Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework - Full guide
Having a robust cybersecurity infrastructure is a must for businesses of the current era, as cyber threats are growing and becoming more dangerous with each passing day. Industries like banking can’t afford a weak security infrastructure, as they deal with sensitive data.
Players in this industry have to make sure that advanced technologies are in place to prevent threats and data loss.
The SAMA Cybersecurity Framework is a concise foundation that an organization can refer to for deeper insight into cyber threats and for controlling them early, before they spread.
Let’s learn more about it.
What is SAMA: Everything You Must Know
SAMA stands for Saudi Arabian Monetary Authority.
Saudi Arabia’s central bank came into existence in 1952 and focuses on regulating commercial development in the country. It supervises the functioning of financial entities, oversees the banking-related affairs of the government, issues and regulates the national currency, and monitors the foreign exchange reserves.
The authority recognized that cyber threats to banking and financial operations were growing at a rapid pace. Hence, SAMA constructed a digital security methodology for all of its regulated members.
The framework was introduced in 2017 for all SAMA-regulated bodies. It aims to supply adequate guidance to all SAMA members so that they can identify cyber threats early and accurately and control their spread.
The framework is a risk-centric methodology with an extended list of key security mandates and controls that its adopters must follow.
When an institution fails to meet what the framework requires, it must submit a legal risk acceptance to SAMA. This helps SAMA determine the security-maturity level of the member business.
The framework draws on the standards of ISO, PCI, NIST, BASEL, and ISF. All rights to review, maintain, and update the framework are reserved by SAMA.
Goals Of SAMA
This framework's foundation lies in verifying that a SAMA-regulated financial institution is capable of identifying cybersecurity risks early and is prepared to deal with them.
SAMA has carefully covered every aspect of the cyber-risk management process that all its member organizations must keep in mind to protect mission-critical data and information.
Its implementation is mandatory for SAMA members so that:
- They have a viable cybersecurity risk management approach to adopt
- They can have a well-defined maturity level
- Digital risks are managed at an early stage so that the damage is under control
SAMA’s objectives are defined so as to safeguard a wide range of assets: electronic/digital data, physical records of any kind, every application, electronic device, database, and piece of software a financial institution uses, its computers and data storage devices, and everything else included in the technical infrastructure.
SAMA Cybersecurity Maturity Levels
SAMA mandates that its members (i.e., organizations) adopt a certain degree of security controls according to their existing security-maturity level. To measure that level, the SAMA CSF refers to a predefined model.
According to that model, there are six maturity levels, which we cover next in the table.
With this security maturity model, SAMA aims to address the key risks to financial institutions at an early stage and limit the damage. Any organization that wants to attain a level >3 must first successfully attain all the prior levels.
The first 3 maturity levels indicate the absence of robust controls in a given ecosystem. To be considered dependable, an organization must operate at maturity level 3 or above.
At maturity level 3, which is the minimum acceptable maturity level, a member and its board must have a fully endorsed and mandatory cybersecurity policy whose purpose is clearly communicated to everyone.
Staff, customers, and third-party vendors should be fully aware of the acceptable-use policies.
At maturity level 4, the focus shifts to testing the effectiveness of the security controls and policies in operation, to ensure that current controls are in place. As cyber threats evolve at a rapid pace, outdated cybersecurity controls will fail to deliver the desired protection. Hence, this maturity level assesses the effort an organization puts into evaluating its security controls.
Finally, maturity level 5 is about the continual improvement of the controls that have been implemented and assessed. At this level, members must be certain that risk management and security controls are not treated as two separate, disconnected activities. Rather, they should be integrated and monitored regularly.
The framework is built on four domains, each divided into multiple subdomains. A subdomain focuses on a specific topic or concern, and each subdomain is described in three parts:
- The principle, which states the main reason for that security control's existence
- The objective, which explains the aims of the principle and what that specific security control is trying to achieve
- The control considerations, which are the mandatory security controls to be considered for each domain. Generally, there are four levels of control considerations.
Up next, we have explained the control domains of the SAMA Framework in detail.
Cybersecurity Leadership and Governance
The governing bodies of the members are primarily responsible for maintaining a strong cybersecurity infrastructure. The board may delegate this responsibility to a properly constituted security committee.
