بسم الله

SAMA تعني مؤسسة النقد العربي السعودي.

تأسس البنك المركزي السعودي في عام 1952 ويركز على تنظيم التنمية التجارية في البلاد. وقد قام بمسح عمل الكيانات المالية المحددة، والإشراف على الشؤون المصرفية للحكومة، وإصدار وتنظيم العملة في الدولة، ومراقبة احتياطيات النقد الأجنبي.

اكتشفت الهيئة أن التهديدات السيبرانية للعمليات المصرفية / المالية تنمو بوتيرة سريعة. وبالتالي، أنشأت مؤسسة النقد العربي السعودي منهجية أمان رقمية لجميع أعضائها المعنيين.

تأسست مؤسسة النقد العربي السعودي في عام 2017 لجميع الهيئات الخاضعة لتنظيم مؤسسة النقد العربي السعودي. وتهدف إلى تقديم إرشادات كافية لجميع أعضاء مؤسسة النقد العربي السعودي حتى يتمكنوا من تحديد التهديدات السيبرانية في وقت مبكر ودقيق والسيطرة على انتشارها.

SAMA هي منهجية تركز على المخاطر ولديها قائمة موسعة من تفويضات وضوابط الأمن الرئيسية التي يجب على المتبنين لمؤسسة النقد العربي السعودي اتباعها.

عندما يفشل المعهد في الالتزام بما يقترحه SAMA، فمن الضروري تقديم موافقة قانونية على المخاطر إلى مؤسسة النقد العربي السعودي. يساعد هذا الإطار مؤسسة النقد العربي السعودي على تحديد مستوى نضج الأمن فيما يتعلق بمشاريع الأعمال الأعضاء.

الهيئات المؤسسة لهذا الإطار هي ISO وPCI وNIST وBASEL وISF. جميع حقوق المراجعة والصيانة والتحديث لهذا الإطار محفوظة لمؤسسة النقد العربي السعودي.

أهداف مؤسسة النقد العربي السعودي

يرتكز أساس هذا الإطار على التحقق من أن المؤسسة المالية الخاضعة لتنظيم مؤسسة النقد العربي السعودي قادرة على القيام بتحديد مبكر لمخاطر الأمن السيبراني وجاهزة للتعامل معها.

لقد غطت مؤسسة النقد العربي السعودي بعناية كل جانب من جوانب عملية إدارة المخاطر السيبرانية التي يجب على جميع المنظمات الأعضاء وضعها في الاعتبار لحماية البيانات/المعلومات المهمة.

إن تطبيقه إلزامي لأعضاء مؤسسة النقد العربي السعودي حتى يتمكنوا من:

أن يكون لديهم نهج قابل للتطبيق لإدارة مخاطر الأمن السيبراني

أن يكون لديهم مستوى نضج محدد جيدًا

أن تتم إدارة المخاطر الرقمية في مرحلة مبكرة بحيث يكون الضرر تحت السيطرة

إن أهداف مؤسسة النقد العربي السعودي محددة بطريقة تمكنها من حماية مجموعة واسعة من الأصول، مثل البيانات الإلكترونية/الرقمية، وأي نوع من التفاصيل المادية، وكل تطبيق، والأجهزة الإلكترونية، وقواعد البيانات، والبرامج التي يستخدمها المعهد المالي، والآلات الإلكترونية/الكمبيوترية، وأجهزة تخزين البيانات، وكل شيء مدرج في البنية التحتية التقنية.

مستويات نضج الأمن السيبراني لدى مؤسسة النقد العربي السعودي

تلزم مؤسسة النقد العربي السعودي أعضاءها (أي المنظمات) بتبني درجة معينة من ضوابط الأمن وفقًا لمستوى نضج الأمن الحالي. لقياس المستوى، يشير إطار عمل الأمن السيبراني لدى مؤسسة النقد العربي السعودي إلى نموذج محدد مسبقًا.

وفقًا لهذا النموذج، هناك ستة مستويات نضج سنتناولها لاحقًا في الجدول.

مستويات النضج

SAMA, with this security maturity level, aims to address the key risks for financial institutes in their infancy stage and control the damage. For those who are willing to attain a level >3, successfully attaining all the prior levels is mandatory.

The first 3 maturity levels show the absence of robust controls in a given ecosystem. To be called dependable, an organization must operate at natural level 3 or above.

At maturity level 3, which is the minimum acceptable maturity level, it’s mandatory that the members and its board have a fully-endorsed and mandatory cyber security policy, and its purpose is clearly stated to everyone.

The staff, customers, and 3rd party vendors should be fully aware of acceptable policies.

At maturity level 4, the focus remains on testing the usefulness of working security-specific controls and policies to ensure that contemporary controls are in place. As cyber threats are evolving at a rapid pace, implementation of outdated cybersecurity controls will fail to deliver desired cybersecurity. Hence, this security maturity level assesses the efforts an organization is taking to evaluate the security-controls.  

