Privacy and Policy

Privacy and Policy 2019-12-03T20:57:43+00:00

1. Policy Statement

1.1. Acceptable Usage Policy

1.1.1. Information Handling

Users shall ensure that their information assets, regardless of form (electronic or physical), are classified appropriately to avoid loss of confidentiality, integrity and availability of the information.

Users shall ensure that their information assets are labelled and stored securely with appropriate protection measures to avoid unauthorized access.

Users shall ensure that their information assets are distributed or transferred on a “need to know” basis, taking into consideration adequate protection measures.

Users shall ensure that their information assets in the form of paper are shredded appropriately before disposal.

Unless permitted, users shall not reproduce sensitive or confidential information in any manner using equipment such as scanners, photocopiers, photos and printers.

1.1.2. Information Exchange

Users shall not share or upload any official information on private cloud services without prior approval from the Business Owner.

When information is exchanged between two parties with the use of information exchange equipment like mobile, answering machine, electronic mail, Internet or any other transformation media, the following controls shall be considered:

  • While using a mobile phone in a public place, ensure that the information is not overheard by any unauthorized person
  • Ensure that fax is sent to the correct fax numbers only
  • Follow the controls on exchange of information or software through the use of electronic mail and Internet as described in the Internet and Email Security Policy.
  • Users shall ensure that any confidential information is not left as a message on an answering machine.
  • Before transferring any confidential information using postal services users shall ensure that it is covered and sealed in a tamper-proof envelope.

1.1.3. Clear Desk and Clear Screen

Users shall ensure that they lock the computer before leaving their desk.

Users shall ensure that they log off all applications at the end of their work hours or while leaving for the day.

Users shall ensure that sensitive information assets are maintained around their desks in a manner that avoids any unauthorized viewing.

Users shall ensure that they store paper documents and electronic media in locked cabinets or other secure storage areas, especially after office hours.

Users shall ensure that they do not leave any paper documents unattended around photocopiers, scanners, or printing facilities.

1.1.4. Desktop/Laptop and Equipment Usage

Users shall not try to change any hardware configuration or settings in the operating system or any applications installed on their desktops/laptops. If users require any change in the hardware or software settings, they shall contact the IT Help Desk.

Users shall not install any unauthorized software on their desktop that is not essential to STC Channels business. If users require additional software, they shall contact the IT Help Desk.

Users shall be responsible for the security of their desktops/laptops and will take adequate measures to ensure their physical and logical security.

Whenever connecting their laptops or desktops to the LAN, users shall ensure that the anti-virus agent is running on their machines.

Users shall take adequate measures for physical protection of laptops, like not leaving laptops unattended in public places or while travelling.

Users shall clean the data on a regular basis to remove unwanted data from their desktops/laptops.

Users must not use STC Channels information systems to engage in any hacking activities such as the following:

  • Gaining unauthorized access to any other information systems.
  • Damaging, altering or disrupting the operations of any other information systems.
  • Capturing or obtaining passwords, encryption keys or any other access control mechanism that could permit unauthorized access.

STC Channels computers shall not be loaned to third parties without prior management approval.

Users shall not accept any form of assistance and free consulting services, free security software via Internet, etc. to improve the security of their systems without first taking approval from the Information Security department.

1.1.5. Antivirus

Users shall not disable the installed anti-virus agent or change any settings. This includes settings for periodic system scans, anti-virus server IP address and signature update schedules.

Users shall not disrupt the scheduled virus scans in their systems. If the scan is affecting system performance, users shall contact the IT Help Desk for resolution.

On suspecting any abnormal system behavior or seeing virus alerts in the system, users shall stop their work and immediately report to the IT Help Desk.

1.1.6. Internet Usage

All critical hosts that need an internet connection shall be connected through proxy for updating, patching and maintenance purposes.

Internet access is provided to users for the fulfilment of job responsibilities. Users shall access the Internet for business purposes only and refrain from using the Internet for personal or non-business activities.

Users shall not connect Internet data cards to their machines unless otherwise approved by the Information Security department.

Installing chat software for chatting, talking and attaching files is strictly prohibited unless authorized.

The browsing of adult content via STC Channels computers or networks is strictly prohibited. This includes content obtained via web sites, email attachments, CD-ROMs and file sharing networks.

