  • 3.2 Cyber Security Risk Management and Compliance

    Risk management is the ongoing process of identifying, analyzing, responding to, monitoring and reviewing risks. The cyber security risk management process focuses specifically on managing risks related to cyber security. In order to manage cyber security risks, Member Organizations should:

    The compliance with the cyber security controls should be subject to periodic review and audit.


    • 3.2.1 Cyber Security Risk Management

      Principle

      A cyber security risk management process should be defined, approved and implemented, and should be aligned with the Member Organization's enterprise risk management process.

      Objective

      To ensure cyber security risks are properly managed to protect the confidentiality, integrity and availability of the Member Organization's information assets, and to ensure the cyber security risk management process is aligned with the Member Organization's enterprise risk management process.

      Control considerations

      1. The cyber security risk management process should be defined, approved and implemented.

      2. The cyber security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets.

      3. The cyber security risk management process should be aligned with the existing enterprise risk management process.

      4. The cyber security risk management process should be documented and address:

       a. risk identification;

       b. risk analysis;

       c. risk response;

       d. risk monitoring and review.

      5. The cyber security risk management process should address the Member Organization's information assets, including (but not limited to):

       a. business processes;

       b. business applications;

       c. infrastructure components.

      6. The cyber security risk management process should be initiated:

       a. at an early stage of the project;

       b. prior to critical change;

       c. when outsourcing is being considered;

       d. when launching new products and technologies.

      7. Existing information assets should be periodically subject to cyber security risk assessment based on their classification or risk profile.

      8. The cyber security risk management activities should involve:

       a. business owners;

       b. IT specialists;

       c. cyber security specialists;

       d. key user representatives.

      9. The result of the risk assessment should be reported to the relevant business owner (i.e., risk owner) within the Member Organization.

      10. The relevant business owner (i.e., risk owner) within the Member Organization should accept and endorse the risk assessment results.

      11. The Member Organization's cyber security risk appetite and risk tolerance should be clearly defined and formally approved.

       
      • 3.2.1.1 Cyber Security Risk Identification

        Principle

        Cyber security risk identification should be performed and should include the Member Organization's relevant assets, threats, existing controls and vulnerabilities.

        Objective

        To find, recognize and describe the Member Organization's cyber security risks.

        Control considerations

        1. Cyber security risk identification should be performed.
        2. Identified cyber security risks should be documented (in a central register).
        3. Cyber security risk identification should address relevant information assets, threats, vulnerabilities and the key existing cyber security controls.

      • 3.2.1.2 Cyber Security Risk Analysis

        Principle

        A cyber security risk analysis should be conducted based on the likelihood that the identified cyber security risks will occur and their resulting impact.

        Objective

        To analyze and determine the nature and the level of the identified cyber security risks.

        Control considerations

        1. A cyber security risk analysis should be performed.
        2. The cyber security risk analysis should address the level of potential business impact and likelihood of cyber security threat events materializing.

      • 3.2.1.3 Cyber Security Risk Response

        Principle

        The cyber security risks of a Member Organization should be treated.

        Objective

        To ensure cyber security risks are treated (i.e., accepted, avoided, transferred or mitigated).

        Control considerations

        1. The relevant determined cyber security risks should be treated according to the Member Organization's risk appetite and cyber security requirements.

        2. Cyber security risk response should ensure that the list of risk treatment options is documented (i.e., accepting, avoiding, transferring or mitigating risks by applying cyber security controls).

        3. Accepting cyber security risks should include:

         a. the consideration of predefined limits for levels of cyber security risk;

         b. the approval and sign-off by the business owner, ensuring that:

          1. the accepted cyber security risk is within the risk appetite and is reported to the cyber security committee;

          2. the accepted cyber security risk does not contradict SAMA regulations.

        4. Avoiding cyber security risks should involve a decision by a business owner to cancel or postpone a particular activity or project that introduces an unacceptable cyber security risk.

