Transcription
Essential Cybersecurity Controls)ECC – 1 : 2018(Sharing Indicator : WhiteDocument Classification: Unclassified
Disclaimer: The following controls will be governed by andimplemented in accordance with the laws of the Kingdom ofSaudi Arabia, and must be subject to the exclusive jurisdictionof the courts of the Kingdom of Saudi Arabia. Therefore, theArabic version will be the binding language for all mattersrelating to the meaning or interpretation of this document.
In the Name of Allah,The Most Gracious,The Most Merciful
Sharing Indicator : WhiteEssential Cybersecurity ControlsTraffic Light Protocol (TLP):This marking protocol is widely used around the world. It has four colors (traffic lights):Red – Personal, Confidential and for Intended Recipient OnlyThe recipient has no rights to share information classified in red with any person outside thedefined range of recipients either inside or outside the organization.Amber – Restricted SharingThe recipient may share information classified in orange only with intended recipients insidethe organization and with recipients who are required to take action related to the sharedinformation.Green – Sharing within The Same CommunityThe recipient may share information classified in green with other recipients inside theorganization or outside it within the same sector or related to the organization. However, it isnot allowed to exchange or publish this information on public channels.White – No Restriction4Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity ControlsTable of ContentsExecutive SummaryIntroductionObjectivesScope of Work and ApplicabilityECC Scope of WorkECC Statement of ApplicabilityImplementation and ComplianceEvaluation and Compliance ToolUpdate and ReviewECC Domains and StructureMain DomainsSubdomainsStructureThe Essential Cybersecurity Controls (ECC)1- Cybersecurity Governance2- Cybersecurity Defense3- Cybersecurity Resilience4- Third-Party and Cloud Computing Cybersecurity5- Industrial Control Systems CybersecurityAppendicesAppendix (A): Terms and DefinitionsAppendix (B): List of the 6List of the TablesTable (1): ECC StructureTable (2): Terms and DefinitionsTable (3): List of Abbreviations133036List of the Figures & IllustrationsFigure (1): ECC Main DomainsFigure (2): ECC SubdomainsFigure (3): Controls Coding SchemeFigure (4): ECC Structure11121313Document Classification: Unclassified5
Sharing Indicator : WhiteEssential Cybersecurity ControlsExecutive SummaryThe Kingdom of Saudi Arabia’s Vision 2030 aims at a comprehensive improvement of the nationand its security, economy and citizens’ well-being. One of the essential goals of Vision 2030 iscontinued transformation into the digital world and improvement of the digital infrastructure in order tokeep up with the accelerated global progress in digital services, renewable global networks and IT/OT systems in line with improved computer processing, massive data storage and exchangecapabilities for data, in order to be prepared for handling artificial intelligence and 4th industrialrevolution transformations.This transformation requires easing the flow of information, securing it and preserving theintegrity of all systems. It also requires maintaining and supporting the cybersecurity of the Kingdomin order to protect its vital interests, national security, critical infrastructures, high priority sectorsand governmental services and practices. To accomplish this objective, the National CybersecurityAuthority (NCA) was established, and its mandate was approved as per the Royal Decree number6801, dated 11/2/1439H making it the national and specialized reference for matters related tocybersecurity in the Kingdom.NCA’s mandates and duties fulfill the strategic and regulatory cybersecurity needs related to thedevelopment of cybersecurity national policies, governance mechanisms, frameworks, standards,controls and guidelines.They also fulfill the need to continuously monitor the compliance of organizations to support theimportant role of cybersecurity which has increased with the rise of security risks in cyberspacemore than any time before.NCA’s mandate states that its responsibility for cybersecurity does not absolve any public, privateor other organization from its own cybersecurity responsibilities as confirmed by the Royal Decreenumber 57231, dated 10/11/1439H, which states that “all government organizations must improvetheir cybersecurity level to protect their networks, systems and data, and comply with NCA’s policies,framework, standards, controls and guidelines”From this perspective, NCA developed the Essential Cybersecurity Controls (ECC-1: 2018) to set theminimum cybersecurity requirements for national organizations that are within its scope of ECCimplementation. This document highlights the details of these controls, goals, scope, statement ofapplicability, compliance approach and monitoring.All national organizations must implement all necessary measures