GCC · Policy & Process · Saudi Arabia

SAMA CSF

SAMA Cyber Security Framework

Version 1.0 (2017)

32 controls · 4 domains
Mandatory for: SAMA-regulated financial entities

About this framework

The SAMA Cyber Security Framework is issued by the Saudi Central Bank (formerly the Saudi Arabian Monetary Authority) and applies to every financial institution it regulates. It sets out the requirements for governance, risk, operations and third-party security that keep banks, insurers and payment firms resilient against attack and disruption.

It is not optional, and it is not a one-off exercise. SAMA assesses regulated entities against the framework on an ongoing basis, and alignment is tied to your standing as a licensed institution. SAMA CSF also overlaps heavily with NCA ECC-2 — so for most Saudi financial organisations, the two are best approached together rather than twice.

Why it matters

For a Saudi-regulated financial institution, cyber security is not a side concern — it sits alongside capital and conduct as something the regulator expects you to evidence, not just assert. SAMA CSF exists because the sector holds money, identity and trust, and because the cost of getting security wrong is borne by customers as much as by the institution.

That is the right reason to do this well — not fear of an audit, but because the controls are what genuine resilience actually looks like. SAMA CSF encodes practices that protect the business whether or not anyone is checking: knowing your risks, validating your controls, and being able to prove both.

786 Cyber is built to make that provable. You implement the controls once, evidence them continuously, and walk into a SAMA review with the documentation already compiled — not assembled in a panic the week before.

Who needs this

SAMA CSF is mandatory for organisations regulated by the Saudi Central Bank: banks (retail, commercial and investment), insurance companies and reinsurers, and payment and fintech firms — payment service providers, lending platforms and other regulated fintechs. Service providers to these regulated entities are increasingly asked to demonstrate alignment before they can win or keep financial-sector contracts.

If your licence comes from the Saudi Central Bank, SAMA CSF applies to you.

The four domains

  1. Cyber Security Leadership & Governance: board-level accountability, strategy, roles and oversight.
  2. Cyber Security Risk Management & Compliance: identifying, treating and reporting cyber risk across the institution.
  3. Cyber Security Operations & Technology: the technical and operational controls that protect systems, data and customers day to day.
  4. Third-Party Cyber Security: managing the risk that outsourced providers and suppliers introduce.

How 786 Cyber helps

Cross-framework coverage

Controls in SAMA CSF also cover:

  - CIS Controls: 14 shared controls
  - ISO 27001: 14 shared controls
  - NCA ECC-2: 14 shared controls
  - Qatar NIA: 14 shared controls
  - UAE IA: 14 shared controls


Control domains

1 · Leadership & Governance (7 controls)
3.1.1
Cyber Security Governance
A cyber security governance structure should be defined and implemented, and should be endorsed by the board.
Objective: To direct and control the overall approach to cyber security within the Member Organization.
Control considerations:
  1. A cyber security committee should be established and be mandated by the board.
  2. The cyber security committee should be headed by an independent senior manager from a control function.
  3. The following positions should be represented in the cyber security committee:
     a. senior managers from all relevant departments (e.g., COO, CIO, compliance officer, heads of relevant business departments);
     b. Chief information security officer (CISO);
     c. Internal audit may attend as an “observer”.
  4. A cyber security committee charter should be developed, approved and reflect:
     a. committee objectives;
     b. roles and responsibilities;
     c. minimum number of meeting participants;
     d. meeting frequency (minimum on quarterly basis).
  5. A cyber security function should be established.
  6. The cyber security function should be independent from the information technology function. To avoid any conflict of interest, the cyber security function and information technology function should have separate reporting lines, budgets and staff evaluations.
  7. The cyber security function should report directly to the CEO/managing director of the Member Organization or general manager of a control function.
  8. A full-time senior manager for the cyber security function, referred to as CISO, should be appointed at senior management level.
  9. The Member Organization should:
     a. ensure the CISO has a Saudi nationality;
     b. ensure the CISO is sufficiently qualified;
     c. obtain no objection from SAMA to assign the CISO.
  10. The board of the Member Organization should allocate sufficient budget to execute the required cyber security activities.
Mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.1.2
Cyber Security Strategy
A cyber security strategy should be defined and aligned with the Member Organization’s strategic objectives, as well as with the Banking Sector’s cyber security strategy.
Objective: To ensure that cyber security initiatives and projects within the Member Organization contribute to the Member Organization’s strategic objectives and are aligned with the Banking Sector’s cyber security strategy.
Control considerations:
  1. The cyber security strategy should be defined, approved, maintained and executed.
  2. The cyber security strategy should be aligned with:
     a. the Member Organization’s overall objectives;
     b. the legal and regulatory compliance requirements of the Member Organization;
     c. the Banking Sector’s cyber security strategy.
  3. The cyber security strategy should address:
     a. the importance and benefits of cyber security for the Member Organization;
     b. the anticipated future state of cyber security for the Member Organization to become and remain resilient to (emerging) cyber security threats;
     c. which and when cyber security initiatives and projects should be executed to achieve the anticipated future state.
Mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.1.3
Cyber Security Policy
A cyber security policy should be defined, approved and communicated.
Objective: To document the Member Organization’s commitment and objectives of cyber security, and to communicate this to the relevant stakeholders.
Control considerations:
  1. The cyber security policy should be defined, approved and communicated.
  2. The cyber security policy should be reviewed periodically according to a predefined and structured review process.
  3. The cyber security policy should be:
     a. considered as input for other corporate policies of the Member Organization (e.g., HR policy, finance policy and IT policy);
     b. supported by detailed security standards (e.g., password standard, firewall standard) and procedures;
     c. based on best practices and (inter)national standards;
     d. communicated to relevant stakeholders.
  4. The cyber security policy should include:
     a. a definition of cyber security;
     b. the Member Organization’s overall cyber security objectives and scope;
     c. a statement of the board’s intent, supporting the cyber security objectives;
     d. a definition of general and specific responsibilities for cyber security;
     e. the reference to supporting cyber security standards and procedures;
     f. cyber security requirements that ensure:
        1. information is classified in a way that indicates its importance to the Member Organization;
        2. information is protected in terms of cyber security requirements, in line with the risk appetite;
        3. owners are appointed for all information assets;
        4. cyber security risk assessments are conducted for information assets;
        5. relevant stakeholders are made aware of cyber security and their expected behavior (cyber security awareness program);
        6. compliance with regulatory and contractual obligations is being met;
        7. cyber security breaches and suspected cyber security weaknesses are reported;
        8. cyber security is reflected in business continuity management.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.1.4
Cyber Security Roles and Responsibilities
Responsibilities to implement, maintain, support and promote cyber security should be defined throughout the Member Organization. Additionally, all parties involved in cyber security should understand and take their role and responsibilities.
Objective: To ensure that relevant stakeholders are aware of the responsibilities with regard to cyber security and apply cyber security controls throughout the Member Organization.
Control considerations:
  1. The Board of Directors has the ultimate responsibility for cyber security, including:
     a. ensuring that sufficient budget for cyber security is allocated;
     b. approving the cyber security committee charter;
     c. endorsing (after being approved by the cyber security committee):
        1. the cyber security governance;
        2. the cyber security strategy;
        3. the cyber security policy.
  2. The cyber security committee should be responsible for:
     a. monitoring, reviewing and communicating the Member Organization’s cyber security risk appetite periodically or upon a material change in the risk appetite;
     b. reviewing the cyber security strategy to ensure that it supports the Member Organization objectives;
     c. approving, communicating, supporting and monitoring:
        1. the cyber security governance;
        2. the cyber security strategy;
        3. the cyber security policy;
        4. cyber security programs (e.g., awareness program, data classification program, data privacy, data leakage prevention, key cyber security improvements);
        5. cyber security risk management process;
        6. the key risk indicators (KRIs) and key performance indicators (KPIs) for cyber security.
  3. The senior management should be responsible for:
     a. ensuring that standards, processes and procedures reflect security requirements (if applicable);
     b. ensuring that individuals accept and comply with the cyber security policy, supporting standards and procedures when they are issued and updated;
     c. ensuring that cyber security responsibilities are incorporated in the job descriptions of key positions and cyber security staff.
  4. The CISO should be responsible for:
     a. developing and maintaining:
        1. cyber security strategy;
        2. cyber security policy;
        3. cyber security architecture;
        4. cyber security risk management process;
     b. ensuring that detailed security standards and procedures are established, approved and implemented;
     c. delivering risk-based cyber security solutions that address people, process and technology;
     d. developing the cyber security staff to deliver cyber security solutions in a business context;
     e. the cyber security activities across the Member Organization, including:
        1. monitoring of the cyber security activities (SOC monitoring);
        2. monitoring of compliance with cyber security regulations, policies, standards and procedures;
        3. overseeing the investigation of cyber security incidents;
        4. gathering and analyzing threat intelligence from internal and external sources;
        5. performing cyber security reviews;
     f. conducting cyber security risk assessments on the Member Organization’s information assets;
     g. proactively supporting other functions on cyber security, including:
        1. performing information and system classifications;
        2. determining cyber security requirements for important projects;
        3. performing cyber security reviews;
     h. defining and conducting the cyber security awareness programs;
     i. measuring and reporting the KRIs and KPIs on:
        1. cyber security strategy;
        2. cyber security policy compliance;
        3. cyber security standards and procedures;
        4. cyber security programs (e.g., awareness program, data classification program, key cyber security improvements).
  5. The internal audit function should be responsible for:
     a. performing cyber security audits.
  6. All Member Organization’s staff should be responsible for:
     a. complying with cyber security policy, standards and procedures.
Mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.1.5
Cyber Security in Project Management
Cyber security should be addressed in project management and project governance.
Objective: To ensure that all the Member Organization’s projects meet cyber security requirements.
Control considerations:
  1. Cyber security should be integrated into the Member Organization's project management methodology to ensure that cyber security risks are identified and addressed as part of a project.
  2. The Member Organization’s project management methodology should ensure that:
     a. cyber security objectives are included in project objectives;
     b. the cyber security function is part of all phases of the project;
     c. a risk assessment is performed at the start of the project to determine the cyber security risks and to ensure that cyber security requirements are addressed either by the existing cyber security controls (based on cyber security standards) or by controls to be developed;
     d. cyber security risks are registered in the project-risk register and tracked;
     e. responsibilities for cyber security are defined and allocated;
     f. a cyber security review is performed by an independent internal or external party.
Mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.1.6
Cyber Security Awareness
A cyber security awareness program should be defined and conducted for staff, third parties and customers of the Member Organization.
Objective: To create a cyber security risk-aware culture where the Member Organization’s staff, third parties and customers make effective risk-based decisions which protect the Member Organization’s information.
Control considerations:
  1. The cyber security awareness programs should be defined, approved and conducted to promote cyber security awareness and to create a positive cyber security culture.
  2. A cyber security awareness program should be defined and conducted for:
     a. staff of the Member Organization;
     b. third parties of the Member Organization;
     c. customers of the Member Organization.
  3. The cyber security awareness program should target cyber security behaviors by tailoring the program to address the different target groups through multiple channels.
  4. The activities of the cyber security awareness program should be conducted periodically and throughout the year.
  5. The cyber security awareness program should at a minimum include:
     a. an explanation of cyber security measures provided;
     b. the roles and responsibilities regarding cyber security;
     c. information on relevant emerging cyber security events and cyber threats (e.g., spear-phishing, whaling).
  6. The cyber security awareness program should be evaluated to:
     a. measure the effectiveness of the awareness activities;
     b. formulate recommendations to improve the cyber security awareness program.
  7. Customer awareness should address both retail and commercial customers and, at a minimum, include a listing of suggested cyber security mechanisms which customers may consider implementing to mitigate their own risk(s).
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · DORA · NCA CCC
3.1.7
Cyber Security Training
Staff of the Member Organization should be provided with training regarding how to operate the Member Organization’s systems securely and to address and apply cyber security controls.
Objective: To ensure that staff of the Member Organization are equipped with the skills and required knowledge to protect the Member Organization’s information assets and to fulfil their cyber security responsibilities.
Control considerations:
  1. Specialist or security-related skills training should be provided to staff in the Member Organization’s relevant functional area categories in line with their job descriptions, including:
     a. key roles within the organization;
     b. staff of the cyber security function;
     c. staff involved in developing and (technically) maintaining information assets;
     d. staff involved in risk assessments.
  2. Education should be provided in order to equip staff with the skills and required knowledge to securely operate the Member Organization’s information assets.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS

2 · Risk Management & Compliance (5 controls)

3.2 Cyber Security Risk Management and Compliance

Risk management is the ongoing process of identifying, analyzing, responding and monitoring and reviewing risks. The cyber security risk management process focusses specifically on managing risks related to cyber security. In order to manage cyber security risks, Member Organizations should:
  - identify their cyber security risks (cyber security risk identification);
  - determine the likelihood that cyber security risks will occur and the resulting impact (cyber security risk analysis);
  - determine the appropriate response to cyber security risks and select relevant controls (cyber security risk response);
  - monitor the cyber security risk treatment and review control effectiveness (cyber security risk monitoring and review).
The compliance with the cyber security controls should be subject to periodic review and audit.
3.2.1
Cyber Security Risk Management
A cyber security risk management process should be defined, approved and implemented, and should be aligned with the Member Organization’s enterprise risk management process. Cyber security risk identification should be performed and should include the Member Organization’s relevant assets, threats, existing controls and vulnerabilities. A cyber security risk analysis should be conducted based on the likelihood that the identified cyber security risks will occur and their resulting impact. The cyber security risks of a Member Organization should be treated. The progress of cyber security risk treatment should be monitored and the effectiveness of revised or newly implemented cyber security controls should be reviewed.
Objective: To ensure cyber security risks are properly managed to protect the confidentiality, integrity and availability of the Member Organization’s information assets, and to ensure the cyber security risk management process is aligned with the Member Organization’s enterprise risk management process. To find, recognize and describe the Member Organization’s cyber security risks. To analyze and determine the nature and the level of the identified cyber security risks. To ensure cyber security risks are treated (i.e., accepted, avoided, transferred or mitigated). To ensure that the cyber security risk treatment is performed according to the treatment plans. To ensure that the revised or newly implemented cyber security controls are effective.
Control considerations:
  1. The cyber security risk management process should be defined, approved and implemented.
  2. The cyber security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets.
  3. The cyber security risk management process should be aligned with the existing enterprise risk management process.
  4. The cyber security risk management process should be documented and address:
     a. risk identification;
     b. risk analysis;
     c. risk response;
     d. risk monitoring and review.
  5. The cyber security risk management process should address the Member Organization’s information assets, including (but not limited to):
     a. business processes;
     b. business applications;
     c. infrastructure components.
  6. The cyber security risk management process should be initiated:
     a. at an early stage of the project;
     b. prior to critical change;
     c. when outsourcing is being considered;
     d. when launching new products and technologies.
  7. Existing information assets should be periodically subject to cyber security risk assessment based on their classification or risk profile.
  8. The cyber security risk management activities should involve:
     a. business owners;
     b. IT specialists;
     c. cyber security specialists;
     d. key user representatives.
  9. The result of the risk assessment should be reported to the relevant business owner (i.e., risk owner) within the Member Organization.
  10. The relevant business owner (i.e., risk owner) within the Member Organization should accept and endorse the risk assessment results.
  11. The Member Organization’s cyber security risk appetite and risk tolerance should be clearly defined and formally approved.

3.2.1.1 Cyber Security Risk Identification
  1. Cyber security risk identification should be performed.
  2. Identified cyber security risks should be documented (in a central register).
  3. Cyber security risk identification should address relevant information assets, threats, vulnerabilities and the key existing cyber security controls.

3.2.1.2 Cyber Security Risk Analysis
  1. A cyber security risk analysis should be performed.
  2. The cyber security risk analysis should address the level of potential business impact and likelihood of cyber security threat events materializing.

3.2.1.3 Cyber Security Risk Response
  1. The relevant determined cyber security risks should be treated according to the Member Organization’s risk appetite and cyber security requirements.
  2. Cyber security risk response should ensure that the list of risk treatment options is documented (i.e., accepting, avoiding, transferring or mitigating risks by applying cyber security controls).
  3. Accepting cyber security risks should include:
     a. the consideration of predefined limits for levels of cyber security risk;
     b. the approval and sign-off by the business owner, ensuring that:
        1. the accepted cyber security risk is within the risk appetite and is reported to the cyber security committee;
        2. the accepted cyber security risk does not contradict SAMA regulations.
  4. Avoiding cyber security risks should involve a decision by a business owner to cancel or postpone a particular activity or project that introduces an unacceptable cyber security risk.
  5. Transferring or sharing the cyber security risks should:
     a. involve sharing the cyber security risks with relevant (internal or external) providers;
     b. be accepted by the receiving (internal or external) provider(s);
     c. eventually lead to the actual transferring or sharing of the cyber security risk.
  6. Applying cyber security controls to mitigate cyber security risks should include:
     a. identifying appropriate cyber security controls;
     b. evaluating the strengths and weaknesses of the cyber security controls:
        1. assessing the cost of implementing the cyber security controls;
        2. assessing the feasibility of implementing the cyber security controls;
        3. reviewing relevant compliance requirements for the cyber security controls;
     c. selecting cyber security controls;
     d. identifying, documenting and obtaining sign-off for any residual risk by the business owner.
  7. Cyber security risk treatment actions should be documented in a risk treatment plan.

3.2.1.4 Cyber Risk Monitoring and Review
  1. The cyber security treatment should be monitored, including:
     a. tracking progress in accordance with the treatment plan;
     b. confirming that the selected and agreed cyber security controls are being implemented.
  2. The design and effectiveness of the revised or newly implemented cyber security controls should be reviewed.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS · GDPR (EU) · UK GDPR · HIPAA Security Rule
3.2.2
Regulatory Compliance
A process should be established by the Member Organization to identify, communicate and comply with the cyber security implications of relevant regulations.
Objective: To comply with regulations affecting cyber security of the Member Organization.
Control considerations:
  1. A process should be established for ensuring compliance with relevant regulatory requirements affecting cyber security across the Member Organization. The process of ensuring compliance should:
     a. be performed periodically or when new regulatory requirements become effective;
     b. involve representatives from key areas of the Member Organization;
     c. result in the update of cyber security policy, standards and procedures to accommodate any necessary changes (if applicable).
3.2.3
Compliance with (inter)national industry standards
The Member Organization should comply with mandatory (inter)national industry standards.
Objective: To comply with mandatory (inter)national industry standards.
Control considerations:
  1. The Member Organization should comply with:
     a. Payment Card Industry Data Security Standard (PCI-DSS);
     b. EMV (Europay, MasterCard and Visa) technical standard;
     c. SWIFT Customer Security Controls Framework – March 2017.
3.2.4
Cyber Security Review
The cyber security status of the Member Organization’s information assets should be subject to periodic cyber security review.
Objective: To ascertain whether the cyber security controls are securely designed and implemented, and whether the effectiveness of these controls is being monitored.
Control considerations:
  1. Cyber security reviews should be periodically performed for critical information assets.
  2. Customer and internet facing services should be subject to annual review and penetration tests.
  3. Details of the cyber security review performed should be recorded, including the results of the review, issues identified and recommended actions.
  4. The results of the cyber security review should be reported to the business owner.
  5. Cyber security reviews should be subject to follow-up reviews to check that:
     a. all identified issues have been addressed;
     b. critical risks have been treated effectively;
     c. all agreed actions are being managed on an ongoing basis.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.2.5
Cyber Security Audits
The cyber security status of the Member Organization’s information assets should be subject to thorough, independent and regular cyber security audits performed in accordance with generally accepted auditing standards and the SAMA cyber security framework.
Objective: To ascertain with reasonable assurance whether the cyber security controls are securely designed and implemented, and whether the effectiveness of these controls is being monitored.
Control considerations:
  1. Cyber security audits should be performed independently and according to generally accepted auditing standards and the SAMA cyber security framework.
  2. Cyber security audits should be performed according to the Member Organization’s audit manual and audit plan.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS

3 · Operations & Technology (17 controls)

3.3 Cyber Security Operations and Technology

In order to safeguard the protection of the operations and technology of the Member Organization's information assets and its staff, third parties and customers, the Member Organizations have to ensure that security requirements for their information assets and the supporting processes are defined, approved and implemented. The compliance with these cyber security requirements should be monitored and the effectiveness of the cyber security controls should be periodically measured and evaluated in order to identify potential revisions of the controls or measurements.
3.3.1
Human Resources
The Member Organization should incorporate cyber security requirements into human resources processes.
Objective: To ensure that Member Organization staff’s cyber security responsibilities are embedded in staff agreements and staff are being screened before and during their employment lifecycle.
Control considerations:
  1. The human resources process should define, approve and implement cyber security requirements.
  2. The effectiveness of the human resources process should be monitored, measured and periodically evaluated.
  3. The human resource process should include:
     a. cyber security responsibilities and non-disclosure clauses within staff agreements (during and after the employment);
     b. staff should receive cyber security awareness at the start and during their employment;
     c. when disciplinary actions will be applicable;
     d. screening and background check;
     e. post-employment cyber security activities, such as:
        1. revoking access rights;
        2. returning information assets assigned (e.g., access badge, tokens, mobile devices, all electronic and physical information).
3.3.2
Physical Security
The Member Organization should ensure all facilities which host information assets are physically protected against intentional and unintentional security events.
Objective: To prevent unauthorized physical access to the Member Organization information assets and to ensure its protection.
Control considerations:
  1. The physical security process should be defined, approved and implemented.
  2. The effectiveness of the physical security process should be monitored, measured and periodically evaluated.
  3. The physical security process should include (but not limited to):
     a. physical entry controls (including visitor security);
     b. monitoring and surveillance (e.g., CCTV, ATMs GPS tracking, sensitivity sensors);
     c. protection of data centers and data rooms;
     d. environmental protection;
     e. protection of information assets during lifecycle (including transport and secure disposal, avoiding unauthorized access and (un)intended data leakage).
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS
3.3.3
Asset Management
The Member Organization should define, approve, implement, communicate and monitor an asset management process, which supports an accurate, up-to-date and unified asset register.
Objective: To support the Member Organization in having an accurate and up-to-date inventory and central insight in the physical / logical location and relevant details of all available information assets, in order to support its processes, such as financial, procurement, IT and cyber security processes.
Control considerations:
  1. The asset management process should be defined, approved and implemented.
  2. The effectiveness of the asset management process should be monitored, measured and periodically evaluated.
  3. The asset management process should include:
     a. a unified register;
     b. ownership and custodianship of information assets;
     c. the reference to relevant other processes, depending on asset management;
     d. information asset classification, labeling and handling;
     e. the discovery of new information assets.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · DORA · HIPAA Security Rule · NCA CCC
3.3.4
Cyber Security Architecture
The Member Organization should define, follow and review the cyber security architecture, which outlines the cyber security requirements in the enterprise architecture and addresses the design principles for developing cyber security capabilities.
Objective: To support the Member Organization in achieving a strategic, consistent, cost effective and end-to-end cyber security architecture.
Control considerations:
  1. The cyber security architecture should be defined, approved and implemented.
  2. The compliance with the cyber security architecture should be monitored.
  3. The cyber security architecture should include:
     a. a strategic outline of cyber security capabilities and controls based on the business requirements;
     b. approval of the defined cyber security architecture;
     c. the requirement of having qualified cyber security architects;
     d. design principles for developing cyber security controls and applying cyber security requirements (i.e., the security-by-design principle);
     e. periodic review of the cyber security architecture.
3.3.5
Identity and Access Management
The Member Organization should restrict access to its information assets in line with their business requirements based on the need-to-have or need-to-know principles. Objective: To ensure that the Member Organization only provides authorized and sufficient access privileges to approved users.
Control considerations:
1. The identity and access management policy, including the responsibilities and accountabilities, should be defined, approved and implemented.
2. The compliance with the identity and access management policy should be monitored.
3. The effectiveness of the cyber security controls within the identity and access management policy should be measured and periodically evaluated.
4. The identity and access management policy should include:
   a. business requirements for access control (i.e., need-to-have and need-to-know);
   b. user access management (e.g., joiners, movers, leavers):
      1. all identified user types should be covered (i.e., internal staff, third parties);
      2. changes of job status or job positions for internal staff (e.g., joiner, mover and leaver) should be instigated by the human resources department;
      3. changes for external staff or third parties should be instigated by the appointed accountable party;
      4. user access requests are formally approved in accordance with business and compliance requirements (i.e., need-to-have and need-to-know, to avoid unauthorized access and (un)intended data leakage);
      5. changes in access rights should be processed in a timely manner;
      6. user access rights and profiles should be reviewed periodically;
      7. an audit trail of submitted, approved and processed user access requests and revocation requests should be established;
   c. user access management should be supported by automation;
   d. centralization of the identity and access management function;
   e. multi-factor authentication for sensitive and critical systems and profiles;
   f. privileged and remote access management, which should address:
      1. the allocation and restricted use of privileged and remote access, specifying:
         a. multi-factor authentication should be used for all remote access;
         b. multi-factor authentication should be used for privileged access on critical systems based on a risk assessment;
      2. the periodic review of users with privileged and remote accounts;
      3. individual accountability;
      4. the use of non-personal privileged accounts, including:
         a. limitation and monitoring;
         b. confidentiality of passwords;
         c. changing passwords frequently and at the end of each session.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, HIPAA Security Rule, ISO 27001, Cyber Essentials, Cyber Essentials Plus, NIS2, GDPR (EU), UK GDPR, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
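The joiner/mover/leaver requirements (4.b), the MFA rules for remote and privileged access (4.f.1) and the audit trail of revocations (4.b.7) reduce to a reconciliation that can run on every HR change and on a periodic review schedule. The following is an added example, not the framework's or 786 Cyber's code: it takes an HR feed and a list of granted entitlements, reports every entitlement that violates one of those rules, and produces the audit-trail entries for the revocations. The HR statuses, roles, systems and the 90-day review interval are constructed assumptions.

```python
"""Joiner/mover/leaver access review (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str   # "active" or "left", as instigated by HR (consideration 4.b.2)
    role: str     # current job role


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    profile: str
    granted_for_role: str   # the role that justified the grant (need-to-have)
    privileged: bool
    remote: bool
    mfa_enforced: bool
    last_reviewed: date


def review_access(hr_records, entitlements, today, review_days=90):
    """Return (finding, user, system) tuples for each entitlement that breaks a rule."""
    hr = {r.user: r for r in hr_records}
    findings = []
    for e in entitlements:
        rec = hr.get(e.user)
        if rec is None:                                   # nobody in HR owns this identity
            findings.append(("orphaned_account", e.user, e.system))
            continue
        if rec.status == "left":                          # leaver still has access
            findings.append(("leaver_still_active", e.user, e.system))
            continue
        if e.granted_for_role != rec.role:                # mover: need-to-have no longer holds
            findings.append(("mover_stale_access", e.user, e.system))
        if e.remote and not e.mfa_enforced:               # 4.f.1.a: MFA for all remote access
            findings.append(("remote_without_mfa", e.user, e.system))
        if e.privileged and not e.mfa_enforced:           # 4.f.1.b: MFA for privileged access
            findings.append(("privileged_without_mfa", e.user, e.system))
        if (today - e.last_reviewed).days > review_days:  # 4.b.6: periodic review
            findings.append(("review_overdue", e.user, e.system))
    return findings


REVOKE_ON = {"orphaned_account", "leaver_still_active", "mover_stale_access"}


def revocation_trail(findings, reviewer, today):
    """Audit-trail entries (4.b.7) for the findings that call for a revocation."""
    return [
        {"date": today.isoformat(), "action": "revoke", "user": user,
         "system": system, "reason": kind, "approved_by": reviewer}
        for kind, user, system in findings if kind in REVOKE_ON
    ]


# Constructed sample HR feed and entitlement export (not real people or systems).
SAMPLE_HR = [
    HrRecord("alice", "active", "payments-analyst"),
    HrRecord("bob", "left", "dba"),
    HrRecord("carol", "active", "sysadmin"),   # moved from the helpdesk role
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "core-banking", "read-only", "payments-analyst", False, False, True, date(2024, 4, 1)),
    Entitlement("bob", "oracle-db", "dba", "dba", True, False, True, date(2024, 4, 1)),
    Entitlement("carol", "ticketing", "agent", "helpdesk", False, False, False, date(2024, 2, 1)),
    Entitlement("carol", "vpn", "remote-user", "sysadmin", False, True, False, date(2024, 5, 20)),
    Entitlement("dave", "core-banking", "read-only", "analyst", False, False, True, date(2024, 5, 1)),
]
REVIEW_DATE = date(2024, 6, 1)


def sample_review():
    return review_access(SAMPLE_HR, SAMPLE_ENTITLEMENTS, REVIEW_DATE)


def sample_trail():
    return revocation_trail(sample_review(), reviewer="iam-review-bot", today=REVIEW_DATE)


if __name__ == "__main__":
    for finding in sample_review():
        print(*finding)
    print(len(sample_trail()), "revocations recorded")
```

The orphaned-account case (an entitlement with no HR record at all) is the one most reviews miss: it is neither a joiner nor a leaver, so nothing in the HR-driven flow ever touches it, which is why the review compares the full entitlement export against the full HR feed rather than processing change events alone.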
3.3.6
Application Security
The Member Organization should define, approve and implement cyber security standards for application systems. The compliance with these standards should be monitored and the effectiveness of these controls should be measured and periodically evaluated. Objective: To ensure that sufficient cyber security controls are formally documented and implemented for all applications, and that the compliance is monitored and its effectiveness is evaluated periodically within the Member Organization.
Control considerations:
1. The application cyber security standards should be defined, approved and implemented.
2. The compliance with the application security standards should be monitored.
3. The effectiveness of the application cyber security controls should be measured and periodically evaluated.
4. Application development should follow the approved secure system development life cycle methodology (SDLC).
5. The application security standard should include:
   a. secure coding standards;
   b. the cyber security controls implemented (e.g., configuration parameters, events to monitor and retain [including system access and data], identity and access management);
   c. the segregation of duties within the application (supported with a documented authorization matrix);
   d. the protection of data aligned with the (agreed) classification scheme (including privacy of customer data, and avoiding unauthorized access and (un)intended data leakage);
   e. vulnerability and patch management;
   f. back-up and recovery procedures;
   g. periodic cyber security compliance review.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.7
Change Management
The Member Organization should define, approve and implement a change management process that controls all changes to information assets. The compliance with the process should be monitored and the effectiveness should be measured and periodically evaluated. Objective: To ensure that all changes to the information assets within the Member Organization follow a strict change control process.
Control considerations:
1. The change management process should be defined, approved and implemented.
2. The compliance with the change management process should be monitored.
3. The effectiveness of the cyber security controls within the change management process should be measured and periodically evaluated.
4. The change management process should include:
   a. cyber security requirements for controlling changes to information assets, such as assessing the impact of requested changes, classification of changes and the review of changes;
   b. security testing, which should (if applicable) include:
      1. penetration testing;
      2. code review if applications are developed internally;
      3. code review of externally developed applications if the source code is available;
      4. a code review report (or equivalent, such as an independent assurance statement) in case the source code cannot be provided;
   c. approval of changes by the business owner;
   d. approval from the cyber security function before submitting to the Change Advisory Board (CAB);
   e. approval by the CAB;
   f. post-implementation review of the related cyber security controls;
   g. development, testing and implementation are segregated for both the (technical) environment and the individuals involved;
   h. the procedure for emergency changes and fixes;
   i. fall-back and roll-back procedures.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.8
Infrastructure Security
The Member Organization should define, approve and implement cyber security standards for its infrastructure components. The compliance with these standards should be monitored and the effectiveness should be measured and periodically evaluated. Objective: To ensure that all cyber security controls within the infrastructure are formally documented, that compliance is monitored and that effectiveness is evaluated periodically within the Member Organization.
Control considerations:
1. The infrastructure security standards should be defined, approved and implemented.
2. The compliance with the infrastructure security standards should be monitored.
3. The effectiveness of the infrastructure cyber security controls should be measured and periodically evaluated.
4. The infrastructure security standards should cover all instances of infrastructure available in the main datacenter(s), the disaster recovery data site(s) and office spaces.
5. The infrastructure security standards should cover all instances of infrastructure (e.g., operating systems, servers, virtual machines, firewalls, network devices, IDS, IPS, wireless network, gateway servers, proxy servers, email gateways, external connections, databases, file-shares, workstations, laptops, tablets, mobile devices, PBX).
6. The infrastructure security standard should include:
   a. the cyber security controls implemented (e.g., configuration parameters, events to monitor and retain [including system access and data], data-leakage prevention [DLP], identity and access management, remote maintenance);
   b. the segregation of duties within the infrastructure component (supported with a documented authorization matrix);
   c. the protection of data aligned with the (agreed) classification scheme (including privacy of customer data, and avoiding unauthorized access and (un)intended data leakage);
   d. the use of approved software and secure protocols;
   e. segmentation of networks;
   f. malicious code/software and virus protection (and applying application whitelisting and APT protection);
   g. vulnerability and patch management;
   h. DDOS protection (where applicable); this should include:
      1. the use of scrubbing services;
      2. specification of the bandwidth agreed;
      3. 24x7 monitoring by the Security Operations Center (SOC), Service Provider (SP) and scrubbing provider;
      4. testing of DDOS scrubbing (minimum twice a year);
      5. DDOS services should be implemented for the main datacenter(s) as well as the disaster recovery site(s);
   i. back-up and recovery procedures;
   j. periodic cyber security compliance review.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.9
Cryptography
The use of cryptographic solutions within the Member Organization should be defined, approved and implemented. Objective: To ensure that access to and integrity of sensitive information is protected and the originator of communication or transactions can be confirmed.
Control considerations:
1. A cryptographic security standard should be defined, approved and implemented.
2. The compliance with the cryptographic security standard should be monitored.
3. The effectiveness of the cryptographic security controls should be measured and periodically evaluated.
4. The cryptographic security standard should include:
   a. an overview of the approved cryptographic solutions and relevant restrictions (e.g., technical, legal);
   b. the circumstances when the approved cryptographic solutions should be applied;
   c. the management of encryption keys, including lifecycle management, archiving and recovery.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, ISO 27001, NIS2, GDPR (EU), UK GDPR, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.10
Bring Your Own Device (BYOD)
When the Member Organization allows the use of personal devices (e.g., smartphones, tablets, laptops) for business purposes, the use should be supported by a defined, approved and implemented cyber security standard, additional staff agreements and a cyber security awareness training. Objective: To ensure that business and sensitive information of the Member Organization is securely handled by staff and protected during transmission and storage, when using personal devices.
Control considerations:
1. The BYOD cyber security standard should be defined, approved and implemented.
2. The compliance with the BYOD cyber security standard should be monitored.
3. The effectiveness of the BYOD cyber security controls should be measured and periodically evaluated.
4. The BYOD standard should include:
   a. responsibilities of the user (including awareness training);
   b. information regarding the restrictions and consequences for staff when the Member Organization implements cyber security controls on their personal devices; for example when using modified devices (jailbreaking), terminating the employment or in case of loss or theft of the personal device;
   c. the isolation of business information from personal information (e.g., containerization);
   d. the regulation of corporate mobile applications or approved “public” mobile applications;
   e. the use of mobile device management (MDM); applying access controls to the device and business container and encryption mechanisms on the personal device (to ensure secure transmission and storage).
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, HIPAA Security Rule, ISO 27001, NIS2, GDPR (EU), UK GDPR, NCA ECC-2, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.11
Secure Disposal of Information Assets
The information assets of the Member Organization should be securely disposed of when they are no longer required. Objective: To ensure that the Member Organization’s business, customer and other sensitive information is protected from leakage or unauthorized disclosure when disposed of.
Control considerations:
1. The secure disposal standard and procedure should be defined, approved and implemented.
2. The compliance with the secure disposal standard and procedure should be monitored.
3. The effectiveness of the secure disposal cyber security controls should be measured and periodically evaluated.
4. Information assets should be disposed of in accordance with legal and regulatory requirements, when no longer required (i.e., meeting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage).
5. Sensitive information should be destroyed using techniques that make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding).
6. The Member Organization should ensure that third party service providers used for secure disposal, transport and storage comply with the secure disposal standard and procedure, and that their effectiveness is periodically measured and evaluated.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, HIPAA Security Rule, ISO 27001, Cyber Essentials, Cyber Essentials Plus, NIS2, GDPR (EU), UK GDPR, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.12
Payment Systems
The Member Organization should define, approve, implement and monitor a cyber security standard for payment systems. The effectiveness of this process should be measured and periodically evaluated. Objective: To ensure the Member Organization safeguards the confidentiality and integrity of shared banking systems.
Control considerations:  For Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE Information Security Policy, Version Issue 1.0 - June 2016.  For mada information, please refer to the following sections in the mada Rules and Standards Technical Book (see appendix A):  Part IIIa - Security Framework, Version Issue 6.0.0 - May 2016  Part IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016  SAMA CA IPK Certificate Procedures, Version Issue 6.0.1 – October 2016
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.13
Electronic Banking Services
The Member Organization should define, approve, implement and monitor a cyber security standard for electronic banking services. The effectiveness of this standard should be measured and periodically evaluated. Objective: To ensure the Member Organization safeguards the confidentiality and integrity of the customer information and transactions.
Control considerations:
1. The cyber security standards for electronic banking services should be defined, approved and implemented.
2. The compliance with the cyber security standards for electronic banking services should be monitored.
3. The effectiveness of the cyber security standard for electronic banking services should be measured and periodically evaluated.
4. The electronic banking services security standard should cover:
   a. use of brand protection measures to protect online services, including social media;
   b. online, mobile and phone banking:
      1. use of official application stores and websites (applicable for online and mobile banking);
      2. use of detection measures and take-down of malicious apps and websites (applicable for online and mobile banking);
      3. use of sandboxing (applicable for online and mobile banking);
      4. use of non-caching techniques (applicable for online and mobile banking);
      5. use of communication techniques to avoid ‘man-in-the-middle’ attacks (applicable for online and mobile banking);
      6. use of multi-factor authentication mechanisms:
         a. multi-factor authentication should be used during the registration process for the customer in order to use electronic banking services;
         b. multi-factor authentication should be implemented for all electronic banking services available to customers;
         c. the use of hard and soft tokens should be password protected;
         d. revoking the access of customers after 3 successive incorrect passwords or invalid PINs;
         e. the process for changing the customer mobile number should only be done from either a branch or an ATM;
         f. the processes for requesting and activating the multi-factor authentication should be done through different delivery channels;
         g. multi-factor authentication should be implemented for the following processes:
            1. sign-on;
            2. adding or modifying beneficiaries;
            3. adding utility and government payment services;
            4. high-risk transactions (when they exceed predefined limits);
            5. password reset;
      7. the processes for adding and activating beneficiaries should be done through different delivery channels (applicable for mobile and online banking);
      8. high availability of the electronic banking services should be ensured;
      9. scheduled downtime of the electronic banking services should be communicated in a timely manner to SAMA and customers;
      10. contractual agreements between the Member Organization and the customer addressing the roles, responsibilities and liabilities for both the Member Organization and the customers;
      11. obtaining approval of SAMA before launching a new electronic banking service;
   c. ATMs and POSs:
      1. prevention and detection of exploitation of ATM/POS application and infrastructure vulnerabilities (e.g., cables, (USB) ports, rebooting);
      2. cyber security measures, such as hardening of operating systems, malware protection, privacy screens, masking of passwords or account numbers (e.g., on screen and receipt), geo-blocking (e.g., disabling cards by default for use outside GCC countries, disabling magnetic stripe transactions), video monitoring (CCTV), revoking cards after 3 successive invalid PINs, anti-skimming solutions (hardware/software), and PIN-pad protection;
      3. remote stopping of ATMs in case of malicious activities;
   d. SMS instant notification services:
      1. SMS messages should not contain sensitive data (e.g., account balance, except for credit cards);
      2. an SMS alert should be sent to both mobile numbers (old and new) when the customer’s mobile number has been changed;
      3. an SMS notification should be sent to the customer’s mobile number when a new multi-factor authentication mechanism is requested;
      4. an SMS notification should be sent to the customer’s mobile number for all retail and personal financial transactions;
      5. an SMS notification should be sent to the customer’s mobile number when beneficiaries are added, modified and activated.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
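Three of the customer-facing rules above are precise enough to encode directly: revoking access after 3 successive incorrect passwords or PINs (4.b.6.d), the list of processes that must carry multi-factor authentication including high-risk transactions over a predefined limit (4.b.6.g), and alerting both the old and the new number when a mobile number changes (4.d.2). The block below is an added example and is not code from the framework or from 786 Cyber. The "3 successive attempts" figure is the framework's; the high-risk transaction limit, the process names and the reinstatement step are assumptions the bank would define itself.

```python
"""Customer authentication policy checks for electronic banking (added example)."""

MAX_SUCCESSIVE_FAILURES = 3   # consideration 4.b.6.d

# Processes that always require MFA (4.b.6.g.1-3 and 5). High-risk transactions
# (4.b.6.g.4) are decided by amount against a bank-defined limit (assumed here).
ALWAYS_MFA = {"sign_on", "add_beneficiary", "modify_beneficiary",
              "add_utility_payment", "add_government_payment", "password_reset"}


class CustomerAuthPolicy:
    def __init__(self, high_risk_limit):
        self.high_risk_limit = high_risk_limit
        self._failures = {}       # customer_id -> successive failed attempts
        self._revoked = set()

    def record_attempt(self, customer_id, succeeded):
        """Update the successive-failure counter; returns "ok", "retry" or "revoked".

        A correct password resets the counter, so only *successive* failures
        count, and a revoked customer stays revoked (even on a later correct
        password) until the bank reinstates them through its own verified process.
        """
        if customer_id in self._revoked:
            return "revoked"
        if succeeded:
            self._failures[customer_id] = 0
            return "ok"
        count = self._failures.get(customer_id, 0) + 1
        self._failures[customer_id] = count
        if count >= MAX_SUCCESSIVE_FAILURES:
            self._revoked.add(customer_id)
            return "revoked"
        return "retry"

    def is_revoked(self, customer_id):
        return customer_id in self._revoked

    def reinstate(self, customer_id):
        """Assumed step: called only after the customer has been re-verified."""
        self._revoked.discard(customer_id)
        self._failures[customer_id] = 0

    def requires_mfa(self, process, amount=0.0):
        """Step-up decision for a customer-initiated process (4.b.6.g)."""
        if process in ALWAYS_MFA:
            return True
        if process == "transfer" and amount > self.high_risk_limit:
            return True
        return False


def mobile_change_alert_targets(old_number, new_number):
    """4.d.2: the alert for a mobile number change goes to both numbers, so the
    legitimate holder of the old number learns about an unauthorised change."""
    return (old_number, new_number)


if __name__ == "__main__":
    policy = CustomerAuthPolicy(high_risk_limit=10_000)
    for attempt in (False, False, False, True):
        print(policy.record_attempt("customer-1", attempt))
    print(policy.requires_mfa("transfer", amount=25_000))
    print(mobile_change_alert_targets("+9665XXXXXXX1", "+9665XXXXXXX2"))
```

Two details matter in practice and are easy to get wrong: the counter must reset on success (otherwise three failures spread over months lock a customer out), and a revoked customer must not be silently unlocked by a later correct password, since the whole point of the control is that the reinstatement happens through a channel the attacker does not control.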
3.3.14
Cyber Security Event Management
The Member Organization should define, approve and implement a security event management process to analyze operational and security loggings and respond to security events. The effectiveness of this process should be measured and periodically evaluated. Objective: To ensure timely identification of and response to anomalies or suspicious events with regard to information assets.
Control considerations:
1. The security event management process should be defined, approved and implemented.
2. The effectiveness of the cyber security controls within the security event management process should be measured and periodically evaluated.
3. To support this process, a security event monitoring standard should be defined, approved and implemented:
   a. the standard should address, for all information assets, the mandatory events which should be monitored, based on the classification or risk profile of the information asset.
4. The security event management process should include requirements for:
   a. the establishment of a designated team responsible for security monitoring (i.e., Security Operations Center (SOC));
   b. skilled and (continuously) trained staff;
   c. a restricted area to facilitate SOC activities and workspaces;
   d. the resources required for continuous security event monitoring activities (24x7);
   e. detection and handling of malicious code and software;
   f. detection and handling of security or suspicious events and anomalies;
   g. deployment of a security network packet analysis solution;
   h. adequately protected logs;
   i. periodic compliance monitoring of applications and infrastructure against the cyber security standards;
   j. automated and centralized analysis of security loggings and correlation of events or patterns (i.e., Security Information and Event Management (SIEM));
   k. reporting of cyber security incidents;
   l. independent periodic testing of the effectiveness of the security operations center (e.g., red-teaming).
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
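Consideration 4.j asks for centralized analysis and correlation of patterns across loggings, which in practice means rules that look at a sequence of events rather than at single lines. The following added example, which is not the framework's or 786 Cyber's code, shows the shape of such a rule: it parses authentication log lines, keeps a per-source window of failures, and raises one alert when a source crosses a failure threshold and another when a success follows those failures. The log format, the sample lines, the five-failure threshold and the ten-minute window are all constructed for the example; a real SIEM would apply the same logic to its own normalised events.

```python
"""SIEM-style correlation over authentication logs (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a password spray from 10.0.0.5 that ends in a success,
# an ordinary user mistyping twice from 10.0.0.9, and a burst against root from 10.0.0.7.
SAMPLE_LOGS = """\
2024-06-01T09:00:00 auth FAIL user=alice src=10.0.0.5
2024-06-01T09:00:30 auth FAIL user=bob src=10.0.0.5
2024-06-01T09:01:00 auth FAIL user=carol src=10.0.0.5
2024-06-01T09:01:30 auth FAIL user=dave src=10.0.0.5
2024-06-01T09:02:00 auth FAIL user=erin src=10.0.0.5
2024-06-01T09:02:30 auth FAIL user=alice src=10.0.0.5
2024-06-01T09:03:00 auth OK user=alice src=10.0.0.5
2024-06-01T09:00:10 auth FAIL user=frank src=10.0.0.9
2024-06-01T09:00:40 auth FAIL user=frank src=10.0.0.9
2024-06-01T09:01:10 auth OK user=frank src=10.0.0.9
2024-06-01T10:00:00 auth FAIL user=root src=10.0.0.7
2024-06-01T10:00:05 auth FAIL user=root src=10.0.0.7
2024-06-01T10:00:10 auth FAIL user=root src=10.0.0.7
2024-06-01T10:00:15 auth FAIL user=root src=10.0.0.7
2024-06-01T10:00:20 auth FAIL user=root src=10.0.0.7
this line is not an auth event and is skipped by the parser
"""


def parse_events(text):
    """Return (timestamp, result, user, src) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Evaluate two rules per source address over time-ordered events.

    brute_force_attempt  - `threshold` failures inside `window` (raised once per source)
    possible_compromise  - a success while >= `threshold` failures are still inside the window
    Returns (rule, src, user, timestamp) tuples.
    """
    recent_fails = defaultdict(list)   # src -> failure timestamps still inside the window
    already_alerted = set()
    alerts = []
    for ts, result, user, src in events:
        fails = recent_fails[src]
        fails[:] = [t for t in fails if ts - t <= window]   # slide the window forward
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(("brute_force_attempt", src, user, ts))
        elif len(fails) >= threshold:
            alerts.append(("possible_compromise", src, user, ts))
    return alerts


def sample_alerts():
    return correlate(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for rule, src, user, ts in sample_alerts():
        print(f"{ts.isoformat()} {rule} src={src} user={user}")
```

The second rule is the one worth the analyst's time: a success after a run of failures from the same source is a far stronger signal than the failures alone, and it names the account that now needs a password reset and a session review.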
3.3.15
Cyber Security Incident Management
The Member Organization should define, approve and implement a cyber security incident management process that is aligned with the enterprise incident management process, to identify, respond to and recover from cyber security incidents. The effectiveness of this process should be measured and periodically evaluated. Objective: To ensure timely identification and handling of cyber security incidents in order to reduce the (potential) business impact for the Member Organization.
Control considerations:
1. The cyber security incident management process should be defined, approved, implemented and aligned with the enterprise incident management process.
2. The effectiveness of the cyber security controls within the cyber security incident management process should be measured and periodically evaluated.
3. The standard should address the mandatory and suspicious security events which should be responded to.
4. The security incident management process should include requirements for:
   a. the establishment of a designated team responsible for security incident management;
   b. skilled and (continuously) trained staff;
   c. sufficient capacity of certified forensic staff available for handling major incidents (e.g., internal staff or contracting an external forensic team);
   d. a restricted area to facilitate the computer emergency response team (CERT) workspaces;
   e. the classification of cyber security incidents;
   f. the timely handling of cyber security incidents, recording and monitoring progress;
   g. the protection of relevant evidence and loggings;
   h. post-incident activities, such as forensics and root-cause analysis of the incidents;
   i. reporting of suggested improvements to the CISO and the Committee;
   j. establishing a cyber security incident repository.
5. The Member Organization should inform ‘SAMA IT Risk Supervision’ immediately when a medium or high classified security incident has occurred and been identified.
6. The Member Organization should obtain ‘no objection’ from ‘SAMA IT Risk Supervision’ before any media interaction related to the incident.
7. The Member Organization should submit a formal incident report to ‘SAMA IT Risk Supervision’ after resuming operations, including the following incident details:
   a. title of the incident;
   b. classification of the incident (medium or high);
   c. date and time the incident occurred;
   d. date and time the incident was detected;
   e. information assets involved;
   f. (technical) details of the incident;
   g. root-cause analysis;
   h. corrective activities performed and planned;
   i. description of impact (e.g., loss of data, disruption of services, unauthorized modification of data, (un)intended data leakage, number of customers impacted);
   j. total estimated cost of the incident;
   k. estimated cost of corrective actions.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, HIPAA Security Rule, ISO 27001, NIS2, DORA, GDPR (EU), UK GDPR, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.16
Threat Management
The Member Organization should define, approve and implement a threat intelligence management process to identify, assess and understand threats to the Member Organization’s information assets, using multiple reliable sources. The effectiveness of this process should be measured and periodically evaluated. Objective: To obtain an adequate understanding of the Member Organization’s emerging threat posture.
Control considerations:
1. The threat intelligence management process should be defined, approved and implemented.
2. The effectiveness of the threat intelligence management process should be measured and periodically evaluated.
3. The threat intelligence management process should include:
   a. the use of internal sources, such as access control, application and infrastructure logs, IDS, IPS, security tooling, Security Information and Event Management (SIEM), support functions (e.g., Legal, Audit, IT Helpdesk, Forensics, Fraud Management, Risk Management, Compliance);
   b. the use of reliable and relevant external sources, such as SAMA, government agencies, security forums, (security) vendors, security organizations and specialist notification services;
   c. a defined methodology to analyze the threat information periodically;
   d. the relevant details on identified or collected threats, such as modus operandi, actors, motivation and type of threats;
   e. the relevance of the derived intelligence and its actionability for follow-up (e.g., by the SOC or Risk Management);
   f. sharing the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS members).
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, ISO 27001, NIS2, DORA, GDPR (EU), UK GDPR, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.3.17
Vulnerability Management
The Member Organization should define, approve and implement a vulnerability management process for the identification and mitigation of application and infrastructure vulnerabilities. The effectiveness of this process should be measured and periodically evaluated. Objective: To ensure timely identification and effective mitigation of application and infrastructure vulnerabilities in order to reduce the likelihood and business impact for the Member Organization.
Control considerations:
1. The vulnerability management process should be defined, approved and implemented.
2. The effectiveness of the vulnerability management process should be measured and periodically evaluated.
3. The vulnerability management process should include:
   a. all information assets;
   b. frequency of performing the vulnerability scan (risk-based);
   c. classification of vulnerabilities;
   d. defined timelines to mitigate (per classification);
   e. prioritization for classified information assets;
   f. patch management and method of deployment.

3.4 Third Party Cyber Security
When Member Organizations rely on, or have to deal with, third party services, it is key to ensure that the same level of cyber security protection is implemented at the third party as within the Member Organization. This paragraph describes how the cyber security requirements between the Member Organization and Third Parties should be organized, implemented and monitored. Third Parties in this Framework are defined as information services providers, outsourcing providers, cloud computing providers, vendors, suppliers, governmental agencies, etc.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, ISO 27001, Cyber Essentials, Cyber Essentials Plus, NIS2, DORA, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
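Considerations 3.c to 3.e of the vulnerability management control (3.3.17) above ask for a classification of vulnerabilities, a mitigation timeline per classification and prioritisation for classified assets, which together define a deadline for every finding. The block below is an added example, not code from the framework or from 786 Cyber: it derives that deadline from the vulnerability severity and the asset classification, and reports each finding as open, overdue, closed or closed late so the overdue items can be evidenced to the regulator. The day counts, the priority factors and the finding identifiers are constructed assumptions (the identifiers are placeholders, not CVE numbers); a Member Organization substitutes the timelines from its own approved process.

```python
"""Vulnerability remediation tracking (added example; assumed timelines, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil
from typing import Optional

# Days allowed to mitigate, per vulnerability classification (assumed values).
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Tighter deadlines for assets with a higher information classification (assumed values).
ASSET_PRIORITY_FACTOR = {"critical": 0.5, "high": 0.75, "normal": 1.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str           # placeholder id, not a CVE number
    asset: str
    asset_class: str          # classification of the information asset (3.e)
    severity: str             # classification of the vulnerability (3.c)
    detected: date
    remediated: Optional[date] = None


def due_date(f):
    """Deadline per classification (3.d), shortened for classified assets (3.e)."""
    days = ceil(REMEDIATION_DAYS[f.severity] * ASSET_PRIORITY_FACTOR[f.asset_class])
    return f.detected + timedelta(days=days)


def status(f, today):
    due = due_date(f)
    if f.remediated is not None:
        return "closed" if f.remediated <= due else "closed_late"
    return "overdue" if today > due else "open"


def remediation_report(findings, today):
    """finding_id -> (status, due date), overdue items first, then by due date."""
    rows = {f.finding_id: (status(f, today), due_date(f).isoformat()) for f in findings}
    return dict(sorted(rows.items(), key=lambda kv: (kv[1][0] != "overdue", kv[1][1])))


# Constructed sample scan output (not real findings or systems).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "core-banking-db", "critical", "critical", date(2024, 5, 1)),
    Finding("VULN-0002", "intranet-wiki", "normal", "high", date(2024, 5, 10)),
    Finding("VULN-0003", "atm-switch", "high", "medium", date(2024, 3, 1), date(2024, 5, 20)),
    Finding("VULN-0004", "laptop-fleet", "normal", "low", date(2024, 1, 15), date(2024, 3, 1)),
]
REPORT_DATE = date(2024, 6, 1)


def sample_report():
    return remediation_report(SAMPLE_FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    for finding_id, (state, due) in sample_report().items():
        print(f"{finding_id}: {state} (due {due})")
```

Keeping "closed late" distinct from "closed" matters for the effectiveness measurement in consideration 2: the share of findings remediated within their timeline is the metric that shows whether the process works, and it is lost if late closures are folded into the closed count.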
4 · Third Party Cyber Security (3 controls)
3.4.1
Contract and Vendor Management
The Member Organization should define, approve, implement and monitor the required cyber security controls within the contract and vendor management processes. Objective: To ensure that the Member Organization’s approved cyber security requirements are appropriately addressed before signing the contract, and the compliance with the cyber security requirements is being monitored and evaluated during the contract life-cycle.
Control considerations:
1. The cyber security requirements should be defined, approved, implemented and communicated within the contract and vendor management processes.
2. The compliance with the contract and vendor management process should be monitored.
3. The effectiveness of the cyber security controls within the contract and vendor management process should be measured and periodically evaluated.
4. These contract and vendor management processes should cover:
   a. whether the involvement of the cyber security function is actively required (e.g., in case of due diligence);
   b. the baseline cyber security requirements which should be applied in all cases;
   c. the right to periodically perform cyber security reviews and audits.
5. The contract management process should cover requirements for:
   a. executing a cyber security risk assessment as part of the procurement process;
   b. defining the specific cyber security requirements as part of the tender process;
   c. evaluating the replies of potential vendors on the defined cyber security requirements;
   d. testing of the agreed cyber security requirements (risk-based);
   e. defining the communication or escalation process in case of cyber security incidents;
   f. ensuring cyber security requirements are defined for exiting, terminating or renewing the contract (including escrow agreements if applicable);
   g. defining a mutual confidentiality agreement.
6. The vendor management process (i.e., service level management) should cover requirements for:
   a. periodic reporting, reviewing and evaluating the contractually agreed cyber security requirements (in SLAs).
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.4.2
Outsourcing
The Member Organization should define, implement and monitor the required cyber security controls within the outsourcing policy and outsourcing process. The effectiveness of the defined cyber security controls should periodically be measured and evaluated. Objective: To ensure that the Member Organization’s cyber security requirements are appropriately addressed before, during and while exiting outsourcing contracts.
Control considerations:
1. The cyber security requirements within the outsourcing policy and process should be defined, approved, implemented and communicated within the Member Organization.
2. The cyber security requirements regarding the outsourcing policy and process should be measured and periodically evaluated.
3. The outsourcing process should include:
   a. the approval from SAMA prior to material outsourcing;
   b. the involvement of the cyber security function;
   c. compliance with the SAMA circular on outsourcing.
Mapped frameworks: NIST CSF, CIS Controls, PCI DSS 4.0.1, GDPR (EU), UK GDPR, ISO 27001, NIS2, DORA, HIPAA Security Rule, NCA ECC-2, NCA CCC, Qatar NIA, UAE IA, NCA OTCC, ADHICS
3.4.3
Cloud Computing
The Member Organization should define, implement and monitor the required cyber security controls within the cloud computing policy and process for hybrid and public cloud services. The effectiveness of the defined cyber security controls should periodically be measured and evaluated. Please note that this requirement is not applicable to private cloud services (= internal cloud). Objective: To ensure that all functions and staff within the Member Organization are aware of the agreed direction and position on hybrid and public cloud services, the required process to apply for hybrid and public cloud services, the risk appetite on hybrid and public cloud services and the specific cyber security requirements for hybrid and public cloud services.
Control considerations:
1. The cyber security controls within the cloud computing policy for hybrid and public cloud services should be defined, approved, implemented and communicated within the Member Organization.
2. The compliance with the cloud computing policy should be monitored.
3. The cyber security controls regarding the cloud computing policy and process for hybrid and public cloud services should be periodically measured and evaluated.
4. The cloud computing policy for hybrid and public cloud services should address requirements for:
   a. the process for adopting cloud services, including that:
      1. a cyber security risk assessment and due diligence on the cloud service provider and its cloud services should be performed;
      2. the Member Organization should obtain SAMA approval prior to using cloud services or signing the contract with the cloud provider;
      3. a contract should be in place, including the cyber security requirements, before using cloud services;
   b. data location, including that:
      1. in principle only cloud services located in Saudi Arabia should be used, or, when cloud services are to be used outside Saudi Arabia, the Member Organization should obtain explicit approval from SAMA;
   c. data use limitations, including that:
      1. the cloud service provider should not use the Member Organization’s data for secondary purposes;
   d. security, including that:
      1. the cloud service provider should implement and monitor the cyber security controls as determined in the risk assessment for protecting the confidentiality, integrity and availability of the Member Organization’s data;
   e. data segregation, including that:
      1. the Member Organization’s data is logically segregated from other data held by the cloud service provider, including that the cloud service provider should be able to identify the Member Organization’s data and at all times should be able to distinguish it from other data;
   f. business continuity, including that:
      1. business continuity requirements are met in accordance with the Member Organization’s business continuity policy;
   g. audit, review and monitoring, including that:
      1. the Member Organization has the right to perform a cyber security review at the cloud service provider;
      2. the Member Organization has the right to perform a cyber security audit at the cloud service provider;
      3. the Member Organization has the right to perform a cyber security examination at the cloud service provider;
   h. exit, including that:
      1. the Member Organization has termination rights;
      2. the cloud service provider has to return the Member Organization’s data on termination;
      3. the cloud service provider has to irreversibly delete the Member Organization’s data on termination.

Appendices

Appendix A - Overview of previously issued SAMA circulars
The Framework supersedes the following previously issued SAMA circulars:
- Assessment of protection and information security systems for all banks, 25514-MAT-53331, 25/10/2012;
- Enhance monitoring controls over ATMs, 49616-MAT-24388, 8/9/2012;
- Requirements to reduce DoS/DDoS attacks, 361000033746, 24/12/2014;
- Cards Cloning, 361000078157, 19/3/2015;
- Independency of Information Security, 361000036797, 30/12/2014;
- Caution from electronic fraud, 17722-MAT, 29/6/2011;
- Confidentiality of banking information, 341000065707, 6/4/2013;
- SAMA regulation about mobile banking, 341000096665, 16/6/2013;
- Using forged ATM cards to withdrawals from client accounts, 644/MAT/33043, 24/6/2009;
- Token service, 341000071570, 18/4/2013;
- E-Banking Rules, 11231-MAG-23612, 9/4/2010;
- Multi-factor authentication, 789/MAT/40690, 6/8/2009.
The Framework refers to the following SAMA circulars or documents with regard to Payment Systems:
- For Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE Information Security Policy, Version Issue 1.0 - June 2016.
- For mada information, please refer to the following sections in the mada Rules and Standards Technical Book (see appendix A):
  - Part IIIa - Security Framework, Version Issue 6.0.0 - May 2016
  - Part IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016
  - SAMA CA IPK Certificate Procedures, Version Issue 6.0.1 - October 2016
The Framework refers to the following SAMA circulars or documents with regard to outsourcing and business continuity management:
- Rules on outsourcing, 424-BCS-34720, 20/7/2008;
- Business Continuity Framework, 381000058504, 01/06/1438H.

Appendix B - How to request an Update to the Framework
Below is an outline of the process for requesting an update to the Framework:
- Detailed information, supported by pros and cons, about the suggested update.
- The request should first be approved by the CISO before submitting to the cyber security committee.
- The request should be approved by the Member Organization’s cyber steering committee.
- The request should be sent formally in writing to SAMA via the Member Organization’s CEO or managing director to the deputy governor of Supervision.
- ‘SAMA IT Risk Supervision’ will evaluate the request and inform the Member Organization.
- The current Framework remains applicable while the requested update is being considered, processed and, if applicable, approved and processed.

Appendix C - Framework Update request form
Request to Update the SAMA Cyber Security Framework
A submission to the deputy governor of SAMA IT Risk Supervision
The Saudi Arabian Monetary Authority (SAMA) will consider requests from a member organization (MO) to update its Cyber Security Framework based on the information submitted using the form below. A separate form must be completed for each requested update.
Please note that all required fields must be properly filled in before SAMA will begin the review process Requestor Information REQUESTOR'S SIGNATURE* x REQUESTOR'S POSITION* DATE* REQUESTOR'S NAME* MEMBER ORGANIZATION OF REQUESTOR* FRAMEWORK SECTION*: PURPOSE OF REQUESTED UPDATE (including detailed information on its pros and cons)*: PROPOSAL*: Approvals 1. MO’s CISO APPROVAL* DATE* 2. MO’S CYBER SECURITY COMMITTEE APPROVAL* APPROVER’S POSITION* DATE* * Denotes required fields Appendix D - How to request a Waiver from the Framework Below the illustration of the process for requesting a waiver from the Framework.  Detail description about the reasons that the bank could not meet the required control.  Details description about the available or suggested compensating controls.  The waiver request should first be approved by CISO before submitting to cyber security committee.  The waiver request should approved by the members of Member Organization’s cyber security committee.  The waiver request should be signed by the CISO and relevant (business) owner.  The waiver request should be formally issued in writing to SAMA via the Member Organization’s CEO or managing director to the deputy governor of Supervision.  ‘SAMA IT Risk Supervision’ will evaluate the waiver request and informs the Member Organization.  The current Framework remains applicable while the requested waiver is being evaluated and processed, until the moment of granting the waiver. Appendix E – Framework Waiver request form Request for Waiver from the SAMA Cyber Security Framework A submission to the deputy governor of SAMA IT Risk Supervision The Saudi Arabian Monetary Authority (SAMA) will consider requests for waiver from a member organization (MO) from its Cyber Security Framework based on the information submitted using the form below. A separate form must be completed for each requested waiver. 
Please note that all required fields must be properly filled in before SAMA will begin the review process. Requestor Information REQUESTOR'S SIGNATURE* x REQUESTOR'S POSITION* DATE* REQUESTOR'S NAME* MEMBER ORGANIZATION OF REQUESTOR* FRAMEWORK CONTROL*: DETAILED DESCRIPTION OF WHY CONTROL CANNOT BE IMPLEMENTED*: DETAILED DESCRIPTION OF AVAILABLE OR SUGGESTED COMPENSATING CONTROLS*: Approvals 1. MO’s CISO APPROVAL*
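The cloud computing control above lists what the policy must require of every hybrid or public cloud service: risk assessment, SAMA approval before contract and before use, a contract in place before use, data hosted in Saudi Arabia unless SAMA has explicitly approved otherwise, and a fixed set of contract clauses. The following is an added example, written for this page and not SAMA's or 786 Cyber's code, of turning those considerations into an automated check over a cloud-service inventory so the evidence can be produced continuously rather than at review time. The record layout, the clause labels and the three inventory entries are this example's own constructed assumptions, not a SAMA-defined schema.

```python
"""Evaluate a cloud-service inventory against the SAMA CSF hybrid/public
cloud policy considerations (adoption process, data location, contract
clauses). Added example with constructed data; the record layout and clause
labels are assumptions of this example, not a SAMA-defined schema."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumption: the inventory records the hosting country as an ISO 3166-1
# alpha-2 code; "SA" is Saudi Arabia (consideration 4.b.1).
KSA = "SA"

# Contract clauses the policy must require (considerations 4.c to 4.h).
REQUIRED_CLAUSES: Set[str] = {
    "no_secondary_use",        # 4.c.1 data use limitations
    "security_controls",       # 4.d.1 provider implements risk-assessed controls
    "logical_segregation",     # 4.e.1 data segregation
    "business_continuity",     # 4.f.1 business continuity requirements
    "right_to_review",         # 4.g.1
    "right_to_audit",          # 4.g.2
    "right_to_examine",        # 4.g.3
    "termination_rights",      # 4.h.1
    "data_return",             # 4.h.2
    "irreversible_deletion",   # 4.h.3
}


@dataclass
class CloudService:
    name: str
    model: str                          # "private", "hybrid" or "public"
    data_country: str                   # where the MO's data is hosted
    risk_assessment_done: bool          # 4.a.1
    sama_approval: Optional[date]       # 4.a.2 date SAMA approved the service
    sama_location_approval: bool        # 4.b.1 explicit approval for non-KSA hosting
    contract_signed: Optional[date]     # 4.a.3
    first_use: Optional[date]           # when the service went live
    contract_clauses: Set[str] = field(default_factory=set)


def evaluate(svc: CloudService) -> List[str]:
    """Return the policy findings for one service (empty list = no findings)."""
    findings: List[str] = []
    if svc.model == "private":
        return findings  # the control is not applicable to internal cloud
    if svc.model not in ("hybrid", "public"):
        return [f"unknown deployment model {svc.model!r}"]

    if not svc.risk_assessment_done:
        findings.append("4.a.1 no risk assessment / due diligence recorded")

    # 4.a.2: SAMA approval must precede both the contract and first use.
    if svc.sama_approval is None:
        findings.append("4.a.2 no SAMA approval recorded")
    else:
        if svc.contract_signed and svc.contract_signed < svc.sama_approval:
            findings.append("4.a.2 contract signed before SAMA approval")
        if svc.first_use and svc.first_use < svc.sama_approval:
            findings.append("4.a.2 service used before SAMA approval")

    # 4.a.3: a contract must be in place before the service is used.
    if svc.contract_signed is None:
        findings.append("4.a.3 no contract in place")
    elif svc.first_use and svc.first_use < svc.contract_signed:
        findings.append("4.a.3 service used before the contract was signed")

    # 4.b.1: data stays in Saudi Arabia unless SAMA explicitly approved otherwise.
    if svc.data_country != KSA and not svc.sama_location_approval:
        findings.append(
            f"4.b.1 data hosted in {svc.data_country} without explicit SAMA approval")

    # 4.c to 4.h: every required clause must be present in the contract.
    for clause in sorted(REQUIRED_CLAUSES - svc.contract_clauses):
        findings.append(f"contract missing required clause: {clause}")
    return findings


def evaluate_inventory(services: List[CloudService]) -> Dict[str, List[str]]:
    """Map each service name to its findings."""
    return {svc.name: evaluate(svc) for svc in services}


# Constructed inventory for the example: one private cloud (out of scope),
# one compliant public SaaS, one public service with several gaps.
INVENTORY = [
    CloudService("core-banking-hosting", "private", KSA, True, None, False,
                 None, date(2022, 1, 1)),
    CloudService("crm-saas", "public", KSA, True, date(2023, 1, 10), False,
                 date(2023, 2, 1), date(2023, 3, 1), set(REQUIRED_CLAUSES)),
    CloudService("analytics-platform", "public", "IE", True, date(2023, 6, 1),
                 False, date(2023, 5, 15), date(2023, 7, 1),
                 REQUIRED_CLAUSES - {"irreversible_deletion", "right_to_examine"}),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(INVENTORY).items():
        print(name, "->", findings or "no findings")
```

The ordering checks are the part worth keeping even if the rest is replaced by a GRC tool's own rules: consideration 4.a.2 is about sequence, not existence, so a record that has a SAMA approval date is still a finding if the contract was signed or the service went live before that date. In the constructed inventory the private cloud produces no findings because the control excludes it, and the analytics platform produces four (contract signed before approval, data outside Saudi Arabia without explicit approval, and two missing exit and audit clauses).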

Frequently asked questions

What is the SAMA Cyber Security Framework?

The SAMA Cyber Security Framework (SAMA CSF) is the cyber security standard issued by the Saudi Central Bank for the financial institutions it regulates. It sets mandatory requirements across governance, risk management, operations and third-party security.

Who must comply with SAMA CSF?

All financial institutions regulated by the Saudi Central Bank — banks, insurers, and payment and fintech firms — must comply. Third-party suppliers to these institutions are increasingly required to demonstrate alignment too.

Is SAMA CSF mandatory?

Yes. For Saudi-regulated financial entities, alignment with SAMA CSF is a regulatory requirement, assessed by SAMA on an ongoing basis and tied to your standing as a licensed institution.

How many controls and domains does SAMA CSF have?

SAMA CSF is organised across four domains: Leadership & Governance, Risk Management & Compliance, Operations & Technology, and Third-Party Security. 786 Cyber maps 32 controls across these domains.

How does SAMA CSF relate to NCA ECC?

SAMA CSF and NCA ECC-2 overlap substantially. Many controls satisfy both at once, so Saudi financial institutions usually address them together. 786 Cyber maps the shared controls so you implement once and progress across both.

How do I start with SAMA CSF on 786 Cyber?

Start a free assessment in the platform. It maps your current position against the framework and returns a prioritised roadmap — typically in under ten minutes, no security background required.
