
Cyber Security Framework Saudi Arabian Monetary Authority

Version May 2017 (Page 2 of 56)

Foreword

In view of the ever-growing seriousness of Cyber-attacks, we are conscious of the need to stay one step ahead. The issuance of a Cyber Security Framework (the "Framework") seeks to support our regulated entities in their efforts to have appropriate Cyber Security governance and to build a robust infrastructure along with the necessary detective and preventive controls. The Framework articulates appropriate controls and provides guidance on how to assess maturity level. The adoption and implementation of the Framework is a vital step for ensuring that the Saudi Arabian Banking, Insurance and Financing Companies sectors can manage and withstand Cyber Security threats. In designing the Framework, we have considered the ways that our regulated entities are leveraging technology and felt that each entity will be able to adopt a common approach for addressing Cyber Security.




This will ensure Cyber Security risks are properly managed throughout the sectors. To achieve the above, the full support and oversight of the Board of Directors and Senior Management are required for its implementation. The Information Technology Risk team within the Deputyship of Supervision is at your disposal for any clarifications, and we remain committed to guiding our regulated entities in creating a safer Cyber environment.

Ahmed Al Sheikh
Deputy Governor for Supervision

Contents

1 Introduction .. 5
  Introduction to the Framework .. 5
  Definition of Cyber Security .. 5
  Scope .. 6
  Applicability .. 6
  Responsibilities .. 7
  Interpretation .. 7
  Target Audience .. 7
  Review, Updates and Maintenance .. 7
  Reading Guide .. 7
2 Framework Structure and Features .. 8
  Structure .. 8
  Principle-based .. 9
  Self-Assessment, Review and Audit .. 9
  Cyber Security Maturity Model .. 10
    Maturity Level 3 .. 10
    Maturity Level 4 .. 11
    Maturity Level 5 .. 12
3 Control domains .. 13
  Cyber Security Leadership and Governance .. 13
    Cyber Security Governance .. 13
    Cyber Security Strategy .. 14
    Cyber Security Policy .. 14
    Cyber Security Roles and ... .. 15
    Cyber Security in Project Management .. 17
    Cyber Security Awareness .. 17
    Cyber Security Training .. 18
  Cyber Security Risk Management and Compliance .. 19
    Cyber Security Risk Management .. 19
    Regulatory Compliance .. 22
    Compliance with (inter)national industry standards .. 22
    Cyber Security Review .. 22
    Cyber Security Audits .. 23
  Cyber Security Operations and Technology .. 24
    Human Resources .. 24
    Physical Security .. 24
    Asset Management .. 25
    Cyber Security Architecture .. 25
    Identity and Access Management .. 26
    Application Security .. 27
    Change Management .. 27
    Infrastructure Security .. 28
    [entry missing] .. 29
    Bring Your Own Device (BYOD) .. 30
    Secure Disposal of Information Assets .. 30
    Payment Systems .. 31
    Electronic Banking Services .. 31
    Cyber Security Event Management .. 33
    Cyber Security Incident Management .. 33
    Threat Management .. 34
    Vulnerability Management .. 35
  Third Party Cyber Security .. 36
    Contract and Vendor Management .. 36
    Outsourcing .. 37
    Cloud Computing .. 37
Appendices .. 39
  Appendix A - Overview of previously issued SAMA circulars .. 40
  Appendix B - How to request an Update to the Framework .. 41
  Appendix C - Framework Update request form .. 42
  Appendix D - How to request a Waiver from the Framework .. 43
  Appendix E - Framework Waiver request form .. 44
  Appendix F - Glossary .. 45

1 Introduction

Introduction to the Framework

The current digital society has high expectations of flawless customer experience, continuous availability of services and effective protection of sensitive data. Information assets and online services are now strategically important to all public and private organizations, as well as to broader society.

These services are vital to the creation of a vibrant digital economy. They are also becoming systemically important to the economy and to broader national security. All of which underlines the need to safeguard sensitive data and transactions, and thereby ensure confidence in the overall Saudi Financial Sector. The stakes are high when it comes to the confidentiality, integrity and availability of information assets, and to applying new online services and new developments (e.g., Fintech, blockchain) while improving resilience against Cyber threats. Not only is the dependency on these services growing, but the threat landscape is rapidly changing. The Financial Sector recognizes the rate at which Cyber threats and risks are evolving, as well as the changing technology and business landscape. SAMA established a Cyber Security Framework (the "Framework") to enable Financial Institutions regulated by SAMA (the "Member Organizations") to effectively identify and address risks related to Cyber Security.

