STATEMENT OF PURPOSE

The purpose of this Cluster Administrative Policy is to set out the acceptable use of information resources and/or assets in Eastern Health Cluster. These rules are in place to protect the user (employee, contractor, etc.) and the Cluster from risks including virus attacks, compromise of network systems and services, and legal liabilities arising from inappropriate use.

RELATED REFERENCES

  1. Government legislation references:
    1. Essential Cybersecurity Controls; National Cybersecurity Authority, 2018. PDF. <https://www.ncsc.gov.sa/>.
    2. National Anti-Cyber Crime Law – Royal decree M/17 dated on 27.03.2007G.
  2. International references:
    1. ISO/IEC 27001.
    2. ISO/IEC 27002.
  3. Internal references:
    1. CAPP 099 Cybersecurity Asset Management Policy.
    2. CAPP 104 Cybersecurity Incident and Threat Management Policy.
    3. CAPP 108 Cybersecurity Compliance Policy.
    4. CAPP 125 Privacy and Data Protection Policy.
    5. CAPP 148 Cybersecurity Policy.
    6. CAPP 261 Data Classification Policy.
    7. CAPP 280 Email Security Policy.

DEFINITIONS/ABBREVIATIONS

Unless specifically defined below, definitions of the terms used in this document are consistent with those of the National Cybersecurity Authority (NCA) and the International Organization for Standardization (ISO).

  1. Cybersecurity: is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the member organization's information assets against internal and external threats.

POLICY & PROCEDURES

1.     This policy applies to all business users including employees, third parties, vendors, and business partners who use and/or interact with Eastern Health Cluster information assets.

2.     General Requirements:

    1. All information must be treated according to the specified classification, in alignment with the data classification policy and data protection policy of the organization. This ensures the confidentiality, integrity, and availability of information.
    2. All employees, contractors, and external parties are prohibited from attempting to access data, electronic documents, emails, and software within the organization's information technology systems without authorization.
    3. All employees must recognize that any data stored in the organization's systems is owned by the organization. Therefore, any transfer of this information requires proper authorization and necessary actions.
    4. Employees are prohibited from disclosing any information related to the organization or its work to unauthorized individuals, both internally and externally.
    5. Systems administrators and authorized personnel must not disclose details about systems and networks, including remote access to or communication with the organization's information technology resources, to unauthorized individuals.
    6. Printouts should not be left unattended on shared printers.
    7. All employees should use assigned information technology systems and assets with care, as their security and integrity are their responsibility.
    8. Employees and external contractors are prohibited from copying documents with restricted rights or proprietary software and information owned by the organization.
    9. All employees and contractors must not install unauthorized software (such as freeware or shareware) without approval from the IT management.
    10. Employees should avoid activities that negatively impact the efficiency of the organization's IT resources and refrain from engaging in activities that could result in revocation of privileges.
    11. Employees must take adequate steps to prevent unauthorized access to organization information, including avoiding information leakage.
    12. Personal use of organization resources, including storing personal data, is prohibited. The organization does not guarantee the privacy of personal information stored on its assets used specifically for work purposes.
    13. Sharing user account data (passwords) with others is prohibited, and users are fully responsible for their accounts. Failure to comply may lead to disciplinary action.
    14. Laptops, company-owned mobile devices, and other IT systems must be used in a manner that preserves their confidentiality and protects stored information.
    15. Disabling or bypassing antivirus protection or security features on IT resources is prohibited.
    16. Copying or transferring any classified information by any means, including but not limited to CDs, USB drives, and email attachments, is prohibited unless Cybersecurity guidelines are followed.
    17. External storage media should be securely stored, considering factors like temperature and isolation.
    18. Use of portable media for storing or transferring organization data is only allowed for work purposes with prior authorization from Cybersecurity management. Encrypted and protected storage media should be used.
    19. Cybersecurity management retains the right to monitor and review user accounts, networks, systems, and infrastructure periodically to ensure compliance with this policy.
    20. Users are prohibited from engaging in illegal activities, such as unauthorized access, hacking, or actions that could disrupt asset use.
    21. Immediate reporting to IT management is required in case of equipment damage, loss, or theft.
    22. Unauthorized individuals must not enter restricted areas within the organization.
    23. Capturing photos or videos within the organization (Eastern Health Cluster) is prohibited.
    24. Unauthorized individuals must not be hosted in sensitive areas without prior permission.
    25. Identification badges must be worn at all times within the organization (Eastern Health Cluster).
    26. IT Security Management should be notified in case of information loss, theft, leakage, or suspected cyber threats.

