3.1 Cyber Security Leadership and Governance
The ultimate responsibility for cyber security rests with the board of the Member Organization. The board of the Member Organization can delegate its cyber security responsibilities to a cyber security committee (or a senior manager from a control function). The cyber security committee could be responsible for defining the cyber security governance and setting the Member Organization's cyber security strategy. The cyber security committee can also be responsible for defining a cyber security policy and ensuring the operational effectiveness of this cyber security policy.
To develop and maintain the cyber security policy and to execute the cyber security activities across the Member Organization, an independent cyber security function should be established.
3.1.1 Cyber Security Governance
Principle
A cyber security governance structure should be defined and implemented, and should be endorsed by the board.
Objective
To direct and control the overall approach to cyber security within the Member Organization.
Control considerations
1. A cyber security committee should be established and be mandated by the board.
2. The cyber security committee should be headed by an independent senior manager from a control function.
3. The following positions should be represented in the cyber security committee:
a. senior managers from all relevant departments (e.g., COO, CIO, compliance officer, heads of relevant business departments);
b. Chief information security officer (CISO);
c. Internal audit may attend as an “observer.
4. A cyber security committee charter should be developed, approved and reflect:
a. committee objectives;
b. roles and responsibilities;
c. minimum number of meeting participants;
d. meeting frequency (minimum on quarterly basis).
5. A cyber security function should be established.
6. The cyber security function should be independent from the information technology function. To avoid any conflict of interest, the cyber security function and information technology function should have separate reporting lines, budgets and staff evaluations.
7. The cyber security function should report directly to the CEO/managing director of the Member Organization or general manager of a control function.
8. A full-time senior manager for the cyber security function, referred to as CISO, should be appointed at senior management level.
9. The Member Organization should :
a. ensure the CISO has a Saudi nationality;
b. ensure the CISO is sufficiently qualified;
c. obtain no objection from SAMA to assign the CISO.
10. The board of the Member Organization should allocate sufficient budget to execute the required cyber security activities.
3.1.2 Cyber Security Strategy
Principle
A cyber security strategy should be defined and aligned with the Member Organization's strategic objectives, as well as with the Banking Sector's cyber security strategy.
Objective
To ensure that cyber security initiatives and projects within the Member Organization contribute to the Member Organization's strategic objectives and are aligned with the Banking Sector's cyber security strategy.
Control considerations
1. The cyber security strategy should be defined, approved, maintained and executed.
2. The cyber security strategy should be aligned with:
a. the Member Organization's overall objectives;
b. the legal and regulatory compliance requirements of the Member Organization;
c. the Banking Sector's cyber security strategy.
3. The cyber security strategy should address:
a. the importance and benefits of cyber security for the Member Organization;
b. the anticipated future state of cyber security for the Member Organization to become and remain resilient to (emerging) cyber security threats;
c. which and when cyber security initiatives and projects should be executed to achieve the anticipated future state.
3.1.3 Cyber Security Policy
Principle
A cyber security policy should be defined, approved and communicated.
Objective
To document the Member Organization's commitment and objectives of cyber security, and to communicate this to the relevant stakeholders.
Control considerations
1. The cyber security policy should be defined, approved and communicated.
2. The cyber security policy should be reviewed periodically according to a predefined and structured review process.
3. The cyber security policy should be:
a. considered as input for other corporate policies of the Member Organization (e.g., HR policy, finance policy and IT policy);
b. supported by detailed security standards (e.g., password standard, firewall standard) and procedures;
c. based on best practices and (inter)national standards;
d. communicated to relevant stakeholders.
4. The cyber security policy should include:
a. a definition of cyber security;
b. the Member Organization's overall cyber security objectives and scope;
c. a statement of the board's intent, supporting the cyber security objectives;
d. a definition of general and specific responsibilities for cyber security;
e. the reference to supporting cyber security standards and procedures;
f. cyber security requirements that ensure:
1. information is classified in a way that indicates its importance to the Member Organization;
2. information is protected in terms of cyber security requirements, in line with the risk appetite;
3. owners are appointed for all information assets;
4. cyber security risk assessments are conducted for information assets;
5. relevant stakeholders are made aware of cyber security and their expected behavior (cyber security awareness program);
6. compliance with regulatory and contractual obligations are being met;
7. cyber security breaches and suspected cyber security weaknesses are reported;
8. cyber security is reflected in business continuity management.
3.1.4 Cyber Security Roles and Responsibilities
Principle
Responsibilities to implement, maintain, support and promote cyber security should be defined throughout the Member Organization. Additionally, all parties involved in cyber security should understand and take their role and responsibilities.
Objective
To ensure that relevant stakeholders are aware of the responsibilities with regard to cyber security and apply cyber security controls throughout the Member Organization.
Control considerations
1. The Board of Directors has the ultimate responsibility for cyber security, including:
a. ensuring that sufficient budget for cyber security is allocated;
b. approving the cyber security committee charter;
c. endorsing (after being approved by the cyber security committee):
1. the cyber security governance;
2. the cyber security strategy;
3. the cyber security policy.
