Advisory: A Practical Approach to Implementing Saudi Central Bank Cybersecurity Framework

All around the world, the financial sector is one of the leading industries leveraging technology to streamline the delivery of all its services. It is not uncommon that numerous cyber threats are targeted at these financial systems. To help institutions under its regulation stay on top of their security challenges and protect against the growing sophistication and intensity of cyberattacks, the Saudi Arabian Monetary Authority (SAMA) introduced a cybersecurity framework in May 2017. This framework aims to provide financial organizations with guidelines, techniques, and procedures to safeguard their technological endpoints from cyberattacks.

The SAMA CSF is structured around four main domains:

  • Cybersecurity leadership and governance
  • Cybersecurity risk management and compliance
  • Cybersecurity operations and technology
  • Third-party cybersecurity

Several subdomains are grouped under each domain, defining principles, objectives, and security controls that need to be implemented.

The framework integrates industry standards and best practices to help financial organizations in the Kingdom manage their cybersecurity risks and protect their systems against attacks. It provides a common language that allows staff at all levels within an organization—and at all points in a finance chain—to develop a shared understanding of their cybersecurity risks.

The SAMA cybersecurity framework applies to all organizations in the Saudi Arabia financial sector, including:

  • Banks
  • Insurance/Reinsurance Companies
  • Financing Companies
  • Credit Bureaus

With such a well-articulated cybersecurity framework as the SAMA CSF, concerned financial entities must devise an internal plan and strategy to implement the framework’s recommendations. The following are actionable steps to implement the SAMA CSF in your organization.
1. Assess Your Current Cybersecurity Posture

An efficient cybersecurity framework implementation typically starts with evaluating the organization’s current security posture. Using the maturity levels defined by the SAMA CSF, you should develop a “current profile”, which describes the organization’s ongoing cybersecurity activities. You should also assess how effective your current security protocols are and if any persistent or recurring threats have managed to breach your security systems in the past.

This initial assessment will help identify the domain, subdomains, or controls to which the organization needs to allocate more resources. It will also help develop a “target profile” and define steps to achieve the target security posture.

2. Define your Organization's Cybersecurity Goals

After understanding your current security posture, it is crucial to define your organization’s target cybersecurity maturity from the SAMA CSF’s five maturity levels. You can define your goals by answering the following questions:

  • What is your organization’s tolerance for risk?
  • Where should your organization prioritize protection?
  • How much do you want to spend on your cybersecurity?

By setting goals, you can organize a plan of action, establish a scope for your security efforts, and ensure that everyone within the organization is clear about what needs to be achieved.

3. Evaluate Risk

Consider your organization’s cybersecurity risks. Every aspect of your organizational setup has vulnerabilities, which cybercriminals can leverage to intrude on your network and steal sensitive user data. Therefore, you should identify weak points in each business unit and process. After that, evaluate your organization’s approach to threats and risk tolerance. The starting point is a detailed risk assessment to establish your current vulnerabilities. You can utilize open source or commercial software tools capable of scoring your shortcomings or engage with a cybersecurity specialist to carry out an independent assessment of the potential vulnerabilities in your system. Summarizing this information in simple scenarios makes it easier for all stakeholders to understand the risks they face concerning crucial business objectives and for security teams to identify appropriate measures and best practices to address the threats.

4. Develop an Implementation Strategy

Now that you know where you are, where you want to be, and the potential blockers, you need to figure out the cybersecurity tools and best practices to help you reach your destination. In this step, you determine how to improve your existing cybersecurity program by integrating the appropriate controls so that you achieve the strategic objectives you’ve defined.

While developing your implementation strategy, you must understand that implementing your cybersecurity strategy and every improvement will consume resources—money, time, etc. You’ll need to consider different options for achieving security goals and weigh the pros and cons. You may decide to outsource some or all of your security tasks.

5. Align Cybersecurity Goals with Business Objectives

Simply understanding your technology posture and the associated cyber risks isn’t enough. It is important to draw parallels with your organization’s business goals and paint an accurate picture of the challenges ahead. Organizations have unique business objectives, ethos, and setups. When establishing a cybersecurity culture, you should consider your organization’s priorities, goals, and corporate mission before selecting the business unit or process that requires a cybersecurity program. Assets and systems supporting data-related business units and processes must also be mapped out. This way, you’ll be able to identify what needs to be protected against possible attacks.

6. Integrate Cybersecurity into Business Processes

Security must be inclusive. Your implementation of cybersecurity concerns everyone in your organization, from the chief information security officer to the most junior employee. Raise awareness of security among all your employees and build cybersecurity practices into each process and business unit. The only way everyone can understand security best practices is by having a comprehensive policy to follow. In addition to a company-wide culture, it may be appropriate for individual departments to have their own specific security policies.
Conclusion

To keep their data and assets secure, today’s businesses, especially financial institutions, must treat a cyberattack as inevitable rather than merely possible. Robust security measures mean strengthening the walls around your system and implementing defense in depth, including sophisticated monitoring, detection, and response capabilities. You can build resilience into your financial systems by taking a comprehensive, organization-wide approach to putting the cybersecurity practices outlined in the SAMA cybersecurity framework into practice. With this approach, when (not if) a breach occurs, it can be rapidly detected and contained, and appropriate action can be taken to limit its impact.