SAMA CSF Compliance | Ensure Cyber Security Framework

In previous articles and resources, we have shown how SealPath can help improve security in different use cases within an organization, or facilitate compliance with data protection regulations such as EU-GDPR, Health environment, etc. In this article we will show how SealPath can help facilitate compliance with the SAMA Cyber Security Framework by identifying and minimizing cyber security risks on information.

Table of Contents:

What is SAMA Cyber Security Framework?

SAMA (Saudi Arabian Monetary Authority) established in May 2017 a Framework to facilitate Financial Institutions regulated by SAMA, or Member Organizations, to effectively identify and address the cybersecurity risks they face. Its mission is to maintain the confidentiality, integrity and availability of customer data, protecting it from increasingly sophisticated threats, in a rapidly evolving technological environment (e.g. Fintech, blockchain, etc.). To keep their information assets and online services properly protected, Financial Institutions must adopt this Framework.

Which are the objectives of SAMA CSF?

The objective of the Framework is summarized in:

Create a common approach to address cyber security within SAMA Member Organizations.
Achieve an appropriate level of maturity of the cyber security controls of the Member Organizations.
Ensure that cyber security risks are properly managed in all Member Organizations.

The Framework is based on SAMA requirements and other industry cyber security standards, such as NIST, ISF, ISO, BASEL, and PCI.

Defines principles and objectives to initiate, implement, maintain, monitor and improve cyber security controls in Member Organizations.

Provides cyber security controls that are applicable to:

Digital information.
Physical information (hard copy).
Applications, software, electronic services and databases.
PCs, workstations and electronic machines (for example, ATMs).
Storage devices such as hard drives, USB sticks, etc.
Physical facilities, equipment and communications networks.

What companies and organizations have to comply with SAMA?

This Framework constitutes a Mandatory SAMA mandate that must be implemented by Member Organizations, including:

All banks operating in Saudi Arabia.
All insurance and/or reinsurance companies operating in Saudi Arabia.
All financial services companies operating in Saudi Arabia.
All credit bureaus operating in Saudi Arabia.
The financial market infrastructure.

SAMA Framework structure and domains

The Framework is structured around four domains:

Leadership and Governance in Cyber security.
Cyber security Risk Management and Compliance.
Cyber security operations and technology.
Third-party cyber security.

For each domain, multiple subdomains are defined. A subdomain focuses on a specific cybersecurity topic. The following figure shows the general structure of the Framework and indicates the Cyber Security domains and subdomains.

SAMA Cyber Security Maturity Levels

The Framework establishes a model of maturity levels in Cyber security. To achieve an appropriate level of maturity, Member Organizations must operate at least maturity level 3 or higher.

To reach maturity level 3, a Member Organization must define, approve and implement Cybersecurity controls. In addition, it must monitor their compliance.

Maturity level 4 involves measuring and periodically evaluating the effectiveness of the implemented Cybersecurity controls.

Maturity level 5 focuses on the continuous improvement of Cybersecurity controls through continuous analysis of goals and achievements and identifying structural improvements.

How SealPath can help comply with SAMA framework?

SealPath supports SAMA compliance using data-centric cyber security controls that complements the existing security strategy in Financial Institutions, allowing the organization’s most sensitive data to be protected in a persistent manner, being able to audit its use and revoke access when be necessary. All of this facilitates protection against new types of threats to corporate data and minimizes the possibility of a data leak.

SealPath has protection automation technologies that are integrated with the corporate security infrastructure and allow the spread of a culture of cyber security sensitivity throughout the organization. SealPath’s protection and implementation methodology is proven in organizations of all kinds including Financial Institutions, facilitating the achievement of maturity levels 3 (structured and formal implementation), 4 (monitoring and evaluation) and 5 (continuous and adaptive improvement).

Next, it is indicated how the characteristics of a data-centric cyber security solution such as SealPath help to comply with the SAMA Cybersecurity Framework and are mapped with the control domains and subdomains of the Framework.

Leadership and governance in Cyber Security (3.1)

Cyber Security Policy (3.1.3)

SealPath allows you to protect the organization’s most sensitive information assets in a persistent way. Through its powerful auditing and monitoring of accesses to protected documentation, it is able to identify risks regarding the information (who is trying to access without permission), reporting possible gaps in the information. Through its automation tools, SealPath allows to automatically protect information on file servers, document managers, email, etc. reporting possible incidents in SIEM or similar systems.

Cyber Security Roles and Responsibilities (3.1.4)

SealPath allows establishing Data Managers separate from IT staff who can have a view of the security status of the most sensitive data, and thus adjust the organization’s cybersecurity strategy. They can measure the level of protection of the organization and propose improvements and adaptations to obtain a higher level protecting more and more data. Additionally, they can carry out internal audits to see the compliance of the personnel with the organization’s policies regarding the treatment of sensitive information.

Cyber Security in Awareness (3.1.6) and Cyber Security in Training (3.1.7)

SealPath allows to extend a Culture in Cybersecurity within the organization. By involving and training users in the processes of protection of sensitive information, users are aware with SealPath that they are managing protected sensitive files and they know that certain information cannot leave the organization unprotected. It is possible to assess the degree or level of protection that users are applying to sensitive information, start with a series of highly confidential information assets and extend it to others. With SealPath it is possible to decentralize the management of the protection of the security and IT teams and make the users responsible since they are the author or owner of the information who often knows better the level of sensitivity of the data and if they should be protected.

