SAMA Cybersecurity Framework Checklist

The Saudi Arabian Monetary Authority was formed in 2017 to strengthen the organization’s resilience against cyber threats by implementing several security best practices and standards. It applies to all banks, financial institutions, insurance companies, etc.

SAMA Objectives aim to safeguard the following:

• Electronic data
• Physical details
• Electronic devices
• Applications
• Computers and other electronic machines
• Software used by a financial institute
• Data storage equipment

What are the Maturity Levels as per SAMA?

There are six maturity levels according to SAMA. These are decided based on the existing security-maturity level in the organization. Look at the list below and decide where your organization belongs

• Level 0 or non-existent:
  •  No documentation to support the implementation of security controls,
  • No awareness of cybersecurity controls. (no implementation of awareness efforts)

• Level 1 or Ad-hoc:
  • Null or partial pre-defined security controls
  • Non-standard cybersecurity controls
  • Poorly defined CSC that are incapable of complete risk mitigation

• Level 2 or Repeatable but Informal
  • Unorganized Cybersecurity controls without formal adherence, frequently repeated controls with little scope to test the controls
  • Overlapping objectives for controls

• Level 3 or Structured and Formalized
  • Well-defined, completely structured, and formally approved controls
  • Adopted on a large school
  • Implementation of GRC tools
  • Well-defined performance indicators
  • Regularly evaluated controls

• Level 4 or Managed and Measurable
  • Implemented controls are regularly reviewed to check the efficacy
  • Controls are measured against the latest trends and indicators
  • Reviews and test results are used to make the controls more robust

• Level 5 or Adaptive
  • Large-scale, enterprise-wide adoption of cybersecurity measures
  • Continued focus on compliance and CSC efficiency
  • Control effectiveness is measured against peer and sector data

What Are SAMA Control Domains?

The core of SAMA is based on four domains with several further subdomains, with each subdomain focusing on a specific topic. Three key subdomains are:

• The Principal – The main reason why security control exists
• The Objective – explains the goals of the principle and what a particular CSC aims to achieve
• The Control Consideration – the mandatory control that must be considered for specific domains.

The Four levels of Control Consideration are as follows:

Cybersecurity Leadership and Governance

• The governing body of members or a structured security committee must be responsible for maintaining a robust cybersecurity program
• They must state the governance standards that are acceptable for cybersecurity review
• Well-defined cybersecurity standards must be provided for members
• A cybersecurity policy must be drafted
• They must discover viable operational practices to improve the effectiveness of the controls
• An independent cybersecurity function must be present to draft, maintain, and administer the policies implemented

Cybersecurity Risk Management and Compliance

• Cybersecurity risk mitigation is a continual procedure. The authorities must:
• Detect threats and risks early or predict them
• Understand the probabilities of cybersecurity risk
• Perform risk analysis regularly
• Draft a viable, result-oriented response
• Monitor risk treatment and examine the CSC effectiveness regularly
• Adhere to the defined cybersecurity controls
• Accurately define, approve, and deploy risk management procedures to protect the confidentiality and integrity of mission-critical details of the organization.
• It is mandatory to adhere to globally accepted standards and the cybersecurity compliance process must be periodically conducted to update cybersecurity policy.

Cybersecurity Operations and Technology

• SAMA mandates member institutes to safeguard critical operations and technology of employees, members, and third-party vendors along with their own.
• Well-defined, thorough controls to ensure that technologies used at work are not introducing threats to the system.
• Employees must be screened at the outset and appropriate measures must be adopted throughout their lifecycles
• Ironclad security measures should be adopted to prevent security threats to physical assets
• Eliminate the possibility of unauthorized access to member’s physical assets through adequate security controls via advanced monitoring and surveillance technology, environmental protection, protecting data center tools, supervision of data access, and analyzing access control measures.

Third-Party Cybersecurity

This control domain focuses on security control for third-party services. Member institutes are recommended the following controls to ensure security for third-party resources from cybersecurity threats:

• Incorporate risk evaluation into procurement
• Have well-defined security requirements
• Test third-party vendor security controls
• Follow SAMA regulations if you outsource technology or HR.
• Get SAMA approval prior to using any cloud service
• Ensure that the cloud service provider doesn’t use data for personal purposes
• Conduct cybersecurity audits for cloud providers regularly
• Allow termination rights to member companies

Also Read : SAMA Cybersecurity Framework

While financial services entities in Saudi Arabia must adhere to SAMA compliance requirements and the requirements are stringent, it’s not that difficult. Here’s how you can be compliant:

• Know where your data is stored, how it’s accessed and shared
• Arrange and classify data according to priority and risk
• Use the right data encryption software to protect your data.

A comprehensive data protection program is the best solution for your organization. It may not be possible for you to pull precious resources away from core tasks to focus on data protection. Entrust these activities to a compliance consultancy expert like Wattlecorp, ensure adherence to SAMA Compliance requirements, and continue doing what you do best – serving your customers and growing your business.

As an organization with in-depth expertise in compliance requirements and industry knowledge, Wattlecorp is your key to staying compliant with all required regulations.