Information Protection Awareness

Information Protection 

Awareness

Contents

Information Security Overview 

Safe Computing Habits 

Social Media 

1- Social Networking Regulations and behavior 

Saudi Aramco Information Security Policies, Resources and References 

4 

4 

6 

6 

11

Information Security

Information Security Overview 

Information security is the practice of preserving the integrity, 

availability, and confidentiality of information system resources 

(includes hardware, software, firmware, information/data, and 

telecommunications). 

Attack against 

Confidentiality 

Interception 

It allows unauthorized 

users to access our data 

or system 


Availability 

Interruption 


users to make the assets 

unavailable 

Confidentiality 

Availability 

DATA 

Integrity 


Integrity 

Modification 


users to change consistency, 

accuracy, and 

trustworthiness of data 

over its entire life cycle. 

4

Safe Computing Habits 

1- Protecting User Accounts & Passwords 

Users must: 

Access Control 

User credentials (such as accounts and 

passwords) are the keys to access Saudi 

Aramco IT resources. Therefore, these 

credentials must be protected. 

• Treat all passwords as confidential. 

• Safeguard their passwords (e.g. by not 

writing down their passwords). 

• Keep their passwords to themselves and 

not share them with anyone, including 

administrative assistants or secretaries. 

• Report to their Computer Security 

Liaison (CSL) or Information Security 

Analyst (ISA) any suspected breach to 

their accounts, and must change their 

passwords immediately. 

2- Multi-Factor Authentication 

3- Remote Access 

Users must only use company-approved 

remote connectivity for accessing the 

corporate network. 

Smart Cards, Tokens and SMS 

Pass-Phrases are examples of multi-factor 

authentication that must be protected, 

users must: 

• Ensure that their mobile number is 

updated and current in the corporate 

phone directory in order to use 

multi-factor authentication and SMS 

services (Pass-Phrase). 

• Safeguard their assigned Smart Cards 

and Tokens. 

•Immediately report lost smart cards or 

tokens to their CSL. 

5

Internet Use 

King Abdulaziz Center supplied Internet 

and email services are available for 

communication on matters directly 

concerned with the business. 

2- Monitoring Internet Access 

Users of the King Abdulaziz Center’s Internet 

services understand and accept that their use 

of the Internet is being monitored and that 

data relating to the sites they have visited will 

be retained within a central database, access 

to which will be strictly controlled. 

For more information, refer to GI-299.210 

(Saudi Aramco Internet Use). 

1- Prohibited Internet Activities 

Users must not under any circumstances 

use Company internet service for 

the following: 

• Browsing internet sites that contain 

pornographic, adult material, gambling, 

prohibited drugs, violence, discrimination, 

offensive, or hate-based web sites, 

and hacker or malicious and harmful web 

sites. 

• Unauthorized access or attempts to 

break into any computer (cracking, 

hacking, etc.), whether of King Abdulaziz 

Center or another entity 

• Interference with or disruption of the 

Center computer or communications 

systems such as consuming the company 

internet bandwidth by massive download 

of non-business materials 

• Conducting or promoting a personal 

business for commercial purposes. 

• Downloading or distribution of copyright 

material or software. 

• Unauthorized passing of any the Center 

sensitive information to external or 

internal sources 

• Non-work related ‘chatting’ or ‘blogging’ 

• Establishing unauthorized connections 

to the corporate network that could allow 

users to gain access to King Abdulaziz 

Center’s systems and information 

6

1- Unacceptable E-Mail Use or behavior 

Examples of behaviors which are 

normally regarded as unacceptable: 

• Send non-business emails to large 

number of recipients or for the user’s 

gain. 

• Send any material in emails that is 

offensive or which is intended to or could 

have the impact of annoying, harassing 

or intimidating another person. 

• Represent (by email) personal opinions 

as those of the Company. 

• Transmit (by email) commercial or 

copyrighted materials belonging to 

parties outside of the Company, or the 

Company itself, without the express 

permission of the relevant party. 

