3.4 Third Party Cyber Security
When Member Organizations rely on, or have to deal with, third party services, it is key to ensure that the same level of cyber security protection is implemented at the third party as within the Member Organization.
This paragraph describes how the cyber security requirements between the Member Organization and Third Parties should be organized, implemented and monitored. Third Parties in this Framework are defined as information services providers, outsourcing providers, cloud computing providers, vendors, suppliers, governmental agencies, etc.
3.4.1 Contract and Vendor Management
Principle
The Member Organization should define, approve, implement and monitor the required cyber security controls within the contract and vendor management processes.
Objective
To ensure that the Member Organization's approved cyber security requirements are appropriately addressed before signing the contract, and the compliance with the cyber security requirements is being monitored and evaluated during the contract life-cycle.
Control Considerations
1. The cyber security requirements should be defined, approved, implemented and communicated within the contract and vendor management processes.
2. Compliance with the contract and vendor management process should be monitored.
3. The effectiveness of the cyber security controls within the contract and vendor management process should be measured and periodically evaluated.
4. These contract and vendor management processes should cover:
a. whether the involvement of the cyber security function is actively required (e.g., in case of due diligence);
b. the baseline cyber security requirements which should be applied in all cases;
c. the right to periodically perform cyber security reviews and audits.
5. The contract management process should cover requirements for:
a. executing a cyber security risk assessment as part of the procurement process;
b. defining the specific cyber security requirements as part of the tender process;
c. evaluating the replies of potential vendors on the defined cyber security requirements;
d. testing of the agreed cyber security requirements (risk-based);
e. defining the communication or escalation process in case of cyber security incidents;
f. ensuring cyber security requirements are defined for exiting, terminating or renewing the contract (including escrow agreements if applicable);
g. defining a mutual confidentiality agreement.
6. The vendor management process (i.e., service level management) should cover requirements for:
a. periodic reporting, reviewing and evaluating the contractually agreed cyber security requirements (in SLAs).
3.4.2 Outsourcing
Principle
The Member Organization should define, implement and monitor the required cyber security controls within the outsourcing policy and outsourcing process. The effectiveness of the defined cyber security controls should periodically be measured and evaluated.
Objective
To ensure that the Member Organization's cyber security requirements are appropriately addressed before entering into, during, and when exiting outsourcing contracts.
Control Considerations
1. The cyber security requirements within the outsourcing policy and process should be defined, approved, implemented and communicated within the Member Organization.
2. The cyber security requirements regarding the outsourcing policy and process should be measured and periodically evaluated.
3. The outsourcing process should include:
a. the approval from SAMA prior to material outsourcing;
b. the involvement of the cyber security function;
c. compliance with the SAMA circular on outsourcing.
3.4.3 Cloud Computing
Principle
The Member Organization should define, implement and monitor the required cyber security controls within the cloud computing policy and process for hybrid and public cloud services. The effectiveness of the defined cyber security controls should periodically be measured and evaluated.
Please note that this requirement is not applicable to private cloud services (= internal cloud).
Objective
To ensure that all functions and staff within the Member Organization are aware of the agreed direction and position on hybrid and public cloud services, the required process to apply for hybrid and public cloud services, the risk appetite on hybrid and public cloud services and the specific cyber security requirements for hybrid and public cloud services.
Control Considerations
1. The cyber security controls within the cloud computing policy for hybrid and public cloud services should be defined, approved, implemented and communicated within the Member Organization.
2. Compliance with the cloud computing policy should be monitored.
3. The cyber security controls regarding the cloud computing policy and process for hybrid and public cloud services should be periodically measured and evaluated.
4. The cloud computing policy for hybrid and public cloud services should address requirements for:
a. the process for adopting cloud services, including that:
1. a cyber security risk assessment and due diligence on the cloud service provider and its cloud services should be performed;
2. the Member Organization should obtain SAMA approval prior to using cloud services or signing the contract with the cloud provider;
3. a contract should be in place, including the cyber security requirements, before using cloud services;
b. data location, including that:
1. in principle, only cloud services located in Saudi Arabia should be used; where cloud services outside Saudi Arabia are to be used, the Member Organization should obtain explicit approval from SAMA;
c. data use limitations, including that:
1. the cloud service provider should not use the Member Organization’s data for secondary purposes;
d. security, including that:
1. the cloud service provider should implement and monitor the cyber security controls as determined in the risk assessment for protecting the confidentiality, integrity and availability of the Member Organization’s data;
e. data segregation, including that:
1. the Member Organization’s data is logically segregated from other data held by the cloud service provider, including that the cloud service provider should be able to identify the Member Organization’s data and at all times should be able to distinguish it from other data;
f. business continuity, including that:
1. business continuity requirements are met in accordance with the Member Organization’s business continuity policy;
g. audit, review and monitoring, including that:
1. the Member Organization has the right to perform a cyber security review at the cloud service provider;
2. the Member Organization has the right to perform a cyber security audit at the cloud service provider;
3. the Member Organization has the right to perform a cyber security examination at the cloud service provider;
h. exit, including that:
1. the Member Organization has termination rights;
2. the cloud service provider has to return the Member Organization’s data on termination;
3. the cloud service provider has to irreversibly delete the Member Organization’s data on termination.