SAMA CSF compliance: 4 effective domains

According to Gartner, cybersecurity is one of the top business risks in the Middle East, and Saudi Arabia is among the most heavily targeted countries because of its rapid adoption of digital practices. This attracts significant cybersecurity concern, and financial institutions are the hotspots of these threats.

Hence, to counter cyber threats and improve cyber resilience, many Saudi Arabian government entities are working to defend against today's cyber threats, and SAMA has established a dedicated cybersecurity framework, the SAMA CSF.

Why SAMA Framework?

SAMA is the central bank of Saudi Arabia. It published version 1.0 of its Cyber Security Framework in May 2017, and version 2.0 followed in July 2018 to act as a safeguard against threats that keep multiplying. The framework was written specifically for banks and other companies in the financial sector.

Today, everyone expects flawless customer service, continuous availability of services, and effective protection of sensitive data. SAMA therefore built its framework by combining best practices from a variety of other government frameworks, such as NIST CSF, PCI DSS, and a few others.

Adoption of the framework is a vital step for the Saudi Arabian government, so that regulated organizations can manage and withstand most, if not all, cyber threats.


How does the Framework work?

The framework is a tiered process for assessing cyber threats and providing a comprehensive approach to tackling them. It enables financial institutions regulated by SAMA to identify and address cybersecurity risks and to maintain the safety of their information assets and online services, and every Member Organization is mandated to implement it. The framework is not so much a technological one as a managerial one. It provides direction on cybersecurity requirements not only for Member Organizations themselves but also for their subsidiaries, staff, third parties, and customers.

The framework is used to periodically assess an organization's cybersecurity vulnerabilities and then place the organization in one of the 'Maturity Level' groups (0, 1, 2, 3, 4, 5). Based on that level, the framework gives recommendations for the organization's cybersecurity needs.

Your organization's maturity level = the security of your organization's network.

A higher maturity level is a win-win situation.

The framework is organized around four major cybersecurity domains:

  1. Cybersecurity Leadership and Governance – The board of the Member Organization is responsible for setting and defining cybersecurity governance and policy and for ensuring the operational effectiveness of that policy. The main objective of this domain is to control the overall approach to cybersecurity within the organization.
  2. Cybersecurity Risk Management and Compliance – Risk management is an ongoing, never-ending process of identifying, analyzing, responding to, monitoring and finally reviewing risks. The main objective of this domain is to ensure that cybersecurity is properly managed to protect the confidentiality and integrity of Member Organizations.
  3. Cybersecurity Operations and Technology – This domain checks whether the assets, staff and third parties have their security requirements defined, approved and implemented. It covers human resources, physical security, asset management, cybersecurity architecture, identity management, etc.
  4. Third-Party Cybersecurity – Third parties are information service providers, outsourcing providers, cloud computing providers, vendors, suppliers, governmental agencies, etc. When Member Organizations rely on third-party providers, it becomes equally important that cybersecurity protection is uniform between the third party and the Member Organization.

Who needs to implement it?

  • All banks and insurance companies operating in Saudi Arabia.
  • All financing companies in Saudi Arabia.
  • All credit bureaus in Saudi Arabia.
  • The Financial Market Structure.

The framework applies to all Member Organizations regulated by SAMA, as listed above.

The framework covers the following information assets of the Member Organizations:

  1. Electronic information.
  2. Physical information.
  3. Applications, software, electronic services and databases.
  4. Computers and electronic machines (e.g. ATMs).
  5. Information storage and retrieval devices (e.g. hard disks, USB sticks).
  6. Premises, equipment and communication networks.

SAMA has created a well-defined approach that ensures risks are managed not only within your organization but also with every party you are associated with.