to ensure continuous compliancewith the ECC as per item 3 of article 10 of NCA’s mandate and as per the Royal Decree number 57231,dated 10/11/1439H.6Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity ControlsIntroductionThe National Cybersecurity Authority (referred to in this document as “The Authority” or“NCA”) developed the essential cybersecurity controls (ECC – 1: 2018) after conducting acomprehensive study of multiple national and international cybersecurity frameworks andstandards, studying related national decisions, law and regulatory requirements, reviewingand leveraging cybersecurity best practices, analyzing previous cybersecurity incidents andattacks on government and other critical organizations, and surveying and consideringopinions of multiple national organizations.The Essential Cybersecurity Controls consist of the following: 5 Cybersecurity Main Domains.29 Cybersecurity Subdomains.114 Cybersecurity Controls.These cybersecurity controls are linked to related national and international law and regulatoryrequirements.Document Classification: Unclassified7
Sharing Indicator : WhiteEssential Cybersecurity ControlsObjectivesThe main objective of these controls is to set the minimum cybersecurity requirements forinformation and technology assets in organizations. These requirements are based on industryleading practices which will help organizations minimize the cybersecurity risks that originatefrom internal and external threats. The following key objectives must be focused on in order toprotect the organization’s information and technology assets: ConfidentialityIntegrityAvailabilityThese controls take into consideration the following four main cybersecurity pillars: 8StrategyPeopleProcessesTechnologyDocument Classification: Unclassified
Essential Cybersecurity ControlsSharing Indicator: WhiteScope of Work and ApplicabilityECC Scope of WorkThese controls are applicable to government organizations in the Kingdom of Saudi Arabia(including ministries, authorities, establishments and others) and its companies and entities, aswell as private sector organizations owning, operating or hosting Critical National Infrastructures(CNIs), which are all referred to herein as “The Organization”. The NCA strongly encourages allother organizations in the Kingdom to leverage these controls to implement best practices toimprove and enhance their cybersecurity.ECC Statement of ApplicabilityThese controls have been developed after taking into consideration the cybersecurity needs ofall organizations and sectors in the Kingdom of Saudi Arabia. Every organization must complywith all applicable controls in this document.Applicability to implement these cybersecurity controls depends on the organization’s businessand its use of certain technologies. For example: Controls in subdomain 4-2 (Cloud Computing and Hosting Cybersecurity) are applicableand must be implemented by organizations currently using or planning to use cloud computingand hosting services. Controls in main domain 5 (Industrial Control Systems Cybersecurity) are applicableand must be implemented by organizations currently using or planning to use industrial controlsystems.Document Classification: Unclassified9
Sharing Indicator : WhiteEssential Cybersecurity ControlsImplementation and ComplianceTo comply with item 3 of article 10 of NCA’s mandate and as per the Royal Decree number 57231dated 10/11/1439H, all organizations within the scope of these controls must implement whatevernecessary to ensure continuous compliance with the controls.NCA evaluates organizations’ compliance with the ECC through multiple means such as self-assessments by the organizations, periodic reports of the compliance tool or on-site audits.Assessment and Compliance ToolNCA will issue a tool (ECC-1: 2018 Assessment and Compliance Tool) to organize the processof evaluation and compliance measurement against the ECC.Update and ReviewNCA will periodically review and update the ECC as per the cybersecurity requirements andrelated industry updates. NCA will communicate and publish the updated version of ECC forimplementation and compliance.10Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity ControlsECC Domains and StructureMain DomainsFigure (1) below shows the main domains of the ECC.EssentialCybersecurity Controls)ECC -1:2018 (12354Figure (1): Main Domains of ECCDocument Classification: Unclassified11