2. The cyber security committee should be responsible for:
a. monitoring, reviewing and communicating the Member Organization's cyber security risk appetite periodically or upon a material change in the risk appetite;
b. reviewing the cyber security strategy to ensure that it supports the Member Organization objectives;
c. approving, communicating, supporting and monitoring:
1. the cyber security governance;
2. the cyber security strategy;
3. the cyber security policy;
4. cyber security programs (e.g., awareness program, data classification program, data privacy, data leakage prevention, key cyber security improvements);
5. cyber security risk management process;
6. the key risk indicators (KRIs) and key performance indicators (KPIs) for cyber security.
3. The senior management should be responsible for:
a. ensuring that standards, processes and procedures reflect security requirements (if applicable);
b. ensuring that individuals accept and comply with the cyber security policy, supporting standards and procedures when they are issued and updated;
c. ensuring that cyber security responsibilities are incorporated in the job descriptions of key positions and cyber security staff.
4. The CISO should be responsible for:
a. developing and maintaining:
1. cyber security strategy;
2. cyber security policy;
3. cyber security architecture;
4. cyber security risk management process;
b. ensuring that detailed security standards and procedures are established, approved and implemented;
c. delivering risk-based cyber security solutions that address people, process and technology;
d. developing the cyber security staff to deliver cyber security solutions in a business context;
e. the cyber security activities across the Member Organization, including:
1. monitoring of the cyber security activities (SOC monitoring);
2. monitoring of compliance with cyber security regulations, policies, standards and procedures;
3. overseeing the investigation of cyber security incidents;
4. gathering and analyzing threat intelligence from internal and external sources;
5. performing cyber security reviews;
f. conducting cyber security risk assessments on the Members Organization's information assets;
g. proactively supporting other functions on cyber security, including:
1. performing information and system classifications;
2. determining cyber security requirements for important projects;
3. performing cyber security reviews.
h. defining and conducting the cyber security awareness programs;
i. measuring and reporting the KRIs and KPIs on:
1. cyber security strategy;
2. cyber security policy compliance;
3. cyber security standards and procedures;
4. cyber security programs (e.g., awareness program, data classification program, key cyber security improvements).
5. The internal audit function should be responsible for:
a. performing cyber security audits.
6. All Member Organization's staff should be responsible for:
a. complying with cyber security policy, standards and procedures.
3.1.5 Cyber Security in Project Management
Principle
Cyber security should be addressed in project management and project governance.
Objective
To ensure that the all the Member Organization's projects meet cyber security requirements.
Control considerations
1. Cyber security should be integrated into the Member Organization's project management methodology to ensure that cyber security risks are identified and addressed as part of a project.
2. The Member Organization's project management methodology should ensure that:
a. cyber security objectives are included in project objectives;
b. the cyber security function is part of all phases of the project;
c. a risk assessment is performed at the start of the project to determine the cyber security risks and to ensure that cyber security requirements are addressed either by the existing cyber security controls (based on cyber security standards) or to be developed;
d. cyber security risks are registered in the project-risk register and tracked;
e. responsibilities for cyber security are defined and allocated;
f. a cyber security review is performed by an independent internal or external party.
3.1.6 Cyber Security Awareness
Principle
A cyber security awareness program should be defined and conducted for staff, third parties and customers of the Member Organization.
Objective
To create a cyber security risk-aware culture where the Member Organization's staff, third parties and customers make effective risk-based decisions which protect the Member Organization's information.
Control considerations
1. The cyber security awareness programs should be defined, approved and conducted to promote cyber security awareness and to create a positive cyber security culture.
2. A cyber security awareness program should be defined and conducted for:
a. staff of the Member Organization;
b. third parties of the Member Organization;
c. customers of the Member Organization.
3. The cyber security awareness program should target cyber security behaviors by tailoring the program to address the different target groups through multiple channels.
4. The activities of the cyber security awareness program should be conducted periodically and throughout the year.
5. The cyber security awareness program should at a minimum include:
a. an explanation of cyber security measures provided;
b. the roles and responsibilities regarding cyber security;
c. information on relevant emerging cyber security events and cyber threats (e.g., spear-phishing, whaling).
6. The cyber security awareness program should be evaluated to:
a. measure the effectiveness of the awareness activities;
b. formulate recommendations to improve the cyber security awareness program.
7. Customer awareness should address for both retail and commercial customers and, at a minimum, include a listing of suggested cyber security mechanisms which customers may consider implementing to mitigate their own risk(s).
3.1.7 Cyber Security Training
Principle
Staff of the Member Organization should be provided with training regarding how to operate the Member Organization's systems securely and to address and apply cyber security controls.
Objective
To ensure that staff of the Member Organization are equipped with the skills and required knowledge to protect the Member Organization's information assets and to fulfil their cyber security responsibilities.
Control considerations
1. Specialist or security-related skills training should be provided to staff in the Member Organization's relevant functional area categories in line with their job descriptions, including:
a. key roles within the organization;
b. staff of the cyber security function;
c. staff involved in developing and (technically) maintaining information assets;
d. staff involved in risk assessments.
2. Education should be provided in order to equip staff with the skills and required knowledge to securely operate the Member Organization's information assets.