NCA CSCC (CS Controls for Sensitive Systems)

What is NCA CSCC-1 :2019? And how to implement it in your organization?

Any successful organization, regardless of the nature of its work, has multiple systems that are integrated and interactive with each other, such as computer systems, electronic systems, and mechanical systems. Every system has a role in the organization, but some of these systems have more important roles than others. 

It’s called a critical system, and its protection considers an integral part of an organization’s strategy towards its survival.

According to the importance of these systems and the urgent need to keep them safe from unauthorized access; The competent authorities had seeking to provide protection to it through providing the necessary tools and means to protect the information from external and internal risks.

So after lunched the Essential cybersecurity Controls by NCA’s in the Kingdom. In 2019, also developed Critical Systems Cybersecurity Controls (CSCC-1-2019), to set the minimum requirements of Critical Systems  Cybersecurity Controls inside national institutions.

What are the critical systems?

Any system or network whose failure, unauthorized change to its operation, unauthorized access to it, or to the data stored or processed by it; may result in a negative impact on the organization’s businesses and services’ availability, or cause negative economic, financial, security, or social impacts on the national level.

Some of the Kingdom critical systems: communication systems, medical controls, traffic systems, air traffic controls, car controls systems, and customer accounts in the bank system.

When do we consider the system is critical?

We identified a system as a critical system when the failure, unauthorized changing to its operation, unauthorized access to it, or to data and information stored or processed, lead to one or more of these results: 

  1. Negative impact on national security.
  2. Exposing the human life and his safety to danger. 
  3. Negative impact on reputation. 
  4. Significant financial loss. 
  5. Unauthorized disclosure of data that classified as top-secret or secret. 
  6. Negative impact on the services provided to a large number of users.

The importance of Critical Systems Cybersecurity Controls

  1. National institutions any cloud infrastructure and information processing equipment from cyber attacks.
  2. Protect technology and information assets.
  3. Achieving regularity and legislation requirement
  4. Inclusion of Cybersecurity controls within institutions projects management missing methodologies.
  5. Prevent unauthorized access, and restrict access to technology and information assets.
  6. Managing and processing cybersecurity risks effectively and minimizing their impact.
  7. Evaluate how effective cybersecurity abilities are in institutions.

Ensure the availability of cyber security requirements in the management of business continuity of facilities.

The scope of Critical Systems Cybersecurity Controls

Every facility that owns and operates critical systems have to comply to these applicable controls including: 

  • All governmental entities inside and outside the Kingdom.
  • Companies and institutions affiliated (wholly or partially) to governmental agencies.
  • Private sector companies/ institutions.

Implementing Critical Systems Cybersecurity Controls (NCA CSCC)

In order to comply with item 3 of Article 10 of National Cybersecurity Authority NCA’s mandate, and as peer the Royal Decree number 57231, dated 10/11/1439 H, And Royal Decree number 7732, dated  12/2/1440 H, All organizations within the scope of Critical Systems Cybersecurity Controls CSCC, must:

  1. Identify the organization’s critical systems.
  2. Implement all necessary measures to comply with these controls on the identified critical systems; within the compliance, a period defined by NCA to assess and manage cybersecurity risks during this defined period to minimize potential risks.
  3. Implement what achieves continuous and permanent compliance, after the defined compliance period.

It is worth mentioning that, these controls are an extension to Essential Cybersecurity Controls (ECC), that issued by National Cybersecurity Authority (NCA), where the compliance of Critical Systems Cybersecurity Controls (CSCC) can’t be achieved without the compliance of ECC.

How can Renad AlMajed for information technology company (RMG) helps you?

Renad AlMajed company provide these services to help organizations to make the right and appropriate evaluation and implementation of NCA’s standards: 

  1. Gap analysis, maturity assessment, and penetration test.
  2. Implementing Critical Systems Cybersecurity Controls (CSCC).
  3. Design, implement, develop, and operate quality security systems (ISO).
  4. Design and develop the necessary cybersecurity frameworks.
  5. Recruiting and training qualified security workforces, and establishing internal cybersecurity sector.
  6. Special training program to transmit knowledge, and awareness of the human factor in the facility.
  7. Audit and review quality, governance, and risk management system in the facilities. 
  8. Insulting and everything security solutions (physical and electronic).
  9. Make a comprehensive and detailed to review of the state of cybersecurity in your organization. 
  10. Providing substantive advice.

Why do you choose Renad AlMajed for information technology (RMG)?

  1. When you ask Renad AlMajed services, you can benefit from more than 60 experts and consultants in cybersecurity, information technology, and ISO standards.
  2. The company is characterized by flexibility, accuracy of implementation, and showing results quickly, because of being aware of the deep dimensions for axes and indicators mentioned in the document.
  3. The company has an expert team in implementing a vulnerability assessment.
  4. Long experience in implementing a penetration test.
  5. The operation sender works 24/7.
  6. Work according to high standards in providing services, add customize the service based on business needs.