Information Security
Cyber Security Framework - Maturity Level 4 Requirements
Further to SAMA's instructions issued by Circular No. 381000091275 dated 28/8/1438 H regarding the Cyber Security Framework and Maturity Level 3,
we inform you that, based on SAMA's powers to enhance cybersecurity in the financial sector and to raise the level of maturity in order to face cyber challenges and manage them in a professional and advanced manner, the following has been decided for banks:
1- Develop a Roadmap to achieve all the requirements of Maturity Level 4 by the end of the third quarter of 2020G, for all the requirements of the following subdomains in the Information Security Organizational Guide:
3.3.14 - Cyber Security Event Management
3.3.15 - Cyber Security Incident Management
3.3.16 - Threat Management
3.3.17 - Vulnerability Management
2- Provide the necessary support to the Information Security Management, supplying them with qualified national personnel, technical tools and appropriate training to perform their role to the fullest extent.
3- Present the business plan (Roadmap) mentioned in paragraphs (1) and (2) to the Board of Directors and obtain approval for the plan and the necessary support.
4- Provide SAMA (Financial Sector IT Risk Supervision Department) with the following:
a- Board-approved plan by the end of the first quarter of 2019G.
b- Quarterly reports, starting from the end of the second quarter of 2019G, showing the stages of fulfillment of SAMA's requirements in this regard until they are completed.
c- A detailed annual report by the bank's internal audit department indicating the extent of compliance with the requirements of the Regulatory Guide compared to the required maturity level, according to the tool to be determined by SAMA.
The Central Bank will also conduct field visits to verify compliance with these instructions.
Follow-up on Corrective Procedures for Protection Systems and Information Security
With reference to SAMA Circular No. 53331/B C/25514 dated 9/12/1433 H, which directed banks operating in the Kingdom to evaluate their protection systems, information security and business continuity plans by contracting with specialized international companies in the field of information security, banks are required to prepare a detailed report on the observations and the proposed recommendations for addressing them, and to provide SAMA with a copy of this report.
Given the importance of addressing all observations mentioned in the aforementioned report in accordance with the regulations and instructions issued by SAMA and international best practices, the bank is requested to form an internal committee of specialists to monitor the implementation of the corrective actions outlined in the report. This committee should prepare a quarterly follow-up report on the progress of the corrective plan and provide copies of this report to the Board of Directors and SAMA (Banking Supervision Department), starting from the first quarter of the current year 2014.
Information Security Strategy for the Banking Sector
Foreword
We live in a digital society with high expectations of flawless customer experience, continuous availability of services and effective protection of sensitive data. Information and online services are now strategically important to all public and private organizations, as well as to the broader society.
Recent cyber incidents globally and regionally have indicated that the number, impact and sophistication of cyber-attacks have increased steadily. It is worth noting that the malicious use of technology could have cross-border implications, thereby disrupting both national and international financial stability.
The Saudi Central Bank* is proud to announce the Cyber Security Strategy to drive continuous improvement of cyber security and to ensure that the Saudi banking sector is well prepared in the five cyber security domains, namely: identification, protection, detection, response and recovery.
The strategy recognizes the rate at which cyber threats are evolving, as well as the changing technology and business landscape. This places a premium on agility and flexibility in cyber security, underpinned by comprehensive intelligence on cyber threats and effective collaboration between SAMA and the Member Organizations.
We strongly believe that the Cyber Security Strategy will set the sector on strong foundations to address present and future threats.
Ahmed Al Sheikh
Deputy Governor for Supervision
* The name "Saudi Arabian Monetary Agency" was replaced by "Saudi Central Bank" in accordance with the Saudi Central Bank Law No. (M/36), dated 11/04/1442H, corresponding to 26/11/2020G.
