Security Policy Document

Uploaded by Kefa Mwita

An Information Security Policy document is a crucial component of any organization's efforts
to safeguard its data, systems, and assets. It provides a framework for defining the rules,
guidelines, and best practices that ensure the confidentiality, integrity, and availability of
sensitive information. Below, we'll outline the key components of an Information Security
Policy document and then create an Access Control Policy for Dedan Kimathi University.

Components of an Information Security Policy Document:

1. Policy Statement: This is the introduction of the document and should clearly articulate the
organization's commitment to information security. It should express the importance of
protecting information assets and the responsibilities of all employees and stakeholders.

2. Purpose and Objectives: Define the purpose of the policy and outline the specific
objectives it aims to achieve. This may include safeguarding sensitive data, ensuring
compliance with relevant regulations, and minimizing security risks.

3. Scope: Specify the scope of the policy, detailing the information, systems, and resources it
covers. It's important to clarify what is within the policy's jurisdiction and what is not.

4. Roles and Responsibilities: Describe the roles and responsibilities of individuals and
departments involved in implementing and enforcing the policy. This includes the Chief
Information Security Officer (CISO), IT administrators, and end-users.

5. Access Control Policy: Define the rules and guidelines for granting, revoking, and
managing access to information systems and data. This will be the main focus of the Access
Control Policy section.

6. Data Classification and Handling: Explain how data should be classified based on
sensitivity and how it should be handled, stored, and transmitted accordingly.

7. Incident Response: Outline procedures for reporting and responding to security incidents
or breaches, including incident escalation and notification processes.

8. Training and Awareness: Explain the organization's commitment to educating employees
about security best practices and the procedures they should follow to maintain information
security.

9. Physical Security: Describe the physical security measures in place to protect information
assets, including data centres, access controls, and surveillance.

10. Technical Security: Detail the technical security measures such as firewalls, encryption,
intrusion detection systems, and antivirus software that the organization employs.

11. Compliance: Ensure the policy addresses compliance with relevant laws, regulations, and
industry standards.

12. Policy Review and Updates: Specify the schedule and process for reviewing and updating
the policy to adapt to evolving security threats and technologies.

Access Control Policy for Dedan Kimathi University.

1. Purpose and Objectives

- The purpose of this Access Control Policy is to ensure the confidentiality, integrity, and
availability of Dedan Kimathi University's information assets.
- The objectives are to control and monitor access to university resources, prevent
unauthorized access, and enable legitimate users to perform their duties efficiently.

2. Scope

- This policy applies to all university employees, contractors, and external parties granted
access to the university's information systems and data.

3. Access Control Guidelines

- Access to university information systems and data will be based on the principle of least
privilege, meaning individuals will be granted access only to the resources necessary for their
roles.

- Authentication mechanisms such as strong passwords, multi-factor authentication, and
biometric verification will be implemented to verify the identity of users.

- Access rights will be reviewed regularly, and access privileges will be revoked or
modified when no longer needed.

- The university will maintain an access control list that documents authorized users and
their access levels.

4. User Responsibilities

- All users are responsible for safeguarding their access credentials and reporting any
suspicious activity or potential security breaches immediately.

- Unauthorized sharing of access credentials is strictly prohibited.

5. Monitoring and Enforcement

- The university will implement continuous monitoring of access logs to detect and respond
to any unauthorized access or suspicious behaviour.

- Violations of this policy will result in disciplinary action, including suspension of access
privileges and legal action when appropriate.
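
The monitoring described above can be made concrete. The following added example (not part of the original policy document) reviews a small constructed access log for two of the behaviours the policy calls out: repeated failed logins against one account, and one account successfully logging in from two different addresses within a few minutes, which is a common indicator of the credential sharing prohibited in section 4. The log line format, the sample lines and the thresholds (5 failures in 10 minutes, 2 addresses in 5 minutes) are assumptions chosen for illustration, not the university's real logging.

```python
"""Access-log review for the Monitoring and Enforcement section.

Constructed example: the line format, sample lines and thresholds are
assumptions, not Dedan Kimathi University's real logging or policy values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO-8601 UTC timestamp> user=<name> ip=<addr> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else (skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]}


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failed logins inside any `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def find_shared_credentials(events, window=timedelta(minutes=5)):
    """Accounts that logged in from two different addresses within `window`,
    something one person is unlikely to do; a credential-sharing indicator."""
    logins = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            logins[e["user"]].append((e["ts"], e["ip"]))
    flagged = set()
    for user, entries in logins.items():
        entries.sort()
        for i, (t1, ip1) in enumerate(entries):
            for t2, ip2 in entries[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip2 != ip1:
                    flagged.add(user)
    return sorted(flagged)


def review(log_text):
    """Parse a log text and return the accounts flagged by each check."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return {
        "bruteforce": find_bruteforce(events),
        "shared_credentials": find_shared_credentials(events),
    }


# Constructed sample log: jdoe fails five times in six minutes, kmwita logs in
# from two different addresses four minutes apart, asmith behaves normally.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z user=kmwita ip=10.0.5.21 result=OK
2024-03-04T08:00:30Z user=jdoe ip=41.89.10.5 result=FAIL
2024-03-04T08:01:02Z user=jdoe ip=41.89.10.5 result=FAIL
2024-03-04T08:01:35Z user=asmith ip=10.0.7.3 result=OK
2024-03-04T08:02:10Z user=jdoe ip=41.89.10.5 result=FAIL
2024-03-04T08:03:40Z user=kmwita ip=197.248.1.9 result=OK
2024-03-04T08:04:05Z user=jdoe ip=41.89.10.5 result=FAIL
this line is malformed and is skipped
2024-03-04T08:05:50Z user=jdoe ip=41.89.10.5 result=FAIL
2024-03-04T08:20:00Z user=asmith ip=10.0.7.3 result=OK
"""

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Both checks are deliberately simple sliding-window rules; in practice the flagged accounts would feed the disciplinary and incident response steps of sections 5 and 8 rather than trigger automatic lockout on their own, since an attacker who can cause failed logins could otherwise lock legitimate users out.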

6. Exceptions

- Access control exceptions must be approved by the appropriate authority and documented
for auditing purposes.

7. Policy Review

- This Access Control Policy will be reviewed annually or as needed to adapt to changing
security threats and technologies.

8. Incident Response:

- If a security incident occurs, the university will isolate the affected systems, notify its
incident response team, preserve logs and other evidence, conduct an investigation, and
communicate with those affected. Corrective measures will then be taken to prevent recurrence.

9. Data Encryption:

- Sensitive data will be encrypted at rest on university servers and in transit. Transmission
will be protected with TLS, and encryption modes that also provide integrity protection
(authenticated encryption) will be used so that tampering with stored or transmitted data is
detected, not just hidden.

10. Remote Access:

- Remote access will require VPN and multi-factor authentication, with strong password
policies. The university will monitor remote access and take immediate action against
unauthorized attempts.

11. Data Classification:

- Data is classified as either public, internal, confidential, or highly confidential, with
corresponding access controls.

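
As an added illustration (not part of the original policy document), the following Python sketch shows how the Access Control Guidelines of section 3 and the classification levels of section 11 can be encoded as policy-as-code: decisions default to deny, each role has an assumed classification ceiling, a documented exception (section 6) can raise that ceiling for one grant, confidential or higher data requires multi-factor authentication, and grants older than an assumed 90-day review interval are refused until re-approved. The roles, ceilings, resources, users, dates and review interval are constructed for the example and are not the university's real access control list.

```python
"""Policy-as-code sketch of the Access Control Guidelines (section 3) and
Data Classification (section 11): deny by default, least privilege by role,
classification ceilings, documented exceptions and periodic grant review.

Constructed example. Roles, ceilings, users, resources, dates and the
review interval are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Section 11: four classification levels, ordered by sensitivity.
CLASSIFICATION_RANK = {
    "public": 0,
    "internal": 1,
    "confidential": 2,
    "highly_confidential": 3,
}

# Assumed: the highest classification each role may be granted without a
# documented exception (section 6).
ROLE_CEILING = {
    "student": "internal",
    "lecturer": "confidential",
    "finance_clerk": "confidential",
    "it_admin": "highly_confidential",
}

REVIEW_INTERVAL = timedelta(days=90)  # assumed cadence for "reviewed regularly"


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass(frozen=True)
class Grant:
    """One entry in the access control list (section 3)."""
    user: str
    resource: str
    actions: frozenset
    approved_by: str
    last_reviewed: date
    exception: bool = False  # approved and documented exception (section 6)


def is_stale(grant, today):
    return today - grant.last_reviewed > REVIEW_INTERVAL


def is_authorized(user, resource, action, grants, roles, today, mfa_ok=False):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    role = roles.get(user)
    if role is None:
        return False, "unknown user"
    if resource.classification == "public" and action == "read":
        return True, "public resource"
    rank = CLASSIFICATION_RANK[resource.classification]
    for g in grants:
        if g.user != user or g.resource != resource.name or action not in g.actions:
            continue
        if is_stale(g, today):
            return False, "grant past review date; re-approval required"
        if rank > CLASSIFICATION_RANK[ROLE_CEILING[role]] and not g.exception:
            return False, "above role ceiling without documented exception"
        if rank >= CLASSIFICATION_RANK["confidential"] and not mfa_ok:
            return False, "multi-factor authentication required"
        return True, "explicit grant"
    return False, "no matching grant"


def grants_due_for_review(grants, today):
    """Grants that must be re-approved or revoked under the regular review."""
    return [g for g in grants if is_stale(g, today)]


# Constructed sample data.
RESOURCES = {
    "course_catalogue": Resource("course_catalogue", "public"),
    "staff_directory": Resource("staff_directory", "internal"),
    "exam_results": Resource("exam_results", "confidential"),
    "payroll": Resource("payroll", "highly_confidential"),
}
ROLES = {"jdoe": "student", "alecturer": "lecturer", "afinance": "finance_clerk"}
TODAY = date(2024, 3, 4)
GRANTS = [
    Grant("jdoe", "staff_directory", frozenset({"read"}), "ict_director", date(2024, 2, 1)),
    Grant("jdoe", "exam_results", frozenset({"read"}), "ict_director", date(2024, 2, 1)),
    Grant("alecturer", "exam_results", frozenset({"read", "write"}), "dean", date(2023, 10, 1)),
    Grant("afinance", "payroll", frozenset({"read"}), "finance_director",
          date(2024, 1, 15), exception=True),
]


def decide(user, resource_name, action, mfa_ok=False):
    """Evaluate one request against the sample access control list."""
    return is_authorized(user, RESOURCES[resource_name], action, GRANTS, ROLES, TODAY, mfa_ok)


if __name__ == "__main__":
    for req in [("jdoe", "staff_directory", "read", False),
                ("jdoe", "exam_results", "read", True),
                ("alecturer", "exam_results", "write", True),
                ("afinance", "payroll", "read", True)]:
        print(req, decide(*req))
    print("due for review:", [(g.user, g.resource) for g in grants_due_for_review(GRANTS, TODAY)])
```

Two points worth noticing: the student's grant to exam results is refused even though it is on the list, because the role ceiling is enforced independently of the grant, and the lecturer's valid-looking grant is refused purely because nobody has reviewed it within the interval, which is what turns "access rights will be reviewed regularly" from a statement into an enforced control.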
12. Acceptable Use Policy:

-Users are prohibited from personal use of resources, downloading unauthorized software,
and accessing restricted websites.

13. Physical Security:

-The university’s data centres and server rooms have biometric access, surveillance,
monitoring, and environmental controls to safeguard against physical threats.

By implementing this Access Control Policy, Dedan Kimathi University aims to maintain the
highest standards of information security and protect its valuable assets from unauthorized
access.
