Information Security Policy (BUE-SEC)
Defines how BUE protects the confidentiality, integrity and availability of information systems and data across the Student Record System.
- Owner: Chief Information Security Officer
- Effective: 01 January 2026
1. Purpose & Scope
This policy establishes the security baseline for all systems, services and data processed by the BUE Student Record System (SRS), including hosted modules, integrations and any third-party processors acting on behalf of the University.
It applies to every member of staff, contractor, student, alumnus and partner who accesses the SRS or its data.
2. Access Control
Access is granted on a least-privilege basis using role-based access control (RBAC). Roles are stored in a dedicated user_roles table and enforced by Row-Level Security at the database tier.
Multi-factor authentication is required for all staff, finance and admin roles. Privileged accounts are reviewed quarterly by the IT Admin and Internal Audit.
Inactive accounts are automatically disabled after 90 days. Off-boarding revokes all entitlements within 24 hours.
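The arrangement described above, roles held in a user_roles table and enforced by Row-Level Security at the database tier, as an added PostgreSQL example that is not BUE's own schema or code. Only the user_roles table name comes from this policy; the student_grades table, the has_role() function, the role names and the app.user_id session variable are assumptions made for illustration.

```sql
-- Added example, not BUE's schema: least-privilege RBAC enforced with
-- PostgreSQL Row-Level Security (RLS). Assumptions: PostgreSQL 9.5+; the
-- application sets the session variable app.user_id to the authenticated
-- user's id inside each transaction; everything except user_roles is hypothetical.

CREATE TABLE user_roles (
    user_id uuid NOT NULL,
    role    text NOT NULL CHECK (role IN ('student', 'staff', 'finance', 'admin')),
    PRIMARY KEY (user_id, role)
);

CREATE TABLE student_grades (
    student_id uuid NOT NULL,
    module     text NOT NULL,
    grade      numeric(4, 1),
    PRIMARY KEY (student_id, module)
);

-- Identity of the caller for this transaction. current_setting(..., true)
-- returns NULL when the variable is unset, so an unidentified session
-- matches no rows: the checks below fail closed.
CREATE OR REPLACE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT current_setting('app.user_id', true)::uuid;
$$;

-- Does the caller hold the given role? SECURITY DEFINER runs as the
-- schema owner, who is not subject to user_roles' RLS (it is ENABLEd,
-- not FORCEd), so the lookup sees every row without recursing into a policy.
CREATE OR REPLACE FUNCTION has_role(wanted text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
    SELECT EXISTS (
        SELECT 1 FROM user_roles
        WHERE user_id = current_app_user() AND role = wanted
    );
$$;

-- user_roles: application users may read their own roles; with no
-- INSERT/UPDATE/DELETE policy, RLS denies all writes, so a user cannot
-- self-promote. Role changes go through the owner connection only.
ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
CREATE POLICY roles_self_read ON user_roles
    FOR SELECT USING (user_id = current_app_user());

-- student_grades: FORCE makes the policies apply even to the table owner.
ALTER TABLE student_grades ENABLE ROW LEVEL SECURITY;
ALTER TABLE student_grades FORCE ROW LEVEL SECURITY;

-- Students see only their own rows.
CREATE POLICY grades_self_read ON student_grades
    FOR SELECT USING (student_id = current_app_user());

-- Staff and admins see every row.
CREATE POLICY grades_staff_read ON student_grades
    FOR SELECT USING (has_role('staff') OR has_role('admin'));

-- Only admins may insert, update or delete grades.
CREATE POLICY grades_admin_write ON student_grades
    FOR ALL USING (has_role('admin')) WITH CHECK (has_role('admin'));

-- Usage, per transaction, from the application's (non-owner) database role:
--   BEGIN;
--   SET LOCAL app.user_id = '00000000-0000-0000-0000-000000000001';  -- placeholder id
--   SELECT * FROM student_grades;   -- RLS filters to what this user may see
--   COMMIT;
```

Two details matter for this pattern to hold: the application must connect as a database role that does not own the tables (owners bypass RLS unless FORCE is set), and the has_role() lookup must not itself be constrained by a policy that calls has_role(), which PostgreSQL rejects as infinite recursion; keeping user_roles on ENABLE rather than FORCE and letting the SECURITY DEFINER function run as the owner avoids that.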
3. Data Classification
Data is classified as Public, Internal, Confidential or Restricted. Student records, grades, financial data, biometric face vectors and national IDs are Restricted by default.
Restricted data must remain encrypted at rest (AES-256) and in transit (TLS 1.2+). Exports of Restricted data require finance/registry approval and are written to the audit log.
4. Cryptography & Key Management
All secrets (API keys, service-role keys, signing keys) are stored in the platform secret manager and never committed to source control.
Face biometric vectors are stored in a private bucket with restrictive RLS and rotated on the user's request via the face_vector_cleanup job.
5. Logging, Monitoring & Incident Response
All authentication events, integration calls and administrative actions are logged in audit_log and integrations_log with retention of at least 12 months.
Security incidents must be reported to the CISO within 24 hours. The incident response team triages, contains, eradicates and reports per the BUE-SEC-IR runbook, with a post-incident review within 10 working days.
6. Backup & Disaster Recovery
Production data is backed up continuously with point-in-time recovery for at least 7 days and daily snapshots retained for 30 days.
Disaster recovery exercises are performed twice a year against an RPO of 15 minutes and RTO of 4 hours for the SRS core.
7. Compliance
BUE-SEC aligns with ISO/IEC 27001 controls, NIST CSF and the Egyptian Personal Data Protection Law (Law No. 151 of 2020). Annual third-party assessments validate the control set.
8. Enforcement
Violations may result in disciplinary action up to and including termination, expulsion or referral to law enforcement. Suspected breaches must be reported immediately to security@bue.edu.eg.
Questions about this policy? Contact dpo@bue.edu.eg for privacy matters or security@bue.edu.eg for security disclosures.