1 The Importance of Cyber Security
1.1 The Rationale for Cyber Security
Public cyber incident disclosures over the past few years have indicated that the number, impact and sophistication of cyber-attacks have increased steadily. This trend is especially true within the global banking sector and the Kingdom of Saudi Arabia. At the same time, as mentioned in the foreword, banking customers have ever increasing expectations for service availability, privacy, usability — expectations that can only be met via information technology and its continual innovation. This innovation often results in new business models that increase reliance on third parties and external resources, complicating governance and supply chains. As a result of these trends, the Saudi Arabian banking sector ("the Sector") must improve cyber security throughout its ecosystem to counter malicious threats while also delivering on its promise to provide safe and efficient transaction services to its customers. The strategy contained in this document has been developed to achieve these objectives in a structured way, based on international best practices.
1.2 Challenges and Threat Landscape
Today's threat landscape is diverse and advanced. Threat actors, ranging from individual hackers and insiders to organised groups, employ sophisticated attacks. Their goals range from espionage and financial gain to online (h)activism. The most significant cyber security threats and challenges to the Saudi banking sector, which have been considered when developing the strategy ("the Strategy"), are summarised below:
2 The Cyber Security Strategy Highlights
Cyber security is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the member organization's information assets against internal and external threats.
2.1 Mission, Vision, Objectives and Governing Rules
The table below illustrates the mission, vision, objectives and governing rules for cyber security within the Saudi banking sector.
2.2 Scope
In order to fulfil the mission, SAMA has collaborated with the Banking Committee for Information Security (BCIS) to develop this Strategy, which is applicable to the whole Saudi banking sector, including:
- the Saudi Central Bank*;
- all organizations affiliated with SAMA ("the Member Organizations");
- all banks operating in Saudi Arabia;
- all banking subsidiaries of Saudi banks situated within Saudi Arabia or abroad;
- subsidiaries of foreign banks situated in Saudi Arabia.
* The name "Saudi Arabian Monetary Agency" was replaced by "Saudi Central Bank" in accordance with the Saudi Central Bank Law No. (M/36), dated 11/04/1442H, corresponding to 26/11/2020G.
2.3 Governance
A robust governance structure will be put in place to direct, monitor and evaluate efforts related to the execution of the Strategy. The governance structure will ensure that all parties involved are fully aware of their roles and responsibilities in the execution and maintenance of the Strategy.
The parties involved and their role and responsibilities are summarized below:
2.4 Principles for Implementation
The implementation of the Strategy will be through a comprehensive set of strategic streams which together achieve the objectives of the Strategy.
A 5-year roadmap will set out how the strategic streams will be taken forward, while also recognizing the need for the Strategy to be periodically evaluated under the governance of SAMA. Where necessary, the Strategy will be refined and new initiatives defined.
The challenge of building a trustworthy, resilient and secure Saudi banking sector requires an integrated and collaborative approach in a number of domains:
- State of the art capabilities in identification, protection, detection, response and recovery.
- An organizational culture that promotes safe and appropriate use of information and online services among stakeholders.
- A deep understanding of dependencies on national critical infrastructure and online services, and seamless cooperation with national authorities to reduce the cyber security risks.
A successful cyber security strategy is founded on collaboration. All parties involved must join forces by contributing to effective community intelligence sharing and collectively coordinating responses to emerging cyber threats and attacks across the Saudi banking sector.
The implementation of the Strategy will be governed by the following rules (the "Governing Rules") when scoping, approving and taking forward the strategic streams and initiatives:
- Defining leadership and responsibilities.
- Adopting a risk-based approach.
- Implementing a defense in depth approach.
- Investing in and utilizing national talents and skills.
- Aligning with national and international initiatives.
- Collaborating with partners.
2.4.1 Shared Responsibilities
The execution of the Strategy is a shared effort between SAMA and Member Organizations. The implementation will be overseen by a Program Board comprising SAMA and representative members of BCIS when delegated. Individual Project Teams will be constituted by the Program Board to take forward execution of strategic streams assigned by the Program Board. Each Project Team will include representatives of the Saudi banking sector and other relevant stakeholders, with SAMA coordinating liaison with relevant government agencies.
The Member Organizations, through BCIS, will act as an Advisory Board for the Program Board and, through the Program Board, for the individual Project Teams.
The figure below illustrates the proposed program structure for implementing the Strategy:
2.4.2 Management Commitment and Funding
Shared responsibility implies that the boards of Member Organizations must commit to the strategic directions and timelines within this Strategy, while also being prepared to commit the required resources and funding.
