SAMA - Cybersecurity Framework In Brief

Cyber attacks have long been a major threat to businesses around the world and are counted among the top risks that organizations in the Middle East face. This is especially true of Saudi Arabia, where the widespread adoption of advanced technology across industries has steadily enlarged the attack surface that organizations must defend.

Studies suggest that Saudi Arabia is among the most heavily targeted countries for cyber attacks. To build strong cyber resilience, the Kingdom's governing bodies and regulatory entities have therefore established stringent Cyber Security frameworks and guidelines that help businesses strengthen their security posture.

The Saudi Arabian Monetary Authority (SAMA), the central bank of Saudi Arabia, established the SAMA Cyber Security Framework as a defense against these growing threats. This article covers the highlights of the framework: what it consists of, what it aims to achieve, and to whom it applies.

What is the SAMA Cyber Security Framework?

The Saudi Arabian Monetary Authority issued the Cyber Security Framework (version 1.0) in 2017 to guide regulated organizations in identifying and addressing Cyber Security risks effectively. The framework draws on best practices from several other industry standards and regulatory frameworks, including the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27001/27002 information security management standards, and Basel II (International Convergence of Capital Measurement and Capital Standards).

Overall, it is a comprehensive Cyber Security Framework that helps Member Organizations secure their information assets and online services. The framework is organized into four main Cyber Security domains:

  • Leadership and Governance
  • Risk Management and Compliance
  • Operations and Technology
  • Third Party Cyber Security

Objectives of the Cyber Security Framework

SAMA's Cyber Security Framework was established to help the Financial Institutions it regulates tackle the growing risks related to Cyber Security. Regulated Financial Institutions, referred to as Member Organizations, are expected to follow the framework in order to protect their information assets and online services.

The framework mandates the implementation of its requirements so that Financial Institutions can manage and withstand Cyber Security threats. The objectives SAMA set out in establishing the Cyber Security Framework are:

  • To create a common approach for addressing Cyber Security within the Member Organizations.
  • To achieve an appropriate maturity level of Cyber Security controls within the Member Organizations.
  • To ensure Cyber Security risks are properly managed throughout the Member Organizations.

The Framework is also used as the yardstick for periodically assessing the maturity level and evaluating the effectiveness of the Cyber Security controls implemented by Member Organizations. It defines a six-level maturity model (level 0, non-existent, through level 5, adaptive), and Member Organizations are expected to operate their controls at a minimum of level 3 (structured and formalized), where controls are defined, approved and implemented in a structured, documented way.

Scope of the Cyber Security Framework

The Framework serves as a guideline that helps Financial Institutions and other Member Organizations initiate, implement, maintain, monitor and improve their Cyber Security controls. It sets out Cyber Security controls that apply to all of a Member Organization's information assets, which typically include:

  • Electronic information.
  • Physical information (hard copy).
  • Applications, software, electronic services, and databases.
  • Computers and electronic machines (e.g., ATMs).
  • Information storage devices (e.g., hard disks, USB sticks).
  • Premises, equipment, and communication networks (technical infrastructure).

The Framework provides direction for achieving the Cyber Security objectives of Member Organizations and extends to their subsidiaries, staff, third parties, and customers. It is intended to be aligned with related corporate policies such as physical security and fraud management, rather than operating in isolation from them.

Applicability of the Cyber Security Framework

The Cyber Security Framework applies to all Member Organizations regulated by SAMA, which include the following:

  • All banks operating in Saudi Arabia;
  • All insurance and/or reinsurance companies operating in Saudi Arabia;
  • All financing companies operating in Saudi Arabia;
  • All credit bureaus operating in Saudi Arabia;
  • The financial market infrastructure.

The Framework applies in full, across all domains, to the banking sector. For the other categories of financial institution the following exceptions apply:

  • Sub-domain 3.1.2 (Cyber Security Strategy): alignment with the Cyber Security strategy of the banking sector is mandatory where applicable.
  • Sub-domain 3.2.3 (Compliance with (inter)national industry standards) is excluded. However, if the organization stores, processes or transmits cardholder data, or uses SWIFT services, then PCI DSS and/or the SWIFT Customer Security Controls Framework must be implemented.
  • Sub-domain 3.3.12 (Payment Systems) is excluded.
  • Sub-domain 3.3.13 (Electronic Banking Services) is excluded. However, if the organization provides online services to customers, a Multi-Factor Authentication capability must be implemented.

Overview of the Cyber Security Framework and its Base Principles

SAMA provides detailed directives for each Cyber Security domain and sub-domain, each with a reference to the applicable section of the Framework. The framework document also contains a visual overview of the domains and sub-domains.

[Figure: visual overview of the SAMA Cyber Security Framework domains and sub-domains]

The SAMA Cyber Security Framework is risk-based. For each sub-domain it states a principle and an objective that the Member Organization must embed and achieve, followed by a list of mandated control considerations that give additional direction on how the objective should be met.

Where a particular control cannot be implemented or tailored to the organization, the Member Organization is expected to apply alternative (compensating) controls, formally accept the residual risk through its internal risk-acceptance process, and request a formal waiver from SAMA. In practice the waiver request should document the control that cannot be met, the compensating controls in place, and the risk acceptance.

Conclusion

The Cyber Security Framework clearly sets out SAMA's Cyber Security expectations of the entities it regulates. Its purpose is to ensure that Financial Institutions understand the nature and scope of their information assets and the Cyber Security risks to which their critical assets are exposed in the course of regular operations and in the adoption of new technology.

The process of implementing the Framework also gives Financial Institutions a mechanism for guarding against new Cyber Security risks that emerge as they adopt advanced technology.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.