SAMA Cyber Security Framework
Version 1.0
May 2017
Foreword
In view of the ever-growing seriousness of cyber-attacks, we are conscious of the need to stay one step
ahead. The issuance of a Cyber Security Framework (“Framework”) seeks to support our regulated entities
in their efforts to have an appropriate cyber security governance and to build a robust infrastructure along
with the necessary detective and preventive controls. The Framework articulates appropriate controls
and provides guidance on how to assess maturity level.
The adoption and implementation of the Framework is a vital step for ensuring that Saudi Arabian
Banking, Insurance and Financing Companies sectors can manage and withstand cyber security threats. In
designing the Framework, we have considered the ways that our regulated entities are leveraging
technology and felt that each entity will be able to adopt a common approach for addressing cyber
security. This will ensure cyber security risks are properly managed throughout the sectors.
To achieve the above, the full support and oversight from the Board of Directors and Senior
Management are required for its implementation.
The Information Technology Risk team within the Deputyship of Supervision is at your disposal for any
clarifications and we remain committed to guiding our regulated entities in creating a safer cyber
environment.
Ahmed Al Sheikh
Deputy Governor for Supervision
Appendices (p. 39)
Appendix A - Overview previous issued SAMA circulars (p. 40)
Appendix B - How to request an Update to the Framework (p. 41)
Appendix C - Framework Update request form (p. 42)
Appendix D - How to request a Waiver from the Framework (p. 43)
Appendix E - Framework Waiver request form (p. 44)
Appendix F - Glossary (p. 45)
The stakes are high when it comes to the confidentiality, integrity and availability of information assets,
to the introduction of new online services and new developments (e.g., Fintech, blockchain), and to
improving resilience against cyber threats. Not only is the dependency on these services growing, but the
threat landscape is rapidly changing. The Financial Sector recognizes the rate at which cyber threats and
risks are evolving, as well as the changing technology and business landscape.
SAMA established a Cyber Security Framework (“the Framework”) to enable Financial Institutions
regulated by SAMA (“the Member Organizations”) to effectively identify and address risks related to cyber
security. To maintain the protection of information assets and online services, the Member Organizations
must adopt the Framework.
1. To create a common approach for addressing cyber security within the Member Organizations.
2. To achieve an appropriate maturity level of cyber security controls within the Member Organizations.
3. To ensure cyber security risks are properly managed throughout the Member Organizations.
The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the
cyber security controls at Member Organizations, and to compare these with other Member
Organizations.
The Framework is based on the SAMA requirements and industry cyber security standards, such as NIST,
ISF, ISO, BASEL and PCI.
The Framework supersedes all previously issued SAMA circulars with regard to cyber security. Please refer
to ‘Appendix A – Overview previous issued SAMA circulars’ for more details.
Confidentiality – Information assets are accessible only to those authorized to have access (i.e.,
protected from unauthorized disclosure or (un)intended leakage of sensitive data).
1.3 Scope
The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring
and improving cyber security controls in Member Organizations.
The Framework provides cyber security controls which are applicable to the information assets of the
Member Organization, including:
Electronic information.
Physical information (hardcopy).
Applications, software, electronic services and databases.
Computers and electronic machines (e.g., ATM).
Information storage devices (e.g., hard disk, USB stick).
Premises, equipment and communication networks (technical infrastructure).
The Framework provides direction for cyber security requirements for Member Organizations and its
subsidiaries, staff, third parties and customers.
For business continuity related requirements please refer to the SAMA Business Continuity Minimum
Requirements.
The Framework has an interrelationship with other corporate policies for related areas, such as physical
security and fraud management. This framework does not address the non-cyber security requirements
for those areas.
1.4 Applicability
The Framework is applicable to all Member Organizations regulated by SAMA, which include the
following:
All domains are applicable for the banking sector. However, for other financial institutions the following
exceptions apply:
For sub-domain (3.1.2), alignment with the cyber security strategy of the banking sector is mandatory
when applicable.
Sub-domain (3.2.3) is excluded. However, if the organization stores, processes or transmits cardholder
data or deals with SWIFT services, then the PCI standard and/or the SWIFT Customer Security Controls
Framework should be implemented.
Exclude sub-domain (3.3.12).
1.5 Responsibilities
The framework is mandated by SAMA. SAMA is the owner and is responsible for periodically updating the
Framework.
The Member Organizations are responsible for adopting and implementing the Framework.
1.6 Interpretation
SAMA, as the owner of the Framework, is solely responsible for providing interpretations of the principles,
objectives and control considerations, if required.
SAMA will review the Framework periodically to determine the Framework’s effectiveness, including the
effectiveness of the Framework to address emerging cyber security threats and risks. If applicable, SAMA
will update the Framework based on the outcome of the review.
If a Member Organization considers that an update to the Framework is required, the Member
Organization should formally submit the requested update to SAMA. SAMA will review the requested
update, and when approved, the Framework will be adjusted.
The Member Organization remains responsible for compliance with the Framework while the requested
update is pending.
Please refer to ‘Appendix B – How to request an Update to the Framework’ for the process of requesting
an update to the Framework.
Version control will be implemented for maintaining the Framework. Whenever any changes are made,
the preceding version shall be retired and the new version shall be published and communicated to all
Member Organizations. For the convenience of the Member Organizations, changes to the Framework
shall be clearly indicated.
For each domain, several subdomains are defined. A subdomain focuses on a specific cyber security topic.
Per subdomain, the Framework states a principle, objective and control considerations.
A principle summarizes the main set of required cyber security controls related to the subdomain.
The objective describes the purpose of the principle and what the set of required cyber security
controls are expected to achieve.
The control considerations reflect the mandated cyber security controls that should be considered.
Control considerations have been uniquely numbered throughout the Framework. Where applicable, a
control consideration can consist of up to 4 levels.
The control considerations are numbered according to the following numbering system:
2.2 Principle-based
The Framework is principle-based, also referred to as risk-based. This means that it prescribes key cyber
security principles and objectives to be embedded and achieved by the Member Organization. The list of
mandated control considerations provides additional direction and should be considered by the Member
Organization in achieving the objectives. When a certain control consideration cannot be tailored or
implemented, the Member Organization should consider applying compensating controls, pursuing an
internal risk acceptance and requesting a formal waiver from SAMA.
Please refer to ‘Appendix D – How to request a Waiver from the Framework’ for details of the waiver request process.
Please refer to ’2.4 Cyber Security Maturity Model’ for more details about the cyber security maturity
model.
The objective of the Framework is to create an effective approach for addressing cyber security and
managing cyber security risks within the Financial Sector. To achieve an appropriate cyber security
maturity level, the Member Organizations should at least operate at maturity level 3 or higher as
explained below.
The cyber security documentation should clearly indicate “why”, “what” and “how” cyber security
controls should be implemented. The cyber security documentation consists of cyber security policies,
cyber security standards and cyber security procedures.
The cyber security policy should be endorsed and mandated by the board of the Member Organization
and should state “why” cyber security is important to the Member Organization. The policy should highlight
which information assets must be protected and “what” cyber security principles and objectives should
be established.
Based on the cyber security policy, cyber security standards must be developed. These standards define
“what” cyber security controls must be implemented, such as security and system parameters,
segregation of duties, password rules, monitoring events and back-up and recovery rules. The standards
support and reinforce the cyber security policy and are to be considered as cyber security baselines.
The step-by-step tasks and activities that should be performed by staff, third parties or customers of the
Member Organization are detailed in the cyber security procedures. These procedures prescribe “how”
the cyber security controls, tasks and activities have to be executed in the operating environment and
support the safeguarding of the information assets of the Member Organization according to the cyber
security policy and standards.
The process in the context of this framework is defined as a structured set of activities designed to
accomplish the specified objective. A process may include policies, standards, guidelines, procedures,
activities and work instructions, as well as any of the roles, responsibilities, tools and management
controls required to reliably deliver the output.
The actual progress of the implementation, performance and compliance of the cyber security controls
should be periodically monitored and evaluated using key performance indicators (KPIs).
To develop and maintain the cyber security policy and to execute the cyber security activities across the
Member Organization, an independent cyber security function should be established.
Objective
To direct and control the overall approach to cyber security within the Member Organization.
Control considerations
1. A cyber security committee should be established and be mandated by the board.
2. The cyber security committee should be headed by an independent senior manager from a control
function.
3. The following positions should be represented in the cyber security committee:
a. senior managers from all relevant departments (e.g., COO, CIO, compliance officer, heads of
relevant business departments);
b. Chief information security officer (CISO);
c. Internal audit may attend as an “observer”.
4. A cyber security committee charter should be developed, approved and reflect:
a. committee objectives;
b. roles and responsibilities;
c. minimum number of meeting participants;
d. meeting frequency (minimum on quarterly basis).
5. A cyber security function should be established.
6. The cyber security function should be independent from the information technology function. To
avoid any conflict of interest, the cyber security function and information technology function should
have separate reporting lines, budgets and staff evaluations.
7. The cyber security function should report directly to the CEO/managing director of the Member
Organization or general manager of a control function.
8. A full-time senior manager for the cyber security function, referred to as CISO, should be appointed
at senior management level.
9. The Member Organization should:
a. ensure the CISO has a Saudi nationality;
b. ensure the CISO is sufficiently qualified;
Objective
To ensure that cyber security initiatives and projects within the Member Organization contribute to the
Member Organization’s strategic objectives and are aligned with the Banking Sector’s cyber security
strategy.
Control considerations
1. The cyber security strategy should be defined, approved, maintained and executed.
2. The cyber security strategy should be aligned with:
a. the Member Organization’s overall objectives;
b. the legal and regulatory compliance requirements of the Member Organization;
c. the Banking Sector’s cyber security strategy.
3. The cyber security strategy should address:
a. the importance and benefits of cyber security for the Member Organization;
b. the anticipated future state of cyber security for the Member Organization to become and remain
resilient to (emerging) cyber security threats;
c. which and when cyber security initiatives and projects should be executed to achieve the
anticipated future state.
Objective
To document the Member Organization’s commitment and objectives of cyber security, and to
communicate this to the relevant stakeholders.
Control considerations
1. The cyber security policy should be defined, approved and communicated.
2. The cyber security policy should be reviewed periodically according to a predefined and structured
review process.
3. The cyber security policy should be:
a. considered as input for other corporate policies of the Member Organization (e.g., HR policy,
finance policy and IT policy);
b. supported by detailed security standards (e.g., password standard, firewall standard) and
procedures;
c. based on best practices and (inter)national standards;
d. communicated to relevant stakeholders.
Objective
To ensure that relevant stakeholders are aware of the responsibilities with regard to cyber security and
apply cyber security controls throughout the Member Organization.
Control considerations
1. The Board of Directors has the ultimate responsibility for cyber security, including:
a. ensuring that sufficient budget for cyber security is allocated;
b. approving the cyber security committee charter;
c. endorsing (after being approved by the cyber security committee):
1. the cyber security governance;
2. the cyber security strategy;
3. the cyber security policy.
2. The cyber security committee should be responsible for:
a. monitoring, reviewing and communicating the Member Organization’s cyber security risk appetite
periodically or upon a material change in the risk appetite;
b. reviewing the cyber security strategy to ensure that it supports the Member Organization
objectives;
c. approving, communicating, supporting and monitoring:
1. the cyber security governance;
2. the cyber security strategy;
3. the cyber security policy;
4. cyber security programs (e.g., awareness program, data classification program, data privacy,
data leakage prevention, key cyber security improvements);
Objective
To ensure that all the Member Organization’s projects meet cyber security requirements.
Control considerations
1. Cyber security should be integrated into the Member Organization's project management
methodology to ensure that cyber security risks are identified and addressed as part of a project.
2. The Member Organization’s project management methodology should ensure that:
a. cyber security objectives are included in project objectives;
b. the cyber security function is part of all phases of the project;
c. a risk assessment is performed at the start of the project to determine the cyber security risks and
to ensure that cyber security requirements are addressed either by existing cyber security controls
(based on the cyber security standards) or by controls still to be developed;
d. cyber security risks are registered in the project-risk register and tracked;
e. responsibilities for cyber security are defined and allocated;
f. a cyber security review is performed by an independent internal or external party.
Objective
To create a cyber security risk-aware culture where the Member Organization’s staff, third parties and
customers make effective risk-based decisions which protect the Member Organization’s information.
Control considerations
1. The cyber security awareness programs should be defined, approved and conducted to promote cyber
security awareness and to create a positive cyber security culture.
2. A cyber security awareness program should be defined and conducted for:
a. staff of the Member Organization;
b. third parties of the Member Organization;
c. customers of the Member Organization.
3. The cyber security awareness program should target cyber security behaviors by tailoring the program
to address the different target groups through multiple channels.
4. The activities of the cyber security awareness program should be conducted periodically and
throughout the year.
5. The cyber security awareness program should at a minimum include:
a. an explanation of cyber security measures provided;
b. the roles and responsibilities regarding cyber security;
c. information on relevant emerging cyber security events and cyber threats (e.g., spear-phishing,
whaling).
6. The cyber security awareness program should be evaluated to:
Objective
To ensure that staff of the Member Organization are equipped with the skills and required knowledge to
protect the Member Organization’s information assets and to fulfil their cyber security responsibilities.
Control considerations
1. Specialist or security-related skills training should be provided to staff in the Member Organization’s
relevant functional area categories in line with their job descriptions, including:
a. key roles within the organization;
b. staff of the cyber security function;
c. staff involved in developing and (technically) maintaining information assets;
d. staff involved in risk assessments.
2. Education should be provided in order to equip staff with the skills and required knowledge to
securely operate the Member Organization’s information assets.
The compliance with the cyber security controls should be subject to periodic review and audit.
Objective
To ensure cyber security risks are properly managed to protect the confidentiality, integrity and
availability of the Member Organization’s information assets, and to ensure the cyber security risk
management process is aligned with the Member Organization’s enterprise risk management process.
Control considerations
1. The cyber security risk management process should be defined, approved and implemented.
2. The cyber security risk management process should focus on safeguarding the confidentiality,
integrity and availability of information assets.
3. The cyber security risk management process should be aligned with the existing enterprise risk
management process.
4. The cyber security risk management process should be documented and address:
a. risk identification;
b. risk analysis;
c. risk response;
d. risk monitoring and review.
5. The cyber security risk management process should address the Member Organization’s information
assets, including (but not limited to):
a. business processes;
b. business applications;
c. infrastructure components.
6. The cyber security risk management process should be initiated:
a. at an early stage of the project;
b. prior to critical change;
c. when outsourcing is being considered;
d. when launching new products and technologies.
Objective
To find, recognize and describe the Member Organization’s cyber security risks.
Control considerations
1. Cyber security risk identification should be performed.
2. Identified cyber security risks should be documented (in a central register).
3. Cyber security risk identification should address relevant information assets, threats, vulnerabilities
and the key existing cyber security controls.
Objective
To analyze and determine the nature and the level of the identified cyber security risks.
Control considerations
1. A cyber security risk analysis should be performed.
2. The cyber security risk analysis should address the level of potential business impact and likelihood of
cyber security threat events materializing.
Objective
To ensure cyber security risks are treated (i.e., accepted, avoided, transferred or mitigated).
Objective
To ensure that the cyber security risk treatment is performed according to the treatment plans. To ensure
that the revised or newly implemented cyber security controls are effective.
Control considerations
1. The cyber security risk treatment should be monitored, including:
a. tracking progress against the treatment plan;
b. verifying that the selected and agreed cyber security controls are being implemented.
2. The design and effectiveness of the revised or newly implemented cyber security controls should be
reviewed.
Objective
To comply with regulations affecting cyber security of the Member Organization.
Control considerations
1. A process should be established for ensuring compliance with relevant regulatory requirements
affecting cyber security across the Member Organization. The process of ensuring compliance should:
a. be performed periodically or when new regulatory requirements become effective;
b. involve representatives from key areas of the Member Organization;
c. result in the update of cyber security policy, standards and procedures to accommodate any
necessary changes (if applicable).
Objective
To comply with mandatory (inter)national industry standards.
Control considerations
1. The Member Organization should comply with:
a. Payment Card Industry Data Security Standard (PCI-DSS);
b. EMV (Europay, MasterCard and Visa) technical standard;
c. SWIFT Customer Security Controls Framework – March 2017.
Objective
To ascertain whether the cyber security controls are securely designed and implemented, and the
effectiveness of these controls is being monitored.
Control considerations
1. Cyber security reviews should be periodically performed for critical information assets.
2. Customer- and internet-facing services should be subject to annual review and penetration tests.
3. Details of each cyber security review performed should be recorded, including the results of the review,
issues identified and recommended actions.
4. The results of the cyber security review should be reported to the business owner.
5. Cyber security review should be subject to follow-up reviews to check that:
a. all identified issues have been addressed;
Objective
To ascertain with reasonable assurance whether the cyber security controls are securely designed and
implemented, and whether the effectiveness of these controls is being monitored.
Control considerations
1. Cyber security audits should be performed independently and according to generally accepted
auditing standards and SAMA cyber security framework.
2. Cyber security audits should be performed according to the Member Organization’s audit manual and
audit plan.
The compliance with these cyber security requirements should be monitored and the effectiveness of the
cyber security controls should be periodically measured and evaluated in order to identify potential
revisions of the controls or measurements.
Objective
To ensure that Member Organization staff’s cyber security responsibilities are embedded in staff
agreements and staff are being screened before and during their employment lifecycle.
Control considerations
1. The human resources process should define, approve and implement cyber security requirements.
2. The effectiveness of the human resources process should be monitored, measured and periodically
evaluated.
3. The human resource process should include:
a. cyber security responsibilities and non-disclosure clauses within staff agreements (during and
after the employment);
b. cyber security awareness for staff at the start of and during their employment;
c. the circumstances in which disciplinary actions will be applicable;
d. screening and background check;
e. post-employment cyber security activities, such as:
1. revoking access rights;
2. returning information assets assigned (e.g., access badge, tokens, mobile devices, all electronic
and physical information).
Objective
To prevent unauthorized physical access to the Member Organization’s information assets and to ensure
their protection.
Control considerations
1. The physical security process should be defined, approved and implemented.
Objective
To support the Member Organization in having an accurate and up-to-date inventory and central insight
into the physical/logical location and relevant details of all available information assets, in order to support
its processes, such as financial, procurement, IT and cyber security processes.
Control considerations
1. The asset management process should be defined, approved and implemented.
2. The effectiveness of the asset management process should be monitored, measured and periodically
evaluated.
3. The asset management process should include:
a. a unified register;
b. ownership and custodianship of information assets;
c. references to other relevant processes that depend on asset management;
d. information asset classification, labeling and handling;
e. the discovery of new information assets.
Objective
To support the Member Organization in achieving a strategic, consistent, cost-effective and end-to-end
cyber security architecture.
Control considerations
1. The cyber security architecture should be defined, approved and implemented.
2. The compliance with the cyber security architecture should be monitored.
3. The cyber security architecture should include:
a. a strategic outline of cyber security capabilities and controls based on the business requirements;
Objective
To ensure that the Member Organization only provides authorized and sufficient access privileges to
approved users.
Control considerations
1. The identity and access management policy, including the responsibilities and accountabilities, should
be defined, approved and implemented.
2. The compliance with the identity and access policy should be monitored.
3. The effectiveness of the cyber security controls within the identity and access management policy
should be measured and periodically evaluated.
4. The identity and access management policy should include:
a. business requirements for access control (i.e., need-to-have and need-to-know);
b. user access management (e.g., joiners, movers, leavers):
1. all identified user types should be covered (i.e., internal staff, third parties);
2. changes of job status or job positions for internal staff (e.g. joiner, mover and leaver) should
be instigated by the human resources department;
3. changes for external staff or third parties should be instigated by the appointed accountable
party;
4. user access requests are formally approved in accordance with business and compliance
requirements (i.e., need-to-have and need-to-know, to avoid unauthorized access and
(un)intended data leakage);
5. changes in access rights should be processed in a timely manner;
6. user access rights and profiles should be reviewed periodically;
7. an audit trail of submitted, approved and processed user access requests and revocation
requests should be established;
c. user access management should be supported by automation;
d. centralization of the identity and access management function;
e. multi-factor authentication for sensitive and critical systems and profiles;
f. privileged and remote access management, which should address:
1. the allocation and restricted use of privileged and remote access, specifying:
a. multi-factor authentication should be used for all remote access;
b. multi-factor authentication should be used for privileged access on critical systems based
on a risk assessment;
2. the periodic review of users with privileged and remote accounts;
3. individual accountability;
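The joiner/mover/leaver handling, the approved-request audit trail, the periodic review and the MFA requirements for remote and privileged access listed above can be checked mechanically against an access register. The following is an added example, not part of the Framework and not SAMA code; the data classes, the 90-day review period, the critical-system list and every record are constructed assumptions standing in for an organization's HR roster, access-request log and account inventory.

```python
"""Access register review against the SAMA CSF 3.3.5 control considerations.

Checks performed per account:
  - leaver, or third party past contract end, still holding access (JML)
  - no approved access request in the audit trail (need-to-have / need-to-know)
  - remote access without multi-factor authentication
  - privileged access on a critical system without multi-factor authentication
  - periodic access review overdue
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed review cadence and critical-system list: both are constructed for this
# example and would come from the Member Organization's own IAM standard.
REVIEW_PERIOD_DAYS = 90
CRITICAL_SYSTEMS = {"core-banking", "swift-gw"}


@dataclass
class Person:
    user_id: str
    kind: str                        # "internal" (HR-instigated) or "third_party"
    status: str                      # "active" or "left"
    end_date: Optional[date] = None  # contract end date for third parties


@dataclass
class AccessRequest:
    request_id: str
    user_id: str
    system: str
    approved: bool


@dataclass
class Account:
    user_id: str
    system: str
    privileged: bool
    remote: bool
    mfa: bool
    last_reviewed: date
    request_id: Optional[str]        # link into the access-request audit trail


Finding = Tuple[str, str, str]       # (user_id, system, description)


def review_access(people, requests, accounts, today: date) -> List[Finding]:
    """Reconcile accounts with the HR/third-party roster and the audit trail."""
    persons = {p.user_id: p for p in people}
    audit_trail = {r.request_id: r for r in requests}
    findings: List[Finding] = []
    for acc in accounts:
        issues: List[str] = []
        person = persons.get(acc.user_id)
        if person is None:
            issues.append("orphan account: no HR or third-party record")
        elif person.status == "left" or (person.end_date and person.end_date < today):
            issues.append("leaver still has active access")
        # The request must exist, be approved, and match this user and system.
        req = audit_trail.get(acc.request_id) if acc.request_id else None
        if req is None or not req.approved or (req.user_id, req.system) != (acc.user_id, acc.system):
            issues.append("no approved access request in audit trail")
        if acc.remote and not acc.mfa:
            issues.append("remote access without MFA")
        if acc.privileged and acc.system in CRITICAL_SYSTEMS and not acc.mfa:
            issues.append("privileged access on critical system without MFA")
        if (today - acc.last_reviewed).days > REVIEW_PERIOD_DAYS:
            issues.append("periodic access review overdue")
        findings.extend((acc.user_id, acc.system, i) for i in issues)
    return findings


def run_sample() -> List[Finding]:
    """Run the review over a small constructed data set (not real records)."""
    today = date(2017, 6, 30)
    people = [
        Person("alice", "internal", "active"),
        Person("bob", "internal", "left"),
        Person("carol", "third_party", "active", end_date=date(2017, 5, 31)),
        Person("dave", "internal", "active"),
    ]
    requests = [
        AccessRequest("R1", "alice", "core-banking", approved=True),
        AccessRequest("R2", "bob", "hr-portal", approved=True),
        AccessRequest("R3", "eve", "file-share", approved=False),
        AccessRequest("R4", "dave", "core-banking", approved=True),
    ]
    accounts = [
        Account("alice", "core-banking", True, False, True, date(2017, 5, 1), "R1"),
        Account("bob", "hr-portal", False, False, False, date(2017, 6, 1), "R2"),
        Account("carol", "swift-gw", True, True, False, date(2017, 1, 15), None),
        Account("eve", "file-share", False, False, False, date(2017, 6, 10), "R3"),
        Account("dave", "core-banking", False, True, True, date(2017, 6, 20), "R4"),
    ]
    return review_access(people, requests, accounts, today)


if __name__ == "__main__":
    for user, system, issue in run_sample():
        print(f"{user:6} {system:13} {issue}")
```

In the constructed data only alice and dave pass every check; carol's expired third-party account on the SWIFT gateway trips five findings at once.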
Objective
To ensure that sufficient cyber security controls are formally documented and implemented for all
applications, and that the compliance is monitored and its effectiveness is evaluated periodically within
the Member Organization.
Control considerations
1. The application cyber security standards should be defined, approved and implemented.
2. The compliance with the application security standards should be monitored.
3. The effectiveness of the application cyber security controls should be measured and periodically
evaluated.
4. Application development should follow the approved secure system development life cycle (SDLC)
methodology.
5. The application security standard should include:
a. secure coding standards;
b. the cyber security controls implemented (e.g., configuration parameters, events to monitor and
retain [including system access and data], identity and access management);
c. the segregation of duties within the application (supported with a documented authorization
matrix);
d. the protection of data aligned with the (agreed) classification scheme (including privacy of
customer data, and avoiding unauthorized access and (un)intended data leakage);
e. vulnerability and patch management;
f. back-up and recovery procedures;
g. periodic cyber security compliance review.
Objective
To ensure that all changes to the information assets within the Member Organization follow a strict change
control process.
Objective
To ensure that all cyber security controls within the infrastructure are formally documented and the
compliance is monitored and its effectiveness is evaluated periodically within the Member Organization.
Control considerations
1. The infrastructure security standards should be defined, approved and implemented.
2. The compliance with the infrastructure security standards should be monitored.
3. The effectiveness of the infrastructure cyber security controls should be measured and periodically
evaluated.
4. The infrastructure security standards should cover all instances of infrastructure available in the main
datacenter(s), the disaster recovery data site(s) and office spaces.
5. The infrastructure security standards should cover all instances of infrastructure (e.g., operating
systems, servers, virtual machines, firewalls, network devices, IDS, IPS, wireless network, gateway
servers, proxy servers, email gateways, external connections, databases, file-shares, workstations,
laptops, tablets, mobile devices, PBX).
6. The infrastructure security standard should include:
3.3.9 Cryptography
Principle
The use of cryptographic solutions within the Member Organizations should be defined, approved and
implemented.
Objective
To ensure that access to and integrity of sensitive information is protected and the originator of
communication or transactions can be confirmed.
Control considerations
1. A cryptographic security standard should be defined, approved and implemented.
2. The compliance with the cryptographic security standard should be monitored.
3. The effectiveness of the cryptographic security controls should be measured and periodically
evaluated.
4. The cryptographic security standard should include:
a. an overview of the approved cryptographic solutions and relevant restrictions (e.g., technically,
legally);
b. the circumstances when the approved cryptographic solutions should be applied;
c. the management of encryption keys, including lifecycle management, archiving and recovery.
Objective
To ensure that business and sensitive information of the Member Organization is securely handled by
staff and protected during transmission and storage when personal devices are used.
Control considerations
1. The BYOD cyber security standard should be defined, approved and implemented.
2. The compliance with the BYOD cyber security standard should be monitored.
3. The effectiveness of the BYOD cyber security controls should be measured and periodically evaluated.
4. The BYOD standard should include:
a. responsibilities of the user (including awareness training);
b. information regarding the restrictions and consequences for staff when the Member Organization
implements cyber security controls on their personal devices; for example, when modified (jailbroken)
devices are used, when employment is terminated, or in case of loss or theft of the personal
device;
c. the isolation of business information from personal information (e.g., containerization);
d. the regulation of corporate mobile applications or approved “public” mobile applications;
e. the use of mobile device management (MDM), applying access controls to the device and business
container and encryption mechanisms on the personal device (to ensure secure transmission and
storage).
Objective
To ensure that the Member Organization’s business, customer and other sensitive information is
protected from leakage or unauthorized disclosure when disposed of.
Control considerations
1. The secure disposal standard and procedure should be defined, approved and implemented.
2. The compliance with the secure disposal standard and procedure should be monitored.
3. The effectiveness of the secure disposal cyber security controls should be measured and periodically
evaluated.
4. Information assets should be disposed of in accordance with legal and regulatory requirements when
no longer required (i.e., meeting data privacy regulations to avoid unauthorized access and
(un)intended data leakage).
5. Sensitive information should be destroyed using techniques to make the information non-retrievable
(e.g., secure erase, secure wiping, incineration, double crosscut, shredding).
Objective
To ensure the Member Organization safeguards the confidentiality and integrity of shared banking
systems.
Control considerations
For Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE
Information Security Policy, Version Issue 1.0 - June 2016.
For mada information, please refer to the following sections in the mada Rules and Standards
Technical Book (see appendix A):
Part IIIa - Security Framework, Version Issue 6.0.0 - May 2016
Part IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016
SAMA CA IPK Certificate Procedures, Version Issue 6.0.1 – October 2016
Objective
To ensure the Member Organization safeguards the confidentiality and integrity of the customer
information and transactions.
Control Considerations
1. The cyber security standards for electronic banking services should be defined, approved and
implemented.
2. The compliance with cyber security standards for electronic banking services should be monitored.
3. The effectiveness of the cyber security standard for electronic banking services should be measured
and periodically evaluated.
4. The electronic banking services security standard should cover:
a. use of brand protection measures to protect online services, including social media;
b. online, mobile and phone banking:
1. use of official application stores and websites (applicable for online and mobile banking);
2. use of detection measures and take-down of malicious apps and websites (applicable for
online and mobile banking);
Objective
To ensure timely identification of and response to anomalies or suspicious events with regard to
information assets.
Control considerations
1. The security event management process should be defined, approved and implemented.
2. The effectiveness of the cyber security controls within the security event management process should
be measured and periodically evaluated.
3. To support this process, a security event monitoring standard should be defined, approved and
implemented.
a. the standard should specify, for all information assets, the mandatory events which should be
monitored, based on the classification or risk profile of the information asset.
4. The security event management process should include requirements for:
a. the establishment of a designated team responsible for security monitoring (i.e., Security
Operations Center (SOC));
b. skilled and (continuously) trained staff;
c. a restricted area to facilitate SOC activities and workspaces;
d. resources required for continuous security event monitoring activities (24x7);
e. detection and handling of malicious code and software;
f. detection and handling of security or suspicious events and anomalies;
g. deployment of a security network packet analysis solution;
h. adequately protected logs;
i. periodic monitoring of compliance with the application and infrastructure cyber security standards;
j. automated and centralized analysis of security logs and correlation of events or patterns (i.e.,
Security Information and Event Management (SIEM));
k. reporting of cyber security incidents;
l. independent periodic testing of the effectiveness of the security operations center (e.g., red-
teaming).
Control considerations
1. The cyber security incident management process should be defined, approved, implemented and
aligned with the enterprise incident management process.
2. The effectiveness of the cyber security controls within the cyber security incident management
process should be measured and periodically evaluated.
3. The standard should address the mandatory and suspicious security events which should be
responded to.
4. The security incident management process should include requirements for:
a. the establishment of a designated team responsible for security incident management;
b. skilled and (continuously) trained staff;
c. sufficient capacity of certified forensic staff available for handling major incidents (e.g., internal
staff or contracting an external forensic team);
d. a restricted area to facilitate the computer emergency response team (CERT) workspaces;
e. the classification of cyber security incidents;
f. the timely handling of cyber security incidents, recording and monitoring progress;
g. the protection of relevant evidence and logs;
h. post-incident activities, such as forensics, root-cause analysis of the incidents;
i. reporting of suggested improvements to the CISO and the Committee;
j. the establishment of a cyber security incident repository.
5. The Member Organization should inform ‘SAMA IT Risk Supervision’ immediately when a medium or
high classified security incident has occurred and been identified.
6. The Member Organization should obtain ‘no objection’ from ‘SAMA IT Risk Supervision’ before any
media interaction related to the incident.
7. The Member Organization should submit a formal incident report to ‘SAMA IT Risk Supervision’ after
resuming operations, including the following incident details:
a. title of incident;
b. classification of the incident (medium or high);
c. date and time the incident occurred;
d. date and time the incident was detected;
e. information assets involved;
f. (technical) details of the incident;
g. root-cause analysis;
h. corrective activities performed and planned;
i. description of impact (e.g., loss of data, disruption of services, unauthorized modification of data,
(un)intended data leakage, number of customers impacted);
j. total estimated cost of incident;
k. estimated cost of corrective actions.
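The report contents listed in consideration 7 and the notification rule in consideration 5 can be checked mechanically before a report is sent. The following is an added example, not text or code from the Framework; the IncidentReport field names, the validation messages and the sample incident are assumptions constructed for it.

```python
"""Added example (not part of the SAMA Framework): a completeness and consistency
check for the incident report fields listed in control consideration 7, plus the
notification rule of consideration 5.  Field names and the sample incident are
assumptions constructed here."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Classifications for which SAMA IT Risk Supervision is informed immediately
# (consideration 5) and a formal report is submitted (consideration 7b).
REPORTABLE_CLASSIFICATIONS = {"medium", "high"}


@dataclass
class IncidentReport:
    title: str                          # a. title of incident
    classification: str                 # b. "medium" or "high"
    occurred_at: Optional[datetime]     # c. date and time the incident occurred
    detected_at: Optional[datetime]     # d. date and time the incident was detected
    information_assets: List[str]       # e. information assets involved
    technical_details: str              # f. (technical) details
    root_cause: str                     # g. root-cause analysis
    corrective_actions: List[str]       # h. corrective activities performed and planned
    impact: str                         # i. description of impact
    incident_cost: Optional[float]      # j. total estimated cost of incident
    corrective_cost: Optional[float]    # k. estimated cost of corrective actions


def requires_sama_notification(classification: str) -> bool:
    """Consideration 5: medium or high incidents are reported immediately."""
    return classification.strip().lower() in REPORTABLE_CLASSIFICATIONS


def validate_report(r: IncidentReport) -> List[str]:
    """Return the problems found; an empty list means every field the Framework
    lists is present and the timestamps and costs are internally consistent."""
    problems: List[str] = []
    if not r.title.strip():
        problems.append("title of incident is missing")
    if r.classification.strip().lower() not in REPORTABLE_CLASSIFICATIONS:
        problems.append(f"classification {r.classification!r} is not 'medium' or 'high'")
    if r.occurred_at is None:
        problems.append("date and time the incident occurred is missing")
    if r.detected_at is None:
        problems.append("date and time the incident was detected is missing")
    if r.occurred_at and r.detected_at and r.detected_at < r.occurred_at:
        problems.append("detection time precedes occurrence time")
    if not r.information_assets:
        problems.append("no information assets listed")
    for name, value in (("technical details", r.technical_details),
                        ("root-cause analysis", r.root_cause),
                        ("description of impact", r.impact)):
        if not value.strip():
            problems.append(f"{name} is missing")
    if not r.corrective_actions:
        problems.append("no corrective activities (performed or planned) listed")
    for name, value in (("total estimated cost of incident", r.incident_cost),
                        ("estimated cost of corrective actions", r.corrective_cost)):
        if value is None:
            problems.append(f"{name} is missing")
        elif value < 0:
            problems.append(f"{name} is negative")
    return problems


def detection_delay_hours(r: IncidentReport) -> Optional[float]:
    """Hours between occurrence and detection, a useful SOC metric derived from c. and d."""
    if r.occurred_at is None or r.detected_at is None:
        return None
    return (r.detected_at - r.occurred_at).total_seconds() / 3600


# Constructed sample report (hypothetical values).
SAMPLE = IncidentReport(
    title="Lookalike website impersonating the online banking portal",
    classification="high",
    occurred_at=datetime(2017, 5, 10, 8, 0),
    detected_at=datetime(2017, 5, 10, 14, 30),
    information_assets=["online banking portal", "customer e-mail gateway"],
    technical_details="Impersonating site reported by customers; take-down requested.",
    root_cause="Brand-protection monitoring did not cover the lookalike domain.",
    corrective_actions=["take-down request filed", "monitoring scope extended"],
    impact="12 customers affected; no fraudulent transactions.",
    incident_cost=15000.0,
    corrective_cost=4000.0,
)

if __name__ == "__main__":
    print(validate_report(SAMPLE) or "report complete")
    print(f"detection delay: {detection_delay_hours(SAMPLE):.1f} h")
```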
Objective
To obtain an adequate understanding of the Member Organization’s emerging threat posture.
Control considerations
1. The threat intelligence management process should be defined, approved and implemented.
2. The effectiveness of the threat intelligence management process should be measured and periodically
evaluated.
3. The threat intelligence management process should include:
a. the use of internal sources, such as access control, application and infrastructure logs, IDS, IPS,
security tooling, Security Information and Event Management (SIEM), support functions (e.g., Legal,
Audit, IT Helpdesk, Forensics, Fraud Management, Risk Management, Compliance);
b. the use of reliable and relevant external sources, such as SAMA, government agencies, security
forums, (security) vendors, security organizations and specialist notification services;
c. a defined methodology to analyze the threat information periodically;
d. the relevant details on identified or collected threats, such as modus operandi, actors, motivation
and type of threats;
e. the relevance of the derived intelligence and its actionability for follow-up (e.g., by the SOC, Risk
Management);
f. sharing the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS members).
Objective
To ensure timely identification and effective mitigation of application and infrastructure vulnerabilities in
order to reduce the likelihood and business impact for the Member Organization.
Control considerations
1. The vulnerability management process should be defined, approved and implemented.
2. The effectiveness of the vulnerability management process should be measured and periodically
evaluated.
3. The vulnerability management process should include:
a. all information assets;
b. frequency of performing the vulnerability scan (risk-based);
c. classification of vulnerabilities;
d. defined timelines to mitigate (per classification);
e. prioritization for classified information assets;
f. patch management and method of deployment.
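Items c, d and e of consideration 3 (classification of vulnerabilities, timelines per classification and prioritization for classified assets) can be turned into a remediation queue and a compliance metric. The following is an added example, not text or code from the Framework; the SLA values, the asset classification ranks and the sample findings are assumptions constructed for it.

```python
"""Added example (not part of the SAMA Framework): remediation timelines per
vulnerability classification and prioritisation of findings on classified
information assets.  SLA values, classification names and sample findings are
assumptions constructed here."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumed remediation timelines in days per vulnerability classification (3d).
# A Member Organization's approved standard would define the real values.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed information-asset classification ranks; higher means more sensitive (3e).
ASSET_RANK: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_classification: str   # key of ASSET_RANK
    vuln_id: str                # scanner identifier (constructed here)
    severity: str               # key of SLA_DAYS (3c)
    discovered: date


def due_date(f: Finding) -> date:
    """Deadline derived from the classification's remediation timeline (3d)."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown vulnerability classification: {f.severity!r}")
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline; 0 while the finding is still within its timeline."""
    return max(0, (today - due_date(f)).days)


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    """Order the remediation queue: most overdue first, then the most sensitive
    asset classification (3e), then the most severe vulnerability."""
    return sorted(
        findings,
        key=lambda f: (-days_overdue(f, today),
                       -ASSET_RANK.get(f.asset_classification, 0),
                       SLA_DAYS[f.severity]),
    )


def sla_compliance(findings: List[Finding], today: date) -> float:
    """Share of open findings still within their timeline, a metric that
    supports the periodic effectiveness evaluation in consideration 2."""
    if not findings:
        return 1.0
    within = sum(1 for f in findings if days_overdue(f, today) == 0)
    return within / len(findings)


# Constructed sample scan results and reporting date (hypothetical values).
TODAY = date(2017, 6, 1)
FINDINGS = [
    Finding("core-banking-db01", "secret", "VULN-0001", "high", date(2017, 4, 1)),
    Finding("intranet-web02", "internal", "VULN-0002", "critical", date(2017, 5, 20)),
    Finding("kiosk-pc07", "public", "VULN-0003", "medium", date(2017, 3, 1)),
    Finding("hr-app01", "confidential", "VULN-0004", "low", date(2017, 1, 1)),
    Finding("atm-gw03", "confidential", "VULN-0005", "critical", date(2017, 5, 28)),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS, TODAY):
        print(f"{f.vuln_id} {f.asset:18} due {due_date(f)} overdue {days_overdue(f, TODAY):>3} d")
    print(f"within timeline: {sla_compliance(FINDINGS, TODAY):.0%}")
```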
This paragraph describes how the cyber security requirements between the Member Organization and
Third Parties should be organized, implemented and monitored. Third Parties in this Framework are
defined as information service providers, outsourcing providers, cloud computing providers, vendors,
suppliers, governmental agencies, etc.
Objective
To ensure that the Member Organization’s approved cyber security requirements are appropriately
addressed before signing the contract, and that compliance with the cyber security requirements is
monitored and evaluated during the contract life-cycle.
Control Considerations
1. The cyber security requirements should be defined, approved, implemented and communicated
within the contract and vendor management processes.
2. Compliance with the contract and vendor management process should be monitored.
3. The effectiveness of the cyber security controls within the contract and vendor management process
should be measured and periodically evaluated.
4. These contract and vendor management processes should cover:
a. whether the involvement of the cyber security function is actively required (e.g., in case of due
diligence);
b. the baseline cyber security requirements which should be applied in all cases;
c. the right to periodically perform cyber security reviews and audits.
5. The contract management process should cover requirements for:
a. executing a cyber security risk assessment as part of the procurement process;
b. defining the specific cyber security requirements as part of the tender process;
c. evaluating the replies of potential vendors on the defined cyber security requirements;
d. testing of the agreed cyber security requirements (risk-based);
e. defining the communication or escalation process in case of cyber security incidents;
f. ensuring cyber security requirements are defined for exiting, terminating or renewing the contract
(including escrow agreements if applicable);
g. defining a mutual confidentiality agreement.
6. The vendor management process (i.e., service level management) should cover requirements for:
a. periodic reporting, reviewing and evaluating the contractually agreed cyber security requirements
(in SLAs).
Objective
To ensure that the Member Organization’s cyber security requirements are appropriately addressed
before, during and while exiting outsourcing contracts.
Control Considerations
1. The cyber security requirements within the outsourcing policy and process should be defined,
approved, implemented and communicated within the Member Organization.
2. The cyber security requirements regarding the outsourcing policy and process should be measured
and periodically evaluated.
3. The outsourcing process should include:
a. the approval from SAMA prior to material outsourcing;
b. the involvement of the cyber security function;
c. compliance with the SAMA circular on outsourcing.
Please note that this requirement is not applicable to private cloud services (i.e., internal cloud).
Objective
To ensure that all functions and staff within the Member Organization are aware of the agreed direction
and position on hybrid and public cloud services, the required process to apply for hybrid and public cloud
services, the risk appetite on hybrid and public cloud services and the specific cyber security requirements
for hybrid and public cloud services.
Control Considerations
1. The cyber security controls within the cloud computing policy for hybrid and public cloud services
should be defined, approved, implemented and communicated within the Member Organization.
2. The compliance with the cloud computing policy should be monitored.
3. The cyber security controls regarding the cloud computing policy and process for hybrid and public
cloud services should be periodically measured and evaluated.
4. The cloud computing policy for hybrid and public cloud services should address requirements for:
a. the process for adopting cloud services, including that:
1. a cyber security risk assessment and due diligence on the cloud service provider and its cloud
services should be performed;
The framework refers to the following SAMA circulars or documents with regard to Payment Systems:
For Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE
Information Security Policy, Version Issue 1.0 - June 2016.
For mada information, please refer to the following sections in the mada Rules and Standards
Technical Book (see appendix A):
Part IIIa - Security Framework, Version Issue 6.0.0 - May 2016
Part IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016
SAMA CA IPK Certificate Procedures, Version Issue 6.0.1 – October 2016
The framework refers to the following SAMA circulars or documents with regard to outsourcing and
business continuity management:
Rules on outsourcing, 424-BCS-34720, 20/7/2008;
Business Continuity Framework, 381000058504, 01/06/1438H
The process for requesting an update to the Framework is illustrated below.
Detailed information, including pros and cons, about the suggested update.
The request should first be approved by the CISO before being submitted to the cyber security committee.
The request should be approved by the Member Organization’s cyber steering committee.
The request should be sent formally in writing to SAMA via the Member Organization’s CEO or
managing director to the deputy governor of Supervision.
‘SAMA IT Risk Supervision’ will evaluate the request and inform the Member Organization.
The current Framework remains applicable while the requested update is being considered and processed
and, if applicable, until it is approved.
The Saudi Arabian Monetary Authority (SAMA) will consider requests from a member organization (MO)
to update its Cyber Security Framework based on the information submitted using the form below. A
separate form must be completed for each requested update. Please note that all required fields must be
properly filled in before SAMA will begin the review process.
Requestor Information
REQUESTOR'S SIGNATURE*
REQUESTOR'S POSITION*
DATE*
REQUESTOR'S NAME*
MEMBER ORGANIZATION OF REQUESTOR*
FRAMEWORK SECTION*:
PURPOSE OF REQUESTED UPDATE (including detailed information on its pros and cons)*:
PROPOSAL*:
Approvals
1. MO’s CISO APPROVAL*
DATE*
The process for requesting a waiver from the Framework is illustrated below.
Detailed description of the reasons why the bank could not meet the required control.
Detailed description of the available or suggested compensating controls.
The waiver request should first be approved by the CISO before being submitted to the cyber security committee.
The waiver request should be approved by the members of the Member Organization’s cyber security
committee.
The waiver request should be signed by the CISO and the relevant (business) owner.
The waiver request should be formally issued in writing to SAMA via the Member Organization’s CEO
or managing director to the deputy governor of Supervision.
‘SAMA IT Risk Supervision’ will evaluate the waiver request and inform the Member Organization.
The current Framework remains applicable while the requested waiver is being evaluated and
processed, until the moment the waiver is granted.
The Saudi Arabian Monetary Authority (SAMA) will consider requests for waiver from a member
organization (MO) from its Cyber Security Framework based on the information submitted using the form
below. A separate form must be completed for each requested waiver. Please note that all required fields
must be properly filled in before SAMA will begin the review process.
Requestor Information
REQUESTOR'S SIGNATURE*
REQUESTOR'S POSITION*
DATE*
REQUESTOR'S NAME*
MEMBER ORGANIZATION OF REQUESTOR*
FRAMEWORK CONTROL*:
Approvals
1. MO’s CISO APPROVAL*
DATE*
Term: Description

Access management: Access management is the process of granting authorized users the right to use a service, while preventing access to non-authorized users.

Anti-skimming solution: A solution that monitors an ATM or POS environment for illegally mounted intrusion mechanisms (both hard- and software).

Business applications: Any software or set of computer programs that are used by business users to perform various business functions.

Business continuity: The capability of an organization to continue delivery of IT and business services at acceptable predefined levels following a disruptive incident. (ISO 22301:2012 Societal security -- Business continuity management systems)

BYOD: Bring your own device (BYOD) refers to personally owned devices (laptops, tablets, and smart phones) that employees and contractors are permitted to use to carry out business functions.

CCTV: Closed-circuit television (CCTV) is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors.

CEO: The Chief Executive Officer (CEO) is the executive with the chief decision-making authority in an organization.

CERT: A computer emergency response team (CERT) is a group of experts that handle computer security incidents.

Change management: The controlled identification and implementation of required changes within a business or information systems.

CIO: Chief information officer (CIO). A senior-level executive responsible for the information technology and computer systems that support enterprise goals.

Custodianship: Responsibility for controlling the access to and the accounting, safeguarding, and destruction of information according to an organization's security policy.

Cyber security incident management: The monitoring and detection of security events on an information system and the execution of proper responses to those events.

Cyber security policy: A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Double crosscut: A technique using saws or blades to cut media into confetti-sized bits.

Enterprise architecture: The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Enterprise risk management: The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Fall-back: Business procedures and measures, undertaken when events have triggered the execution of either a business continuity plan or a contingency plan.

Forensics: The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Formally documented: Documentation that is written, approved by the senior leadership and disseminated to relevant parties.

Gateway server: Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures. It directs, but does not filter, connections between networks. See also ‘Proxy server’.

GCC countries: Members of the Gulf Cooperation Council (GCC), a political and economic alliance of the Kingdom of Bahrain, the State of Kuwait, the Sultanate of Oman, the State of Qatar, the Kingdom of Saudi Arabia and the United Arab Emirates.

Personal devices: Devices, like a smart phone, that are not owned or issued by the organization.

Physical security: The physical protection of facilities that host information assets against intentional and unintentional security events.

PIN: A password consisting only of decimal digits. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Privileged account / access: An information system account with approved authorizations to perform security-relevant functions that ordinary users are not authorized to perform. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Proxy server: A server that services the requests of its clients by forwarding those requests to other servers. It directs and filters connections between networks. See also ‘Gateway server’.

Public cloud service: Services that are rendered over a network that is open to the public. Public cloud providers own and operate the infrastructure at their data center and access is generally via the Internet.

Red-teaming: An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.

Resilience: The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Risk: A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NISTIR 7298r2 Glossary of Key Information Security Terms)

Risk appetite: The amount and type of risk that an organization is willing to take in order to meet their strategic objectives. Also refer to 'Risk tolerance'. (ISO/Guide 73:2009 Risk management — Vocabulary)

Risk profile: A description of any set of risks that relate to the whole organization, part of the organization, or as otherwise defined. The risk profile will outline the number of risks, type of risk and potential effects of risks. (ISO/Guide 73:2009 Risk management — Vocabulary)

Risk treatment: A process to modify risk that can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by informed decision. Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”. Risk treatments can create new risks or modify existing risks. (ISO/Guide 73:2009 Risk management — Vocabulary)

Risk-aware culture: The shared values, beliefs, knowledge, attitudes and understanding about risk within an organization. In a strong risk culture people proactively identify, discuss and take responsibility for risks. (Institute of Risk Management)

Secure coding standard: A document that describes a uniform set of rules and guidelines for developing computer software that protects against the accidental introduction of security vulnerabilities. Examples include OWASP's Secure Coding Practices and the Software Engineering Institute's Secure Coding Standards.

Secure disposal: The disposing of equipment and media that minimizes the risk of unwanted disclosure. See also 'Secure erase', 'Secure wiping', 'Incineration', and 'Double crosscut'.

Soft token: A soft token (a.k.a. a virtual token) is a software version of a hard token. Soft tokens are typically generated by a central server that runs security software and sent to users' devices. Some hard tokens are used in combination with other security measures to further enhance security (known as multi-factor authentication). See also 'Hard token'.

Strategy: Refer to 'Cyber security strategy'.