• Reveal or publicize in emails any sensitive 

information which includes, but is 

not limited to financial information, 

databases and the information that 

include computer network access codes, 

customer information and business 

relationships. 

• Send unsolicited bulk email (SPAM) from 

Saudi Aramco’s email servers except as 

authorized to do so in the course of your 

work 

E-mail Use 

Use of email by King Abdulaziz 

Center’s employees is permitted and 

encouraged where such use is suitable 

for business purposes and supports 

the goals and objectives of the Center 

and its business divisions 

2- Monitoring E-Mail 

Users of King Abdulaziz Center’s email services 

understand and accept that their use of 

email is being monitored and that data 

relating to email will be retained within a 

central database, access to which will be 

strictly controlled. Details of specific email 

activity will only be disclosed to third parties 

as part of an ongoing and appropriately 

authorized investigation. 

7

1- Social Networking Regulations and 

behavior 

Social Media 

The Center staff must be aware that 

their actions captured through 

images, videos, blogs, or comments 

can affect our company’s image 

• Information published on social 

networking sites should not disclose 

Saudi Aramco’s intellectual property, 

trade secrets, or customer data and 

should comply with the company’s 

confidentiality and disclosure of proprietary 

data policies. 

• Personal blogs should have clear 

disclaimers that the views expressed by 

the author in the blog is the author’s 

alone and do not represent the views of 

the Center. 

• Discussions or comments must not 

contain negative remarks involving 

religion, politics, ethnic groups/cultures, 

family lifestyles, or the Government of 

Saudi Arabia. 

2- Monitoring E-Mail 

Users of King Abdulaziz Center’s email 

services understand and accept that their 

use of email is being monitored and that 

data relating to email will be retained 

within a central database, access to which 

will be strictly controlled. Details of 

specific email activity will only be 

disclosed to third parties as part of an 

ongoing and appropriately authorized 

investigation. 

8

1- Social Engineering – Phishing 

Phishing is an e-mail intended to 

convince you to handover personal 

details or perform an action in order to 

have control over your account or install 

spyware or other malicious software on 

your PC or network. 

2- Social Engineering – Pre-texting 

Social Engineering 

The purpose of social engineering 

is to secretly install spyware 

or other malicious software or 

trick you into handing over your 

passwords or other sensitive 

financial or personal information 

The attacker communicating over the 

phone or via e-mail would claim not to 

have time to go through normal channels 

because of an emergency or because he 

is afraid of getting in trouble. The attacker 

may also ask for help changing a 

password, claim to have forgotten the 

system password or claim to be a 

helpdesk or technical support agent who 

needs help getting an employee's user ID 

and password for a test or password reset. 

3- Social Engineering – Baiting 

The attacker leaves a malware infected 

on CD-ROM, DVD, or USB flash drive in a 

location sure to be found (bathroom, 

elevator, sidewalk, parking lot), gives it a 

legitimate looking and curiosity-piquing 

label, and simply waits for the victim to 

use the device. 

9

Proper responses 

• Never hand over information unless sure of whom 

it is going to. 

• Do not respond to suspicious e-mails 

• Do not click links or downloads in suspicious 

e-mails and do not forward to friends. 

• Do not connect suspicious USBs to The Center’s 

computer 

• Do not open found CDs or DVD on The Center’s 

computer 

• Report suspicious emails to anti-spam@aramco.com 

and the Center Information Protection 

Group 

PHISHING 

Username 

Password 

10

Protected Sensitive Information 

User Must: 

• Secure the Center information according to its classification. 

• Not duplicate, transmit, or disclose any sensitive information 

without authorization. 

• Encrypt sensitive information stored in removable media. 

• Encrypt emails that contain sensitive information. 

• Use secure information sharing mechanisms with any third party. 

• Securely dispose or sanitize electronic storage devices/media used 

for storing non-public information. 

• Securely destroy or shred paper records containing protected data. 