3.     Protection of User Devices:

    1. All users must ensure they log out of information systems before leaving the organization at the end of working hours. Additionally, they should lock the system during their short breaks before leaving their workstations.
    2. All users are prohibited from leaving any confidential information on their desks where it could be read, copied, or manipulated without their knowledge. This information should be secured, stored in lockable cabinets, or securely disposed of, such as using a paper shredder.
    3. All users must ensure that screen savers are password-protected. The IT management will set a password-protected screen saver to activate after 5 minutes of device inactivity.
    4. All users should install privacy screens to support the confidentiality of all users in the organization.
    5. All users are prohibited from installing new equipment on laptops or organization devices without permission from the IT management.
    6. All users must ensure that there is no pirated or unauthorized software installed on laptops or organization devices. Only approved and authorized software is allowed to be installed.
    7. Users are only allowed to use equipment that is approved and owned by the organization.
    8. The use of gaming software on any organization systems is not allowed, and it is prohibited to install or transfer such software within the organization's network.
    9. High-level privileges (Admin Privileges) must be securely controlled on all organization devices, and they should not be assigned for regular user usage within the organization.

4.     Acceptable Use of Internet and Software:

    1. Internet usage should be limited to work-related purposes only.
    2. Users are prohibited from downloading non-work related media, such as:
      1. Peer-to-peer software and file-sharing software.
      2. Movies, games, music, software, scripts, etc.
    3. Technical staff, contractors, and other parties responsible for technical troubleshooting and operations must obtain permission from the Cybersecurity management before installing and using software on work devices, such as instant messaging or data access control software.
    4. Users must notify the IT management of any suspicious security warning messages that appear during use.
    5. Unlicensed software or other forms of intellectual property are prohibited.
    6. Techniques that bypass proxies or firewalls to access the Internet are prohibited.
    7. Downloading or installing software and tools on organization assets requires prior permission from the Cybersecurity management.
    8. Conducting security assessments to discover vulnerabilities is prohibited without prior permission from the Cybersecurity management. This includes penetration testing and the monitoring of organization networks and systems or external networks and systems, such as port scanning, network reconnaissance, deception, vulnerability scanning, and network monitoring.
    9. Internet users are not allowed to visit pages related to hacking, phishing, peer-to-peer networks, or proxies. Such services and known malicious sites should be blocked by the organization.

5.     Acceptable Use of Email:

    1. The email system is primarily available for work-related use. Email should be used responsibly in accordance with the email security policy.
    2. The exchange of inappropriate or unacceptable content via the organization's email, whether internal or to external recipients, is not allowed.
    3. All users must report any phishing or malicious email messages to the Cybersecurity management.
    4. All email correspondence should take place within the approved and closed network.
    5. The organization has the right to access or disclose any email communication upon specific request, with necessary authorization from the concerned party within the organization and Cybersecurity management. This is in line with relevant regulations and legislation.
    6. The use of the organization's systems for generating or distributing chain emails is prohibited.
    7. The circulation of Cybersecurity warning email messages is restricted to the relevant authority only, which is the Cybersecurity management; users must not send urgent warnings about a non-existent virus.
    8. The IT management must ensure that all incoming and outgoing email messages include a disclaimer about the organization.
    9. Users should not open suspicious emails, links, attachments, or any unexpected emails, even from a trusted source.
    10. The Cybersecurity management should be notified if there is suspicion of email messages containing content that may harm the organization's systems or assets.
    11. The organization's email address should not be registered on any non-work-related websites.
    12. Encryption techniques should be used when sending sensitive information through email or communication systems.

6.     Online Communications and Video Conferencing:

    1. All users must ensure they use approved equipment from the organization for their online communications and video conferencing.
    2. Online communications and video conferences should be conducted solely for work purposes.
    3. Security measures for both physical and virtual meetings should be observed.