2.4.3 Integrated Planning
Effective initiation, definition, approval and implementation of strategic streams depends on careful prioritization and planning to ensure availability of the required resources and achievement of realistic timescales. This process will ensure engagement with relevant stakeholders within and outside the Saudi banking sector, while also avoiding duplication and overlap between strategic streams. The Program Board will ensure that integrated planning is aligned with, and agreed by, relevant stakeholders.
2.4.4 Monitor Progress and Improvements
Effective monitoring of the execution of the Strategy, and of the associated strategic streams, is vital to the successful achievement of the objectives and the necessary improvements in cyber security. To achieve this, the Program Board will implement a performance management process covering:
- The execution of the strategic streams and the underlying initiatives (i.e. during the initiation, definition, approval and implementation phases).
- The adoption of the agreed directions or solutions by the Member Organizations.
Project initiation plans will be prepared for all strategic streams defining the scope, objectives, proposed approach, stakeholder engagement, dependency management, resourcing assumptions, risks and mitigation.
The progress of each strategic stream, and underlying initiatives, will be measured against key performance indicators (KPIs), such as:
- Progress against defined milestones and scope.
- Resources consumed (e.g. spend to date, level of effort).
- Quality of deliverables.
- Project management risks.
- Level of adoption by Member Organizations.
2.5 Maintaining and Evaluating the Cyber Security Strategy
The Strategy will be maintained and periodically evaluated by SAMA to ensure continuous improvement, including its continued relevance to emerging cyber security threats and risks. If applicable, SAMA will update the Strategy based on the outcome of the evaluation, this may include adjustments to existing strategic streams and initiatives, or the creation of new strategic streams and initiatives.
3 The Cyber Security Strategic Objectives, Streams and Initiatives
3.1 Objective 1: Proactively Protect Saudi Banking Sector Critical Information Assets
In order to achieve a stable and resilient Saudi banking sector, SAMA and the Member Organizations will identify and protect critical information assets. This should include but not be limited to:
- The identification of critical Saudi banking sector information assets supporting the delivery of essential services and capabilities.
- The analysis of key interdependencies with other sectors.
- The adoption of appropriate cyber security controls.
This will be supported by the creation of a strategic threat and capability analysis to collect and analyze the strategic and emerging cyber security threats and vulnerabilities, allowing the determination of potential attack scenarios and patterns, and forming the basis for identifying necessary enhancements in cyber security controls.
To build a sector-wide view of strategic cyber security risks to the Banking Sector, a periodic banking sector-wide strategic cyber security risk assessment will be conducted. This will support the development of banking sector-wide cyber action plans to address possible strategic and emerging cyber security risks.
The strategic streams for objective 1 are shown below:
3.1.1 Critical Information Assets
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Identify the Saudi banking sector critical information assets.
- Perform a cyber security risk assessment for the identified critical information assets to address the cyber security risks within the Saudi banking sector.
- Select appropriate cyber security controls and develop cyber security standards.
- Establish and implement a continuous monitoring capability to ensure compliance with the developed cyber security standards.
- For the identified critical information assets under the authority of SAMA:
  - Perform a gap analysis to determine their compliance with cyber security standards;
  - Implement the required cyber security controls in order to comply with cyber security standards.
- For identified systems at the Member Organizations which are connected to the identified critical information assets:
  - Perform a gap analysis to determine their compliance with cyber security standards;
  - Implement the required cyber security controls in order to comply with cyber security standards.
- Determine the interdependencies of the identified Saudi banking sector critical information assets with other sectors (national and international), as an input into objective 4 'Understand and Manage Interdependencies' (section 3.4).
3.1.2 Strategic Cyber Threat and Attack Scenarios
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective approach to periodically determine the Saudi banking sector-wide strategic threats, vulnerabilities and interdependencies.
- Determine the Saudi banking sector-wide strategic threats, vulnerabilities and interdependencies and translate these into strategic threat and attack scenarios.
- Incorporate the strategic threat and attack scenarios into the threat and vulnerability management processes of the Member Organizations. These scenarios will also be used as an input into strategic stream 3.1.3 'Strategic Risk Assessment'.