Users shall not use Internet facilities to:

  • Download or distribute malicious software or tools or to deliberately propagate any virus.
  • Violate any copyright or license agreement by downloading or distributing protected material.
  • Upload files, software or data belonging to STC Channels to any Internet site without authorization of the owner of the file/ software/ data.
  • Post views or opinions in public on behalf of STC Channels unless authorized by executive management.
  • Conduct illegal or unethical activities including gambling, accessing obscene material or misrepresenting STC Channels.
  • Carry out port scanning, security scanning, and network monitoring or use any technology which circumvents the security of the host computer.

Users are responsible for protecting their Internet account and password. Users shall be held responsible for any misuse of Internet access originating from their account.

Users shall not download and install, execute or store computer games on any STC Channels facilities.

Users' Internet bandwidth quota is determined by IT Operations based upon resource availability.

1.1.7. E-mail Usage

STC Channels provides electronic mail facility to support business communication requirements.

As far as possible, STC Channels official mail shall not be used in any way for personal usage and/or communication.

The e-mail message, including all attached files, is limited to a file size of 10 MB for transmission.

Users owning the e-mail account are responsible for the content of the e-mail originated from their account to other users inside or outside STC Channels.

Users are prohibited from sending or forwarding:

  • E-mails with offensive, racist or obscene remarks.
  • E-mails containing messages that may damage the reputation of STC Channels.
  • E-mails that contain viruses or worms.
  • Chain e-mails like e-mails forwarded from a chain of people usually containing virus hoaxes, jokes, charitable fund-raising campaigns, political advocacy efforts, religious beliefs and others.
  • E-mails containing any illegally acquired document, software or other information.
E-mail exchanges with third parties shall contain a disclaimer against contractual obligations or similar commitments during usual business communications.

Users shall protect their e-mail account on the server through strong and complex passwords and shall not share their password or account with anyone else.

Users shall not configure automatic forwarding of electronic mail to external mail addresses.

Users shall not subscribe to mailing lists using the STC Channels official email account unless for business need.

Users shall refrain from revealing their e-mail accounts or the email accounts of any other user in STC Channels to any website, mailing list, newsgroups or discussion boards without appropriate authorization.

Users shall refrain from opening e-mail attachments unless and until they trust and expect the sender of the e-mail or have mutually exchanged e-mails previously.

Users shall not forward sensitive business information over non-corporate e-mails. In case such information needs to be shared, appropriate authorization from the respective manager/business owner shall be received and necessary controls such as encryption and password protection shall be implemented prior to sharing.

STC Channels reserves the right to monitor email message communications to ensure that email usage is as per this policy and probable data leakage is contained.

In case any misuse of the e-mail system is detected, STC Channels can terminate the user e-mail account and take other disciplinary action.

Users shall promptly report all suspected security vulnerabilities or incidents that they notice with the Email system to the IT Help Desk.

Users sending approved and confidential information to authorized entities shall make sure that email encryption is applied prior to sending.

1.1.8. Telephones and Voice Mail

Unauthorized recording or duplication of voice mails that are stored in answering machines and voice mail systems is strictly prohibited. All voice mail messages that are older than one month shall be deleted.

Users shall be careful about using STC Channels telephones for personal calls. They shall keep the call brief, particularly during office hours.

Users are responsible for using telephone and voice service for business need, and not for personal usage/calls.

1.1.9. Social Media Usage

Users shall behave in a way on social media sites that preserves the reputation of STC Channels if authorized to represent STC Channels.

Users shall refrain from posting content on social media sites that is of the following nature, but not limited to:

  • Profane language.
  • Comments that promote discrimination.
  • Comments that promote illegal activity.
  • Comments that violate any legal or intellectual property rights.

Users shall observe the finest moral principles in their behavior and conduct on social media sites.

Users shall use STC Channels corporate resources in an honest and transparent manner and avoid wastage of time in using social media sites.

While managing personal accounts for social media sites, users shall not post their official company contact details for correspondence.

In all cases, it shall be the employee’s responsibility to ensure that his/her personal behavior on social media sites does not harm the reputation of STC Channels or any other entities in any way.

