Information Security Policies
Purpose
The purpose of this policy is to ensure the protection of the university’s information assets, maintain their confidentiality, integrity, and availability, and ensure that information security measures align with the university’s operational procedures. It also aims to raise awareness among employees about the importance of information security within UTAS-Sur.
Scope of the Policy
This policy applies to all members of UTAS-Sur, whether on a temporary or permanent basis, as well as any third parties working with or contracted by the university. It covers all environments where the university’s information systems are operated.
Executive Responsibility
Information Systems and Educational Technologies Center.
Policy Custodian
Assistant Vice Chancellor for UTAS – Sur.
Enforcement
Any violation of this policy by any member or third party (suppliers, contractors, business partners, etc.) will be subject to disciplinary and legal actions in accordance with the laws of the Sultanate of Oman, including regulations related to cybersecurity, the university’s policies, labor laws, and electronic transactions.
Policies and Controls
- The university must consider information security a fundamental component in achieving its operational goals.
- The protection of the university’s information assets is an essential priority, ensuring their confidentiality, integrity, and availability to authorized personnel only.
- The university seeks to implement a comprehensive information security framework to safeguard critical systems and data from internal and external threats.
- The university’s information security policies aim to ensure compliance with national laws and cybersecurity regulations in the Sultanate of Oman.
- All employees must adhere to established security controls to prevent unauthorized access, data breaches, or cyber threats.
- Employees are prohibited from sharing sensitive information outside the university network without appropriate authorization.
- Security measures shall be continuously reviewed and updated in accordance with evolving cybersecurity threats and best practices.
- The usage of removable storage devices (such as USB drives) and unapproved external storage media shall be restricted to prevent unauthorized access and data leakage.
- Awareness and training programs should be conducted to educate employees about all information security incidents and vulnerabilities.
- The university shall establish a mechanism for classifying its information assets and determining the level of confidentiality required for different types of data. Access to classified information shall be restricted to authorized personnel only, based on their responsibilities.
- The university shall apply security classifications to its data based on the level of sensitivity and impact of potential breaches.
- The university shall ensure that all security controls are in place to protect against unauthorized access, data breaches, security vulnerabilities, and cyber threats.
- All members shall be required to comply with security guidelines for handling confidential information, including printed documents, emails, and digital files.
- The university shall implement a comprehensive information security risk management framework to identify threats, vulnerabilities, and risks to its information assets, ensuring appropriate mitigation strategies are in place.
- Regular risk assessments shall be conducted to evaluate potential security threats and their impact on the university’s operations.
- Security measures shall be continuously improved in alignment with evolving cybersecurity threats and best practices.
- The university shall develop and enforce policies that restrict unauthorized use of information systems, ensuring that security protocols are followed.
- Security incidents shall be documented and analyzed to prevent future occurrences, with corrective actions taken as necessary.
- Employees shall be made aware of their responsibilities regarding information security through mandatory training and awareness programs.
Effective Date of the Policy
This policy shall take effect from the approval date.