Sharing Indicator : WhiteEssential Cybersecurity ControlsSubdomainsFigure (2) below shows the ECC subdomains1. CybersecurityGovernance1-1Cybersecurity Strategy1-21-3Cybersecurity Policies and Procedures1-41-5Cybersecurity Risk Management1-61-72. CybersecurityDefenseCompliance with CybersecurityStandards, Laws and Regulations1-8Cybersecurity ManagementCybersecurity Roles andResponsibilitiesCybersecurity in Information andTechnology Project ManagementPeriodical Cybersecurity Reviewand AuditCybersecurity Awareness and1-9Cybersecurity in Human Resources1-102-1Asset Management2-2Identity and Access Management2-3Information Systems and InformationProcessing Facilities Protection2-4Email Protection2-5Network Security Management2-6Mobile Devices Security2-7Data and Information Protection2-8Cryptography2-9Backup and Recovery Management2-10Vulnerability Management2-11Penetration Testing2-12Cybersecurity Event Logs andMonitoring Management2-13Cybersecurity Incident andThreat Management2-14Physical SecurityTraining Program2-15Web Application Security3. CybersecurityResilience3-1Cybersecurity Resilience Aspects of Business Continuity Management (BCM)4. Third-Party and CloudComputing Cybersecurity4-15. ICS Cybersecurity5-1Third-Party CybersecurityCloud Computing and HostingCybersecurityIndustrial Control Systems and Devices (ICS) ProtectionFigure (2): ECC Subdomains124-2Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity ControlsStructureFigures (3) and (4) below show the meaning of controls codes.Figure (3): Controls Coding SchemeFigure (4): ECC StructureTable (1) below shows the methodological structure of the controls.Table (1): ECC Structure1Name of Main DomainReference number of the Main DomainReference No. of the SubdomainName of SubdomainObjectiveControlsControl Reference NumberControl ClausesDocument Classification: Unclassified13
Sharing Indicator : WhiteEssential Cybersecurity ControlsThe Essential Cybersecurity Controls (ECC)Details of the Essential Cybersecurity Controls (ECC)1Cybersecurity Governance1-1Cybersecurity StrategyObjectiveTo ensure that cybersecurity plans, goals, initiatives and projects are contributing to compliance withrelated laws and regulations.Controls1-1-11-1-21-1-3A cybersecurity strategy must be defined, documented and approved. It must be supported by thehead of the organization or his/her delegate (referred to in this document as Authorizing Official). Thestrategy goals must be in-line with related laws and regulations.A roadmap must be executed to implement the cybersecurity strategy.The cybersecurity strategy must be reviewed periodically according to planned intervals or uponchanges to related laws and regulations.1-2Cybersecurity ManagementObjectiveTo ensure Authorizing Official’s support in implementing and managing cybersecurity programswithin the organization as per related laws and regulationsControlsA dedicated cybersecurity function (e.g., division, department) must be established within the1-2-1organization. This function must be independent from the Information Technology/InformationCommunication and Technology (IT/ICT) functions (as per the Royal Decree number 37140 dated14/8/1438H). It is highly recommended that this cybersecurity function reports directly to the head ofthe organization or his/her delegate while ensuring that this does not result in a conflict of interest.1-2-2The position of cybersecurity function head (e.g., CISO), and related supervisory and critical positionswithin the function, must be filled with full-time and experienced Saudi cybersecurity professionals.A cybersecurity steering committee must be established by the Authorizing Official to ensure thesupport and implementation of the cybersecurity programs and initiatives within the organization.1-2-3Committee members, roles and responsibilities, and governance framework must be defined,documented and approved. The committee must include the head of the cybersecurity function asone of its members. It is highly recommended that the committee reports directly to the head of theorganization or his/her delegate while ensuring that this does not result in a conflict of interest.14Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity Controls1-3ObjectiveCybersecurity Policies and ProceduresTo ensure that cybersecurity requirements are documented, communicated and complied with bythe organization as per related laws and regulations, and organizational iveCybersecurity policies and procedures must be defined and documented by the cybersecurityfunction, approved by the Authorizing Official, and disseminated to relevant parties inside andoutside the organization.The cybersecurity function must ensure that the cybersecurity policies and procedures areimplemented.The cybersecurity policies and procedures must be supported by technical security standards (e.g.,operating systems, databases and firewall technical security standards).The cybersecurity policies and procedures must be reviewed periodically according to plannedintervals or upon changes to related laws and regulations. Changes and reviews must be approvedand documented.Cybersecurity Roles and ResponsibilitiesTo ensure that roles and responsibilities are defined for all parties participating in implementingthe cybersecurity controls within the curity organizational structure and related roles and responsibilities must be defined,documented, approved, supported and assigned by the Authorizing Official while ensuring thatthis does not result in a conflict of