3.1.1 Cyber Security Governance

No: 381000091275

Date(g): 24/5/2017 | Date(h): 28/8/1438

Status: In-Force

Principle

A cyber security governance structure should be defined and implemented, and should be endorsed by the board.

Objective

To direct and control the overall approach to cyber security within the Member Organization.

Control considerations

1.	A cyber security committee should be established and be mandated by the board.
2.	The cyber security committee should be headed by an independent senior manager from a control function.
3.	The following positions should be represented in the cyber security committee:
	a.	senior managers from all relevant departments (e.g., COO, CIO, compliance officer, heads of relevant business departments);
	b.	Chief information security officer (CISO);
	c.	Internal audit may attend as an “observer.
4.	A cyber security committee charter should be developed, approved and reflect:
	a.	committee objectives;
	b.	roles and responsibilities;
	c.	minimum number of meeting participants;
	d.	meeting frequency (minimum on quarterly basis).
5.	A cyber security function should be established.
6.	The cyber security function should be independent from the information technology function. To avoid any conflict of interest, the cyber security function and information technology function should have separate reporting lines, budgets and staff evaluations.
7.	The cyber security function should report directly to the CEO/managing director of the Member Organization or general manager of a control function.
8.	A full-time senior manager for the cyber security function, referred to as CISO, should be appointed at senior management level.
9.	The Member Organization should :
	a.	ensure the CISO has a Saudi nationality;
	b.	ensure the CISO is sufficiently qualified;
	c.	obtain no objection from SAMA to assign the CISO.
10.	The board of the Member Organization should allocate sufficient budget to execute the required cyber security activities.

Soft Launch