National Cybersecurity Authority (NCA): What You Need to Know – tripwire.com

In its Vision 2030 development plan, Saudi Arabia included a National Transformation Program whose purpose is to diversify the Kingdom's income away from the oil industry. One of the core tenets of that program is to enable the growth of the private sector by developing the digital economy. Specifically, Saudi Arabia set out its intention to increase the contribution of the digital economy to non-oil GDP from 2% to 3% by 2030. The Kingdom made clear that this process must involve partnering with private actors to develop more telecommunications/IT infrastructure along with supporting local investment in those sectors.

The Kingdom also recognized that it must take appropriate security measures to secure this process. As stated in a document published on its website:

This transformation requires easing the flow of information, securing it and preserving the integrity of all systems. It also requires maintaining and supporting the cybersecurity of the Kingdom in order to protect its vital interests, national security, critical infrastructures, high priority sectors and governmental services and practices.

Acknowledging these tasks, Saudi Arabia created the National Cybersecurity Authority (NCA) by royal decree and approved the government entity's mandate to develop national digital security policies. The NCA acted upon this directive by developing the Essential Cybersecurity Controls (ECC), measures which constitute the minimum security requirements for in-scope national organizations. As such, compliance with ECC is mandatory for those entities.

So, how can organizations ensure compliance with ECC? To answer that question, this blog post will first examine the five domains of ECC. It will then explain how Tripwire Enterprise can assist organizations in achieving compliance with the Controls' domains using foundational controls for security, compliance and IT operations.

The NCA created the Essential Cybersecurity Controls in 2018 to help government organizations as well as private sector actors who own, operate or host national critical infrastructure to minimize the risks from external and internal digital security threats. Taking into account in-scope entities' strategies, people, processes and technology, these security measures consist of 114 individual controls that are designed to uphold the confidentiality, integrity and availability of information and technology assets.

The ECC consist of five domains comprising 29 subdomains. These are as follows:

1. Cybersecurity Governance

a. Cybersecurity strategy: All digital security plans and policies must advance the organization's efforts to comply with pertinent laws and regulations.

b. Cybersecurity management: An Authorizing Official within each organization must create a digital security department, steering committee and function head.

c. Cybersecurity policies and procedures: Each organization must have documented digital security policies/plans as well as comply with those strategies.

d. Cybersecurity roles and responsibilities: An organization must define all roles and positions related to digital security within its workforce.

e. Cybersecurity risk management: An in-scope entity must take a methodological approach to minimize risks pertaining to its IT and technological assets.

f. Cybersecurity in information and technology project management: Project management methodology procedures must take digital security into account.

g. Compliance with cybersecurity standards, laws and regulations: An entity's digital security program must comply with existing laws and regulations.

h. Periodical cybersecurity review and audit: Organizations must submit to an audit process to determine if their plans and procedures are in compliance with ECC.

i. Cybersecurity in human resources: An entity must address employee digital security from the time someone is hired to the time they leave the company.

j. Cybersecurity awareness and training program: All employees need to receive whatever resources are necessary to fulfill their digital security responsibilities.

2. Cybersecurity Defense

a. Asset management: An organization needs to know what hardware and software are connected to the network if it is to protect its IT and technology assets.

b. Identity and access management: Without proper access controls, unauthorized users could compromise an organization's information and technology assets.

c. Information system and information processing facilities protection: An organization needs to safeguard its information system and processing facilities.

d. Email protection: In-scope entities need to take the proper precautions to defend their email systems against digital threats.

e. Networks security management: An organization should use network segmentation/segregation, IPSes and other tools to secure its networks.

f. Mobile devices security: Entities need to protect all mobile devices against digital threats and secure all information under their BYOD policy.

g. Data and information protection: An organization needs to take the proper measures to safeguard its data and information assets.

h. Cryptography: In the name of data protection, an organization needs to efficiently use cryptography to protect its information per its policies and procedures.

i. Backup and recovery management: Entities in the scope of ECC need to secure their information systems and software configurations against digital risks.

j. Vulnerabilities management: If an organization fails to detect and remediate security bugs on a timely basis, it could allow attackers to exploit vulnerabilities.

k. Penetration testing: An organization should use simulated digital attacks to evaluate its digital defenses against malicious actors.

l. Cybersecurity event logs and monitoring management: Logs can help an organization detect a security issue before it balloons into a security incident.

m. Cybersecurity incident and threat management: In the event of an incident, an organization needs to respond appropriately so as to minimize the damages.

n. Physical security: An organization must safeguard its IT and technology assets against physical loss, damage and/or unauthorized access.

o. Web application security: Digital threats pose a risk to external web applications; an organization needs to defend itself accordingly.

3. Cybersecurity Resilience

a. Cybersecurity Resilience Aspects of Business Continuity Management (BCM): An organization needs to protect its IT assets against potential disasters and include resiliency requirements within its business continuity plan.

4. Third-Party and Cloud-Computing Cybersecurity

a. Third-party cybersecurity: Third parties including managed services and outsourced agents pose a threat to information assets; an organization needs to follow its policies and procedures to defend itself accordingly.

b. Cloud computing and hosting cybersecurity: To remediate digital threats pertaining to its hosting and cloud computing systems, an organization needs to protect its assets hosted on the cloud and managed by third parties.

5. Industrial Control Systems Cybersecurity

a. Industrial Control Systems (ICS) Protection: An organization needs to safeguard its industrial control systems and OT assets against digital threats.

The NCA ultimately leverages self-assessments, reports from its assessment and compliance tool and/or on-site audits to ensure that in-scope entities remain compliant with the Essential Cybersecurity Controls. In pursuit of this objective, organizations should follow the NCA's guidance and implement whatever is necessary to ensure continuous compliance with the controls. (This recommendation reflects the reality that not every organization can implement every control identified above. As an example, the fourth and fifth domains would not pertain to organizations that do not use the cloud and that don't manage ICS systems.)

Tripwire Enterprise can help organizations achieve their ECC compliance with the NCA. This solution is particularly effective with regard to some of the controls identified in the second domain, Cybersecurity Defense. It does this by translating the technical controls into configuration hardening checks, thereby ensuring a system's security configuration is appropriate for the job that it needs to do.

Here are five controls as an example:

Organizations can easily monitor their performance across all of these and other security controls using the dashboard provided by Tripwire Enterprise.

Tripwire Enterprise specifically provides customers with several important secure configuration management (SCM) capabilities. These include the following:

Taken together, these SCM capabilities allow organizations to ensure the confidentiality, integrity and availability of their IT and technology assets, helping to grow Saudi Arabia's digital economy.

For more information on how Tripwire can help your organization maintain ECC compliance, see Tripwire's ECC resources.
