Network Policies

The activities of the Arab Lawyers Network are based on a set of accumulated policies that are continuously reviewed and updated, taking into account the protection of clients’ rights and the Network’s rights, as well as adherence to the regulations relevant to its activities, including the following:
First: Terms of Use of the Network Websites
The subscriber shall be obligated to preserve the intellectual property rights of this website, including all its contents, which are owned by Arab Lawyers Network Co. Ltd., including but not limited to the following:
1-1: The rights to collect these legal materials from their various sources, arrange, organize, and present them in the form of encyclopedias of Gulf laws and legislation are reserved to the Arab Lawyers Network.
1-2: The concept of compiling laws and regulations, together with all related legislation, regulatory bylaws, implementing regulations, ministerial resolutions, and circulars, into a single file, is intended to serve lawyers, legal consultants, and all subscribers of the website. This is aimed at facilitating reference to such materials collectively, simplifying research, and enabling the provision of comprehensive legal advice. It also includes the preparation of the legislation’s data in a panel at the beginning of the text, under the title “Identification Card,” and presenting the legislation (law) in accordance with its latest amendment, thereby saving dozens of hours of research.
1-3: The concept and rights relating to the gathering, arrangement, and classification of repealed laws and regulations and incorporating them into the encyclopedia, to facilitate access for those who may need to refer to such repealed legislation.
1-4: The concept and rights relating to the preparation of specialized legal files covering various topics in a single, comprehensive format for specialists.
1-5: The concept of the legal press file, including legal links deemed relevant by the website to any legal news.
1-6: The arrangement of judicial principles and precedents across various judicial bodies in the Gulf States in a manner that facilitates researchers’ access to required information.
1-7: Rights related to drafting contract templates, litigation forms, and other legal templates.
1-8: The subscription applies only to the completed sections of the website and does not extend to incomplete sections or advertisements.

2- The subscription is a personal right granted solely to the subscriber, allowing access to all website documents and services. The subscriber may, for personal use, print or copy documents electronically either directly through the website or via customer service (in the case of group subscriptions via IP Address), subject to the following conditions:
2-1: The purpose of enabling copying and printing is to maximize subscriber benefit and support dissemination of laws and regulations. Such copying or printing must be limited to personal use only. The website owner does not permit use for any other purpose, whether commercial or otherwise.
For entities subscribing via IP Address, copying must be requested through customer service according to agreed procedures and not directly through the website.
2-2: The subscriber must cite the source of the document whenever it is shared or attached to any documents.
2-3: Subscription places the subscriber under an obligation of integrity and direct responsibility for any violations or infringements, including excessive printing or copying beyond the limits approved by the website management under the Fair Use Policy, or any commercial exploitation of the website’s documents.
2-4: Under no circumstances does the website owner permit multiple parties to share one login credential or the hosting of the encyclopedia on a network of devices without prior approval.

3- The subscriber must safeguard their password and must change it immediately if it is compromised in any way.

4- For legal entities, access is limited to the manager or group head. Distribution of login credentials to employees is not permitted. Additional subscriptions may be arranged through a separate agreement.

5- Public libraries or libraries of government entities are not permitted to copy collections of laws and regulations, copy the encyclopedia, or copy any parts of the website for the purpose of displaying them to library visitors. It is only permissible to enable visitors and patrons of the library to access the website through a computer terminal.

6- Students must provide their university name, academic number, and a valid student ID in their own name when applying for subscription.

7- The term “printing” shall mean obtaining the legislation through all forms of printing, whether paper or electronic, which is permitted for subscribers within the limits of the Fair Use Policy.

8- The “Fair Use Policy” means that the maximum level of printing has been set to a rate not exceeding 100 pages per month or 1,200 pages per year.

