Prince Sultan University PSU
Policy Management System
Organization Confidentiality Policy

Policy Code: IT0004
Policy Title: Organization Confidentiality Policy
Owner: Information Technology Center
Responsible Office/Department: Vice President for Academic Affairs
Approved by: University Council
Date Created: February 02, 2017
Recent Review: December 2023
Effective date:

POLICY STATEMENT

Confidential information must not be released or removed from the PSU premises by any means, and must not be copied or transmitted by anyone in the university. Any information that is stored on PSU IT resources is confidential. Authorized users may not borrow or remove any computing or printing equipment, or related technology, unless authorized to do so.

BACKGROUND AND JUSTIFICATION

In the course of its operations, PSU accumulates and manages sensitive information, which can be related to its employees, clients, partners, and business strategies. This information is a critical asset, vital to our competitive advantage and reputation. In order to protect these assets and meet legal requirements, a robust Confidentiality Policy is essential. This ensures we prevent unauthorized disclosures and build stakeholder trust.

SCOPE AND PURPOSE

Any authorized user who has access to any confidential information must maintain its confidentiality. The policy addresses any confidential information that has been developed or obtained by PSU faculty and staff.

PRINCIPLES OF THE POLICY

  1. Information Protection: All sensitive information, whether physical or digital, will be protected from unauthorized access, disclosure, alteration, or destruction.
  2. Access Limitation: Access to confidential information is restricted to those with a legitimate business need.
  3. Regular Audits: Periodic audits should be conducted to ensure adherence to confidentiality standards and to identify potential vulnerabilities.
  4. Data Classification: All information will be categorized based on its sensitivity level, guiding its storage, transmission, and access controls.
  5. Training and Awareness: All employees and relevant stakeholders will receive training on the importance of confidentiality and how to uphold it.
  6. Incident Reporting: Any breach or suspected breach of confidentiality will be promptly reported, and corrective actions will be taken.
  7. Continuous Improvement: The confidentiality policy will be periodically reviewed and updated based on evolving risks, regulations, and business needs.
  8. Legal and Regulatory Compliance: The policy will align with relevant local, national, and international laws and regulations regarding data protection and privacy.
  9. Transparency: While maintaining confidentiality, the organization commits to being transparent about its data handling and protection practices with stakeholders.

DEFINITIONS

  1. Confidential Information: Any sensitive information, whether physical or digital, that has been developed or obtained by PSU faculty and staff, including any information stored on PSU IT resources.
  2. Authorized Personnel: Users who have been granted access to confidential information on the basis of a legitimate business need.
  3. Data Classification: The categorization of information according to its sensitivity level, which guides its storage, transmission, and access controls.
  4. Breach of Confidentiality: Any unauthorized access, disclosure, alteration, or destruction of confidential information, including its release, removal, copying, or transmission without authorization.
  5. Data Protection Measures: The controls used to protect confidential information, such as encryption, strong authentication, firewalls, intrusion detection systems, and other cybersecurity tools.
  6. Stakeholders: Employees, clients, partners, and other parties with an interest in how PSU handles and protects its information.
  7. Regulatory Compliance: Alignment of the policy and its practices with relevant local, national, and international laws and regulations regarding data protection and privacy.
  8. Information Lifecycle: The stages through which information passes, from its creation or acquisition through storage, transmission, and access to its secure disposal.
  9. Third-party Entities: External organizations or individuals granted access to or use of PSU information under contracts and agreements, and who are expected to uphold confidentiality standards similar to PSU's own.

RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES

  1. Data Classification and Management:
    1. Categorize information based on sensitivity.
    2. Implement respective access controls and storage protocols.
  2. Access Control:
    1. Grant access to confidential information solely to authorized personnel.
    2. Employ strong authentication methods, such as multi-factor authentication.
  3. Training and Awareness:
    1. Regularly train staff on confidentiality best practices.
    2. Host periodic refresher courses to keep everyone updated.
  4. Data Protection Measures:
    1. Employ encryption for storing and transmitting sensitive data.
    2. Use firewalls, intrusion detection systems, and other cybersecurity tools.
  5. Third-party Management:
    1. Assess and ensure third-party entities uphold similar confidentiality standards.
    2. Define terms clearly in contracts and agreements regarding data access and usage.
  6. Audit and Monitoring:
    1. Perform regular audits to ensure policy compliance.
    2. Use monitoring tools to detect unauthorized access or breaches.
  7. Incident Response:
    1. Establish a clear protocol for reporting and handling confidentiality breaches.
    2. Maintain a rapid response team for immediate action.
  8. Document Management:
    1. Implement secure storage solutions for physical documents.
    2. Mandate secure disposal methods like shredding for confidential paper documents.
  9. Continuous Review:
    1. Periodically review the policy for relevancy and effectiveness.
    2. Adjust strategies based on changing business environments and feedback.
  10. Legal and Regulatory Adherence:
    1. Stay informed about relevant confidentiality laws and regulations.
    2. Update policies and practices in line with any changes to these regulations.

PROCEDURES FOR HANDLING POLICY VIOLATION

Any user who violates this policy will be considered an Unauthorized User and is subject to disciplinary action according to the Enforcement section of the ITC Unauthorized Use Policy.

https://www.psu.edu.sa/en/IT0002-unauthorized-use-policy

REFERENCES

https://www.psu.edu.sa/en/cop005-disciplinary-policy