interest.The cybersecurity roles and responsibilities must be reviewed periodically according to plannedintervals or upon changes to related laws and regulations.Cybersecurity Risk ManagementTo ensure managing cybersecurity risks in a methodological approach in order to protect theorganization’s information and technology assets as per organizational policies and procedures,and related laws and regulations.Controls1-5-11-5-2Cybersecurity risk management methodology and procedures must be defined, documentedand approved as per confidentiality, integrity and availability considerations of information andtechnology assets.The cybersecurity risk management methodology and procedures must be implemented by thecybersecurity function.Document Classification: Unclassified15
Sharing Indicator : WhiteEssential Cybersecurity ControlsThe cybersecurity risk assessment procedures must be implemented at least in the followingcases:1-5-31-5-3-1 Early stages of technology projects.1-5-3-2 Before making major changes to technology infrastructure.1-5-3-3 During the planning phase of obtaining third party services.1-5-3-4 During the planning phase and before going live for new technology services and products.1-5-41-6The cybersecurity risk management methodology and procedures must be reviewed periodicallyaccording to planned intervals or upon changes to related laws and regulations. Changes and reviewsmust be approved and documented.Cybersecurity in Information and Technology Project ManagementTo ensure that cybersecurity requirements are included in project management methodology andObjective procedures in order to protect the confidentiality, integrity and availability of information and technologyassets as per organization policies and procedures, and related laws and regulations.ControlsCybersecurity requirements must be included in project and asset (information/ technology) change1-6-1management methodology and procedures to identify and manage cybersecurity risks as part of projectmanagement lifecycle. The cybersecurity requirements must be a key part of the overall requirementsof technology projects.1-6-2The cybersecurity requirements in project and assets (information/technology) change managementmust include at least the following:1-6-2-1 Vulnerability assessment and remediation.1-6-2-2 Conducting a configurations’ review, secure configuration and hardening and patching beforechanges or going live for technology projects.The cybersecurity requirements related to software and application development projects mustinclude at least the following:1-6-31-6-3-1Using secure coding standards.1-6-3-2Using trusted and licensed sources for software development tools and libraries.1-6-3-3Conducting compliance test for software against the defined organizational cybersecurityrequirements.1-6-3-4Secure integration between software components.1-6-3-5Conducting a configurations’ review, secure configuration and hardening and patchingbefore going live for software products.1-6-4The cybersecurity requirements in project management must be reviewed periodically.1-7Compliance with Cybersecurity Standards, Laws and RegulationsObjectiveTo ensure that the organization’s cybersecurity program is in compliance with related laws andregulations.Controls1-7-11-7-216The organization must comply with related national cybersecurity laws and regulations.The organization must comply with any nationally-approved international agreements andcommiments related to cybersecurity.Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity Controls1-8ObjectivePeriodical Cybersecurity Review and AuditTo ensure that cybersecurity controls are implemented and in compliance with organizational policiesand procedures, as well as related national and international laws, regulations and agreements.Controls1-8-1Cybersecurity reviews must be conducted periodically by the cybersecurity function in the organizationto assess the compliance with the cybersecurity controls in the organization.Cybersecurity audits and reviews must be conducted by independent parties outside the1-8-2cybersecurity function (e.g., Internal Audit function) to assess the compliance with the cybersecuritycontrols in the organization. Audits and reviews must be conducted independently, while ensuringthat this does not result in a conflict of interest, as per the Generally Accepted Auditing Standards(GAAS), and related laws and regulations.1-8-3Results from the cybersecurity audits and reviews must be documented and presented to thecybersecurity steering committee and Authorizing Official. Results must include the audit/reviewscope, observations, recommendations and remediation plans.1-9Cybersecurity in Human ResourcesObjectiveTo ensure that cybersecurity risks and requirements related to personnel (employees andcontractors) are managed efficiently prior to employment, during employment and aftertermination/separation as per organizational policies and procedures, and related