General Provisions
1- The website administration shall have the right to suspend or cancel the subscription at any time, at its sole discretion, if it is established that the subscriber has violated the terms of this agreement, without prejudice to any of its other rights against the subscriber.
2- In the event of (abnormal) use of the website by exceeding the (Fair Use Policy), the subscriber acknowledges that they are in breach of the terms of this agreement and agrees to the website’s reports and their technical evidentiary value against them and third parties. The website shall have the right, in addition to any other rights stipulated in this agreement or under applicable laws and regulations, to immediately suspend the subscription without the subscriber being entitled to claim any remaining value thereof. The website shall also have the right to seek any other compensation it deems appropriate for any damages, whether direct or indirect.
3- The website administration shall have the right to take any measures it deems appropriate in the event of exceeding the (Fair Use Policy), ranging from disabling the copy and print features to any other measures it may deem necessary, particularly in cases of repeated violations of the Fair Use Policy limits.
4- The website administration shall have the right to change, delete, or amend any content on the website as it deems appropriate to achieve its interests and objectives or in relation to public interest. It shall also have the right to amend the terms of use and adjust pricing, while preserving the rights of subscribers.
5- The website management is committed to ensuring the accuracy of the legal materials published and subjects them to continuous review and monitoring. The subscriber acknowledges that the nature of digital operations, and any technical circumstances beyond the management’s control, may affect certain content. Accordingly, the Company’s liability is limited to proven gross errors directly resulting from its negligence, while the subscriber retains the right to compensation in accordance with the compensation policy set out in this document.
6- The subscriber acknowledges that subscription to the website may be completed as follows:
6-1: Paid subscription via Visa or MasterCard through the website, which is activated automatically upon payment.
6-2: Subscription may also be completed by transferring or depositing the subscription amount into the company’s accounts, subject to the following:
6-2-1: The deposit slip must include the full name of the applicant, their username, or their email address so that the administration can activate the subscription.
6-2-2: The administration will receive the subscription request; however, the subscription will not be activated until the administration receives a copy of the deposit slip via fax number 0097167478979.
The subscriber’s acknowledgment of the subscription method, means, and details releases the website from any consequences resulting from failure to comply with the above.

7- The subscriber acknowledges the usage instructions, including:
7-1: The subscriber may view their data and the remaining duration of their subscription and may update their information as desired.
7-2: If the subscriber forgets their password, they may reset it by clicking “Forgot Password,” entering their username and email address, and sending it to the administration. A message will then be sent to their email containing their password, provided the details match.
7-3: The website administration shall notify the subscriber of the upcoming expiration of their subscription within a reasonable period to allow renewal.
7-4: Applicable to subscribers of (Legal Grounds Service), whereby the subscriber acknowledges that they have reviewed the description of this service.

8- Any dispute arising between the subscriber and the website administration shall be referred to arbitration through the Riyadh Chamber of Commerce at its headquarters, and the provisions of this agreement shall govern the resolution of such dispute. This agreement shall be governed by the regulations and legislation in force in the Kingdom of Saudi Arabia.

Second: Usage Policy
Preamble
The Acceptable Use Policy aims to define acceptable practices regarding the use of company resources and data to ensure the confidentiality, integrity, and availability of information.
This policy applies to any individual, entity, or process interacting with company resources or client data.

Third: Acceptable Use Policy
- Employees are responsible for complying with the company’s policies when using the company’s data resources during official working hours or outside working hours. If requirements or responsibilities are unclear, assistance should be requested from the direct manager or the IT Department.
- Employees must immediately report any incidents, damages, or violations affecting the company’s assets or information to their direct manager or a member of the IT team.
Such incidents include, but are not limited to, the following:

- Technical incident: Any event harmful to information that results in failure, interruption, or loss of the company’s data resources.
- Data incident: Any potential loss, theft, or breach of company data.
- Unauthorized access incident: Any unauthorized access to the company’s data resources.
- Violation of company policies: Any potential breach of this policy or any other company policies, standards, or procedures.

- Employees must not intentionally engage in any activities aimed at:

- Intimidating, threatening, impersonating, or harming others.
- Degrading the performance of the company’s or its clients’ assets or data.
- Denying authorized employees access to the company’s data.
- Attempting to obtain additional resources or privileges beyond those assigned to them.

