Cybersecurity regulatory framework for service providers in the communication and information technology sector

In line with the Kingdom's Vision 2030, enhancing cybersecurity has become very important for increasing digital trust and for securing the safety and resilience of national infrastructure across sectors. The communication, information technology, and postal sector is one of the main pillars of economic growth: it supports the competitiveness of the national economy through high-speed broadband, electronic services, and information assets. The Communication and Information Technology Commission has therefore developed a comprehensive cybersecurity framework (the regulatory framework) to raise the maturity level of cybersecurity in the communication and information technology sector in the Kingdom of Saudi Arabia. The framework aims to:

  • Organize and enable cybersecurity practices for service providers in the communication, information technology, and postal sector.
  • Raise the maturity level of cybersecurity in the communication and information technology sector.
  • Adopt a risk management methodology to achieve cybersecurity requirements.
  • Ensure the confidentiality, safety, and availability of the services provided to customers.
The regulatory framework for cybersecurity Cybersecurity regulatory framework for service providers in communication and information technology sector Renad Al Majd Group for Information Technology RMG

The importance of implementing a cybersecurity regulatory framework for service providers in the communication and information technology sector

The importance of implementing the cybersecurity regulatory framework for service providers in the communication and information technology sector lies in:

  • Saving time by providing a clear structure and methodology for carrying out cybersecurity procedures.
  • Identifying weaknesses and shortcomings, so that the cybersecurity practices of communication, information technology, and postal service providers keep improving.
  • Increasing the level of trust in the information technology, physical services, and assets of communication, information technology, and postal service providers.
  • Processing, monitoring, and evaluating cybersecurity risks.
  • Using security standards for software development.
  • Keeping the interpretation of security needs consistent across different layers of work.
  • Providing a common language and methodology for managing cybersecurity risks.

Compliance with regulatory and legislative requirements also opens new business avenues for the organization, such as work with governmental entities, which require proof of the professionalism of your work and the security of your information.

The scope of implementing the cybersecurity regulatory framework for service providers in the communication and information technology sector

The rules of this framework apply to service providers in the communication, information technology, and postal sector that are subject to the authority as the regulator of the sector, in particular service providers licensed or registered to provide services.

Service providers in the communication and information technology sector are divided into:

  • Service providers in the communication and information technology sector classified as critical national infrastructure.
  • Service providers in the communication and information technology sector not classified as critical national infrastructure.

Who has to implement the framework?

  • Information technology and communication service providers licensed by the Communication and Information Technology Commission.
  • Postal service providers licensed by the Communication and Information Technology Commission.
  • Service providers in the communication and information technology sector classified as critical national infrastructure.
  • Service providers in the communication and information technology sector not classified as critical national infrastructure.

Note: the authority follows up on service providers' compliance with the requirements and controls in several ways:

  • Self-commitment models.
  • Commitment workshops.
  • Field inspections.
  • Proactive or reporting audits.

Stages of the cybersecurity regulatory framework for service providers in the communication and information technology sector:

First: before the cybersecurity regulatory framework enters into implementation.

  • Circulate the cybersecurity regulatory framework to service providers in the communication, information technology, and postal sector.
  • Define the service provider's severity level through the “determining service providers category form to determine the required compliance level”.
  • Provide service providers with objectives for complying with the framework according to the level of risk.
  • Evaluate the reality assessment model for measuring the cybersecurity maturity level.

Second: after the cybersecurity regulatory framework enters into implementation.

  • Circulate the framework's entry into implementation, dated 30/5/2021, to service providers in the communication, information technology, and postal sector.
  • Request the “self-assessment to measure service provider compliance to cybersecurity requirements” within 20 working days of entry into implementation.
  • The authority carries out audits and inspections of some service providers according to the results of the self-assessment analysis.

The components of the cybersecurity regulatory framework controls for service providers in the communication and information technology sector

The cybersecurity requirements for service providers not classified as critical national infrastructure are divided into six domains.

Each domain is divided into more specialized sectors that group cybersecurity controls related to a specific topic and sharing common objectives. They are:

Domain: Governance
Controls:

  • Cybersecurity strategy.
  • Cybersecurity management.
  • Cybersecurity compliance.
  • Cybersecurity audit.
  • Cybersecurity training and awareness.
  • Customer cybersecurity awareness.
  • Cybersecurity in project management.
  • Cybersecurity in human resources.

Domain: Assets management
Controls:

  • Asset discovery.
  • Asset classification.
  • Bring Your Own Device.
  • Acceptable use of information assets.
  • Asset maintenance.
  • Secure disposal of assets.

Domain: Cybersecurity risk management
Controls:

  • Cybersecurity risk assessment.
  • Cybersecurity risk treatment and monitoring.

Domain: Logical security
Controls:

  • Cryptography.
  • Change management.
  • Vulnerability management.
  • Patch management.
  • Network security.
  • Logging and monitoring.
  • Identity and access management.
  • Application whitelisting.
  • Incident management.
  • Malware handling.
  • Information protection.
  • Backup and recovery management.
  • Configuration management and hardening.
  • Secure software development.
  • Email and web browser protection.
  • Penetration testing.

Domain: Physical security
Controls:

  • Protection of physical information assets.
  • Physical access management.

Domain: Third-party security
Controls:

  • Cloud services.
  • Outsourcing services.

Requirements structure

The requirements structure table consists of:

  • Department number.
  • Department.
  • Control number.
  • Control.
  • Compliance level: the control requirements include three levels:
  1. Level 1: includes the basic controls.
  2. Level 2: includes advanced requirements.
  3. Level 3: includes requirements that focus on efficiency monitoring and continuous improvement of the controls in levels one and two.
  • References.

How can Renad AlMajed for information technology company (RMG) help you?

Renad AlMajed was one of the earliest companies to implement the cybersecurity regulatory framework for service providers in the communication, information technology, and postal sector, thanks to its group of experts and consultants, who work with professionalism and dedication. The company provides many services, such as:

  • Gap analysis, maturity assessment, and penetration testing.
  • Designing, developing, implementing, and operating appropriate security quality systems for your organization.
  • Carrying out a comprehensive audit and review of your organization's cybersecurity situation.
  • Developing and formulating a cybersecurity strategy for your organization.
  • Training and recruiting security staff, and establishing an internal cybersecurity office and department.
  • Providing cybersecurity awareness campaigns and training courses that aim to transfer knowledge and enhance your employees' skills.
  • Implementing the cybersecurity regulatory framework for service providers in the communication, information technology, and postal sector.
  • Auditing and reviewing quality systems, and ensuring their compliance with regulatory and legislative requirements.
  • Installing and operating security solutions (physical and electronic).
  • Developing and implementing an appropriate security incident response methodology and security reporting system.

Why choose Renad AlMajed for information technology company (RMG)?

  1. When you ask for Renad AlMajed services, you benefit from more than 60 experts and consultants in the fields of cybersecurity, information technology, and ISO standards.
  2. The company is characterized by flexibility, accuracy of implementation, and quick results, because of its awareness of the deep dimensions, axes, and indicators mentioned in the document.
  3. An expert team in vulnerability assessment.
  4. Long experience in penetration testing.
  5. Security incidents need a quick reaction, so we have an operations center that works 24/7 to provide the appropriate support at all times without interruption.
  6. Working on the basis of transparency, we provide an integrated and clear work plan that covers budget, schedule, and working mechanism before starting to implement the project.
  7. High standards in providing services and customizing the framework based on business needs.
