3.3.15 Cyber Security Incident Management
| No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 |
Effective from May 24 2017 - May 23 2017
To view other versions open the versions tab on the right
Principle
The Member Organization should define, approve and implement a cyber security incident management that is aligned with the enterprise incident management process, to identify, respond to and recover from cyber security incidents. The effectiveness of this process should be measured and periodically evaluated.
Objective
To ensure timely identification and handling of cyber security incidents in order to reduce the (potential) business impact for the Member Organization.
Control considerations
| 1. | The cyber security incident management process should be defined, approved, implemented and aligned with the enterprise incident management process. | |
| 2. | The effectiveness of the cyber security controls within the cyber security incident management process should be measured and periodically evaluated. | |
| 3. | The standard should address the mandatory and suspicious security events which should be responded to. | |
| 4. | The security incident management process should include requirements for: | |
| a. | the establishment of a designated team responsible for security incident management; | |
| b. | skilled and (continuously) trained staff; | |
| c. | sufficient capacity available of certified forensic staff for handling major incidents (e.g., internal staff or contracting an external forensic team); | |
| d. | a restricted area to facilitate the computer emergency response team (CERT) workspaces; | |
| e. | the classification of cyber security incidents; | |
| f. | the timely handling of cyber security incidents, recording and monitoring progress; | |
| g. | the protection of relevant evidence and loggings; | |
| h. | post-incident activities, such as forensics, root-cause analysis of the incidents; | |
| i. | reporting of suggested improvements to the CISO and the Committee; | |
| j. | establish a cyber security incident repository. | |
| 5. | The Member Organization should inform ‘SAMA IT Risk Supervision' immediately when a medium or high classified security incident has occurred and identified. | |
| 6. | The Member Organization should obtain ‘no objection' from ‘SAMA IT Risk Supervision' before any media interaction related to the incident. | |
| 7. | The Member Organization should submit a formal incident report ‘SAMA IT Risk Supervision' after resuming operations, including the following incident details: | |
| a. | title of incident; | |
| b. | classification of the incident (medium or high); | |
| c. | date and time of incident occurred; | |
| d. | date and time of incident detected; | |
| e. | information assets involved; | |
| f. | (technical) details of the incident; | |
| g. | root-cause analysis; | |
| h. | corrective activities performed and planned; | |
| i. | description of impact (e.g., loss of data, disruption of services, unauthorized modification of data, (un)intended data leakage, number of customers impacted); | |
| j. | total estimated cost of incident; | |
| k. | estimated cost of corrective actions. | |