  • 3 Control Requirements

    • 3.1 Cyber Security Leadership and Governance

      Control ID | Control requirement description
      3.1.1. Entities should develop a robust Cyber Security Governance structure, supported with appropriate resources, to oversee and control the overall approach to cyber security.
      3.1.2. Entities should define, approve, implement and communicate cyber security policies and procedures that are supported by detailed security standards (e.g. password standard, firewall standard).
      3.1.3. Entities should periodically review and update cyber security policies, procedures and standards, taking into consideration the evolving cyber threat landscape.
      3.1.4. Entities should incorporate cyber security requirements in their new and/or existing business operating model, including at least:
       a. evaluation of cyber security and fraud risks that could target the business operating model; and
       b. adoption and evaluation of cyber security measures for protection against adversarial attacks (e.g. model stealing, malicious inputs and poisoning attacks).
      3.1.5. Entities should establish and implement a strong password policy for users' access to their information assets, such as:
       a. change of password upon first logon, minimum password length, password history and password complexity;
       b. revoking access after three successive incorrect password attempts; and
       c. use of non-caching techniques, so that credentials are not cached on the client.
      3.1.6. Entities should execute comprehensive IT and cyber security risk assessments covering infrastructure, network, applications and systems, and the controls implemented to address the identified risks. The identified risks should be documented in a central register, and periodically monitored and reviewed.
      Ref. to other SAMA Framework(s)
      Cyber Security Framework
      - 3.1.1 Cyber Security Governance
      - 3.1.3 Cyber Security Policy
      - 3.2.1 Cyber Security Risk Management
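The following is an added example, not part of the SAMA framework text, showing how the elements of control 3.1.5 (change on first logon, minimum length, history, complexity, and lockout after three successive failures) fit together in a server-side account model. The framework fixes only the "three successive incorrect passwords" number; the minimum length of 12, the requirement for three character classes, and the history depth of 5 are assumptions chosen for illustration, as are the `Account`, `set_password` and `login` names.

```python
"""Password policy enforcement for SAMA control 3.1.5 (added example, not framework text).
Assumed parameters: MIN_LENGTH, HISTORY_DEPTH and the three-character-class rule are
illustrative; MAX_FAILED_ATTEMPTS = 3 is the value the control specifies."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12            # assumption: the control requires a minimum length but sets no number
HISTORY_DEPTH = 5          # assumption: current password plus the four before it may not be reused
MAX_FAILED_ATTEMPTS = 3    # control 3.1.5(b): revoke access after three successive failures


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash stored in place of the password. The same per-account salt is
    # reused across password changes so that history entries remain comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # most recent first; history[0] is the current hash
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True                      # 3.1.5(a): change of password upon first logon


def check_complexity(password: str) -> list:
    """Return the list of complexity violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def set_password(acct: Account, new_password: str, provisioned: bool = False) -> list:
    """Apply length, complexity and history rules. Returns the list of violations (empty on success).
    provisioned=True models an administrator setting an initial password, which the user
    must change at first logon."""
    problems = check_complexity(new_password)
    candidate = _hash(new_password, acct.salt)
    # History check: constant-time comparison against the retained hashes
    if any(hmac.compare_digest(candidate, old) for old in acct.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.history.insert(0, candidate)
    del acct.history[HISTORY_DEPTH:]       # keep only the last HISTORY_DEPTH hashes
    acct.must_change = provisioned
    acct.failed_attempts = 0
    return []


def login(acct: Account, password: str) -> str:
    """Return 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.locked:
        return "locked"                    # access stays revoked until an out-of-band reset
    if not acct.history or not hmac.compare_digest(_hash(password, acct.salt), acct.history[0]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True             # third successive failure revokes access (3.1.5(b))
            return "locked"
        return "denied"
    acct.failed_attempts = 0               # a successful logon resets the counter
    return "change_required" if acct.must_change else "ok"
```

The lockout counter is reset only by a successful logon, so two failures followed by a success do not accumulate towards the limit, while three in a row do; the locked state is never cleared by `login` itself, which leaves unlocking to an administrative reset outside this example.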
    • 3.2 Cyber Security Operations and Technology

      Control ID | Control requirement description
      3.2.1. Entities should establish an identity and access management process to govern logical access to information assets according to the need-to-have and need-to-know principles.
      3.2.2. Entities should establish a change management process to ensure that changes to the entity's information assets are classified, tested and approved before their deployment into production environments. The change management process should also include cyber security requirements for controlling changes to information assets.
      3.2.3. Entities should establish and maintain a secure network architecture that takes into consideration the following:
       a. segmentation of networks according to the functionality of services, and the adoption of network security systems (e.g. firewalls) to control the network traffic between segments; and
       b. availability.
      3.2.4. Entities should adopt secure and robust cryptographic algorithms and ensure that application and server communications are encrypted using secure protocols.
      3.2.5. Entities should periodically conduct comprehensive vulnerability assessments (VA) covering both the application and infrastructure layers of the entity's technology landscape.
      3.2.6. Entities should conduct penetration testing (PT) at least twice a year, and after any major or critical change, to comprehensively evaluate their cyber security defence capability.
      3.2.7. Entities should ensure that up-to-date and relevant patches are tested, applied and installed in a timely manner to avoid security breaches due to existing vulnerabilities in applications and infrastructure.
      3.2.8. In addition to a secure System Development Life Cycle (herein "Secure SDLC") process, entities should implement application shielding techniques (such as, but not limited to, code obfuscation, white-box cryptography and anti-tampering) in the application design.
      3.2.9. Entities should implement effective brand protection controls to detect and defend against targeted attacks, by continuously monitoring online services such as apps, social media accounts and websites and proactively taking down malicious activity.
      3.2.10. Entities should ensure that endpoints (both corporate and, if allowed, personal) are secured through the implementation of a minimum set of cyber security requirements, such as the following, but not limited to:
       a. real-time protection for the endpoints (e.g. antivirus and anti-malware);
       b. implementation of behaviour-based and/or signature-based solutions;
       c. ensuring anti-malware signatures are up to date and the systems are regularly scanned for malicious files or anomalous activity; and
       d. in the case of mobile devices:
        i. separation and encryption of entity data; and
        ii. secure wiping of stored entity data in cases of device loss, theft or decommissioning, in alignment with the Secure Information Asset Disposal process.
      3.2.11. Entities should establish and implement a process to collect, process, review and retain security logs to facilitate continuous security monitoring. These logs should provide sufficient detail and should be retained securely for a period of one year as a minimum.
      3.2.12. Entities should ensure that applications and infrastructure components are integrated with a security information and event management (SIEM) solution.
      3.2.13. Entities should ensure continuous security monitoring and analysis of cyber security events to promptly detect and respond to cyber security incidents.
      3.2.14. Entities should develop a Cyber Security Incident Management process to identify, respond to and contain cyber security incidents impacting the entity's information assets in a timely manner.
      3.2.15. Entities should implement session timeout configurations with a reasonable timeframe; inactive sessions should not exceed 5 minutes for applications and the underlying infrastructure.
      3.2.16. Entities should immediately inform SAMA (F.S.Cybersecurity@SAMA.GOV.SA) when any incident classified as medium severity or above has occurred and been identified in any of the following categories:
       a. cyber security;
       b. fraud; and
       c. all disruptive incidents.
      Ref. to other SAMA Framework(s)
      Cyber Security Framework
      - 3.3.5 Identity and Access Management
      - 3.3.6 Application Security
      - 3.3.7 Change Management
      - 3.3.8 Infrastructure Security
      - 3.3.9 Cryptography
      - 3.3.13 Electronic Banking Services
      - 3.3.14 Cyber Security Event Management
      - 3.3.15 Cyber Security Incident Management
      - 3.3.17 Vulnerability Management
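As an added example (not part of the framework text) of the inactivity limit in control 3.2.15, the session store below enforces a sliding idle window of 5 minutes on the server side: every validated request resets the idle clock, and a request that arrives after more than 5 minutes of inactivity destroys the session rather than merely rejecting the request. The absolute session lifetime of 8 hours is an assumption that goes beyond what 3.2.15 requires, added because an idle timeout alone leaves a session that is kept alive by periodic traffic valid indefinitely. The `SessionStore` class and its method names are illustrative.

```python
"""Server-side session timeouts for SAMA control 3.2.15 (added example, not framework text).
IDLE_TIMEOUT_SECONDS is the value the control specifies; ABSOLUTE_TIMEOUT_SECONDS is an
assumed additional limit that the control does not mention."""
import secrets
import time
from typing import Callable, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60          # 3.2.15: inactive sessions must not exceed 5 minutes
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60  # assumption: hard lifetime regardless of activity


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock            # injectable clock so the timeout can be tested without sleeping
        self._sessions: dict = {}      # session id -> {"user", "created", "last_seen"}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness in the identifier
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate the session presented by a request and record the activity.
        Returns the user name, or None if the session is unknown, idle for longer than
        IDLE_TIMEOUT_SECONDS, or older than ABSOLUTE_TIMEOUT_SECONDS; an expired session
        is deleted server-side so it cannot be replayed later."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        idle_expired = now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - entry["created"] > ABSOLUTE_TIMEOUT_SECONDS
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now       # sliding window: activity restarts the idle clock
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)
```

Because `touch` both validates and refreshes, it is the single call an application makes per request; the comparison uses a monotonic clock by default, so wall-clock adjustments cannot shorten or extend a session.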
    • 3.3 Resilience

      Control ID | Control requirement description
      3.3.1. The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) should be defined, approved, communicated, implemented and periodically reviewed to enable entities to continue delivering their critical services at an acceptable pre-defined level.
      3.3.2. Entities should define and implement their backup and restoration requirements considering the following, but not limited to:
       a. legal and regulatory requirements;
       b. critical and customer data;
       c. business requirements;
       d. schedule of the backup (daily, weekly, monthly, etc.);
       e. protection of confidential data stored on backup media by applying encryption techniques;
       f. storage of backup media offline or at an offsite location;
       g. secure destruction of backup data; and
       h. restoration tests.
      Ref. to other SAMA Framework(s)
      Business Continuity Management Framework
      - 2.5 Business Continuity Plan
      - 2.6 Disaster Recovery Plan
      - 2.7 Cyber Resilience