3.1.3 Strategic Cyber Security Risk Assessment
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective strategic cyber security risk assessment approach and framework to periodically determine the Saudi banking sector-wide strategic cyber security risks.
- Perform a periodic strategic cyber security risk assessment to identify Saudi banking sector-wide strategic cyber security risks.
- Develop and execute a Banking Sector-wide treatment plan to address the strategic cyber security risks.
- Establish a cyber security risk and control repository capability.
3.2 Objective 2: Detect, Respond to and Recover from Cyber Security Incidents
Situational awareness is necessary to effectively detect, respond to and recover from cyber security incidents. The creation of a Banking Cyber Security Centre (BCSC) will provide a focus for the necessary monitoring and detection capabilities. The BCSC will also support mutual and immediate sharing of detected suspicious events between the BCSC and Member Organizations.
A Saudi Banking sector threat intelligence capability will also be established, providing a platform for intelligence sharing between Member Organizations. This platform will also be used to aggregate and share common threat intelligence from preferred threat intelligence providers. Threat intelligence sharing is essential to maintain a proactive posture to counter emerging cyber security threats.
To ensure an effective response to a major cyber security incident, it is vital that all relevant parties know what to do and have a clear understanding of their roles and responsibilities. This will be achieved through the creation of a Saudi banking sector-wide cyber security incident management process. This process will be rehearsed periodically to ensure that all relevant stakeholders are familiar with the agreed incident management procedures, which also contributes to the training of relevant staff. The lessons from exercises and incidents will be used to continuously improve the incident management process. In addition, a Saudi banking sector-wide cyber security crisis management process will be established. The cyber security crisis management process will ensure that response and communication procedures within and beyond the Saudi banking sector are in place to deal with a serious incident. These processes will also be periodically exercised.
The strategic streams for objective 2 are shown below:
3.2.1 Cyber Security Monitoring and Detection
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide cyber security monitoring and detection capability (i.e. BCSC), including people, processes and technology.
- Establish an effective Saudi banking sector-wide capability for Member Organizations to connect to the BCSC, including people, processes and technology, for sharing analyses of suspicious events, rulesets and use cases.
3.2.2 Cyber Threat Intelligence Sharing
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide shared cyber threat intelligence capability, including people, processes and technology.
- Establish an effective Saudi banking sector-wide capability for Member Organizations to connect to the shared cyber threat intelligence capability, including people, processes and technology, for sharing cyber threat intelligence.
3.2.3 Cyber Security Incident Management
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide cyber security incident management process, including supporting incident response procedures and forensic processes.
- Identify incident response capabilities that are required to support the defined cyber security incident management process.
- Implement required capabilities, either by arranging this internally (within the Saudi banking sector) or by formalizing joint service agreements with third parties to ensure on-demand availability of the required capabilities.
- Periodically rehearse the Saudi banking sector-wide incident response procedures.
- Establish a cyber security incident repository capability.
3.2.4 Cyber Security Crisis Management
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective cyber security crisis management process, including supporting procedures.
- Conduct Saudi banking sector-wide cyber security crisis management exercises.
3.3 Objective 3: Foster a Cyber Security Culture
Cyber security is not only about technology. The effectiveness of technological measures largely depends on a security culture in which all stakeholders are sufficiently aware of cyber security risks. Awareness and the proper attitude in organizations are vital to foster a cyber security culture.
Raising awareness and investing in education are effective ways to improve the cyber security culture. Therefore, a Saudi banking sector-wide education program and awareness campaign will be developed and delivered.
SAMA has the ambition to be at the forefront of building and maintaining a skilled cyber security workforce. It is recognized that it will be difficult to create and maintain a sufficient national cadre of skilled cyber security professionals. Therefore, a Saudi banking sector-wide cyber security training and talent management program will be developed and implemented to ensure the development of such a national cadre.
In addition, a code of practice will be developed which ensures that contracting processes preserve and build cyber security knowledge within the Saudi banking sector by ensuring appropriate knowledge transfer from contractors or consultants.