7.     Password Usage:

    1. All users of the information system within the organization must bear the responsibility of selecting and maintaining a secure password in accordance with the password policy of the organization.
    2. Users are prohibited from writing their passwords in email messages or electronic communications.
    3. The information system within the organization must not be used for the following purposes:
      1. Disclosing passwords over the phone to anyone.
      2. Disclosing passwords to anyone, including IT managers, family members, colleagues, or supervisors.
      3. Disclosing passwords over the internet.
      4. Writing passwords on paper or on a phone.
      5. Sharing passwords with anyone else.
    4. Users of the information system within the organization are responsible for any activity related to their access rights.
    5. Users are not allowed to obtain or possess any passwords, decryption keys, or access mechanisms that may lead to unauthorized access. Users may be held accountable for any activities conducted through their accounts.
    6. Users of the information system within the organization should choose different passwords for their accounts within the organization compared to their personal accounts, such as social media or personal email accounts (e.g., Yahoo, Gmail, Hotmail, etc.).
    7. Users are required to change their password immediately upon receiving a temporary password from the system administrator.

8.     Exceptions:

    1. If a waiver to this policy is required and there is no viable and secure alternative, the requester shall duly fill in, sign, and submit the Policy Exception Request Form to the Cybersecurity Department.
    2. The requester shall include in the request a detailed description of the scope, business justification, and time period.
    3. The Cybersecurity Department shall review the request, identify the risk and compensating controls in accordance with the Cluster risk management framework, and may require the requester to consent to the identified risks and compensating controls. Furthermore, the Cybersecurity Department may consult related internal and external legal and regulatory bodies.
    4. The requester shall implement the exception after approval is obtained from the head of Cybersecurity Department.
    5. Cybersecurity Department shall monitor approved exceptions and revoke them after expiration.

9.     Compliance:

    1. Compliance with Cluster Cybersecurity policies and associated controls is mandatory for Cluster offices, hospitals, healthcare institutions, staff members, contractors, partners, and service providers who have access to Cluster information and information processing facilities.
    2. Cluster's line managers shall exercise due diligence to ensure compliance through continuous enforcement and self-assessment within their area of responsibility.
    3. Compliance assessments shall be regularly and independently performed by Cybersecurity Department to measure, analyze, and evaluate Cluster's adherence to Cybersecurity policies and associated controls. Cybersecurity Department shall monitor Cluster's compliance and oversee the implementation of corrective actions by their respective owners.

10.   Violations:

    1. The Cybersecurity Department is responsible for technically verifying any violation to the provisions of this policy. The Cybersecurity Department will report the violator to Legal Affairs.
    2. Legal Affairs is responsible for investigating the reported violation and will subject the violator to disciplinary and legal actions. Disciplinary actions shall be consistent with the severity of the violation, as determined by the investigation.

11.   Communication:

    1. Enquiries, feedback, and incidents related to this policy can be communicated to the Cybersecurity Department through any of the following channels:
      1. Enquiries and feedback can be sent by email to CS-Policies@echo.sa
      2. Incidents can be reported by email to ER-EHC-CSC@moh.gov.sa

RESPONSIBILITIES

  1. Cluster business users/staff, including third parties and business partners, are responsible for complying with the provisions of this policy.
  2. Executive managers of departments, departments' heads, and advisers are responsible to:
    1. Disseminate this policy to all employees within the organization or department.
    2. Report any violations or non-compliance with this policy to the Cybersecurity Administration.
    3. Ensure the adherence of all employees under their jurisdiction to the provisions of this policy and report any security incidents to the Cybersecurity Administration.
  3. The General Digital Health Management is responsible to adhere to this policy, implement the controls mentioned therein, and report any security incidents to the Cybersecurity Management.
  4. The Cybersecurity Management is responsible for:
    1. Endorsing the policy to the appropriate authority and working towards its implementation.
    2. Approving the procedures and guidelines to ensure necessary compliance with the security requirements of the organization's operations.
    3. Ensuring alignment between this policy and the organization's operations.
    4. Resolving any conflicts arising from this policy.
    5. Providing the necessary resources to identify, purchase, and implement technical solutions to meet the policy's requirements for asset usage wherever possible.
    6. Disseminating the Cybersecurity compliance policy to all departments, employees, and authorized users of the organization or those who will be granted access to the technical and informational assets.
    7. Coordinating with relevant departments to monitor compliance and execution.
    8. Reviewing, revising and updating this policy whenever there are changes in legislative and regulatory requirements. Any changes should be documented and approved by the authorized entity within the organization.

ATTACHMENTS

None.

SUMMARY OF CHANGES

This policy has been extensively revised.