR, student information, and financial systems must be isolated and clearly identified for their importance to the University.

 

11.2.2 Environmental controls for these systems must include:

 

  • (1) Separate, secured rooms with limited access only for authorized personnel

  • (2) Physically and logically separate systems from other IT systems

  • (3) Protection from resource shortages

  • (4) Monitoring systems for unauthorized data access attempts

 

11.3 Mobile Device and Remote Access Controls

11.3.1 Mobile Device Usage Guidelines (for personal and university-owned devices)

 

  • (1) Secure or physically anchor devices in public or high-risk areas

  • (2) Enable automatic screen lock or shut down when idle

  • (3) Set secure passwords for portable computers

  • (4) Do not share portable devices with others

  • (5) Use antivirus software before accessing external media

  • (6) Do not store critical University data on portable/mobile devices unless encrypted

  • (7) Do not use portable devices as wireless access points within the University

  • (8) Protect portable devices from malware, use legal and trusted software, and keep systems updated

  • (9) Have incident response plans for lost/stolen devices (e.g., BIOS lock, file/hard disk encryption, tracking software)

 

 

11.3.2 Data Backup and Recovery

 

  • (1) Users are responsible for backing up their data onto appropriate backup media such as CDs, DVDs, or external hard drives.

 

11.4 Teleworking

11.4.1 Remote system users must be authorized by the Chief Information Officer (CIO) and connect through a VPN system specified by the University, with proper authentication before accessing the system.

11.4.2 Communication systems between the telework location and internal systems must be secured.

11.4.3 Physical security measures must be implemented at telework locations to prevent unauthorized access or theft of equipment and remote intrusion into the system.

11.4.4 Remote users must not allow family, friends, or others to access the University’s information systems at their telework locations.

11.4.5 Personal devices used for remote access must have appropriate antivirus protection and firewalls installed.

11.4.6 The types of tasks allowed for teleworking, working hours, classification of permissible data, and accessible systems/services must be clearly defined.

 

12. Traffic Log Management

12.1 Each unit must assign a traffic log custodian and establish a Log Server to collect traffic data, ready for submission to the University’s traffic log custodian upon request.

12.2 Define methods for transferring traffic data from storage media to the unit’s centralized Log Server.

12.3 Log activities of servers and network systems, including user operations and intrusion prevention systems. Records should include usernames, source/destination IP addresses, protocols, and port numbers to support auditing, as per the Computer Crime Act.

12.4 Regularly audit user activity logs.

12.5 Implement methods to prevent modification or destruction of traffic data and restrict access only to authorized personnel.

 

 

 

13. Responsibilities of System Administrators

 

 

 

13.1 System Administrator Roles

 

 

Divided into three groups:

 

  1. Network Administrator

  2. Server Administrator

  3. Application Administrator

 

 

13.2 Responsibilities of Network Administrators

 

 

13.2.1 Maintain and inspect network devices and communication channels regularly. Immediately disable unused or unnecessary connections.

13.2.2 Retain only essential traffic data to identify users from session start to end. Data must be securely stored per legal retention periods using the following methods:

 

  • (1) Confidential storage with access controls to preserve integrity and prevent unauthorized changes.

  • (2) Logs must identify users individually.

  • (3) Logs must be timestamped accurately.

 

 

 

 

13.3 Responsibilities of Server Administrators

 

 

13.3.1 Monitor and maintain server functionality. Promptly address and mitigate any anomalies or threats. If the issue is caused by policy violations, notify the user to stop immediately or suspend access if necessary.

13.3.2 Install and update software patches to maintain server security.

13.3.3 Install appropriate anti-malware software.

13.3.4 Conduct server security checks.

13.3.5 Maintain and update server user account systems.

 

 

 

13.4 Responsibilities of Application Administrators

 

 

13.4.1 Maintain and update user accounts in application systems.

13.4.2 Keep an up-to-date inventory of information systems and related equipment.

 

 

 

13.5 System Administrator Governance

 

 

13.5.1 Do not access user data without valid reasons.

13.5.2 Do not violate user privacy or access personal data without cause.

13.5.3 Do not disclose confidential information obtained through duties without justification.

 

 

 

14. Use of Social Networks

 

 

14.1 Social network use must primarily serve official University purposes.

14.2 Users must not disclose sensitive or confidential University information on social networks.

14.3 Users must refrain from posting comments or messages that may harm the University’s reputation.

14.4 If users realize that a previous post might negatively affect the University, they must notify the Computer and Information Center promptly for appropriate actions.

