Identity and Access Management Policy
Document Classification: Restricted
Version: 2.0
Date: 02/11/2025
Reference: National Cybersecurity Authority

Disclaimer:
This template was developed by the National Cybersecurity Authority as an illustrative example. It can be used as a reference guide, adapted and modified by the relevant entities at Najran University to meet applicable legislative and regulatory requirements. This template must be approved by the head of the entity or their designated delegate. The Authority disclaims responsibility for using this template as-is; it is provided solely for illustration.

Table of Contents:

  1. Purpose
  2. Scope
  3. Policy Items
    1. General Provisions
    2. Granting Access Privileges
    3. Sensitive and Critical Access Privileges Requirements
    4. Remote Access Provisioning
    5. Revocation and Modification of Access Privileges
    6. Review of User IDs and Privileges
    7. Password Management
    8. Password Protection
  4. Roles and Responsibilities
  5. Updates and Review
  6. Policy Compliance


1. Purpose:
Define the cybersecurity requirements for managing user identities and access privileges on Najran University’s information and technology assets, ensuring protection against cyber threats by focusing on information confidentiality, integrity, and availability. This policy is aligned with controls and standards issued by the National Cybersecurity Authority and relevant regulatory and legislative requirements.

2. Scope:
This policy applies to all information and technology assets at Najran University and to all employees (permanent, temporary, and contracted).

3. Policy Items:
3.1 General Provisions:

  1-1. Document and approve a mechanism for granting, modifying, revoking, and monitoring access privileges, and ensure it is enforced across Najran University’s information and technology assets.
  1-2. Create user identities in accordance with the legislation and regulations applicable to Najran University.
  1-3. Verify a user’s identity using a username and password before granting access privileges to Najran University’s information and technology assets.
  1-4. Ensure the confidentiality of user identities, accounts, and privileges; users (employees, third parties, or others) must keep their credentials private.
  1-5. Approve and periodically review a User Authorization Matrix based on the following access control principles:
    1. Need-to-Know and Need-to-Use
    2. Segregation of Duties
    3. Least Privilege
  1-6. Enforce identity and privilege verification controls on all information and technology assets through a centralized, automated access control system at Najran University, such as Active Directory Domain Services.
  1-7. Prohibit the use of generic (shared) user accounts to access Najran University’s information and technology assets.
  1-8. Ensure secure session management, including automatic session termination after a specified timeout period, session lockout, and session authenticity checks, in accordance with Najran University’s approved Identity and Access Management standards.
  1-9. Configure systems and sessions to terminate automatically after a specified timeout period, per Najran University’s approved Identity and Access Management standards.
  1-10. Configure systems and sessions to lock out after a set number of failed login attempts, per Najran University’s approved Identity and Access Management standards.
  1-11. Disable inactive user accounts after a predefined period, according to Najran University’s approved Identity and Access Management standards.
  1-12. Configure IAM systems to forward their logs to the centralized cybersecurity event monitoring system, in alignment with Najran University’s Security Event Logging and Monitoring Policy.
  1-13. Deny direct database access for sensitive applications to anyone other than authorized Database Administrators, following Najran University’s approved database security procedures.
  1-14. Document and approve service account management procedures, disable interactive (human) logins for service accounts, and review them periodically according to Najran University’s approved processes.
  1-15. Manage user privileges based on asset sensitivity and job requirements, taking applicable legislative and regulatory requirements into account before onboarding a user or updating a user’s account.
  1-16. Develop and maintain KPIs that continuously measure the correct and effective application of Identity and Access Management, to ensure access requirements are protected.


3.2 Granting Access Privileges:

  2-1-1. Grant access privileges only upon a formal request submitted via an approved form in the Cybersecurity Management system, endorsed by the relevant manager (direct supervisor or system owner), and detailing the system name, request type, privilege, and (if applicable) duration.
  2-1-2. Grant access to Najran University’s information and technology assets only after the required approvals have been obtained and all roles and responsibilities have been considered.
  2-1-3. Follow a standardized procedure to create user identities (User IDs) in a consistent format, for example first initial + “.” + last name, or a pre-assigned employee number from HR.
  2-1-4. Prevent concurrent logins from multiple workstations by the same user.
  2-1-5. Limit the number of unsuccessful login attempts, based on Najran University’s approved Identity and Access Management standards, to mitigate password-guessing attacks.


