3.2.1 Cyber Security Risk Management
Principle
A cyber security risk management process should be defined, approved and implemented, and should be aligned with the Member Organization's enterprise risk management process.
Objective
To ensure cyber security risks are properly managed to protect the confidentiality, integrity and availability of the Member Organization's information assets, and to ensure the cyber security risk management process is aligned with the Member Organization's enterprise risk management process.
Control considerations
1. The cyber security risk management process should be defined, approved and implemented.
2. The cyber security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets.
3. The cyber security risk management process should be aligned with the existing enterprise risk management process.
4. The cyber security risk management process should be documented and address:
a. risk identification;
b. risk analysis;
c. risk response;
d. risk monitoring and review.
5. The cyber security risk management process should address the Member Organization's information assets, including (but not limited to):
a. business processes;
b. business applications;
c. infrastructure components.
6. The cyber security risk management process should be initiated:
a. at an early stage of a project;
b. prior to critical change;
c. when outsourcing is being considered;
d. when launching new products and technologies.
7. Existing information assets should be periodically subject to cyber security risk assessment based on their classification or risk profile.
8. The cyber security risk management activities should involve:
a. business owners;
b. IT specialists;
c. cyber security specialists;
d. key user representatives.
9. The result of the risk assessment should be reported to the relevant business owner (i.e., risk owner) within the Member Organization.
10. The relevant business owner (i.e., risk owner) within the Member Organization should accept and endorse the risk assessment results.
11. The Member Organization's cyber security risk appetite and risk tolerance should be clearly defined and formally approved.
3.2.1.1 Cyber Security Risk Identification
Principle
Cyber security risk identification should be performed and should include the Member Organization's relevant assets, threats, existing controls and vulnerabilities.
Objective
To find, recognize and describe the Member Organization's cyber security risks.
Control considerations
- Cyber security risk identification should be performed.
- Identified cyber security risks should be documented (in a central register).
- Cyber security risk identification should address relevant information assets, threats, vulnerabilities and the key existing cyber security controls.
3.2.1.2 Cyber Security Risk Analysis
Principle
A cyber security risk analysis should be conducted based on the likelihood that the identified cyber security risks will occur and their resulting impact.
Objective
To analyze and determine the nature and the level of the identified cyber security risks.
Control considerations
- A cyber security risk analysis should be performed.
- The cyber security risk analysis should address the level of potential business impact and likelihood of cyber security threat events materializing.
3.2.1.3 Cyber Security Risk Response
Principle
The cyber security risks of a Member Organization should be treated.
Objective
To ensure cyber security risks are treated (i.e., accepted, avoided, transferred or mitigated).
Control considerations
1. The relevant determined cyber security risks should be treated according to the Member Organization’s risk appetite and cyber security requirements.
2. Cyber security risk response should ensure that the list of risk treatment options is documented (i.e., accepting, avoiding, transferring or mitigating risks by applying cyber security controls).
3. Accepting cyber security risks should include:
a. the consideration of predefined limits for levels of cyber security risk;
b. the approval and sign-off by the business owner, ensuring that:
1. the accepted cyber security risk is within the risk appetite and is reported to the cyber security committee;
2. the accepted cyber security risk does not contradict SAMA regulations.
4. Avoiding cyber security risks should involve a decision by a business owner to cancel or postpone a particular activity or project that introduces an unacceptable cyber security risk.
5. Transferring or sharing the cyber security risks should:
a. involve sharing the cyber security risks with relevant (internal or external) providers;
b. be accepted by the receiving (internal or external) provider(s);
c. eventually lead to the actual transferring or sharing of the cyber security risk.
6. Applying cyber security controls to mitigate cyber security risks should include:
a. identifying appropriate cyber security controls;
b. evaluating the strengths and weaknesses of the cyber security controls;
1. assessing the cost of implementing the cyber security controls;
2. assessing the feasibility of implementing the cyber security controls;
3. reviewing relevant compliance requirements for the cyber security controls;
c. selecting cyber security controls;
d. identifying, documenting and obtaining sign-off for any residual risk by the business owner.
7. Cyber security risk treatment actions should be documented in a risk treatment plan.
3.2.1.4 Cyber Security Risk Monitoring and Review
Principle
The progress of cyber security risk treatment should be monitored, and the effectiveness of revised or newly implemented cyber security controls should be reviewed.
Objective
To ensure that the cyber security risk treatment is performed according to the treatment plans. To ensure that the revised or newly implemented cyber security controls are effective.
Control considerations
1. The cyber security risk treatment should be monitored, including:
a. tracking progress in accordance with the treatment plan;
b. verifying that the selected and agreed cyber security controls are being implemented.
2. The design and effectiveness of the revised or newly implemented cyber security controls should be reviewed.