        5. Transferring or sharing the cyber security risks should:

         a. involve sharing the cyber security risks with relevant (internal or external) providers;

         b. be accepted by the receiving (internal or external) provider(s);

         c. eventually lead to the actual transferring or sharing of the cyber security risk.

        6. Applying cyber security controls to mitigate cyber security risks should include:

         a. identifying appropriate cyber security controls;

         b. evaluating the strengths and weaknesses of the cyber security controls, including:

          1. assessing the cost of implementing the cyber security controls;

          2. assessing the feasibility of implementing the cyber security controls;

          3. reviewing relevant compliance requirements for the cyber security controls;

         c. selecting cyber security controls;

         d. identifying, documenting and obtaining sign-off for any residual risk by the business owner.

        7. Cyber security risk treatment actions should be documented in a risk treatment plan.

      • 3.2.1.4 Cyber Risk Monitoring and Review

        Principle

        The progress of cyber security risk treatment should be monitored and the effectiveness of revised or newly implemented cyber security controls should be reviewed.

        Objective

        To ensure that the cyber security risk treatment is performed according to the treatment plans. To ensure that the revised or newly implemented cyber security controls are effective.

        Control considerations

        1. The cyber security risk treatment should be monitored, including:

         a. tracking progress in accordance with the treatment plan;

         b. confirming that the selected and agreed cyber security controls are being implemented.

        2. The design and effectiveness of the revised or newly implemented cyber security controls should be reviewed.

    • 3.2.2 Regulatory Compliance

      Principle

      A process should be established by the Member Organization to identify, communicate and comply with the cyber security implications of relevant regulations.

      Objective

      To comply with regulations affecting cyber security of the Member Organization.

      Control considerations

      1. A process should be established for ensuring compliance with relevant regulatory requirements affecting cyber security across the Member Organization. The process of ensuring compliance should:

       a. be performed periodically or when new regulatory requirements become effective;

       b. involve representatives from key areas of the Member Organization;

       c. result in the update of cyber security policy, standards and procedures to accommodate any necessary changes (if applicable).

    • 3.2.3 Compliance with (Inter)national Industry Standards

      Principle

      The Member Organization should comply with mandatory (inter)national industry standards.

      Objective

      To comply with mandatory (inter)national industry standards.

      Control considerations

      1. The Member Organization should comply with:

       a. Payment Card Industry Data Security Standard (PCI-DSS);

       b. EMV (Europay, MasterCard and Visa) technical standard;

       c. SWIFT Customer Security Controls Framework - March 2017.

    • 3.2.4 Cyber Security Review

      Principle

      The cyber security status of the Member Organization’s information assets should be subject to periodic cyber security review.

      Objective

      To ascertain whether the cyber security controls are securely designed and implemented, and the effectiveness of these controls is being monitored.

      Control considerations

      1. Cyber security reviews should be periodically performed for critical information assets.

      2. Customer- and internet-facing services should be subject to annual review and penetration tests.

      3. Details of the cyber security reviews performed should be recorded, including the results of the review, issues identified and recommended actions.

      4. The results of the cyber security review should be reported to the business owner.

      5. Cyber security reviews should be subject to follow-up reviews to check that:

       a. all identified issues have been addressed;

       b. critical risks have been treated effectively;

       c. all agreed actions are being managed on an ongoing basis.

    • 3.2.5 Cyber Security Audits

      Principle

      The cyber security status of the Member Organization’s information assets should be subject to thorough, independent and regular cyber security audits performed in accordance with generally accepted auditing standards and SAMA cyber security framework.

      Objective

      To ascertain with reasonable assurance whether the cyber security controls are securely designed and implemented, and whether the effectiveness of these controls is being monitored.

      Control considerations

      1. Cyber security audits should be performed independently and according to generally accepted auditing standards and SAMA cyber security framework.
      2. Cyber security audits should be performed according to the Member Organization’s audit manual and audit plan.