- Employees must not download, install, or run security software or tools that detect or exploit weaknesses in the company’s systems. By way of example and not limitation: employees must not run password-cracking programs, packet sniffers, port scanners, or any other unauthorized and unapproved software within the company.
- All projects, assets, intellectual property, and recorded data within the company, including reports, drawings, diagrams, software code, data, writings, technical information, and correspondence developed for the benefit of the company, shall be the exclusive property of the company.
- Encryption must be used in a manner that allows authorized company personnel to have prompt access to all data.
- The company’s assets, resources, and data are provided to facilitate company operations and must not be used for personal financial gain.
- Employees are expected to cooperate in incident investigations, including any governmental investigations.
- Employees must not intentionally access, create, store, or transmit any materials that the company considers offensive or inappropriate.

Fourth: Access Management Policy
- Employees are permitted to use only the company resources assigned to them by the company’s IT Department, and must not attempt to access any data or programs on the company’s systems for which they do not have explicit authorization or approval.
- All remote access connections to the company’s internal networks and environments must be conducted through Virtual Private Networks (VPNs) approved and provided by the company’s IT Department.
- Employees must not disclose any access credentials or connection information related to any individual within the company to any unauthorized person.
- Employees must not share personal authentication information, including:

- Account passwords
- Personal Identification Numbers (PINs)
- Smartcards
- Digital Certificates

- Access cards or keys that are no longer required must be returned to the company’s security personnel or direct managers.
- Loss or theft of access cards, security tokens, or keys must be reported to security personnel and company management as soon as possible.

Fifth: Authentication and Employee Password Policy
- All employees must maintain the confidentiality of their personal authentication information and passwords.
- All passwords must be selected in accordance with the following rules:

- All requirements must be met, including minimum length, complexity, and reuse history.
- Passwords must not be easily associated with the account owner by using items such as username, surname, relatives’ names, date of birth, etc.
- Passwords must not be the same as those used for personal purposes.
- Unique passwords must be used for each system.

- Passwords must meet the following standards:

- Must not be less than 8 characters, consisting of numbers, alphabetic letters, and special characters.
- Password validity must not exceed 90 days.
- Screen saver must activate after 5 minutes of inactivity.

- Passwords for user accounts must not be disclosed to any person.
- Company support staff must not request user account passwords.
- If the security or confidentiality of a password is in doubt, it must be changed immediately.
- Employees must not bypass password entry through the use of password-saving programs.

Sixth: Office and Screen Security Policy
- Employees must log out of applications or network services when they are no longer needed.
- Employees must log out of or lock computers and laptops when leaving the workplace.
- Confidential information must be removed or placed in a locked drawer or filing cabinet when the employee is absent or at the end of the workday.
- Personal belongings such as phones, wallets, and keys must be removed or placed in a locked drawer or filing cabinet when the employee is absent from the workplace.
- Filing cabinets containing confidential information must be locked when not in use.
- Laptops must be secured using a cable lock or placed in a drawer or cabinet when the employee is absent from the workplace or at the end of the day.
- Passwords must not be written down near the computer or in any easily accessible location.
- Copies of documents containing confidential information must be promptly removed from printers, photocopiers, and similar devices.

Seventh: Data Security
- Employees must use approved encrypted communication methods when transmitting confidential information over international information networks (the Internet).
- Only approved cloud computing applications may be used to share, store, and transfer confidential or internal information.
- Information must be shared, processed, transferred, stored, and disposed of appropriately based on its sensitivity.
- Employees must not conduct confidential discussions in public places, through unsecured communication channels, or in open offices.
- All electronic storage media containing confidential information must be disposed of securely; please contact the IT Department for guidance or assistance.

Eighth: Email Policy
- Automatic forwarding of emails outside the company’s internal systems (Auto Forwarding) is prohibited.
- Electronic communications must not contain anything that harms the reputation of the company or any of its clients.
- Employees are responsible for the accounts assigned to them and for any actions taken using those accounts.
- Employees must not use personal email accounts to send or receive confidential information relating to the company or any of its clients.
- Company email must not be used for any personal purposes.
- Company email must not be used for any unethical or socially inappropriate correspondence or any communication that violates applicable laws and regulations.
- Email must not be used to disclose any confidential company information.
- Employees must exercise caution when replying to messages, clicking links, or opening attachments included in electronic communications.

