NCA CCC – Cloud Cybersecurity Controls
Cloud computing is in widespread use across small, medium, and large Saudi organizations because of its features and benefits. However, as with any Industry 4.0 technology, the cloud computing model has raised many fears and problems, and one of the major concerns is security. This includes ensuring the protection, processing, and safe transmission of data, as well as establishing a reliable security infrastructure. It is crucial to handle and maintain information securely and confidentially while also creating a flexible cyberspace. To address these concerns, let’s explore the Cloud Cybersecurity Controls that every organization using or providing cloud services should have in place.
There are growing concerns regarding the use of this model in national governmental agencies and institutions. In particular, these concerns have been intensified due to the absence of unified regulatory standards that clearly outline the controls that cloud service providers must adhere to.
Hence, the National Cybersecurity Authority (NCA) has formulated the Cloud Cybersecurity Controls (CCC-1-2020) as additional measures that supplement the Essential Cybersecurity Controls.
These controls aim to establish a baseline for cloud cybersecurity requirements applicable to both cloud service providers and users. Their purpose is to enable secure provision and utilization of cloud services while minimizing cyber risks, thus supporting business continuity.
What are Cloud Cybersecurity Controls (CCC)?
This program was established as an initiative to enhance transparency in the implementation of best practices by cloud service providers worldwide. It combines a comprehensive set of controls derived from various standards, such as PCI DSS, ISO 27001, NIST SP 800-53, COBIT, HIPAA, BITS, FedRAMP, GAAP, and other international standards. The Cloud Security Alliance (CSA) and its Security Trust and Risk Assurance (STAR) program are recognized as robust cloud security assurance initiatives that emphasize transparency, accurate auditing, and alignment of standards. The STAR program enables transparent disclosure of security practices that comply with international standards and facilitates auditing by external assessors across various domains.
Organizations that implement the Security Trust and Risk Assurance (STAR) program are recognized as leaders in terms of security practices. They undergo rigorous assessments to ensure the security integrity of their cloud-based products globally. The Cloud Security Alliance (CSA) and the STAR program offer comprehensive documentation on privacy and security records for all controls aligned with cloud standards. This repository serves as a valuable resource for clients considering the adoption of cloud services, allowing them to evaluate service providers prior to engagement and make informed decisions.
- These Controls incorporate various international standards pertaining to cybersecurity and cloud computing, including ISO/IEC 27001, FedRAMP, C5, CCM, and Singapore’s cloud security standards.
- Cloud cybersecurity controls serve as supplementary extensions to the fundamental cybersecurity controls.
- These controls pay significant attention to the key pillars of cybersecurity, namely strategy, people, procedures, and technology.
- The focus of these controls is on both the perspective of cloud service providers and beneficiaries in relation to cloud services.
What’s the importance of implementing CCCs?
- Implementing and complying with cloud cybersecurity controls as a cloud services provider not only enhances your reputation but also positions you as a preferred service provider for government agencies.
- It improves the institution’s preparedness for potential cyber risks.
- It aids in achieving compatibility with international regulatory standards since these controls align with other relevant international standards.
- It ensures effective cybersecurity risk management and safeguards the information and technological assets of both the service provider and the user.
- It guarantees the protection of data and information for both the cloud services provider and the user.
- It facilitates the timely identification and effective resolution of vulnerabilities, thereby preventing potential cyber-attacks and minimizing the business impact for both service providers and users.
Scope of work of CCCs
The CCCs have been designed to accommodate the requirements of both cloud service providers and users, irrespective of the nature of their work or organizational size. The scope of these controls includes:
- Government entities within and outside the Kingdom of Saudi Arabia, such as ministries, authorities, and establishments.
- Entities and companies affiliated with the government.
- Service providers offering cloud computing services to Saudi organizations located outside of Saudi Arabia.
- Private-sector organizations that own, operate, and host Critical National Infrastructure.
It’s important to note that the implementation of these controls is not limited to the entities mentioned above. Other entities within the Kingdom are also encouraged by the NCA to adopt and adapt these controls according to their specific circumstances, even if they fall outside the scope outlined in the document.
In accordance with the mandate of the NCA, as stated in item 3 of Article 10, and as per Royal Decree number 57231, dated 10/11/1439 AH, all relevant authorities must take necessary actions to ensure continuous and ongoing compliance with the Cloud Cybersecurity Controls (CCC).
The NCA will provide a compliance period for Cloud Service Providers (CSPs) and Cloud Service Users (CSTs) to implement these controls. Additionally, the NCA will evaluate the compliance of CSPs and CSTs with the controls. The evaluation process may involve self-assessment by the CSPs and CSTs, or an external assessment conducted by the NCA or a designated third party. The specific evaluation mechanisms will be determined by the NCA.
The CCCs consist of 37 primary domains and 96 subdomains for Cloud Service Providers (CSPs), and 18 main domains and 26 subdomains for Cloud Service Users (CSTs). They are categorized into four main components:
- Cybersecurity Governance.
- Cybersecurity Defense.
- Cybersecurity Resilience.
- Third-party Cybersecurity.
The NCA will periodically review and update the CCC, along with any supplementary documents, in accordance with cybersecurity requirements and industry advancements. The updated version of the CCC will be communicated and published by the NCA for implementation and compliance.