Implementing SAMA Cyber Security Framework
Cyber security is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the member organization’s information assets against internal and external threats.
SAMA established a Cyber Security Framework to enable Financial Institutions affiliated with SAMA (“the Member Organizations”) to effectively identify and address risks related to cyber security. To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.
The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the cyber security controls at Member Organizations, and to compare these with other Member Organizations.
The Framework supersedes all previously issued SAMA circulars with regard to cyber security.
Applicability of the SAMA Cyber Security Framework
The Framework is applicable to all Member Organizations affiliated with SAMA, which include the following:
- All Banks operating in Saudi Arabia;
- All Insurance and/or Reinsurance Companies operating in Saudi Arabia;
- All Financing Companies operating in Saudi Arabia;
- All Credit Bureaus operating in Saudi Arabia;
- The Financial Market Infrastructure.
The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in Member Organizations.
The Framework provides cyber security controls which are applicable to the information assets of the Member Organization, including:
- Electronic information.
- Physical information (hardcopy).
- Applications, software, electronic services and databases.
- Computers and electronic machines (e.g., ATM).
- Information storage devices (e.g., hard disk, USB stick).
- Premises, equipment and communication networks (technical infrastructure).
The Framework is structured around four main domains, namely:
- Cyber Security Leadership and Governance.
- Cyber Security Risk Management and Compliance.
- Cyber Security Operations and Technology.
- Third Party Cyber Security.
Cyber Security Maturity Model
The cyber security maturity level will be measured with the help of a predefined cyber security maturity model. The cyber security maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, a Member Organization must first meet all criteria of the preceding maturity levels.
Level 0:
- No documentation.
- There is no awareness of or attention to a certain cyber security control.
- Cyber security controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such cyber security controls.
Level 1:
- Cyber security controls are not defined or are only partially defined.
- Cyber security controls are performed in an inconsistent way.
- Cyber security controls are not fully defined.
Repeatable but informal-2:
- The execution of the cyber security control is based on an informal and unwritten, though standardized, practice.
Structured and formalized-3:
- Cyber security controls are defined, approved and implemented in a structured and formalized way.
- The implementation of cyber security controls can be demonstrated.
Managed and measurable-4:
- The effectiveness of the cyber security controls is periodically assessed and improved when necessary.
- These periodic measurements, evaluations and opportunities for improvement are documented.
Level 5:
- Cyber security controls are subject to a continuous improvement plan.
Renad Almajed Group (RMG) is one of the first Saudi companies to successfully implement the SAMA Cyber Security Framework. The company provides a package of services, summarized as:
- Conducting maturity assessments.
- Implementing the cyber security framework approved by the Saudi Arabian Monetary Agency.
- Providing training and knowledge transfer services.