Blog

In the digital age, social media has become an integral part of the communication landscape for organizations. The Saudi National Cybersecurity Authority (NCA) recognize the importance of protecting their brands in the social media sphere. Therefore, NCA has developed and published OSMACC (1:2021) and set guidelines for safeguarding organizations’ social media accounts to prevent misuse, account theft, and impersonation, enhancing cybersecurity resilience in the national cyber space.

OSMACC Main Domains and Overview

The OSMACC standard is structured into three primary domains, which encompass 12 subdomains, 15 main controls, and 38 sub-controls. Below is a brief description of the domains:

1. Cybersecurity Governance

   • Subdomains: Policies and Procedures, Risk Management, Human Resources, Awareness and Training
   • Summary: This domain ensures that organizations develop comprehensive cybersecurity policies and procedures, conduct regular risk assessments, and provide necessary training to employees on cybersecurity threats and the secure handling of social media accounts.
     
     

2. Cybersecurity Defense

   • Subdomains: Asset Management, Identity & Access Management, Information System Protection, Data Protection, Mobile Devices Security, Event Monitoring, Incident Management
   • Summary: This domain focuses on the protection of technology assets related to social media accounts, secure identity management, monitoring cybersecurity incidents, and ensuring the confidentiality and availability of organizational data.
     
     

3. Third-Party and Cloud Computing Cybersecurity

   • Subdomains: Third-Party Cybersecurity
   • Summary: Organizations must ensure that third-party vendors handling social media services comply with cybersecurity requirements.

OSMACC Main Domains and Subdomains

Roadmap for Compliance with OSMACC

TCG follows systematic approach to ensure organization’s complaint with the OSMACC standard. TCG supports and assists organizations in each of the following steps:

1. Establish Cybersecurity Governance

   • Develop and document social media cybersecurity policies.
   • Conduct annual risk assessments of social media platforms.
   • Train personnel on cybersecurity threats related to social media.
     
     

2. Implement Cybersecurity Defense Measures

   • Inventory social media accounts and related technology assets by filling Social Media Inventorying Tool.
   • Ensure identity management protocols are in place (e.g., multi-factor authentication).
   • Regularly update systems, passwords, and configurations.
   • Monitor social media activities for unauthorized access or incidents.
     
     

3. Engage Third Parties Securely (As applicable)

   • Conduct cybersecurity risk assessments for third-party services managing social media.
   • Include cybersecurity clauses in third-party contracts, ensuring secure data handling.
     
     

4. Regular Audits and Compliance

   • Schedule regular self-assessments and prepare for NCA audits by filling OSMACC Assessment_and_Compliance_Tool_v1.0.
   • Ensure compliance with the Essential Cybersecurity Controls (ECC) as outlined by NCA.

OSMACC Standard is essential for organizations to safeguard their social media platforms from risks like misuse and impersonation. By adhering to this framework, organizations can enhance their cybersecurity defenses, ensure compliance with NCA guidelines, and protect their digital assets effectively.