Ninth: Devices and Software Policy
- All devices must receive formal approval from the IT Department before connecting to the company’s networks.
- Software installed on company equipment must be approved by the IT Department and installed by IT personnel.
- Employees must not allow family members or other non-employees to access the company’s data resources.

Tenth: Internet Usage Policy
- The Internet must not be used to exchange confidential or internal company information unless confidentiality and integrity are ensured and the recipient’s identity is verified.
- The Internet and company resources must be used only for business-related purposes. Unauthorized activities include, but are not limited to:

- Entertainment games.
- Personal social media.
- Live streaming.
- Pornographic content.

- All policies applicable to internet use outside the company’s network must also be adhered to when using company computers.

Eleventh: Company Employees’ Mobile Device Usage Policy
- The use of personal mobile devices to connect to the company’s network is a privilege granted to employees only after formal approval by the IT Department.
- All mobile devices must have approved antivirus and anti-spyware software installed, with the personal firewall enabled.
- Confidential company information must not be stored on any personally owned mobile device.
- Any theft or loss of a mobile device used to create, store, or access confidential or internal information must be reported to company management immediately.
- All mobile devices must maintain up-to-date versions of all software and applications.
- All use of mobile devices related to company information resources may be monitored at the discretion of the company’s IT Department.
- IT Department support for personal mobile devices is limited to assisting with compliance with this policy. IT support may not assist in resolving device usage issues.
- The company reserves the right to revoke personal mobile device usage privileges in the event of non-compliance with the requirements set out in this policy.

Twelfth: Privacy Policy Between the Company and Its Employees
- Information created, sent, received, or stored on the company’s resources, assets, and devices is not private and may be accessed by the company’s IT personnel at any time, upon direction from executive management or human resources, without the knowledge of the user or the resource owner.

Thirteenth: Removable Media
- All use of removable media must be approved by the company’s IT Department prior to use.
- Personally owned removable media must not be used to store company information.
- Employees must not connect removable media from an unknown source without prior approval from the company.
- Any loss or theft of removable media containing company information must be reported to company management immediately.

Fourteenth: Social Media
- Communication via social media must be conducted in accordance with all relevant company policies.
- Employees are responsible for the content they publish online.
- Creating any public social media account intended to represent the company, including accounts that could reasonably be perceived as official company accounts, requires approval from the company’s communications departments.
- When discussing the company or matters related to the company, you must:
- Identify yourself by your name. Identify yourself as a representative of the company. Clarify that you are speaking in your personal capacity and not on behalf of the company, unless expressly authorized. Employees must not misrepresent their role within the company.
- When posting content related to the company on a personal platform, a disclaimer must be included. An example of a disclaimer is: “The views and content expressed are my personal opinion and do not necessarily reflect the position or opinion of the company.”
- Content published online must not violate any applicable laws (such as copyright, fair use, financial disclosure, and privacy laws).
- Personal information belonging to clients must not be published online.
- Employees authorized to publish, review, or approve content on the company’s social media platforms must follow the company’s social media management procedures.

Fifteenth: Patch Management Policy
Preamble
The Patch Management Policy document at Arab Lawyers Network aims to establish the rules governing updates in order to protect the company’s assets and properties, and includes the following:
1- All company digital assets must be updated and enhanced against any vulnerabilities.
2- The scope of patching and updates includes, but is not limited to: operating systems, applications, database systems, software components, etc.
3- All company systems and digital assets must remain continuously updated as quickly as possible.
4- Patches and updates must be examined to verify their compatibility with all system components before implementation.
5- Patches must be successfully tested on non-production systems before being deployed to production systems.
6- Backups of critical system data must be taken before installing new patches.
7- Updates to user devices are a shared responsibility between the employee and the IT Department.

