Logical Access Management Policy
Purpose
The purpose of this policy is to ensure proper logical access control to the information systems and data at UTAS-Sur.
Scope of the Policy
This policy applies to all members of UTAS-Sur, whether on a temporary or permanent basis, as well as any third parties working with or contracted by the university. It covers all environments where the university’s information systems are operated.
Executive Responsibility
Information Systems and Educational Technologies Center.
Policy Custodian
Assistant Vice Chancellor for UTAS – Sur.
Enforcement
Any violation of this policy by members or third parties (suppliers, contractors, business partners, etc.) will be subject to disciplinary and legal action in accordance with the laws of the Sultanate of Oman, including regulations related to cybersecurity, the university’s policies, labor laws, and electronic transactions.
Policies and Controls
Access Control:
- Members must be granted access only to the information systems necessary to perform their duties.
- Access permissions must be assigned using user groups rather than granting direct access to individual users.
- Each user must obtain authorization from the owners (system administrator) before accessing university information systems.
Password and User Authentication:
- All user accounts must have a unique username and password.
- Users are strictly prohibited from sharing their credentials with others.
- Passwords must adhere to strong security guidelines, including length and complexity requirements.
- Passwords must be changed every 180 days, with a 90-day change cycle recommended.
- The system must enforce an automatic password reset upon first login.
- Passwords must be encrypted in storage and transmission.
Privileged Account Management:
- Administrative and high-privilege accounts must be limited to a small number of authorized personnel.
- Role-based access control (RBAC) should be implemented to prevent excessive access permissions.
- System administrators must conduct periodic reviews of privileged accounts to ensure compliance.
User Access Review and Revocation:
- User access rights must be reviewed regularly to ensure they align with job responsibilities.
- Access rights must be revoked immediately upon employee resignation, termination, or role change.
Secure Remote Access:
- Remote access to university information systems must be granted only when necessary and must follow strict security protocols.
- All remote access activities must be monitored and logged.
- A VPN must be used for remote access.
Effective Date of the Policy
This policy shall take effect from the approval date.