NCA standards in Saudi Arabia
Saudi Arabia has shifted its focus to improving its digital economy under the Vision 2030 program. This led to the creation of the National Cybersecurity Authority (NCA), the organization in charge of cybersecurity policies and standards in the country. Established in 2017, it has since worked to improve the security posture of the country and to safeguard critical infrastructure and sectors. Some of the NCA's key responsibilities include cybersecurity frameworks, controls and compliance, the national cybersecurity strategy, planning and maintaining cybersecurity operations centers, raising public awareness, encouraging innovation and investment, and collaborating with private entities.
King Salman issued a royal decree establishing the National Cybersecurity Authority (NCA). It reports directly to the Royal Office and is headed by Minister of State and cabinet member Dr. Mohammad Al-Ayban; its members include the chief of general intelligence, the head of state security, the assistant defense minister, and the deputy interior minister. Its aim is to protect the Kingdom of Saudi Arabia against the prevailing threat of cyberwarfare. Saudi Arabia had successfully defended itself against an attack on Aramco's e-system back in August 2017, but only now has it created an independent entity focused on establishing, maintaining, and protecting the state's defenses against various threat vectors.
The Essential Cybersecurity Controls (ECC-1:2018) were created by the NCA to help the government and the private sector minimize the risks to critical infrastructure from digital threat vectors. The standard consists of 5 domains, 29 sub-domains and 114 security controls that address the key objectives of confidentiality, integrity, and availability of critical IT assets. The requirements were designed after a comprehensive study of industry-leading practices for minimizing risk from internal and external threats. The controls cover the four pillars of cybersecurity: strategy, people, processes and technology. The ECC covers a wide range of controls to suit the needs of all organizations in the Kingdom of Saudi Arabia, so that each organization applies the controls that are applicable to the technology it uses. Compliance with the ECC is mandatory for public and private sector entities that deal with critical national infrastructure.
The ECC covers the following domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-Party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. The NCA provides an ECC assessment toolkit that organizations use to conduct a gap assessment before implementing the standard. Compliance with the standard must be ensured wherever it applies, and both compliance and applicability must be backed by definitive evidence. For example, an organization that does not use cloud computing does not need to implement the cloud computing controls; deciding that it does not need, say, the Identity and Access Management controls is an incorrect reading of the "apply where applicable" clause. The NCA monitors all in-scope entities through their assessment and compliance reports, along with on-site audits, to ensure compliance with the Essential Cybersecurity Controls. The objective is to secure the Kingdom's cyberspace and protect the country's economic interests.