To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework. The objectives of the Framework are as follows:

1. To create a common approach for addressing Cyber Security within the Member Organizations.
2. To achieve an appropriate maturity level of Cyber Security controls within the Member Organizations.
3. To ensure Cyber Security risks are properly managed throughout the Member Organizations.

The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the Cyber Security controls at Member Organizations, and to compare these with other Member Organizations. The Framework is based on the SAMA requirements and industry Cyber Security standards, such as NIST, ISF, ISO, BASEL and PCI. The Framework supersedes all previously issued SAMA circulars with regard to Cyber Security. Please refer to Appendix A (Overview of previously issued SAMA circulars) for more details.

Definition of Cyber Security

Cyber Security is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the member organization's information assets against internal and external threats. The general security objectives comprise the following:

- Confidentiality: Information assets are accessible only to those authorized to have access (i.e., protected from unauthorized disclosure or (un)intended leakage of sensitive data).
- Integrity: Information assets are accurate, complete and processed correctly (i.e., protected from unauthorized modification, which may include authenticity and non-repudiation).
- Availability: Information assets are resilient and accessible when required (i.e., protected from unauthorized disruption).

Scope

The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving Cyber Security controls in Member Organizations.

The Framework provides Cyber Security controls which are applicable to the information assets of the Member Organization, including:

- Electronic information.
- Physical information (hardcopy).
- Applications, software, electronic services and databases.
- Computers and electronic machines (e.g., ATM).
- Information storage devices (e.g., hard disk, USB stick).
- Premises, equipment and communication networks (technical infrastructure).

The Framework provides direction for Cyber Security requirements for Member Organizations and their subsidiaries, staff, third parties and customers. For business continuity related requirements please refer to the SAMA Business Continuity Minimum Requirements. The Framework has an interrelationship with other corporate policies for related areas, such as physical security and fraud management. This Framework does not address the non-Cyber Security requirements for those areas.

Applicability

The Framework is applicable to all Member Organizations regulated by SAMA, which include the following:

- All Banks operating in Saudi Arabia;
- All Insurance and/or Reinsurance Companies operating in Saudi Arabia;
- All Financing Companies operating in Saudi Arabia;
- All Credit Bureaus operating in Saudi Arabia;
- The Financial Market Infrastructure.

All domains are applicable for the banking sector.

However, for other financial institutions the following exceptions apply:

- Sub-domain ( ): alignment with the Cyber Security strategy of the banking sector is mandatory when applicable.
- Exclude sub-domain ( ). However, if the organization stores, processes or transmits cardholder data or deals with SWIFT services, then the PCI standard and/or the SWIFT Customer Security Controls Framework should be implemented.
- Exclude sub-domain ( ).
- Exclude sub-domain ( ). However, if the organization provides online services for customers, a Multi Factor Authentication capability should be implemented.

Responsibilities

The Framework is mandated by SAMA. SAMA is the owner and is responsible for periodically updating the Framework. The Member Organizations are responsible for adopting and implementing the Framework.

Interpretation

SAMA, as the owner of the Framework, is solely responsible for providing interpretations of the principles, objectives and control considerations, if required.

Target Audience

The Framework is intended for senior and executive management, business owners, owners of information assets, CISOs and those who are responsible for and involved in defining, implementing and reviewing Cyber Security controls within the Member Organizations.

Review, Updates and Maintenance

The Framework will be reviewed and maintained by SAMA. SAMA will review the Framework periodically to determine the Framework's effectiveness, including its effectiveness in addressing emerging Cyber Security threats and risks. If applicable, SAMA will update the Framework based on the outcome of the review. If a Member Organization considers that an update to the Framework is required, the Member Organization should formally submit the requested update to SAMA. SAMA will review the requested update, and when approved, the Framework will be adjusted. The Member Organization remains responsible for compliance with the Framework pending the requested update.