laws andregulations.Controls1-9-11-9-2Personnel cybersecurity requirements (prior to employment, during employment and aftertermination/separation) must be defined, documented and approved.The personnel cybersecurity requirements must be implemented.The personnel cybersecurity requirements prior to employment must include at least thefollowing:1-9-31-9-3-1Inclusion of personnel cybersecurity responsibilities and non-disclosure clauses(covering the cybersecurity requirements during employment and after termination/separation) in employment contracts.1-9-3-2Screening or vetting candidates of cybersecurity and critical/privileged positions.The personnel cybersecurity requirements during employment must include at least the following:1-9-41-9-51-9-61-9-4-1Cybersecurity awareness (during on-boarding and during employment).1-9-4-2Implementation of and compliance with the cybersecurity requirements as per theorganizational cybersecurity policies and procedures.Personnel access to information and technology assets must be reviewed and removed immediatelyupon termination/separation.Personnel cybersecurity requirements must be reviewed periodically.Document Classification: Unclassified17
Sharing Indicator : White1-10Essential Cybersecurity ControlsCybersecurity Awareness and Training ProgramTo ensure that personnel are aware of their cybersecurity responsibilities and have theObjectiveessential cybersecurity awareness. It is also to ensure that personnel are provided with therequired cybersecurity training, skills and credentials needed to accomplish their cybersecurityresponsibilities and to protect the organization’s information and technology assets.Controls1-10-11-10-2A cybersecurity awareness program must be developed and approved. The program must beconducted periodically through multiple channels to strengthen the awareness about cybersecurity,cyber threats and risks, and to build a positive cybersecurity awareness culture.The cybersecurity awareness program must be implemented.The cybersecurity awareness program must cover the latest cyber threats and how to protectagainst them, and must include at least the following subjects:1-10-31-10-3-1Secure handling of email services, especially phishing emails.1-10-3-2Secure handling of mobile devices and storage media.1-10-3-3Secure Internet browsing.1-10-3-4Secure use of social media.Essential and customized (i.e., tailored to job functions as it relates to cybersecurity) training andaccess to professional skillsets must be made available to personnel working directly on tasksrelated to cybersecurity including:1-10-41-10-5181-10-4-1Cybersecurity function’s personnel.1-10-4-2Personnel working on software/application development. and information and1-10-4-3Executive and supervisory positions.technology assets operations.The implementation of the cybersecurity awareness program must be reviewed periodically.Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity Controls22-1Cybersecurity DefenseAsset ManagementTo ensure that the organization has an accurate and detailed inventory of information andObjectivetechnology assets in order to support the organization’s cybersecurity and operationalrequirements to maintain the confidentiality, integrity and availability of information and 2-1-62-2ObjectiveCybersecurity requirements for managing information and technology assets must be defined,documented and approved.The cybersecurity requirements for managing information and technology assets must beimplemented.Acceptable use policy of information and technology assets must be defined, documented andapproved.Acceptable use policy of information and technology assets must be implemented.Information and technology assets must be classified, labeled and handled as per related law andregulatory requirements.The cybersecurity requirements for managing information and technology assets must be reviewedperiodically.Identity and Access ManagementTo ensure the secure and restricted logical access to information and technology assets in orderto prevent unauthorized access and allow only authorized access for users which are necessary toaccomplish assigned tasks.Controls2-2-12-2-2Cybersecurity requirements for identity and access management must be defined, documentedand approved.The cybersecurity requirements for identity and access management must be implemented.The cybersecurity requirements for identity and access management must include at least thefollowing2-2-32-2-42-2-3-1User authentication based on username and password.2-2-3-2Multi-factor authentication for remote access.2-2-3-3User authorization based on identity and access control principles: Need-to-Know2-2-3-4Privileged access management.2-2-3-5Periodic review of users’ identities and access rights.and Need-to-Use, Least Privilege and Segregation of Duties.The Implementation of the cybersecurity requirements for identity and access management mustbe reviewed periodically.Document Classification: Unclassified19