Data Types and Protections 

All Information and data related to 

the operations and activities of King 

Abdulaziz Center and its employees, 

regardless of the form or media in 

which the information is recorded 

or maintained must be protected 

Data Classification 

and Handling of Sensitive 

Information 

The Data Owner is responsible for 

classifying information or data 

and assigning it the appropriate 

classification in accordance with 

corporate policies 

11

Classification Categories Summary Table 

Classification level 

Non-Business Use 

information 

Public information 

Use And Rules 

Information that does not relate to the Company’s 

business or operation 

Company information approved by Public Relation 

Department (PRD) and intended for general distribution 

inside and outside the Company. 

Company General Use 

information 

Material designed for distribution to Company and 

contractor employees that will be used in Company-related 

business functions. 

Confidential information 

Company information intended for disclosure/release 

to limited Company and Contractor employees that 

will be used in Company related business function on 

a need-to-know basis. 

Government Confidential 

information 

Disclosure may impact the security of not only the 

Company but also the Kingdom; or may negatively 

impact the Kingdom’s political interests, foreign 

relations, income and/or the business environment 

generally. 

12

User Must: 

• Ensure that important business 

data in their workstations/laptops is 

backed up. 

• Exercise due diligence to protect 

backup data when stored in removable 

media (USB flash drive or External 

hard drive). 

Password 

Passwords are the primary means 

of security for computer users. 

Backup of Business 

Data 

All devices containing vital 

company information should be 

backed up regularly to minimize 

business disruption in the event 

of loss or physical damage 

User Must: 

• Use a lengthy password that is not less 

than seven characters and difficult to 

guess 

• Use a combination of numbers, characters 

and symbols (such as # or @) 

• Do not use personal information, such 

as a phone number or the name of a 

relative 

13

Proper Use and Protection 

of IT Assets 

Users are responsible for taking 

all reasonable measures to 

appropriately use and secure all 

Company assets assigned for 

their use regardless of the 

location 

Reporting Security 

Incidents 

The reporting of a computing 

incident must be done promptly to 

ensure that the appropriate measures 

can be taken to protect King 

Abdulaziz Center resources. 

User Must: 

• Use IT assets for business only. 

• Store IT assets in a hidden location 

when left unattended in a vehicle. 

• Not leave mobile devices unsecured 

in any office overnight. 

• Use PIN codes to protect Company’s 

mobile devices. 

• Safeguard hardcopies of business 

documents according to their data 

classification. 

• Report lost or stolen IT assets to 

their CSL. 

If any user suspects a computer 

security incident, implicating 

an individual, they must 

contact the The Center Information 

Protection Group (ISA 

and AISA) 

14

Mandatory E-Learning 

Training 

The e-learning courses are 

designed to assist all staff in 

understanding Saudi Aramco key 

information security policies, 

secure practices and the acceptable 

use of computer assets. 

In order to develop and raise the 

information security culture 

within the Center, two e-learning 

courses are mandated to be taken 

by all staff 

• Phishing Assessment (00005776) 

• Information Security Essentials 

(40059587) 

Include: 

Violations 

Users hold in violation to what is 

mentioned in this booklet will be 

subject to disciplinary actions 

• Suspending or revoking of access (e.g. 

internet access, extranet access, 

privilege access … etc.) 

• Removing of assigned IT assets (e.g. 

laptop, mobile device … etc.) 

• Forcing user to attend IT security 

training (e-learning) 

• Delivering an IT security related 

presentation 

• Corrective Guidance Report 

(SA2004-) 

• Warning Notice (SA3247-) 

• Dismissal Warning Notice (SA3248-) 

15

Saudi Aramco Information Security Policies, 

Resources and References 

The following documentations are also applicable to Information 

Protection within Saudi Aramco: 

• Data Protection and Retention Policy (INT7-) 

• Information Protection General Instructions 

• Information Protection Manual 

• Process Automation Networks & Systems Security (SAEP99-) 

• Process Automation Networks Connectivity (SAES-Z010-) 

• Saudi Aramco Computer Use Policy (SA9595-) 

• Saudi Aramco Computer Use Agreement (Non-Employee) 

(SA9696-) 

16

Information Protection 

Awareness 

Technology Operation Support Division-Information Protection Group

Information Protection Awareness

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?