AUP Form 1.7 Saif

Uploaded by manroozaniqbal

ACCEPTABLE USAGE POLICY – IT

Version 1.7

Date
July 27th, 2024

Version
1.7

Reviewer
Medhat Adel

Approver
Mohammed Shaheen
Table of Contents

1. Scope
2. User Acceptance Form
3. End-User System Usage Policy
4. Network and File Service Usage Policy
5. Email Services Usage Policy
6. Asset Management
7. Patch Management
8. Secure Internet Usage Policy
9. Social Media Security Policy
10. Mobile Phone Usage Policy
11. Off Boarding Policy
12. Incident Management Policy Related to SAUDI ARAMCO
13. Disciplinary Action


3. End-User System Usage Policy

Password Policy Adherence

a. Overview
Passwords are an important aspect of computer security. They are the front line of
protection for user accounts. A poorly chosen password may result in a compromise of ABC’s
entire network. As such, all ABC employees (including contractors and vendors with access to
ABC’s systems) are responsible for taking the appropriate steps, as outlined below, to select and
secure their passwords.

b. Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords,
the protection of those passwords, and the frequency of change, in order to secure all assets
assigned to Ashi & Bushnag personnel or used to access Ashi & Bushnag infrastructure.

c. Scope
The scope of this policy includes all personnel who have, or are responsible for, an account
(or any form of access that supports or requires a password) on any system that resides at any
ABC facility or has access to the ABC network.

d. Policy

1. General

▪ All system-level passwords (e.g., root, enable, network administrator, application
administration accounts, etc.) must be changed at least every 90 days.
▪ All production system-level passwords must be part of the Information Security-administered
global password management database.
▪ All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least
every 90 days, and none of the past 12 passwords may be reused.
▪ Passwords must not be inserted into email messages or other forms of electronic
communication.
▪ All systems must have an account lockout threshold of 10 invalid login attempts.
▪ All systems must have screen saver settings that automatically lock the session within 15
minutes of inactivity.

2. Guidelines

Password Construction Requirements:

▪ Be a minimum of eight (8) characters, including alphanumeric and special characters, on all
systems.
▪ Not be a dictionary word or proper name.
▪ Not be the same as the User ID.
▪ Expire within a maximum of 90 calendar days.
▪ Not be identical to the previous ten (10) passwords.
▪ Not be transmitted in the clear or in plaintext outside the secure location.
▪ Not be displayed when entered.
▪ Be reset only for the authorized user.
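The construction requirements above can be enforced mechanically at password-change time. The following is an added example written for this edit, not code from the policy or from Ashi & Bushnag: it checks a candidate password against the minimum length, the alphanumeric-plus-special-character rule, a dictionary/proper-name list, the User ID, the ten-password history, and the 90-day expiry. The word list and the stored history are constructed sample data; a real deployment would plug in an actual dictionary and the account's stored history.

```python
"""Password construction checker for the Guidelines section of the AUP.
Added example, not part of the policy document. DICTIONARY and the
history contents below are constructed sample data."""

import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8       # "minimum of eight (8) characters"
HISTORY_DEPTH = 10   # "not identical to the previous ten (10) passwords"
MAX_AGE_DAYS = 90    # "expire within a maximum of 90 calendar days"

# Constructed stand-in for a real dictionary / proper-name list (assumption).
DICTIONARY = {"password", "welcome", "summer", "riyadh", "ahmed", "company"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that history entries are never stored in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords for one account."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.last_changed: Optional[date] = None

    def add(self, password: str, changed_on: date) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        self._entries = self._entries[-HISTORY_DEPTH:]  # keep only the last ten
        self.last_changed = changed_on

    def contains(self, password: str) -> bool:
        # Constant-time compare against every retained entry.
        return any(hmac.compare_digest(_hash(password, salt), h)
                   for salt, h in self._entries)

    def expired(self, today: date) -> bool:
        # Expiry rule: 90 calendar days since the last change.
        if self.last_changed is None:
            return True
        return today - self.last_changed > timedelta(days=MAX_AGE_DAYS)


def check_password(candidate: str, user_id: str, history: PasswordHistory) -> List[str]:
    """Return the list of violated requirements; an empty list means acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("must contain at least one special character")
    # Strip digits and punctuation so that "Password1!" is still caught.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("is a dictionary word or proper name")
    if candidate.lower() == user_id.lower():
        problems.append("is the same as the user ID")
    if history.contains(candidate):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("OldPass#2023", date(2024, 1, 1))       # constructed sample history
    for pw in ("OldPass#2023", "Password1!", "Xq7#mLz9pW"):
        print(pw, "->", check_password(pw, "saif", hist) or "OK")
    print("rotation due:", hist.expired(date(2024, 7, 27)))
```

The checker returns every failed rule rather than stopping at the first one, so the user sees the full list of corrections in a single attempt; the history compares hashes, never stored plaintext, which also satisfies the "do not store passwords in a file unencrypted" rule later in this section.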

3. Password Deletion

All passwords that are no longer needed must be deleted or disabled immediately. This includes,
but is not limited to, the following:
▪ When a user retires, quits, is reassigned, released, dismissed, etc.
▪ Default passwords shall be changed immediately on all equipment.
▪ Contractor accounts, when no longer needed to perform their duties.
When a password is no longer needed, the following procedures should be followed (see the User
Account Access Validation Policy for additional information/requirements):
▪ Employee should notify his or her immediate supervisor.
▪ Contractor should inform his or her point-of-contact (POC).
▪ Supervisor or POC should fill out a password deletion form and send it to [agency’s POC].
▪ [Agency’s POC] will then delete the user’s password and delete or suspend the user’s account.
▪ A second individual from the department will check to ensure that the password has been
deleted and the user account was deleted or suspended.
▪ The password deletion form will be filed in a secure filing system.

4. Password Protection Standards

Do not use your User ID as your password. Do not share ABC passwords with anyone,
including administrative assistants or secretaries. All passwords are to be treated as sensitive,
Confidential ABC information.
Here is a list of “do nots”:
▪ Don’t reveal a password over the phone to anyone.
▪ Don’t reveal a password in an email message.
▪ Don’t reveal a password to the boss.
▪ Don’t talk about a password in front of others.
▪ Don’t hint at the format of a password (e.g., “my family name”).
▪ Don’t reveal a password on questionnaires or security forms.
▪ Don’t share a password with family members.
▪ Don’t reveal a password to a co-worker while on vacation.
▪ Don’t use the "Remember Password" feature of applications.
▪ Don’t write passwords down and store them anywhere in your office.
▪ Don’t store passwords unencrypted in a file on ANY computer system.
If someone demands a password, refer them to this document or have them call [list name
of Information Security Officer (ISO) or Agency POC]. If an account or password is suspected to
have been compromised, report the incident to [name of ISO or POC] and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by the MSP/FBI
or [ABC’s Security Department or POC]. If a password is guessed or cracked during one of these
scans, the user will be required to change it.

5. Application Development Standards

Application developers must ensure their programs contain the following security precautions:
▪ Should support authentication of individual users, not groups.
▪ Should not store passwords in clear text or in any easily reversible form.
▪ Should provide some sort of role management, such that one user can take over the function
of another without having to know the other’s password.
▪ Should support Terminal Access Controller Access Control System+ (TACACS+), Remote
Authentication Dial-In User Service (RADIUS), and/or X.509 with Lightweight Directory Access
Protocol (LDAP) security retrieval, wherever possible.

6. Remote Access Users

Access to the ABC’s networks via remote access is to be controlled by using either Virtual Private
Network (in which a password and user id are required) or a form of advanced authentication (i.e.,
Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).

7. Penalties

Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.

Other Related Resources:


▪ Physical Protection Policy (Required)
▪ User Account – Access Validation Policy (Required)

4. Network and File Service Usage Policy

Data Access and Storing


1. Any employee must not write down, electronically store, or disclose any password or
authentication code that is used to access Assets or Critical Facilities.
2. Users can access their files from the server only using the user id allotted to them by the
Information Technology Department.
3. Users should use passwords, which are hard to guess.
4. Users should not reveal their password to anyone else in COMPANY or outside.
5. Company users should remember their passwords but should not write down their
passwords.
6. All users should note that they shall be solely responsible to COMPANY for any misuse of
their passwords by anyone inside or outside COMPANY.
7. Disclosure of Saudi Aramco data is strictly prohibited. The user is responsible for protecting the
confidentiality of Aramco’s information and technology assets as per existing cybersecurity
policies and requirements.
8. Installation and use of any VPN or remote access software is prohibited.

5. Email Services Usage Policy

1. ABC email system is made available primarily for work-related use. Users should use the
email in a responsible manner and according to ABC Communications Security Policy
2. Two-Factor authentication will be enforced on all remote access, including access from the
Internet to Third Party Company computing resources.
3. User should not use his/her personal emails for work related activities. Users must inform
personnel, in keeping with Company Policy, that using personal email to share and transmit
ABC data is strictly prohibited.
4. User should not share or exchange information/data in form of files and documents that may
cause legal liability or harm the reputation of ABC.
5. User should not use his/her business email provided by ABC email system for any personal
use including but not limited to registering on public websites, internet services, social
platforms, etc.
6. User should make proper arrangements when he/she goes on leave, including assigning a
corresponding person to receive incoming emails and take authorized actions if required in
accordance with respective business roles. User shall configure an Out of Office (OoO) message
while on vacation or leave. However, I acknowledge that the same shall be practiced with
caution. Outsiders can misuse excess information about one’s absence. Complete
information (like return date, phone number, etc.) shall be sent ONLY within the ABC
(internal) domain. However, the name and e-mail address of the point of contact can be sent
outside the ABC domain.
7. At the time of resignation, the User should not send a parting email to all Users of Ashi and
Bushnag Co. for Contracting (Closed Joint Stock) which is strictly prohibited.
8. Use of the email service is checked by the Information Technology Department to ensure that
no illegal/offensive/criminal activities are being discussed over the corporate mail system.
9. Users who need to communicate with other users in Ashi & Bushnag Company or with
persons outside the company will be provided with an email service.
10. User will promptly report all suspected security vulnerabilities or related issues through email
to the Cybersecurity Department.
11. User shall follow and obey information classification tagging while sharing ABC business
related information/data internally or externally.
12. Email service will be supplied only by the Information Technology Department.
13. Such email service access will be controlled through a user id and password.
14. In light of this monitoring, users must ensure that all communication is restricted to business
use. User should not send e-mails that have offensive content (including offensive comments
about gender, sexual orientation, pornography, etc.).
15. ABC management has the authority to intercept, disclose, or aid in intercepting or disclosing
email communication.
16. User should not use ABC systems to produce or distribute chain emails.
17. User should not forward or divert emails from an ABC business email account to any non-ABC
user’s email account.
18. Using personal email to share and send Saudi Aramco data is strictly prohibited.

6. Asset Management

1. Software applications will be role-based access controlled (RBAC) to ensure that only
authorized users have access to specific functions and data.
2. Regular audits will be conducted to review user access levels and adjust permissions
as necessary.
3. All authorized users must change their passwords every 90 days and cannot reuse
any of their last 12 passwords.
4. Multi-factor authentication (MFA) must be enabled for all software applications,
especially those accessing sensitive data.
5. All hardware assets, such as servers, workstations, and mobile devices, must be
secured in a physically safe environment.
6. Access to hardware assets should be restricted to authorized personnel only.
7. Only an authorized user will have access to his/her asset and will ensure that his/her
password is not compromised.

7. Patch Management

1. Set the update mode to automate the installation of patches, or apply them manually. The
anti-virus and other security components need to be checked and updated to the latest version,
or their updates should be automated.
2. If the OS is Windows, the patch management tools should be configured to automatically
download the latest Microsoft security patches. The patches will be reviewed and applied as
appropriate.
3. Periodically review the websites of the suppliers of servers, PC tablets, printers, switches,
routers, and other peripherals for firmware patches.
4. It is the user’s responsibility to check all patch updates periodically, as trained, and to take
ownership of all automatic updates, including operating systems, software, anti-virus,
workstation patches, and device drivers.

8. Secure Internet Usage Policy

1. Users who need to access the internet will be provided with internet services by the
Information Technology Department.
2. All Cloud services are accessed via MFA (Multi-Factor Authentication) under the supervision
of ABC IT Department and pre-approval is needed for ABC IT management to allow such
services.
3. User should not download any shareware or freeware or any other software from the internet.
4. Users should not change the internet connection settings by themselves.
5. User should use the internet service connection for the official work only and that too
judiciously.
6. Users should not use internet service for doing personal chat or going to sports-oriented sites
or use internet services for any personal purpose.
7. Users should not access sites not connected with Ashi and Bushnag Co. for Contracting
(Closed Joint Stock)
8. Users must not download audio or video files onto the company network, as this causes
congestion in internet traffic.
9. Streaming of audio and video is also prohibited.
10. All users will have updated anti-virus installed on their systems.
11. Anyone without the anti-virus system will not be provided internet access.
12. Any user who has a laptop holding Ashi and Bushnag Co. for Contracting
(Closed Joint Stock) information must always have an anti-virus installed with
complete components up and running.
13. Scheduled scans will be configured as a scheduled task.
14. Installed anti-virus software will be monitored to determine when the last updates and full
system scan were performed.
15. Users are personally responsible for protecting the data and information on the IT resources
being used by them. Users should not switch off any tools/services set up on the IT resource by
the Information Technology Department, such as antivirus, firewalls, etc.

9. Social Media Security Policy

Ashi and Bushnag Co. for Contracting (Closed Joint Stock) will require users to take a
yearly mandatory Cybersecurity training that addresses acceptable use and good computing
practices. Training will address the following topics:

1. Internet and social media security.
2. Cybersecurity Acceptable Use.
3. Social Engineering and phishing emails.
4. Sharing credentials (i.e., username and password).
5. Data Security.

10. Mobile Phone Usage Policy

1. Corporate phones will abide by the internet usage policy from the network firewall.
2. Corporate phones will have MDM and anti-virus installed.
3. Personal phones will follow the internet usage policy and will be connected via a firewall.
4. Any web or App policy will be applied as per the Ashi and Bushnag Co. for Contracting
(Closed Joint Stock) norms and conditions.
5. IMs and other social apps will be blocked.

11. Off Boarding Policy

Review & Revoke

1. Access must be reviewed and revoked when users no longer need their access or are
transferred, re-assigned, retired, resigned, or no longer associated with COMPANY.
2. The Review & Revoke Access form must be used whenever any COMPANY user is
going on annual leave, transferred, resigned, retired, or no longer associated with
COMPANY.
3. COMPANY must inform Saudi Aramco when a user provided with SAUDI ARAMCO user
credentials no longer needs their access or is transferred, re-assigned, retired, resigned,
or no longer associated with the company.
4. All assets related to ARAMCO will be retrieved or revoked whenever any employee is
resigning, retired, or terminated.
5. The Review & Revoke Access form will be maintained mandatorily for all assets used to
process or store Saudi Aramco data and information, which must be sanitized by the end of the
DATA LIFE CYCLE or by the end of the retention period stated in the contract, if defined. This
includes all data copies, such as backup copies at any COMPANY site.
6. Ashi and Bushnag Co. for Contracting (Closed Joint Stock) will certify in writing to Saudi
Aramco that the data has been sanitized.

12. Incident Management Policy Related to SAUDI ARAMCO

Notify Aramco of the Incident

1) Initial Notification of Incident.

a) Ashi and Bushnag Co. for Contracting (Closed Joint Stock) will notify the Saudi Aramco
Security Operations Center (SOC) within two (2) hours of the discovery of any such
incident.
b) All notifications should be communicated to the SOC via the Saudi Aramco Security Hotline
at +966 (13)-880-0000.
2) Subsequent Notification of Incident.
After the initial notification, Ashi and Bushnag Co. for Contracting (Closed Joint Stock)
will notify Saudi Aramco of all incidents stemming from the initial incident
via the communication method agreed with the SOC during the initial notification.
3) Review and Identify
4) Immediate review of all recent changes and modifications to information system users and
access privileges for unauthorized modifications.
5) Conduct a thorough review of the Ashi and Bushnag Co. for Contracting (Closed Joint Stock)
information systems for evidence of compromise.

13. Disciplinary Action


The guidelines in this document must always be followed, not only to safeguard
the company’s confidential information but also to protect personal information from bad actors
inside and outside the organization.
Anyone not complying with or adhering to the SOPs defined in this document will be dealt with as
follows:
1. Verbal warning
2. Corrective Actions/Counseling
3. Official written reprimand
4. Disciplinary meeting with the appropriate supervisor or manager
5. Final written warning
6. Detraction of benefits
7. Indefinite suspension or demotion
8. Termination