Compliance and Cyber Security risk management (3.2)

Cyber Security Risk Management (3.2.1)

With SealPath, risk management is not only focused on the infrastructure or applications, but it can reach the data itself, which can be protected in any location, also auditing its use. It is possible to determine whether there have been blocked access attempts to certain data, the volume of data protected, etc. This data risk management has special value in collaborative processes with subcontractors, in the launch of new products and technologies in critical change processes.

Compliance with (inter)national standards (3.2.3)

SealPath, through its encryption and protection of sensitive documentation, traceability and monitoring or the possibility of revoking access to protected data, allows to help comply with international standards in the financial field such as PCI-DSS (Payment Card Industry Data Security Standard).

Cyber Security Audit (3.2.5)

SealPath facilitates the performance of cybersecurity audits on data. Through its protection solution, it leaves a record of all the activity on the data in its life cycle, from the creation, protection, through access to the unprotection or revocation of access to the data. This audit and traceability of accesses facilitate the passage of the organization to a level 4 of maturity.

Technology and Cyber Security operations (3.3)

Human Resources (3.3.1)

SealPath allows you to help in meeting Cybersecurity requirements in the field of Human Resources. When an employee leaves the organization, it is possible with SealPath to revoke the access rights to the data, regardless of where it is located (on the company network, at the user’s home, etc.). In addition, the organization can find out if the former employee is still trying to access the data after they have left the organization.

Asset Management (3.3.3)

With SealPath, once a sensitive document has been protected, it is possible to know who is the owner of the information and the protection policy or level of sensitivity that has been established on them. A record is kept of all accesses to the file, and it is possible to determine if this information is leaving the organization through integration with DLP tools. On the other hand, through the use of data discovery and classification tools, SealPath can automatically protect data once it has been tagged or classified.

Identity and Access Management (3.3.5)

SealPath unifies information encryption with identity management and rights management. Access to data can be modified in real time by limiting access to information (only view, edit, copy and paste, print, unprotect, etc.) and who can or cannot access the information. Access revocation can be done by document, by user, user group, access dates, access IP, etc. Access to the data is linked to the identity of the user, leaving a record of access attempts or blocked access at all times.

Application Security (3.3.6) and Infrastructure Security (3.3.8)

SealPath can take data security beyond the application, so that, if a user accesses an application and downloads or exports data, through an integration, SealPath can apply a protection in the download that travels over the documents and allows them to be under control wherever they are used. Similarly, it is possible to automatically protect folders on file servers, so that when a user moves data to them, they are protected. SealPath also allows integration with perimeter data leak prevention tools such as DLPs, etc. self-protecting information based on its level of sensitivity.

Cryptography (3.3.9)

SealPath encrypts data at rest (in team folders, on file servers, etc.), in transit (when sending by email, downloads, etc.) and in use (when the user opens a document, permissions such as editing, checking out, etc.). SealPath is based on standard cybersecurity algorithms and allows key management within the organization, even linking it to HSM modules.

Bring Your Own Device (3.3.10)

With SealPath, sensitive documentation is not only protected within the corporate infrastructure or devices, but it is also kept under the control of the company on personal devices (PCs, laptops, mobiles) of company users or third parties.

Secure Disposal of Information Assets (3.3.11)

SealPath’s revocation capabilities allow a sensitive document to be virtually destroyed regardless of where it is located. The document can be disabled so that no one can access it again. Additionally, the organization can continue to audit blocked access attempts to this disabled document.

Cyber Security Event Management (3.3.14):

SealPath increases the organization’s level of visibility over critical and confidential assets. Blocked access attempts, use of information, access IPs, user identities, etc. they can be sent to SIEM systems and managed from an SoC. It is possible to manage alerts about the information (massive checkouts of documents), access attempts from disallowed subnets, etc.

Threat Management (3.3.16)

SealPath allows to apply an additional security layer against possible security breaches in the network. If, for example, a ransomware attack affects the organization, taking sensitive data for a later extortion attempt by not making them public, if they have been previously protected with SealPath, they will be encrypted, preventing the attacker from having them in clear to be able to publish them.

Cyber Security applied to third parties (3.4)

Outsourcing (3.4.2)

In many cases we can control security on our network, but not on a third party’s network. Contractual or vendor management measures may cause attempts to prevent poor security practices at the vendor. However, by protecting the data that is sent to a subcontractor or external partner, we will be sure that it is kept safe and under control at all times. In addition to encryption, identity control, permission control and monitoring, we may revoke access to protected data once the business relationship with the provider has ended.

Cloud Computing (3.4.3):

Although the organization’s sensitive data is located in a public or private cloud with its own cybersecurity controls, if the data is protected by SealPath we can maintain additional control over it. If the Cloud provider has been compromised, with SealPath the data remains protected and can be accessible only to the users marked in the security policy, regardless of where the data is located. In addition, if we believe that the data may be at risk, it is possible to disable it or revoke their access.

Summary

The adoption and implementation of the Cybersecurity Framework SAMA is a vital step in ensuring that Saudi Arabia’s Banking, Insurance and Financial Services companies can manage and deal with cybersecurity threats.

SealPath can help Financial Institutions in the implementation and fulfillment of the requirements set by the Cybersecurity Framework, complementing other measures, and with a data-centric security approach. SealPath allows to protect data both inside and outside of organizations. The organization will have its most important documents under control, limiting who can access, with what permissions (only view, edit, print, etc.), from what networks or IPs, in what time frame, etc.

In addition, it has advanced controls for traceability and monitoring that can help identify risk situations on corporate data. Also, through their revocation functionalities it can virtually destroy information when necessary by preventing anyone, or certain users or groups from accessing the data.

You want to know more? Get in touch with us and our experts will advise you and try to solve all your doubts.