Your access and use of SAMA Regulatory Rulebook and its content is considered as an acceptance and approval of commitment by you without any limitation or condition to the following:
SAMA Regulatory Rulebook is a platform that aims to assist the regulated entities to access SAMA regulatory content adeptly and efficiently.
SAMA Regulatory Rulebook is still on its development and soft launch stage. SAMA is not liable for its contents and does not warrant or represent that (the Services related to the platform, information or material presented in the platform) is displayed free of any inaccuracies, omissions, or errors (“Faults”). SAMA accepts no liability for any loss, claim or damage resulting from any use of the platform, and any decisions made, or actions taken based on the information contained in or generated by the platform.
SAMA Regulatory Rulebook has no legal effect and it does not aim to amend or revoke any legal provisions. The Rulebook still Contains some documents under review, including translated versions. Therefore, SAMA Regulatory content circulated through SAMA official channels remains in force.
Without prejudice to the terms of use of SAMA website Hereby, you acknowledge that any illegal, unauthorized use and/or any breach of any of these provisions may result in legal actions against you.
Effective from Jan 01 2022 - Dec 31 2021 To view other versions open the versions tab on the right
Control ID
Control requirement description
3.1.1.
Entities should develop a robust Cyber Security Governance structure that is supported with appropriate resources to oversee and control overall approach to cyber security.
3.1.2.
Entities should define, approve, implement and communicate cyber security policies and procedures that is supported by detailed security standards (e.g. password standard, firewall standard).
3.1.3.
Entities should periodically review and update cyber security policies, procedures and standards taking into consideration the evolving cyber threat landscape.
3.1.4.
Entities should incorporate cyber security requirements in their new and/or existing business operating model, including at least:
a.
evaluation of cyber security and fraud risks that could target business operating model; and
b.
adoption and evaluation of cyber security measures for the protection against adversarial attacks (e.g. model stealing, malicious inputs, and poisoning attack).
3.1.5.
Entities should establish and implement strong password policy for users’ access to its information assets, such as:
a.
change of password upon first logon, minimum password length and history and password complexity;
b.
revoking the access after the three successive incorrect passwords; and
c.
use non-caching techniques.
3.1.6.
Entities should execute comprehensive IT and cyber security risk assessments covering (infrastructure, network, applications, and systems) and the controls implemented to address the identified risks. The identified risks should be documented in a central register, and periodically monitored and reviewed.
