Aims
Providing cybersecurity requirements as a way to reduce cyber risks related to the use of the systems and assets of IMSIU while protecting them from internal and external threats while considering the basic objectives of protection, i.e., to maintain the confidentiality, integrity and availability of information.
Furthermore, this policy aims to comply with the relevant cybersecurity, legislative and regulatory requirements, which is a legislative requirement stated in Clause No. 2-3-1 of the Basic Terms for Cyber Security (ECC-1:2018) issued by the National Cybersecurity Authority.
Scope of work and applicability
This policy applies to all IT assets, processes and functions at IMSIU. It also accounts for all users of information assets including temporary and permanent employees of IMSIU clients, advisors, suppliers, business partners and employees of contractors; regardless of their geographic location.
Policy Terms
1- General Terms
1-1 Information must be dealt with confidentially according to the specified classification, the data classification policy and the data and information security policy of IMSIU, while maintaining its safety and availability.
1-2 It is prohibited to violate the rights of any person or company protected by copyright, patent or other intellectual property or similar laws or regulations such as, among many others, installing unauthorized or illegal software.
1-3 Prints on common printers should not be left unattended.
1-4 External storage devices must be kept securely and appropriately.
1-5 It is forbidden to use a password of other users, including that of the user's manager or his/her subordinates.
1-6 Safe and neat desk policy must be followed; both the desktop and interface should be free of any classified information.
1-7 Disclosing any information of IMSIU, including data about systems and networks to any unauthorized entity or party, whether internal or external, is strongly disallowed.
1-8 Broadcasting information of IMSIU via the media and social networks without prior permission from the authorized person and the Public Relations Department is prohibited.
1-9 The systems and assets of IMSIU shall not be used for personal benefit and purposes or for any other reason that is not related to the work and activities of IMSIU.
1-10 Connecting personal devices to the internal organizational networks of employees and workers, and to the operating systems of IMSIU is prohibited without prior permission from the Cyber Security Administration and should be in accordance with BYOD Policy.
Note: (BYOD: i.e. Bring Your Own Device).
1-11 Any activities intended to bypass the security regulations of IMSIU, including anti-virus software, firewall and malware, shall be prohibited without prior permission and in accordance with the procedures adopted by IMSIU.
1-12 The Department of Cybersecurity reserves the right to monitor work-related systems, networks and personal accounts, and to periodically review them; to track compliance with cybersecurity policies and standards.
1-13 Hosting unauthorized persons to sensitive areas without prior permission is not allowed.
1-14 If information is lost, stolen or leaked, Cyber Security must be informed directly.
2- Protection of computers, Software and Printers
2-1 The use of external storage devices including flash USB memory or personal mobile devices is prohibited without prior permission from the Cybersecurity Department.
2-2 Any activity that would affect the efficiency and safety of systems and assets without prior permission from cyber security management, including activities that enable the user to obtain more advanced access and privileges, is forbidden.
2-3 If the working hours are over or the user is leaving the office for a while, the device must be secured by either locking the screen or signing out.
2-4 Classified information must not be left available in reachable places or to be accessed by unauthorized persons.
2-5 Installing external tools on a computer without prior permission from the Cyber Security Administration is not allowed.
2-6 For any suspicious activity that might harm the UNI's computers, software, printers or assets, the Cyber Security Administration must be notified.
2-7 The password for wired and wireless printers must be set and only shared with university staff, and the printers must be utilized for work purposes only.
2-8 Use of unlicensed software or other copyrighted intellectual property is prohibited.
2-9 Installing and downloading software and tools on the assets of IMSIU without prior permission from the Cyber Security Administration is prohibited.
3- Acceptable Internet Use
3-1 For any suspicious websites that must be blocked, the Cyber Security Administration should be informed; or vice versa.
3-2 Intellectual property rights should not be infringed while downloading information or documents for work purposes.
3-3 A secured and authorized browser must be used to access the internal network or the Internet.
3-4 Technologies that skip Proxy or Firewall to access the Internet are prohibited.
3-5 It is not allowed to use the intranet for unauthorized access to computers, information or services.
3-6 It is not allowed to use the Internet except for work purposes, including downloading media or files and using file-sharing software.
3-7 The Cyber Security Administration should be notified if there are computers connected to the Intranet while their shared folders are not protected.
3-8 Networking devices and tools, such as modems and switches, other than those provided by IMSIU must not be used as a source for the Internet.
3-9 The Cyber Security Administration should be notified when a cyber threat is suspected. Additionally, security messages that may be shown during Internet or Intranet surfing must be handled with caution.
3-10 Security screening for the purpose of detecting vulnerabilities is prohibited. This includes testing for penetration or monitoring IMSIU networks and systems or those of third parties without prior authorization from the Cyber Security Administration.
3-11 Operating file-sharing sites is prohibited without prior authorization from the Cyber Security Administration.
3-12 Accessing suspicious websites, including hacking sites, is not allowed.
4- Acceptable Use of E-mail and communications system
4-1 Operating e-mail, telephone, fax or electronic facsimile beyond work purposes is forbidden, per the Cyber Security Policies and Standards.
4-2 Sending, circulating, or writing messages containing inappropriate, unacceptable, or illegal content, not to mention circulated messages with internal and external parties, is prohibited.
4-3 Sensitive information sent via email or communication systems must be coded with encryption techniques.
4-4 The UNI's email should not be registered in any other unrelated websites.
4-5 If there are any e-mails that may carry harmful content to the UNI's system and assets, the Cyber Security Administration must be notified.
4-6 IMSIU reserves the right to disclose the contents of e-mails after obtaining the necessary permits from the competent authority and the Cyber Security Administration in accordance with the relevant procedures and regulations.
4-7 Suspicious or unexpected emails and attachments should not be opened even if they seem to be from reliable sources.
4-8 Personal e-mail accounts, such as Gmail, Hotmail, Yahoo, etc., must not be used in official correspondence or for work purposes.
5- Video Meetings and Web-Based Communications
5-1 Secured passwords must be chosen. It is advisable to maintain the passwords for the systems of IMSIU and its assets, and avoid using automatically saved passwords to log into the UNI systems.
5-2 It is prohibited to make non-work related calls or visual meetings without prior permission.
5-3 For non-business purposes, the office phone number shall not be used in social media applications (e.g. Business WhatsApp).
6- Password Use
6-1 Secured passwords must be chosen. It is advisable to maintain the passwords for the systems of IMSIU and its assets, and avoid using automatically saved passwords to log into the UNI systems.
6-2 Personal account passwords, such as those used for E-mail account and social media websites, shall be different.
6-3 Password sharing is prohibited by any means, including electronic correspondence, voice communications and even written papers. All users must not disclose their password to any other party, including co-workers and IT staff.
6-4 The password should be changed periodically, and in case a new password is provided to the user by the system administrator.
Policy Commitment
1- The Director of the Cyber Security Administration must ensure that IMSIU is adhering to this policy on an annual basis.
2- All employees of IMSIU must respectfully commit themselves to this policy.
3- A disciplinary action would be taken against anyone who might violate this policy; in respect to the procedures of IMSIU.