The strategic streams for objective 3 are shown below:
3.3.1 Education and Awareness
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide education program and awareness campaign on cyber security.
- Contribute to broader cyber security awareness through education institutions and community action.
- Formalize joint service agreements with third parties to provide education programs and awareness campaign services.
3.3.2 National Training Capabilities and Talent Management
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide training program on cyber security skills for relevant cyber security professionals.
- Formalize joint service agreements with third parties to provide such training courses.
- Develop a Saudi banking sector-wide code of practice on the retention and talent development of cyber security professionals.
- Engage with colleges and universities to develop and implement cyber security curricula and educational programs at the graduate and post-graduate levels.
- Establish a periodic award for the best cyber security research or thesis relevant for the Saudi banking sector.
- Establish a periodic award for best cyber security professional within the Saudi banking sector.
3.3.3 Contracting Cyber Security Services
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Develop a Saudi banking sector-wide code of practice specifying requirements for knowledge transfer in cyber security service contracts.
3.4 Objective 4: Understand and Manage Interdependencies
The interconnected and distributed nature of the internet allows malicious actors to cross national and international boundaries. To counter cyber security threats, the Saudi banking sector must have an effective approach to national and international collaboration.
Engagement strategies and relationships will be developed and maintained with key national authorities and international organizations to promote cyber security information (e.g., threat intelligence) sharing, enable cyber security investigations and support cyber security operations.
The strategic streams for objective 4 are shown below:
3.4.1 National Interdependencies
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Develop and establish a national relationship management process to promote cyber security information sharing, enable cyber security investigations, and support cyber security operations.
- Engage periodically with national authorities to identify and address cyber security threats and coordinate actions to improve cyber security on a national level.
3.4.2 International Interdependencies
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Develop and establish an international relationship management process to promote cyber security information sharing, enable cyber security investigations, and support cyber security operations.
- Engage periodically with international organizations to identify and address cyber security threats and coordinate actions to improve cyber security on a national and international level.
3.5 Objective 5: Maintain an Adaptive Cyber Security Framework
Objectives 1-4 will be underpinned by the creation of a cyber security framework which will provide the basis for effectively protecting information assets throughout the Saudi banking sector.
The framework will be mandated by SAMA and will be applicable to all Member Organizations. It will be based on national and international good practice and kept under continuous review in the light of emerging cyber threats and developments.
An implementation approach and process for periodic self-assessments will be established to direct, monitor progress and evaluate the adoption of the cyber security framework by the Member Organizations.
The strategic streams for objective 5 are shown below:
3.5.1 Cyber Security Framework
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective Saudi banking sector-wide cyber security framework, detailing cyber security objectives, controls and compliance measures based on national and international good practices.
- Establish an effective and adaptive governance framework and implementation approach to direct, monitor and evaluate the adoption of, and compliance with, the cyber security framework.
- Adopt the cyber security framework, governance structure and implementation approach, including performing periodic self-assessments and demonstrating the level of compliance.
- Maintain and continuously improve the cyber security framework based on changes in regulations, technologies, emerging cyber security threats and newly released national and international good practices.
3.5.2 Periodic Self-Assessments and Reviews
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Mandate the governance framework and implementation approach to direct, monitor the progress and evaluate the adoption of, and compliance with, the cyber security framework across the Saudi banking sector (including ambition and anticipated implementation timelines).
- SAMA, or an appointed third party, undertakes periodic reviews at Member Organizations and challenges the self-assessments and the level of compliance with the cyber security framework.
- SAMA, or an appointed third party, periodically undertakes thematic reviews and assessments of cyber security controls at Member Organizations.
Appendices
Appendix A - Glossary
Availability: Ensuring timely and reliable access to and use of information. (NIST IR 7298, Glossary of Key Information Security Terms)
Code of practice: Document that recommends practices or procedures for the design, implementation, maintenance or utilization of documents, structures or products. (NIST IR 89-4194)
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (NIST IR 7298, Glossary of Key Information Security Terms)
Cyber security: The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the member organization's information assets against internal and external threats.
