3.3.8 IT Incident Management
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
Principle
An IT incident management process should be established to identify, respond to and handle, in a timely manner, IT incidents impacting the Member Organization's information assets, and to report relevant incidents to Saudi Central Bank according to a defined communication protocol.
Control Requirements
1. IT incident management process should be defined, approved, implemented and communicated.
2. The effectiveness of the IT incident management process should be measured and periodically evaluated.
3. IT incident management process should include the following requirements, but not limited to:
   a. the establishment of a designated team responsible for incident management;
   b. communication plan;
   c. details of key staff who need to be notified;
   d. skilled and (continuously) trained staff;
   e. the prioritization and classification of incidents;
   f. the timely handling of incidents, recording and monitoring progress;
   g. the protection of relevant evidence and loggings;
   h. post-incident activities such as root-cause analysis of the incidents; and
   i. lessons learned.
4. IT incident management process should be automated, such as through an IT service desk.
5. A process should be established for documenting the details of the incident and the steps taken, both those which were successful and those which were not; these should be communicated to the relevant IT staff for hands-on experience and also for future reference to enhance efficiency.
6. All user requests and IT incidents should be logged with the following information, but not limited to:
   a. unique reference number;
   b. date and time;
   c. name of the impacted services and systems;
   d. update the relevant owner; and
   e. categorization and prioritization based on the urgency and impact.
7. All IT incidents should be tracked and resolved as per agreed service level.
8. Member Organizations' relevant teams should be involved (when applicable) to ensure adequate handling of the incident.
9. The Member Organizations should inform 'General Department of Cyber Risk Control' immediately upon identification of a 'Medium' or above classified incident that has an impact on customers, as per Saudi Central Bank BCM Framework.
10. The Member Organizations should inform 'General Department of Cyber Risk Control' immediately upon identification of disruption and slowness in the critical and/or application(s) impacting customer.
11. Member Organizations should notify 'General Department of Cyber Risk Control' before disclosing any information about the incident to the media.
12. The Member Organizations should submit a detailed incident report within five (5) days to 'General Department of Cyber Risk Control', including the following details as a minimum:
   a. title of the incident;
   b. identification, classification and prioritization of incident;
   c. logging and monitoring of incident;
   d. resolution and closure of incident;
   e. impact assessment such as financial, data, customer and/or reputational;
   f. date and time of the incident;
   g. name of the impacted services and systems;
   h. root-cause analysis; and
   i. corrective actions with target dates.