1.1.9.7. Users shall be careful of three main security concerns related to social media sites – Spear phishing, Social Engineering, and Web Application Attacks.

1.1.10. Password Usage

Users shall not disclose their passwords to anyone inside or outside STC Channels.

Passwords shall not be communicated via email unless e-mail communication is encrypted.

Passwords shall never be written down or stored in an unprotected fashion (including mobile or similar devices) without encryption.

Users are accountable and liable for all actions originating from their accounts and shall take due care to secure their account credentials by not sharing account details with anyone.

1.1.11. Document and Storage Security

All documents containing sensitive information shall be marked as per the Asset Management Policy.

Confidential documents and media shall not be kept unattended in the user’s work area, near printers or fax machines and shall be stored with appropriate physical security.

Users shall ensure that whenever sensitive documents are printed, the printouts are collected immediately.

1.1.12. Mobile Computing Devices

STC Channels employees may use their mobile devices to access the following company-owned resources: internet, e-mail, contacts, meeting reminders, documents, calendars, etc.

Smart phones and tablets that are not on the STC Channels list of supported devices are not allowed to connect to the network.

If the mobile device is STC Channels property, then the device shall be fitted with an irremovable security tag (sticker) to identify the device by a unique number.

Wireless connection such as Ethernet, Bluetooth of the mobile device is not allowed when it is connected to the STC Channels network. It must be disabled unless that device as access point is authorized by IT inside STC Channels premises.

STC Channels highly confidential data shall never be stored on the mobile device, unless this has been approved by the business owner and the data is encrypted with strong encryption.

In order to prevent unauthorized access, devices shall be password protected using the features of the device and a strong password to access the STC Channels network.

The device shall lock itself with a password or PIN if it is idle for five minutes. After five failed login attempts, the device shall lock. The mobile device users shall contact the IT Help Desk to regain access.

A lost, stolen or misplaced Mobile Computing Device should be reported to the IT Help Desk immediately.

The employee is expected to use his or her devices in an ethical manner at all times and adhere to the STC Channels acceptable use policy as outlined.

1.1.13. Bring your own devices (BYOD)

STC Channels shall allow the use of personal devices (e.g., smartphones, tablets, laptops) for business purposes; the use should be supported by a defined, approved and implemented information security standard, additional staff agreements and information security awareness training.

Ensure that business and sensitive information of STC Channels is securely handled by staff and protected during transmission and storage when using personal devices.

The BYOD information security standard should be defined, approved and implemented, and compliance with the information security standard should be monitored.

Effectiveness of the BYOD information security controls should be measured and periodically evaluated.

Information regarding the restrictions and consequences for staff when STC Channels implements Information security controls on personal devices.

BYOD infrastructure shall isolate business information from personal information. And if applicable, the use of mobile device management (MDM) applying access controls to the device and business container and encryption mechanisms on the personal device.

1.1.14. Logging and Monitoring

Users shall be made aware that all activities on the IT resources are continuously monitored and periodically audited and that these records are archived. If necessary, these records shall be used as evidence in any legal or disciplinary action.

Logs must be retained online for 90 days and in archive for 5 years.

In the ordinary course of STC Channels business, email and web browsing are surveyed, archived and logged by system administrators to monitor network efficiency, provide virus protection, filter spam mail, and enforce data security and compliance.

1.2. Enforcement and Compliance

Violations against this policy will be subject to disciplinary actions in accordance with HR policies, Anti-cybercrime law, or other pertinent Saudi Arabian laws and regulations.

1.3. Exception

Information Security management has to approve any exceptions if needed. Otherwise, they will be considered deliberate violations (non-compliance) of this policy, and penalties shall subsequently be applicable.

1.4. Separability Clause

Any sections, subsections or parts of this policy that are deemed inconsistent with governmental regulations, or are deemed obsolete or superseded by subsequent pronouncements or policies of a competent authority such as the BOD, shall cease to be in effect to the exclusion of the other functional parts hereof, which shall remain in force and effect unless thereby revoked.

1.5. Governing Law & Jurisdiction

The context of this policy, including resolution of disputes arising therefrom, shall be governed by, and construed, under the laws of the Kingdom of Saudi Arabia without reference to conflict of law principles.