Sixteenth: Network Asset Management Policy
Preamble
The Asset Management Policy document at Arab Lawyers Network aims to establish rules for controlling the hardware, equipment, software, applications, and data used by the company for itself and for the benefit of its clients. It includes the following:
1- All hardware, equipment, software, and applications must be approved and procured through the company’s IT Department.
2- All company website administration pages must be protected by usernames and passwords.
3- Software used by company employees must be properly licensed and have valid licenses.
4- Installation of software on company servers is the responsibility of the IT Department.
5- Only authorized cloud computing applications - approved by department managers - may be used to share, store, and transfer confidential or internal information.
6- Multi-factor authentication must be used when dealing with cloud services.
7- The IT Department is responsible for the periodic maintenance and repair of the company’s software assets, with all maintenance activities recorded.
8- No company assets or property may be removed from company premises without approval from company management.
9- Confidential company data must be transferred either by a designated company employee or by a delivery representative approved by the IT Department.
10- Company assets and property must be returned to the IT Department upon termination of any employee’s employment.
11- The use of employees’ personal mobile devices to connect to the company network is a privilege granted only after formal approval from the IT Department.
12- All mobile devices granted access to company data must maintain up-to-date versions of all operating systems and applications.

Seventeenth: Data Masking Policy
- Any data containing confidential or internal information must be adequately masked or rendered unusable before disposal or reuse, through the IT Department team.

Eighteenth: Backup Policy
1- Backup servers must be protected with usernames and passwords and remain under the custody of the IT Department only.
2- Backup processes must be repeated based on the importance of the data, its rate of renewal, and frequency of change.
3- Backup and data restoration operations must be documented in records maintained by the company’s IT Department.
4- Backups must be tested regularly to ensure they can be restored when needed.
5- Multiple copies of highly important data must be stored on separate media to reduce risks related to data corruption or loss.
6- Backup tapes must contain at least the following identifying information, which can be easily identified through labels:

- System name
- Creation date
- Responsible person’s contact details

Nineteenth: Access Control Policy
Preamble
The Access Control and Management Policy document aims to ensure the security of systems and data by defining principles and mechanisms for granting permissions, regulating access, and implementing authentication and identity verification procedures. This policy contributes to protecting sensitive data, reducing security risks, and ensuring compliance with regulatory requirements. By properly implementing the policy, a secure and reliable environment for information and operations within the company is established. It includes the following:
1. Access Management Policy for Internal Company Resources:
- Employees are permitted to use only the resources assigned to them by the company’s IT Department, and they must not attempt to access any data or programs on company systems for which they do not have explicit authorization or approval.
- All remote access connections to the company’s internal networks and environments must be conducted through approved Virtual Private Networks (VPNs) provided by the company’s IT Department.
- Employees must not disclose any access information or communication data related to any company personnel to any unauthorized person.
- Employees must not share personal authentication information, including:

- Account passwords
- Personal Identification Numbers (PINs)
- Smartcards
- Digital Certificates

- Access cards or keys that are no longer required must be returned to the company’s security personnel or direct managers.
- The loss or theft of access cards, security tokens, or keys must be reported to security personnel and company management as soon as possible.
2. Access Management Policy for Cloud Services:
- The use of cloud services by any party is not permitted without the knowledge and approval of the company’s IT Department.
- Default settings of cloud services must not be left unreviewed or unchanged.
- Cloud storage locations must never be left open, as this may allow hackers to view content simply by accessing the storage URL.
- If the cloud service provider offers configurable security controls, they must be used. Failure to select appropriate security options may expose both the user and the company to risk.
- Strong passwords must be used, consisting of a mix of letters, numbers, and special characters.
- All devices used to access cloud data must be secured, including smartphones and tablets. If data is synchronized across multiple devices, any one of them may become a weak point, exposing both the user and the company to risk.
- Cloud data must not be accessed via public Wi-Fi networks, especially if strong authentication is not in place. A Virtual Private Network (VPN) must be used to secure access to cloud services.
- Two-Factor Authentication (2FA) must be enabled for every login to any cloud service.
- Any cloud account must be disabled if it is no longer in use.