The role of this security committee is to define which governance standards are acceptable for reviewing cybersecurity and to provide well-defined cybersecurity standards for members.
In addition, the committee is responsible for establishing the cybersecurity policy and identifying viable operational practices that will improve the effectiveness of the CSCs.
It’s mandatory to have an independent cybersecurity function to design, maintain, and govern the applied cybersecurity policies.
As far as governance is concerned, SAMA requires that the cybersecurity governance structure be under the authority of the board. The controls to consider here include representation from all the leading cybersecurity committees, regular internal audits, the establishment of a cybersecurity charter, and clearly defined committee objectives.
Cybersecurity Risk Management and Compliance
Members must understand that managing cyber risks is a continual process that revolves around the early identification, monitoring, and analysis of the risks concerned. SAMA instructs the responsible functions to focus on the following:
- Identifying or predicting threats and risks early
- Determining the probability of a cybersecurity risk
- Performing regular risk analysis
- Framing a viable, results-driven response
- Periodically monitoring risk treatment and analyzing the efficacy of the CSCs
- Adherence to the defined CSCs (cybersecurity controls)
According to SAMA, the risk management process needs to be precisely defined, designed, approved, and implemented. Its purpose is to safeguard the integrity and confidentiality of the mission-critical information of the member businesses.
For compliance, the member companies must design the risk-management processes and communicate their implications to the relevant stakeholders. The risk-compliance process must be conducted periodically and should play a crucial role in updating the cybersecurity policy.
Adherence to globally accepted standards is mandatory and non-negotiable.
The relevant compliance standards here are PCI-DSS, the SWIFT Customer Security Controls Framework, and the EMV technical standard.
Cybersecurity Operations and Technology
SAMA instructs its member businesses to protect the key operations and technology of the institution itself, its staff, third-party vendors, and members.
It’s important to have well-defined and continually improved CSCs to ensure that the technologies in use do not introduce threats into the system. Cybersecurity requirements should be embedded starting with the human resources processes.
Staff of member businesses should be screened from the recruitment stage onward, with proper measures adopted throughout the employee lifecycle.
As per SAMA, robust physical security measures must be taken so that physical assets are kept out of reach of all kinds of security threats.
Sufficient security controls should be in place to ensure there is no unauthorized access to the members' physical assets. The security controls SAMA recommends in this direction are advanced monitoring and surveillance tools, protection of data center equipment, modern environmental protection measures, oversight of data access, and review of all access control measures in place to prevent unauthorized access.
Application security is also covered. All the applications and software that financial institutions use must follow a viable secure SDLC approach and secure coding standards. Identity and access management receives equal attention: access control, user access management, and user request management must be monitored and regulated periodically.
This is not everything covered in this domain. It is extensive, and the image referred to below provides more detail.
Third-Party Cybersecurity
This control domain focuses entirely on third-party services and their security controls. Member businesses should put in extra effort to make sure that all third-party resources are secure and free from cybersecurity threats. Some of the recommended security controls here are:
- Including risk assessment in the procurement process
- Having clear security requirements
- Testing the security controls that third-party vendors use
- Terminating the contract if a vendor fails to adhere to security-control best practices
- Adhering to SAMA outsourcing controls when outsourcing technology or talent
- Seeking SAMA approval before using any cloud service or facility
- Making sure that the selected cloud service provider is not using the data for its own purposes
- Granting the termination rights to the member companies
- Performing cyber security audits for the cloud provider at regular intervals
All in all, SAMA covers extensive security controls related to third-party vendors, contractors, and other outside resources.
For every financial institution, maintaining a sound cybersecurity infrastructure is imperative. Ignoring the early signs of a vulnerability can prove highly damaging later. The SAMA Cybersecurity Framework provides a fully standardized set of CSCs and processes for every SAMA member.
By explaining security maturity levels, cybersecurity risks, and remedial responses in detail, the framework allows financial institutions to be more responsive to hidden threats. As the framework supports the adoption of the most recent cybersecurity technology, its implementation will certainly improve the security posture of financial institutions in Saudi Arabia.