Cloud Cybersecurity Controls CCC-1-2020

Cloud computing has spread widely among large, medium, and small Saudi organizations because of its features and benefits. However, as with any Industry 4.0 technology, many fears and problems about the cloud computing model have appeared. The most prominent are security challenges: how data will be protected, processed, and transmitted safely, how to provide infrastructure and information safely and confidently, and how to provide a reliable, secure, and flexible cyberspace. Let's look at the Cloud Cybersecurity Controls that every organization providing or dealing with cloud services will need.

The suspicions about the use of this model, in national governmental agencies and institutions in particular, were exacerbated by the absence of unified regulatory standards that define the controls cloud service providers are obligated to follow.

So the National Cybersecurity Authority (NCA) developed the Cloud Cybersecurity Controls (CCC-1-2020), which extend and supplement the basic cybersecurity controls.

These controls aim to define the minimum cloud cybersecurity requirements for both cloud service providers and beneficiaries, enabling them to provide and use cloud services safely and to minimize cyber risks, which supports business continuity.

What are the Cloud Cybersecurity Controls (CCC)?

This program was established as an initiative that aims to raise the level of transparency in implementing these practices for cloud service providers all over the world. It represents the right mix of cloud service controls and is able to evaluate cloud services against standards such as PCI DSS, ISO 27001, NIST SP 800-53, COBIT, HIPAA, BITS, FedRAMP, GAAP, and other international standards. The Cloud Security Alliance (CSA) Security Trust and Risk Assurance (STAR) program can be considered one of the strongest cloud security assurance programs; it combines the major principles of transparency, accurate auditing, and harmonization of standards. STAR covers the transparency of your security practices' compliance with international standards and the ability of any auditor to review any particular part.

Organizations that use the Security Trust and Risk Assurance (STAR) program are considered the best in terms of security practices and verify the security integrity of their cloud-based products all over the world. The Cloud Security Alliance (CSA) STAR program provides documentation of privacy and security records for all controls that are used according to cloud standards. This record provides the necessary tools and references for any client who is thinking about taking advantage of cloud services to assess service providers before engaging with them, helping the client make the right decision.

Cloud Cybersecurity Controls (CCC) features

  • These controls are characterized by their alignment with many international standards related to cybersecurity and cloud computing, such as ISO/IEC 27001, FedRAMP, C5, CCM, and the cloud security standard in Singapore.
  • Cloud cybersecurity controls are complementary extensions of basic cybersecurity controls.
  • These controls pay close attention to the main axes that underpin cybersecurity (strategy, people, procedures, and technology).
  • These controls focus on cloud services from both the service providers' and the beneficiaries' perspectives.

What’s the importance of implementing cloud cybersecurity controls (CCC)?

  1. As a cloud service provider, implementing and complying with the cloud cybersecurity controls gives you a good reputation and the advantage of working as a service provider for government agencies.
  2. Raising the institution's readiness for potential cyber risks.
  3. Helping with compatibility with international regulatory standards, because these controls align with other related international standards.
  4. Ensure Cybersecurity risk management and protect the service provider’s and user’s information and technological assets.
  5. Ensure the protection of cloud services provider’s and beneficiary’s data and information.

Discovering loopholes at the right time and handling them effectively, to prevent potential cyber-attacks and to minimize the business impact for service providers and users.

Scope of work of the Cloud Cybersecurity Controls (CCC)

The Cloud Cybersecurity Controls (CCC) are designed to fit the cybersecurity requirements of service providers and users, regardless of the diversity in the nature and size of their work, within the scope of work, which includes:

  1. Any government entity inside or outside the Kingdom of Saudi Arabia (including ministries, authorities, establishments, and others).
  2. Entities and companies affiliated with the government.
  3. Service providers who provide cloud computing services for Saudi organizations outside KSA.
  4. Private-sector organizations that own, operate, or host Critical National Infrastructure.

It's important to note that implementing these controls is not limited to the entities mentioned above; other entities in the Kingdom can use these controls as well. In fact, the National Cybersecurity Authority (NCA) has encouraged establishments outside the scope of work of the document to apply the controls in a manner that is appropriate for them.

Implementing the Cloud Cybersecurity Controls (CCC)

To comply with item 3 of Article 10 of the National Cybersecurity Authority (NCA) mandate, and as per Royal Decree number 57231, dated 10/11/1439 AH, all authorities within the scope of these controls must implement whatever is necessary to ensure continuous and permanent compliance with the Cloud Cybersecurity Controls (CCC).

The National Cybersecurity Authority (NCA) will give cloud service providers (CSPs) and cloud service tenants (CSTs) a compliance period to implement these controls. It also evaluates the compliance of CSPs and CSTs with the controls. The evaluation follows the mechanisms selected by the NCA, which may be self-assessment by CSPs and CSTs and/or external assessment by the NCA or a designated third party.

Cloud Cybersecurity Controls (CCC) components

CCC contains 37 main domains and 96 subdomains for cloud service providers (CSPs), and 18 main domains and 26 subdomains for cloud service tenants (CSTs), divided into 4 main components as follows:

  1. Cybersecurity governance.
  2. Cybersecurity defense.
  3. Cybersecurity resilience.
  4. Third-party cybersecurity.

How can Renad AlMajed for Information Technology (RMG) help you?

  1. Performing gap analysis.
  2. Implementation of the Cloud Cybersecurity Controls (CCC).
  3. Developing and designing cybersecurity frameworks.
  4. Designing, developing, implementing, and operating security quality systems (ISO).
  5. Qualification and recruitment services for qualified security staff.
  6. Special training programs for transferring knowledge and raising awareness of human factors at the facility.
  7. Internal audit.
  8. Installation and operation of cloud solutions and security solutions.

Why choose Renad AlMajed company (RMG)?

  • When you ask for Renad AlMajed company services, you benefit from more than 60 experts and consultants to develop and grow your business.
  • The company is characterized by flexibility, accuracy of implementation, and quick results, because of its deep awareness of the document's indicators and axes.
  • An expert vulnerability assessment team.
  • Long experience in the penetration testing field.
  • The operation center works 24/7.
  • The company is able to cover all cybersecurity fields, with previous work in digital transformation, governance, business continuity, ISO standards, cloud computing, network security, and information security.