3.3 Sensitive and Critical Access Privileges Requirements:

  2-2-1. Assign system administrator (Sys ID) privileges based on job functions, ensuring segregation of duties.
  2-2-2. Enable password history tracking to record the number of password changes.
  2-2-3. Rename default or specialized accounts with critical or privileged access (e.g., “Admin,” “Root,” “Sys ID”) before deployment to production.
  2-2-4. Prohibit the use of privileged or critical accounts for Internet access.
  2-2-5. Enforce Multi-Factor Authentication (MFA) for user accounts with critical or privileged access to technical assets, in accordance with Najran University’s approved standards.
  2-2-6. Employ Privileged Access Management (PAM) solutions to protect sensitive technologies and critical privileges.
  2-2-7. Require MFA for access to sensitive systems, and monitor adherence by Najran University staff.


3.4 Remote Access Provisioning:

  2-3-1. Grant remote access to information and technology assets only after prior approval from the Cybersecurity Management Department, using MFA and secure, approved channels.
  2-3-2. Continuously record and monitor logs for all remote access sessions to information and technology assets.


3.5 Revocation and Modification of Access Privileges:

  2-4-1. Upon a user’s role change or termination at Najran University, HR must immediately notify IT to disable or update the user’s accounts and privileges, ideally through automated workflows.
  2-4-2. Prevent deletion of a user’s event logs or premature deactivation of their privileges; logs must be retained per Najran University’s Security Event Logging and Monitoring Policy.


3.6 Review of User IDs and Privileges:

  2-5-1. Review all User IDs and their usage on sensitive systems at least annually.
  2-5-2. Review all user privileges (User Profiles) and their usage on sensitive information and technology assets at least annually.


3.7 Password Management:

  2-6-1. Implement a strong password policy for all accounts at Najran University, in accordance with the approved Identity and Access Management standards and relevant regulatory requirements.
  2-6-2. Notify users prior to password expiration.
  2-6-3. Prohibit reuse of previously used passwords.
  2-6-4. Configure systems to force users to change their password on first login.
  2-6-5. Change all default passwords on information and technology assets before production deployment.
  2-6-6. Replace default SNMP community strings such as “Community,” “Public,” “Private,” and “System” with unique, secure values.


3.8 Password Protection:

  2-7-1. Store and transmit all passwords for information and technology assets using approved encryption methods, in accordance with Najran University’s Encryption Policy.
  2-7-2. Mask passwords on screen when users enter credentials.
  2-7-3. Disable the “Remember Password” feature on Najran University’s systems and applications.
  2-7-4. Prevent the use of dictionary-based or well-known passwords through defined controls.
  2-7-5. Deliver user passwords via secure, reliable, and approved methods.
  2-7-6. When a user requests a password reset by phone or any other method, verify the user’s identity before resetting the password, using approved security questions if needed.
  2-7-7. Protect the passwords of service accounts and privileged or sensitive accounts by storing them securely in sealed envelopes within a locked safe, or by using a Privileged Access Management solution.


4. Roles and Responsibilities:

  • Chief Cybersecurity Officer: Policy owner.
  • Cybersecurity Management: Review and update the policy.
  • Digital Transformation Agency and Knowledge Resources: Execute the policy.
  • Cybersecurity Management: Measure compliance with the policy.


5. Updates and Review:
The Cybersecurity Management Department shall review this policy annually or whenever there are changes to university policies, regulatory procedures, or relevant legislative and regulatory requirements.

6. Policy Compliance:

  • The Cybersecurity Management Department must regularly verify Najran University’s adherence to this policy.
  • All Najran University personnel must comply with this policy.
  • Any violation of this policy may result in disciplinary action according to Najran University’s procedures.