 

 

15. Physical and Environmental Security

 

 

 

15.1 Physical Environment Management

 

 

15.1.1 Define the importance level of areas and classify usage zones accordingly.

15.1.2 Install intrusion prevention systems to comprehensively cover critical areas.

15.1.3 Regularly test physical intrusion prevention systems to ensure functionality.

 

 

15.2 Physical Access Control

 

 

15.2.1 Unrelated individuals are not allowed in critical areas.

15.2.2 Access to areas where important data is stored or processed must be restricted.

15.2.3 A clear access authorization mechanism for outsiders entering critical areas is required.

15.2.4 Authentication methods such as access cards or passwords must be used to control entry to critical zones (e.g., data centers).

15.2.5 Log entry and exit times of visitors and keep records for later review.

15.2.6 Maintain records of all equipment brought in and out.

15.2.7 Visitors must be supervised until their mission is complete to prevent property loss and unauthorized access.

15.2.8 External personnel must be controlled when bringing in computers or work-related equipment.

15.2.9 Visitors must be made aware of and follow the relevant rules during their visit.

15.2.10 Contractors and visitors must wear visible ID badges at all times while on-site.

15.2.11 Monitor and oversee the work of external personnel while they are in critical areas.

15.2.12 Regularly review or revoke access rights to critical zones.

 

 

15.3 Delivery Access Areas

 

 

15.3.1 Restrict access to product delivery or loading zones to prevent unauthorized entry.

15.3.2 Limit personnel who may access delivery areas.

15.3.3 Physically separate delivery zones from other University areas.

15.3.4 Inspect hazardous items before moving them to operational zones.

15.3.5 Register and count items delivered by vendors to comply with procurement and asset management regulations.

 

 

15.4 System Documentation Security

 

 

15.4.1 Store information system-related documents in secure locations.

15.4.2 Allow access to these documents only to authorized personnel.

15.4.3 Control access to documents published on public networks (e.g., internet) to prevent unauthorized modification or access.

 

 

15.5 Transport of University Assets Off-Site

 

 

15.5.1 Obtain authorization before removing University assets from the premises.

15.5.2 Record details of the removal and return of University-owned equipment.

15.5.3 University personnel must treat University assets with the same care as personal property.

 

 

15.6 Operational Support Systems

 

 

15.6.1 Ensure IT systems are supported by adequate infrastructure, including:

 

  • (1) Uninterruptible Power Supply (UPS)

  • (2) Backup generators

  • (3) Ventilation systems

  • (4) Air conditioning and humidity control systems

  • (5) Fire protection systems

 

 

15.6.2 Regularly inspect and test all support systems to ensure reliability and minimize system failure risk.

15.6.3 Install alert systems to notify when support systems malfunction or shut down.

15.6.4 Create floor plans for IT systems and ensure relevant personnel are informed.

 

Backup and Recovery Policy

 

1. Disaster Recovery Site (DR Site)

1.1 Prepare an inventory of critical network and information systems that require backup sites, and review the inventory at least once a year.

1.2 The backup site must be located separately from the main system and must include the following controls:

 

  • 1.2.1 Access control systems that allow entry only for authorized personnel

  • 1.2.2 Backup power systems

  • 1.2.3 Proper air conditioning and humidity control systems

  • 1.2.4 Fire prevention systems

  • 1.2.5 Adequate lighting systems

  • 1.2.6 Backup communication or network systems

  • 1.2.7 Alert systems in case support systems malfunction or shut down

1.3 Implement continuous maintenance plans for all backup systems.

 


 

2. Data Backup

2.1 Prepare an inventory of all critical information systems in each department to be backed up and review it at least annually.

2.2 Define specific backup methods for each system.

2.3 Set appropriate backup frequencies; systems with high importance or frequent changes must have more frequent backups.

2.4 Record data backup activities including: responsible personnel, date/time, file names, and success/failure status.

2.5 Ensure all related components of the system are backed up, such as software, databases, configuration files, and related devices.

2.6 Store backup data at the designated backup site.

2.7 Implement physical protection for the backup location.

2.8 Prepare contingency plans for cases where electronic means are not possible:

 

  • 2.8.1 Define roles and responsibilities of involved personnel

  • 2.8.2 Assess risks and define measures to mitigate them (e.g., prolonged power outage, fire, earthquake, protests)

  • 2.8.3 Establish procedures for information system recovery

  • 2.8.4 Establish procedures for data backup and test recovery of backup data

  • 2.8.5 Review and update the emergency preparedness plan annually to ensure alignment with real usage scenarios

 


 

3. Data Recovery

3.1 Develop standard procedures for data recovery and regularly assess their effectiveness.

3.2 Regularly verify the integrity and accessibility of backup data.

3.3 Use the most up-to-date backup data (latest version) as appropriate for recovery.

3.4 Test data recovery from backups at least once per year.

 


 

4. System Readiness Testing

4.1 Test the readiness of the backup system, backup data, and emergency preparedness plans at least once per year.

 