Twentieth: Password Policy
Purpose
The Acceptable Password Policy document at Arab Lawyers Network aims to protect accounts and personal information by defining requirements for password strength and complexity, and ensuring periodic password changes. This policy provides guidelines for company employees on how to choose secure passwords and avoid using easily guessable personal information. By complying with this policy, we can enhance the overall security of company assets and protect users’ sensitive information.
1- Passwords used for accessing the company network must be selected in accordance with the following principles:

1- Passwords must be changed every 90 days.
2- Passwords must be at least 8 characters long.
3- Passwords must include a balance of letters, numbers, and special characters (!@#$%^&*_+=?/~’;’,<>|).
4- Passwords must not be easily associated with the account owner, such as the username, relatives’ names, date of birth, etc.
5- Passwords must not consist of dictionary words or abbreviations.
6- Passwords must not be reused for a period of one year.

2- System-Level Passwords
All system-level passwords must comply with the following principles:

1- Passwords must be changed at least every 6 months.
2- All Admin accounts must have a minimum length of 12 characters and must include at least three of the following four elements: uppercase letters, lowercase letters, numbers, and special characters.
3- Passwords for accounts that do not expire must comply with the same requirements as Admin accounts.
4- Administrators must not bypass password policies for the sake of convenience.

3- Password Protection
1- The same password must not be used for multiple accounts.
2- Passwords must not be shared with anyone. All passwords must be treated as sensitive and confidential company information.
3- Passwords must not be included in emails or other electronic communications.
4- Passwords must not be disclosed over the phone to anyone.
5- Passwords must not be disclosed in surveys or security forms.
6- Passwords must not be shared with anyone, including colleagues, managers, or family members, even during leave.
7- Passwords must not be written down and stored anywhere in the office. Passwords must not be stored in a file on a computer or mobile device (phone, tablet) unless encrypted.
8- If there is any suspicion regarding the security of an account, the password must be changed immediately. If passwords are discovered or compromised, the IT Department must be notified.
9- Password entry must not be bypassed using auto-login, remember-me features, embedded scripts, or hardcoded passwords in client software. Some exceptions may be allowed for specific applications (e.g., automated backup processes) with IT Department approval.
10- Computers must not be left unattended without a password-protected screensaver or without logging out of the device.

Twenty-First: Subscription Cancellation, Suspension, and Termination Policy
1- The subscriber may request cancellation before account activation. In such case, the company is entitled to deduct administrative fees from the subscription amount.
2- After activation of the subscription and commencement of service use, the annual subscription fee is non-refundable. The subscription shall remain valid until the end of the paid term.
3- The company may suspend the subscription without refund in the following cases:

- Misuse of the account or sharing of login credentials.
- Violation of intellectual property rights of the content.
- Use of the service in a manner that harms the system or other subscribers.

4- The company shall not be liable for any delay or service interruption resulting from circumstances beyond its control, such as:

- General technical failures, including internet cable outages and similar incidents.
- Natural disasters resulting in internet service disruption.
- Telecommunication service outages.

5- In the event the subscriber is unable to access the Arab Lawyers Network encyclopedias or the service is completely halted due to technical reasons attributable to the company, the company shall compensate the subscriber by extending the subscription period by a duration equal to the number of days during which the service could not be used.
6- The compensation period shall be calculated based on the actual number of days during which the service was fully interrupted or inaccessible, and shall be added to the subscription period at no additional cost.
7- Compensation for downtime includes the following cases:

1. Technical or software failures leading to the suspension of servers or databases of the encyclopedias.
2. Service interruption resulting from defects in the company’s technical infrastructure, operating systems, or security systems.
3. Unscheduled maintenance or major updates requiring service suspension beyond normal maintenance limits.
4. Technical failures preventing the subscriber from logging into their account or accessing content in full.
5. Any major technical or operational failure attributable to the company’s systems resulting in the inability to utilize the encyclopedias generally.

8- Compensation shall not apply in the following cases:

1. Temporary service interruption for scheduled maintenance that has been announced in advance.
2. Failures or interruptions resulting from the subscriber’s internet connection, devices, or software.
3. Force majeure events or circumstances beyond the company’s control, such as natural disasters or general telecommunications failures.
4. Account suspension due to the subscriber’s violation of the terms of use or misuse of the service.