MAPPING SAMA CYBERSECURITY FRAMEWORK TO KINGDOM OF SAUDI ARABIA NCA ESSENTIAL CYBERSECURITY CONTROLS
DOMAIN-1: CYBER SECURITY LEADERSHIP AND GOVERNANCE
The ultimate responsibility for cyber security rests with the board of the Member Organization. The board of the Member Organization can delegate its cyber security responsibilities to a cyber security committee (or a senior manager from a control function). The cyber security committee could be responsible for defining the cyber security governance and setting the Member Organization’s cyber security strategy.
The cyber security committee can also be responsible for defining a cyber security policy and ensuring the operational effectiveness of that policy. To develop and maintain the cyber security policy and to execute the cyber security activities across the Member Organization, an independent cyber security function should be established.
DOMAIN-2: CYBER SECURITY RISK MANAGEMENT AND COMPLIANCE
Risk management is the ongoing process of identifying, analyzing, responding to, and monitoring and reviewing risks. The cyber security risk management process focuses specifically on managing risks related to cyber security. In order to manage cyber security risks, Member Organizations should:
· identify their cyber security risks — cyber security risk identification;
· determine the likelihood that cyber security risks will occur and the resulting impact — cyber security risk analysis;
· determine the appropriate response to cyber security risks and select relevant controls — cyber security risk response;
· monitor the cyber security risk treatment and review control effectiveness — cyber security risk monitoring and review.
Compliance with the cyber security controls should be subject to periodic review and audit.
DOMAIN-3: CYBER SECURITY OPERATIONS AND TECHNOLOGY
In order to protect the operations and technology underlying the Member Organization’s information assets, and to protect its staff, third parties, and customers, Member Organizations have to ensure that security requirements for their information assets and the supporting processes are defined, approved, and implemented.
Compliance with these cyber security requirements should be monitored and the effectiveness of the cyber security controls should be periodically measured and evaluated in order to identify potential revisions of the controls or measurements.
DOMAIN-4: THIRD PARTY CYBER SECURITY
When Member Organizations rely on, or have to deal with, third party services, it is essential to ensure that the same level of cyber security protection is implemented at the third party as within the Member Organization.
This paragraph describes how the cyber security requirements between the Member Organization and Third Parties should be organized, implemented and monitored. Third Parties in this Framework are defined as information services providers, outsourcing providers, cloud computing providers, vendors, suppliers, governmental agencies, etc.