Sharing Indicator : White2-3Essential Cybersecurity ControlsInformation System and Information Processing Facilities ProtectionObjectiveTo ensure the protection of information systems and information processing facilities (includingworkstations and infrastructures) against cyber risks.ControlsCybersecurity requirements for protecting information systems and information processing facilities2-3-1must be defined, documented and approved.The cybersecurity requirements for protecting information systems and information processing2-3-2facilities must be implemented.The cybersecurity requirements for protecting information systems and information processingfacilities must include at least the following:2-3-32-3-3-1Advanced, up-to-date and secure management of malware and virus protection2-3-3-2Restricted use and secure handling of external storage media.2-3-3-3Patch management for information systems, software and devices.2-3-3-4Centralized clock synchronization with an accurate and trusted source (e.g.,on servers and workstations.Saudi Standards, Metrology and Quality Organization (SASO)).The cybersecurity requirements for protecting information systems and information processing2-3-4facilities must be reviewed periodically.2-4Email ProtectionObjectiveTo ensure the protection of organization’s email service from cyber risks.Controls2-4-1Cybersecurity requirements for protecting email service must be defined, documented and approved.2-4-2The cybersecurity requirements for email service must be implemented.The cybersecurity requirements for protecting the email service must include at the least thefollowing:2-4-3-1 Analyzing and filtering email messages (specifically phishing emails and spam) usingadvanced and up-to-date email protection techniques.2-4-32-4-3-2 Multi-factor authentication for remote and webmail access to email service.2-4-3-3 Email archiving and backup.2-4-3-4 Secure management and protection against Advanced Persistent Threats (APT),which normally utilize zero-day viruses and malware.2-4-3-5 Validation of the organization’s email service domains (e.g., using Sender PolicyFramework (SPF)).2-4-420The cybersecurity requirements for email service must be reviewed periodically.Document Classification: Unclassified
Sharing Indicator: WhiteEssential Cybersecurity Controls2-5Networks Security ManagementObjectiveTo ensure the protection of organization’s network from cyber risks.Controls2-5-1Cybersecurity requirements for network security management must be defined, documented andapproved.2-5-2The cybersecurity requirements for network security management must be implemented.The cybersecurity requirements for network security management must include at least thefollowing:2-5-32-5-3-1Logical or physical segregation and segmentation of network segments using2-5-3-2Network segregation between production, test and development environments.2-5-3-3Secure browsing and Internet connectivity including restrictions on the use of filefirewalls and defense-in-depth principles.storage/sharing and remote access websites, and protection against suspiciouswebsites.2-5-3-4Wireless network protection using strong authentication and encryption techniques.A comprehensive risk assessment and management exercise must be conducted toassess and manage the cyber risks prior to connecting any wireless networks to theorganization’s internal network.2-5-3-5Management and restrictions on network services, protocols and ports.2-5-3-6Intrusion Prevention Systems (IPS).2-5-3-7Security of Domain Name Service (DNS).2-5-3-8Secure management and protection of Internet browsing channel against AdvancedPersistent Threats (APT), which normally utilize zero-day viruses and malware.2-5-4The cybersecurity requirements for network security management must be reviewed periodically.2-6Mobile Devices SecurityObjectiveTo ensure the protection of mobile devices (including laptops, smartphones, tablets) from cyberrisks and to ensure the secure handling of the organization’s information (including sensitiveinformation) while utilizing Bring Your Own Device (BYOD) policy.Controls2-6-12-6-2Cybersecurity requirements for mobile devices security and BYOD must be defined, documentedand approved.The cybersecurity requirements for mobile devices security and BYOD must be implemented.The cybersecurity requirements for mobile devices security and BYOD must include at least thefollowing:2-6-3-1 Separation and encryption of organization’s data and information stored on mobile2-6-3devices and BYODs.2-6-3-2 Controlled and restricted use based on job requirements.2-6-3-3 Secure wiping of organizat
sessments by the organizations, periodic reports of the compliance tool or on-site audits. NCA will issue a tool (ECC-1: 2018 Assessment and Compliance Tool) to organize the process of evaluation and compliance measurement against the ECC. NCA will periodically review and update the ECC as per the cybersecurity requirements and
