Prince Sultan University — Information Security Policy (DDT0001)

Prince Sultan University

PSU Policy Template

Information Security Policy

Policy Information
PSU Policy CodeDDT0001
Original Adoption1/11/2022
Policy TitleInformation Security Policy
OwnerDDTET (CSCU)
Responsible Office/DepartmentVice President for Students’ Life
Effective Date1/11/2022
Recent Review Date20/7/2025
Approved ByUniversity Council
Approval Date20/11/2025
Version2.0

POLICY STATEMENT

The Cybersecurity and Compliance Unit at Prince Sultan University is committed to safeguarding the confidentiality, integrity, and availability of information assets. The university recognizes that effective information security is critical to its mission of supporting education, research, and administration. This policy establishes a comprehensive framework to manage information security risks and ensure compliance with ISO/IEC 27001:2022 and the Saudi Personal Data Protection Law (PDPL), protecting against unauthorized access, disclosure, modification, and loss of data.

PSU is committed to meeting all applicable information security, legal, regulatory, and contractual obligations and to the continual improvement of its Information Security Management System (ISMS).

BACKGROUND AND JUSTIFICATION

The increasing reliance on digital technologies exposes Prince Sultan University to evolving cybersecurity threats, including data breaches, cyberattacks, and system failures. Such events can result in reputational damage, financial losses, and non-compliance with legal and regulatory requirements.

This policy aligns PSU’s information security practices with ISO/IEC 27001:2022 standards to ensure a structured approach to managing information security risks. It aims to safeguard information assets, ensure compliance with legal and regulatory requirements (including the Saudi Personal Data Protection Law), and maintain the trust of students, staff, and external stakeholders.

SCOPE AND PURPOSE

This policy applies to:

  1. All IT systems, networks, and applications owned, managed, or connected to PSU.
  2. University employees, students, contractors, vendors, and visitors accessing PSU systems.
  3. Data generated, stored, or processed by PSU, including personal, sensitive, and research data.

The policy aims to:

  1. Protect university information assets from threats and vulnerabilities.
  2. Ensure compliance with regulatory frameworks, including ISO/IEC 27001:2022.
  3. Foster a culture of accountability and awareness of information security practices across PSU.

Framework for Establishing Information Security Objectives

PSU maintains a structured framework for setting, monitoring, and reviewing information security objectives based on risk assessments, regulatory requirements, and audit results. The Cybersecurity and Compliance Unit (CSCU) tracks these objectives and reports progress during the Management Review Meeting.

PRINCIPLES OF THE POLICY

  1. Confidentiality: Safeguard sensitive information by implementing robust access controls to ensure confidentiality.
  2. Integrity: Ensure data accuracy and protect against unauthorized modifications.
  3. Availability: Maintain the accessibility of critical data and systems through resilience measures.
  4. Access Control & Accountability: Enforce role-based access privileges, monitor system activity, and maintain audit trails.
  5. Data Protection & Privacy: Adhere to ISO/IEC 27001 and Saudi PDPL requirements for processing personal data.
  6. Risk Management: Conduct regular risk assessments to identify and address vulnerabilities.
  7. Awareness and Training: Provide ongoing awareness programs to staff, faculty, and students.
  8. Incident Response & Recovery: Maintain an incident response framework and disaster recovery/business continuity plans.
  9. Continuous Improvement: Periodically review and update the policy.

DEFINITIONS

  1. Information Security: The practice of protecting information assets from unauthorized access, disclosure, modification, destruction, or disruption.
  2. Information Asset: Data, systems, or infrastructure valuable to the university.
  3. Personal Data / Sensitive Data: Personal, financial, or research information requiring special protection.
  4. Access Control: Mechanisms to ensure only authorized personnel can access sensitive information.
  5. Data Subject: Individuals whose personal data is collected or processed by PSU.
  6. Incident: Any event compromising the confidentiality, integrity, or availability of PSU’s information assets.

RESPONSIBILITIES

DDTET Management:

  • Provide strategic oversight of the Information Security Policy.
  • Align information security initiatives with university goals and strategic plans.
  • Review and approve risk assessments and mitigation plans.
  • Allocate resources for security controls, tools, and training.
  • Ensure compliance with ISO 27001, NCA, and PDPL requirements.
  • Monitor the overall effectiveness of security programs.
  • Support responses to major security incidents.

Cyber Security and Compliance Unit (CSCU):

  • Implement and enforce the Information Security Policy operationally.
  • Conduct risk assessments and apply necessary safeguards.
  • Perform periodic monitoring of security controls.
  • Coordinate responses to information security incidents.
  • Communicate policies and compliance requirements.
  • Integrate security requirements into onboarding and training programs.

Information Technology Center (ITC):

  • Implement and maintain technical security controls.
  • Manage and secure IT infrastructure and user accounts.
  • Apply access controls and manage authentication systems.

Department Heads:

  • Ensure their teams comply with the Information Security Policy.
  • Reinforce cybersecurity awareness.

Employees and Students:

  • Follow security guidelines and best practices.
  • Promptly report any security incidents.

Exceptions and Exemptions

Requests for exceptions or exemptions to this policy must be formally submitted to the Cybersecurity and Compliance Unit (CSCU).

PROCEDURES FOR HANDLING POLICY VIOLATION

Any violation of this policy must be reported promptly to the Cybersecurity and Compliance Unit (CSCU). CSCU will investigate the incident, assess its impact, and document all technical findings.

REFERENCES

  • ISO/IEC 27001:2022
  • National Cybersecurity Authority (NCA)
  • Saudi Personal Data Protection Law (PDPL)
  • Identity and Access Management Policy
  • Personal Data Protection & Privacy Policy
  • Acceptable Use & Info Handling Policy
  • Incident Response Policy
  • Password policy
  • IT & Security Training Policy
  • Prince Sultan University | Compliance Policies
  • Prince Sultan University | Disciplinary Policy

Appendix

  • Information Security Policy - Terminology and Definitions