At last, we have maturity level 5 which is more about the continual improvement of implemented and assessed controls. At this level, members need to be double-sure that risk management and security-controls are not poles apart and are not two different aspects. Rather, they should be integrated and monitored regularly.

Control Domains

The foundation of SAMA is based on four domains that are further divided into multiple subdomains. The focus of a subdomain remains on a specific topic or concern. Mainly, three subdomains are:

• The principal that main reason behind the existence of that security control
• The objective that explains the aims of the principle and what that specific security control is trying to achieve
• Control consideration refers to the mandatory security control to be considered for each domain. Generally, there are four levels of control considerations.

Up next, we have explained the control domains of the SAMA Framework in detail.

1. Cybersecurity Leadership and Governance

The governing bodies of the members are mainly responsible for maintaining a strong cybersecurity infrastructure. The board of these bodies can pass on this responsibility to the well-constructed security committee.

The role of this security committee is to outline which all governance standards are acceptable to review cybersecurity and provide well-defined cybersecurity standards for members.

In addition, the committee bears the responsibility for setting up the cybersecurity policy and finding out the viable operational practices that will improve the effectiveness of the CSCs.  

It’s mandatory to have an independent cyber-security function to design, maintain and govern the applied cyber-security policies.

As far as governance is concerned, SAMA ensures that the cyber security governance structure should be under the authority of the board. During the governance, the consider-worthy controls include representation from all the leading cybersecurity committees, regular internal audits, the establishment of a cybersecurity charter, and clear defining of committee objectives.

2. Cybersecurity Risk Management and Compliance

Members must understand that taking care of the cyber-risks has to be a continual procedure and should revolve around the early identification, monitoring, and analysis of the concerned risk. SAMA instructs concerning authorities to shift their focus on the following:

• Doing early identification of threat/risk or its prediction
• Figuring out the probability of a cyber-security risk
• Doing regular risk analysis
• Framing a viable and result-driven response
• Periodic monitoring of risk treatment and analyze the efficacy of the CSCss
• Adherence with the defined CSCs (cyber security controls)

According to SAMA, the risk management procedure needs to be precisely defined, designed, approved and implemented. Its motive is to safeguard the integrity and confidentially of the mission-critical details of the concerned member businesses.

For compliance, any of the processes, aimed at managing the risk, must be designed by the SAMA member companies and communicate the implications to others. The risk-compliance process needs to be conducted periodically and should play a crucial role in updating the cyber security policy.

Non-negotiable adherence to globally accepted standards is mandatory. 

The consider-worthy compliances here are  PCI-DSS, SWIFT Customer Security Control framework, and EMV technical standard.

3. Cybersecurity Operations and Technology

SAMA instructs its member businesses to protect the key operations and technology of self, staff, 3rd-party vendors, and members.

It’s important to have well-defined and improved CSCs to ensure that at-work technologies are not bringing any threats to the system. The penetration of cyber security requirements should begin from the human resource processes.

The staff of member businesses should be screened from the early processing stage and make sure that proper measures are adopted throughout the lifecycle of the employees.

As per SAMA, there should be robust physical security measures taken so that physical assets are away from the reach of all sorts of security threats.

Enough security controls should be in place to ensure that there is no unauthorized access to the physical assets of the members. The most viable security controls that SAMA suggests in this direction are to use advanced monitoring & surveillance tools, protect the data center tools, use inventive environmental protection measures, data access overseeing, and analysis of all access control measures in place to avoid unauthorized access.

Application security is also covered in SAMA. All the applications/software that financial institutes are using must adopt a viable SDLC approach and use secure code standards. Enough attention is given to identity and access management as well. Access control, user access management, and user request management must be monitored and regulated periodically.

This is not everything that is covered in this domain. It’s extensive, and we can provide you with more clarity if you need, just contact us and we will guide you more about it.

4. Third-Party Cybersecurity

This control domain of SAMA has a full focus on the 3rd party services and their security control. Member businesses should put extra effort to make sure that all the 3rd party resources are secure and free from cybersecurity threats. Some of the recommended security controls here are:

• Including risk assessment in the procurement process
• Having clear security requirements
• Testing the security controls that 3rd party vendors are using
• Termination of the contract if a vendor fails to adhere to best security controls
• Adherence with SAMA outsourcing controls while outsourcing technology or talent
• Seeking SAMA approval before using any cloud service or facility
• Making sure that the selected cloud service provider is not using the data for personal usage
• Granting the termination rights to the member companies
• Performing cyber security audits for the cloud provider at regular intervals

All in all, SAMA has covered extensive security controls related to 3rd party vendors, contractors, and other outside resources.

Conclusion

For every financial institute, maintaining sound cybersecurity infrastructure is imperative. Ignoring early signs of a vulnerability can be proved highly fatal in the future. The SAMA Cybersecurity framework acts like fully standardized CSCs and processes for every SAMA member.

By explaining security maturity level, cybersecurity risks, and remedial responses in detail, SAMA allows financial institutes to be more responsive toward hidden threats. As the framework supports the adoption of the most recent cyber security technology, its implementation will certainly improve the security posture of financial institutes of Saudi Arabia.