NCA DCC – Aligning Cyber Security & Data Protection
Addressing data and its importance is not a new topic. It is well known that reliable data can drive precise decisions and build effective business processes. Regulatory authorities around the world fully understand this; therefore, they have issued data protection regulations and laws. Implementing these regulations and laws fulfills the three goals of data protection: maintaining data confidentiality, integrity, and availability.
The Saudi Authority for Data and Artificial Intelligence (SDAIA) and the National Data Management Office (NDMO), as the national regulator of data in the Kingdom of Saudi Arabia, have developed the framework for national data governance to set the required policies and regulations, which can be found here. As stated by NDMO: "This can be achieved by instituting effective data management practices, establishing the highest levels of data accountability and transparency, and leveraging data to extract insights and support strategic decision making."
On the other hand, the National Cybersecurity Authority (NCA) is the government entity in charge of cybersecurity in Saudi Arabia, and acts as the national authority on this topic from both a regulatory and an operational perspective. Hence, the controls and corresponding specifications for the Data Security and Protection Domain are detailed and addressed by NCA, not by SDAIA.
Here we go! In 2022, NCA issued a new standard, "Data Cybersecurity Controls (DCC)", that outlines the minimum cybersecurity requirements for data. These controls are an extension of the Essential Cybersecurity Controls (ECC), so organizations shall comply with both ECC and DCC requirements, where applicable, to safeguard their data throughout its entire lifecycle.
Let's discuss the structure of the new standard a bit. The NCA DCC structure is similar to that of the previous standards issued by NCA, with some differences in the main domains and subdomains, illustrated as follows.
In addition, NCA DCC specifies its security controls based on the data classification levels defined by SDAIA. So, an organization must fully understand its data and know its classification levels in order to implement the DCC requirements properly. The figure below is an example of security control applicability based on data classification levels.
To conclude, the implementation of NCA DCC might seem challenging. However, with a detailed gap assessment using the DCC-1:2022 Assessment and Compliance Tool provided by NCA, you can easily assess your current cybersecurity posture against NCA DCC and identify gaps; later on, you can work on fixing these gaps and increasing your compliance level.