Cyber security awareness: Activities which seek to focus an individual's attention on cyber security issues. (NIST IR 7298, Glossary of Key Information Security Terms)
Cyber security awareness program: A program that explains proper rules of behavior for the safe and secure use of IT systems and information. The program communicates the cyber security policies and procedures that need to be followed.
Cyber security control: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST IR 7298, Glossary of Key Information Security Terms)
Cyber security framework: Document detailing cyber security objectives, controls and compliance measures based on national and international good practices.
Cyber security governance: A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction for cyber security, ensuring that cyber security objectives are achieved, ascertaining that information risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Cyber security incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Cyber security incident management: The monitoring and detection of security events on information systems and the execution of proper responses to those events.
Cyber security program: Top-down management structure and mechanism for coordinating security activities throughout the organization.
Cyber security review: Independent review and examination of security-related records and activities to provide limited assurance that system controls are adequate and that established policies and operational procedures are complied with. (NIST IR 7298, Glossary of Key Information Security Terms)
Cyber security risk assessment: The process of identifying risks to organizational operations, organizational assets, individuals, other organizations, and the nation, arising through the operation of an information system. A part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. (NIST IR 7298, Glossary of Key Information Security Terms)
Cyber security strategy: A high-level plan, consisting of projects and initiatives, to mitigate cyber security risks while complying with legal, statutory, contractual, and internally prescribed requirements.
Cyber security threat: Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (NIST IR 7298, Glossary of Key Information Security Terms)
Incident management: Refer to 'Cyber security incident management'.
Incident management plan: The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber-attack against an organization's information system(s). Also refer to 'Cyber security incident management'. (NIST IR 7298, Glossary of Key Information Security Terms)
Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. (NIST IR 7298, Glossary of Key Information Security Terms)
Key performance indicator: A type of performance measurement that evaluates the success of an organization or of a particular activity in which it engages. Numerical threshold(s) are typically used to categorize performance.
Member organization: Organizations affiliated with SAMA.
Resilience: The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
Risk: A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST IR 7298, Glossary of Key Information Security Terms)
Threat: Refer to 'Cyber security threat'.
Threat intelligence: Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. (Gartner)
Threat landscape:
- An overview of threats, together with current and emerging trends.
- A collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends. (ENISA)
TOM
A target operating model (TOM) is a desired operating model that visualizes (i.e. using a model or collection of models, maps, tables and charts) how the organization operates so as to deliver value to its customers or beneficiaries. Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (NIST IR 7298 Glossary of Key Information Security Terms) Vulnerability management
Vulnerability management is the cyclical practice of identifying, classifying, remediating mitigating vulnerabilities. Also refer to 'Vulnerability' Appendix B- Detailed Initiatives Objectives and Expected Outcome
Cyber Security Strategy of the Saudi Banking Sector - Draft
Information Security Committee
As you are aware, the Saudi Banking sector is highly dependent on Information Technology, which has helped banks to provide a wide range of products and services. However, Information Technology carries benefits as well as security threats and challenges.
Security issues that are of most concern to SAMA include the disclosure of confidential information, unauthorized access to systems, challenges introduced by the Internet and open networks, viruses and threats to system operations, as well as direct loss of funds. Potential damages to the banking system from security breaches also include possible loss of customer confidence, hence affecting its overall reputation.
Therefore, SAMA wishes to create an Information Security Committee of the Banks on the following basis:
- Committee mandate would be to include all aspects of Information Security.
- Each bank should be represented by one senior manager who would be designated Information Security Officer.
- SAMA would act as an observer in this committee.
- The committee would meet every two months.
The committee should elect, on a rotational basis, one of its members as the Chairman and another member as a secretary for a period of one year. The Chairman will be responsible for calling meetings and preparing agendas in consultation with the other banks, while the secretary will maintain a record of discussions.
In this regard, SAMA would like to nominate Mr. Waleed Al Shubaili and Mr. Abdulrahman Al Shetwey as observers.
Please nominate your Bank’s representative at your earliest convenience to Mr. Ali Al Ghaith at Fax No. 466 2299.
The first meeting is scheduled to be held at the Bankers Club at the Institute of Banking (IOB) on Saturday 1st June 2002 at 10 a.m.