Cloud Cybersecurity Controls
Document marking: White – No Restriction. (This marking protocol, the Traffic Light Protocol, is widely used around the world and has four colors.)
Table of Contents
1. Executive Summary
2. Introduction
3. Objectives
4. Scope of Work and Applicability
5. Implementation and Compliance
6. Cloud Cybersecurity Controls Methodology and Mapping Annex
7. Update and Review
8. Cloud Cybersecurity Controls Domains and Structure
9. CCC Documentation Structure
10. Cloud Cybersecurity Controls
    1. Cybersecurity Governance
    2. Cybersecurity Defense
    3. Cybersecurity Resilience
    4. Third-party Cybersecurity
11. Annexes
    Annex No. (A): Cloud Cybersecurity Controls Levels
    Annex No. (B): Terminologies and Definitions
    Annex No. (C): List of the Abbreviations
1. Executive Summary
NCA's mandate and duties cover the regulatory cybersecurity needs of the Kingdom, including the development of national cybersecurity policies, governance mechanisms, frameworks, standards, controls and guidelines, in support of the role of cybersecurity, which has grown as risks in cyberspace have risen more than ever before.
Cloud services are a global trend and are being adopted at a fast pace in the Kingdom of Saudi Arabia. This brings new cybersecurity risks that require cybersecurity controls for dealing with cloud services, taking into consideration common international practice in this field, as an extension to the already published Essential Cybersecurity Controls (ECC-1: 2018).
As a result, the Cloud Cybersecurity Controls (CCC – 1: 2020) were developed to minimize the cybersecurity risks of Cloud Service Providers (CSPs) and Cloud Customers, also known as Cloud Service Tenants (CSTs). This document details the cloud cybersecurity controls for cloud services, their objectives, scope, statement of applicability, compliance approach and monitoring.
All CSPs and CSTs shall implement all necessary measures to ensure continuous compliance with
the CCC as per Paragraph III of Article 10 of NCA’s mandate and as per the Royal Decree number
57231, dated 10/11/1439AH.
2. Introduction
The National Cybersecurity Authority (referred to in this document as "The Authority" or "NCA") developed the Cloud Cybersecurity Controls (CCC – 1: 2020) after conducting a comprehensive study of multiple national and international cybersecurity frameworks, standards and controls, and reviewing common industry practices and experience in the field of cybersecurity. A mapping study was conducted against international cloud computing standards and controls such as US FedRAMP (whose number of requirements ranges from 125 to 421 depending on the impact level), the Multi-Tier Cloud Security Standard for Singapore (MTCS SS), which contains 535 requirements, Germany's C5, which contains 114 requirements, the Cloud Controls Matrix (CCM), which contains 133 controls, and ISO/IEC 27001, which contains 114 controls. Details of this mapping are presented in a separate document that extends the CCC.
Figure 1: Cloud Cybersecurity Controls Components (4 Main Domains; 24 Subdomains; 96 Subcontrols; 26 Subcontrols)
3. Objectives
The Cloud Cybersecurity Controls (CCC – 1: 2020) were developed as an extension to the ECC, to achieve higher levels of national cybersecurity by focusing on cloud computing services from the perspective of both Cloud Service Providers (CSPs) and Cloud Service Tenants (CSTs). The CCC also set the minimum cybersecurity requirements for cloud computing, for both CSPs and CSTs, enabling CSPs to provide and CSTs to use secure cloud computing services, and mitigating the cyber risks against them.
The cybersecurity of cloud computing services, for both CSPs and CSTs, must protect the confidentiality, integrity and availability of the data and information within the cloud environment. To that end, the CCC take into consideration the following four main cybersecurity pillars:
• Strategy
• People
• Procedures
• Technology
5. Implementation and Compliance
To comply with Paragraph III of Article 10 of NCA's mandate and as per Royal Decree number 57231, all CSPs and CSTs within the scope of these controls must implement all necessary measures to ensure continuous compliance with the CCC according to the levels shown in Table (2) and Table (3) in the section "Annex No. (A): Cloud Cybersecurity Controls Levels" of this document, taking into account the following two rules:
1. The CST controls in the CCC are an extension of and complement to the controls in the ECC; therefore the CSTs must ensure continuous compliance with the controls in both the ECC and the CCC.
2. The CSP controls in the CCC are an extension of and complement to the controls in the ECC; therefore the CSPs, whether within or outside the scope of the ECC, must ensure continuous compliance with the controls in both the ECC and the CCC.
NCA will give CSPs and CSTs within the scope of work a compliance period to comply with the
CCC (taking into account CSPs and CSTs who move from outside the scope to within the scope of
work) as deemed appropriate by NCA. Also, NCA evaluates CSPs and CSTs compliance with the CCC
in accordance with the mechanisms deemed appropriate by NCA; such as self-assessment of CSPs and
CSTs, and/or external compliance assessment by NCA or designated third-parties.
6. Cloud Cybersecurity Controls Methodology and Mapping Annex
NCA developed a cloud cybersecurity controls methodology and mapping annex document, which is considered part of the Cloud Cybersecurity Controls document. The methodology and mapping annex consists of the following:
• Design principles of the CCC.
• Relationship to other international standards.
• Design methodology of the CCC.
• Main domains and subdomains structure of the CCC.
• Domains mapping to international standards.
• Control mapping to international standards.
• ECC/CCC subdomain mapping.
• Control Applicability on different Cloud Service Models (IaaS, PaaS, and SaaS).
7. Update and Review
NCA will periodically review and update the CCC (in addition to any supplementary documents related to the CCC) in line with cybersecurity requirements and related industry updates. NCA will communicate and publish the updated version of the CCC for implementation and compliance.
8. Cloud Cybersecurity Controls Domains and Structure
Figure (2) below shows the Main Domains and Subdomains of controls.
The cloud cybersecurity controls use a notation that provides a unique identifier for each element (Main Domain, Subdomain, Main Control and Subcontrol). The unique identifier is defined following the rules described in Figure (4).
1 - 3 - P/T - 1 - 1
│   │    │    │   └─ Subcontrol ID
│   │    │    └───── Main Control ID
│   │    └────────── CSP control (P) / CST control (T)
│   └─────────────── Subdomain ID
└─────────────────── Main Domain ID
Figure 4: Controls Unique Identifier Structure
CSP and CST controls share common main domains and subdomains; they are differentiated on the third identification tier and have their own main control and subcontrol numbering sequences. CSP controls have an identifier of the form '1-3-P-1-1', as in the figure; CST controls have an identifier of the form '1-3-T-1-1'. The CCC uses the following conventions:
• A control is applicable either to the Cloud Service Provider (P) or to the Cloud Service Tenant (T), as indicated in the notation's third tier ("P/T").
• Numbers printed in green in the original document (such as 1-3-2) are reference numbers to subdomains or controls of the ECC.
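As an added illustration of this notation (example code written for this page, not part of NCA's CCC document or of any NCA tooling), the following Python parses and validates CCC identifiers of the form shown in Figure 4, distinguishes them from the plain ECC references that carry no P/T tier, and applies the exception footnotes of Annex A to a main control that is marked mandatory at a given level. The footnote data embedded below is taken from note 6 of Table 2 (main control 2-12-P-1); the names `ControlId`, `parse_control_id`, `is_ecc_reference`, `AnnexNote` and `annex_status` are this example's own and do not appear in the CCC.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# CCC identifier per Figure 4: <main domain>-<subdomain>-<P|T>-<main control>[-<subcontrol>]
# e.g. "1-3-P-1-1" (CSP subcontrol) or "1-3-T-1" (CST main control).
CCC_ID = re.compile(
    r"^(?P<domain>\d+)-(?P<subdomain>\d+)-(?P<party>[PT])-(?P<control>\d+)(?:-(?P<subcontrol>\d+))?$"
)
# ECC references (printed in green in the original, e.g. "1-3-2" or "1-5") have no P/T tier.
ECC_REF = re.compile(r"^\d+-\d+(?:-\d+){0,2}$")

# The four main domains listed in section 10 of the CCC.
MAIN_DOMAINS = {
    1: "Cybersecurity Governance",
    2: "Cybersecurity Defense",
    3: "Cybersecurity Resilience",
    4: "Third-party Cybersecurity",
}


@dataclass(frozen=True)
class ControlId:
    domain: int
    subdomain: int
    party: str            # "P" = CSP control, "T" = CST control
    control: int
    subcontrol: Optional[int] = None

    @property
    def applies_to(self) -> str:
        return "CSP" if self.party == "P" else "CST"

    @property
    def domain_name(self) -> str:
        return MAIN_DOMAINS[self.domain]

    @property
    def parent(self) -> "ControlId":
        """Main control that a subcontrol belongs to (a main control is its own parent)."""
        if self.subcontrol is None:
            return self
        return ControlId(self.domain, self.subdomain, self.party, self.control)

    def __str__(self) -> str:
        tiers = [self.domain, self.subdomain, self.party, self.control]
        if self.subcontrol is not None:
            tiers.append(self.subcontrol)
        return "-".join(str(t) for t in tiers)


def parse_control_id(text: str) -> ControlId:
    """Parse and validate a CCC identifier; rejects ECC-style references and unknown domains."""
    m = CCC_ID.match(text.strip())
    if m is None:
        raise ValueError(f"not a CCC control identifier: {text!r}")
    domain = int(m["domain"])
    if domain not in MAIN_DOMAINS:
        raise ValueError(f"unknown main domain {domain} in {text!r}")
    sub = m["subcontrol"]
    return ControlId(domain, int(m["subdomain"]), m["party"], int(m["control"]),
                     int(sub) if sub is not None else None)


def is_ecc_reference(text: str) -> bool:
    """True for a plain ECC subdomain/control reference such as "1-5" or "2-12-3"."""
    return ECC_REF.match(text.strip()) is not None


@dataclass(frozen=True)
class AnnexNote:
    """Exceptions from one footnote of Table 2/3, for one main control at one level."""
    main_control: str
    optional: FrozenSet[str]
    not_applicable: FrozenSet[str]


# Constructed from note 6 of Table 2: for 2-12-P-1, subcontrols 2-12-P-1-2 and 2-12-P-1-3
# are optional and 2-12-P-1-8 is not applicable; every other subcontrol follows the main control.
FOOTNOTE_6 = AnnexNote(
    main_control="2-12-P-1",
    optional=frozenset({"2-12-P-1-2", "2-12-P-1-3"}),
    not_applicable=frozenset({"2-12-P-1-8"}),
)


def annex_status(subcontrol: str, note: AnnexNote) -> str:
    """Status of a subcontrol whose main control is marked mandatory at the level the note covers."""
    sc = parse_control_id(subcontrol)
    if sc.subcontrol is None or str(sc.parent) != note.main_control:
        raise ValueError(f"{subcontrol} is not a subcontrol of {note.main_control}")
    key = str(sc)  # normalised form, so surrounding whitespace in the input does not matter
    if key in note.not_applicable:
        return "not applicable"
    if key in note.optional:
        return "optional"
    return "mandatory"


if __name__ == "__main__":
    for raw in ("1-3-P-1-1", "1-3-T-1-1", "2-12-P-1"):
        cid = parse_control_id(raw)
        print(f"{cid}: {cid.applies_to} control, domain {cid.domain} ({cid.domain_name}), main control {cid.parent}")
    print("1-3-2 is an ECC reference:", is_ecc_reference("1-3-2"))
    for raw in ("2-12-P-1-1", "2-12-P-1-2", "2-12-P-1-8"):
        print(raw, "->", annex_status(raw, FOOTNOTE_6))
```

The strict anchoring of the regular expressions is deliberate: a compliance tracker that accepted "1-3-2" as a CCC control would silently mix ECC references into CCC evidence, and an unknown domain number almost always indicates a transcription error in a mapping sheet rather than a new domain.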
9. CCC Documentation Structure
Table (1) below shows the methodological structure of the controls.
1 Cybersecurity Governance
1-2-T-1 Cybersecurity risk management methodology mentioned in the ECC Subdomain 1-5 shall
also include for the CST, as a minimum:
1-2-T-1-1 Defining acceptable risk levels for the cloud services.
1-2-T-1-2 Considering the data and information classification approved by the CST in the cybersecurity risk management methodology.
1-2-T-1-3 Developing a cybersecurity risk register for cloud services and monitoring it periodically according to the risks.
1-3 Compliance with Cybersecurity Standards, Laws and Regulations
Objective To ensure that the CSPs’ and CSTs’ cybersecurity program is in compliance with related
laws and regulations.
Controls
1-3-P-1 In addition to the ECC control 1-7-1, the CSP's legislative and regulatory compliance should include, as a minimum, the following requirements:
1-3-P-1-1 Continuous compliance with all laws, regulations, instructions, decisions,
regulatory frameworks and controls, and mandates regarding cybersecurity
in KSA.
1-3-T-1 In addition to the ECC control 1-7-1, the CST's legislative and regulatory compliance should include, as a minimum, the following requirements:
1-3-T-1-1 Continuous or real-time compliance monitoring of the CSP with relevant
cybersecurity legislation and contract clauses.
1-4 Cybersecurity in Human Resources
Objective To ensure that cybersecurity risks and requirements related to personnel (employees and
contractors) are managed efficiently prior to employment, during employment and after
termination/separation as per organizational policies and procedures, and related laws and
regulations.
Controls
1-4-P-1 In addition to subcontrols in the ECC controls 1-9-3 and 1-9-4, the following requirements should be covered prior to and during the professional relationship of personnel with the CSP, as a minimum:
1-4-P-1-1 Positions of cybersecurity functions in CSP’s data centers within the KSA
must be filled with qualified and suitable Saudi nationals.
1-4-P-1-2 Screening or vetting candidates of personnel working inside KSA who have
access to Cloud Technology Stack, periodically.
2 Cybersecurity Defense
2-3-T-1 In addition to subcontrols in the ECC control 2-3-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for the protection of information systems and processing facilities, as a minimum:
2-3-T-1-1 Verifying that the CSP isolates the community cloud services provided to
CSTs (government organizations and CNI organizations) from any other
cloud computing provided to organizations outside the scope of work.
2-4 Networks Security Management
Objective To ensure the protection of CSP’s and CST’s network from cyber risks.
Controls
2-4-P-1 In addition to subcontrols in the ECC control 2-5-3, the CSP shall cover the following
additional subcontrols for cybersecurity requirements for networks security management
requirements, as a minimum:
2-4-P-1-1 Monitoring of traffic across the external and internal networks to detect
anomalies.
2-4-P-1-2 Network isolation and protection of Cloud Technology Stack network from
other internal and external networks.
2-4-P-1-3 Protection from denial of service attacks (including Distributed Denial of
Service (DDoS)).
2-4-P-1-4 Protection of data transmitted through the network from and to the Cloud Technology Stack network, using cryptographic primitives, for management and administrative access.
2-4-P-1-5 Access control between different network segments.
2-4-P-1-6 Isolation between the cloud service delivery network, the cloud management network and the CSP enterprise network.
2-4-T-1 In addition to subcontrols in the ECC control 2-5-3, the CST shall cover the following
additional subcontrols for cybersecurity requirements for networks security management
requirements, as a minimum:
2-4-T-1-1 Protecting the connection channel with CSP.
2-5 Mobile Devices Security
Objective To ensure the protection of mobile devices (including laptops, smartphones, and tablets)
from cyber risks and to ensure the secure handling of the CSPs’ and CSTs’ information
(including sensitive information) while utilizing mobile devices.
Controls
2-5-P-1 In addition to subcontrols in the ECC control 2-6-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for mobile device security, as a minimum:
2-5-P-1-1 Inventory of all end user and mobile devices.
2-5-P-1-2 Centralized mobile device security management.
2-5-P-1-3 Screen locking for end user devices.
2-5-P-1-4 Data sanitation and secure disposal for end-user devices, especially for
those with exposure to the Cloud Technology Stack.
2-5-T-1 In addition to subcontrols in the ECC control 2-6-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for mobile device security, as a minimum:
2-5-T-1-1 Data sanitation and secure disposal for end-user devices with access to the
cloud services.
2-6 Data and Information Protection
Objective To ensure the confidentiality, integrity and availability of CSPs' and CSTs' data and information as per organizational policies and procedures, and related laws and regulations.
Controls
2-6-P-1 In addition to subcontrols in the ECC control 2-7-3, the CSP shall cover the following
additional subcontrols for cybersecurity requirements for data and information protection
requirements, as a minimum:
2-6-P-1-1 Prohibiting the use of Cloud Technology Stack’s data in any environment
other than production environment, except after applying strict controls for
protecting that data, such as: data masking or data scrambling techniques.
2-6-P-1-2 Provision to CSTs of secure data storage processes, procedures and technologies to comply with related legal and regulatory requirements.
2-6-P-1-3 Disposal of the CST's data in a secure manner on termination or expiry of the contract with the CSP.
2-6-P-1-4 Commitment to maintain the confidentiality of the CST's data and information, according to related legal and regulatory requirements.
2-6-P-1-5 Providing CSTs with secure means to export and transfer data and virtual infrastructure.
2-6-T-1 In addition to subcontrols in the ECC control 2-7-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for protecting the CST's data and information in cloud computing, as a minimum:
2-6-T-1-1 Exit Strategy to ensure means for secure disposal of data on termination or
expiry of the contract with the CSP.
2-6-T-1-2 Using secure means to export and transfer data and virtual infrastructure.
2-7 Cryptography
Objective To ensure the proper and efficient use of cryptography to protect information assets as per
policies, procedures, and related laws and regulations.
Controls
2-7-P-1 In addition to subcontrols in the ECC control 2-8-3, the CSP shall cover the following additional subcontrols for cryptography, as a minimum:
2-7-P-1-1 Technical mechanisms and cryptographic primitives for strong encryption, in accordance with the advanced level of the National Cryptographic Standards (NCS-1:2020).
2-7-P-1-2 Certification authority and issuance capability in a secure manner, or usage
of certificates from a trusted certification authority.
2-7-T-1 In addition to subcontrols in the ECC control 2-8-3, the CST shall cover the following additional subcontrols for cryptography, as a minimum:
2-7-T-1-1 Technical mechanisms and cryptographic primitives for strong encryption, in accordance with the advanced level of the National Cryptographic Standards (NCS-1:2020).
2-7-T-1-2 Encryption of data and information transferred to or transferred out of the
cloud according to the relevant law and regulatory requirements.
2-8 Backup and Recovery Management
Objective To ensure the protection of CSPs’ data and information including information systems and
software configurations from cyber risks as per organizational policies and procedures, and
related laws and regulations.
Controls
2-8-P-1 In addition to subcontrols in the ECC control 2-9-3, the CSP shall cover the following additional subcontrols for cybersecurity requirements for backup and recovery management, as a minimum:
2-8-P-1-1 Securing access to, storage of and transfer of the CST's data backups and their media, and protecting them against damage, amendment or unauthorized access.
2-8-P-1-2 Securing access to, storage of and transfer of Cloud Technology Stack backups and their media, and protecting them against damage, amendment or unauthorized access.
Controls
2-11-P-1 In addition to subcontrols in the ECC control 2-12-3, the CSP shall cover the following
additional subcontrols for cybersecurity requirements for cybersecurity event logs and
monitoring management, as a minimum:
2-11-P-1-1 Activating and protecting event logs and audit trails of the Cloud Technology Stack.
2-11-P-1-2 Activating and collecting login attempt history.
2-11-P-1-3 Activating and protecting all event logs of activities and operations performed by the CSP at the tenant level, in order to support forensic analysis.
2-11-P-1-4 Protecting cybersecurity event logs from alteration, disclosure, destruction, unauthorized access and unauthorized release, in accordance with regulatory or legal requirements.
2-11-P-1-5 Continuous cybersecurity event monitoring using SIEM technology, covering the full Cloud Technology Stack.
2-11-P-1-6 Reviewing cybersecurity event logs and audit trails periodically, covering CSP events in the Cloud Technology Stack.
2-11-P-1-7 Automated monitoring and logging of remote access session event logs.
2-11-P-1-8 Secure handling of user-related data found in the audit trails and the cybersecurity event logs.
2-11-T-1 In addition to subcontrols in the ECC control 2-12-3, the CST shall cover the following additional subcontrols for cybersecurity requirements for cybersecurity event logs and monitoring management, as a minimum:
2-11-T-1-1 Activating and collecting login event logs and cybersecurity event logs on assets related to the cloud services.
2-11-T-1-2 Monitoring shall include all activated cybersecurity logs on the cloud services of the CST.
2-12 Cybersecurity Incident and Threat Management
Objective To ensure timely identification and detection of cybersecurity incidents, their effective management, and proactive response to cybersecurity threats, in order to prevent or minimize the impact on the business of the CSPs.
Controls
2-12-P-1 In addition to subcontrols in the ECC control 2-13-3, the CSP shall cover the following
additional subcontrols for cybersecurity requirements for cybersecurity incident and threat
management, as a minimum:
Controls
2-14-P-1 In addition to subcontrols in the ECC control 2-15-3, the CSP shall cover the following
additional subcontrols for cybersecurity requirements for web application security, as a
minimum:
Controls
2-16-P-1 Cybersecurity requirements for system development within the CSP shall be identified,
documented and approved.
2-16-P-2 Cybersecurity requirements for system development within the CSP shall be applied.
2-16-P-3 Cybersecurity requirements for system development within the CSP shall include, as a minimum, the following controls along the development lifecycle:
2-16-P-3-1 Considering cybersecurity requirements of the Cloud Technology Stack and relevant systems in the design and implementation of the cloud computing services.
2-16-P-3-2 Protecting system development environments, testing environments (including data used in the testing environment), and integration platforms.
2-16-P-4 Cybersecurity requirements for system development within the CSP shall be applied and
reviewed periodically.
2-17 Storage Media Security
Objective Ensure CSPs’ secure handling of information and data on physical media.
Controls
2-17-P-1 Cybersecurity requirements for usage of information and data media within the CSP shall
be identified, documented and approved.
2-17-P-2 Cybersecurity requirements for usage of information and data media within the CSP shall
be applied.
2-17-P-3 Cybersecurity requirements for usage of information and data media within the CSP shall
cover, at minimum, the following:
2-17-P-3-1 Enforcement of sanitization of media, prior to disposal or reuse.
2-17-P-3-2 Using secure means when disposing of media.
2-17-P-3-3 Provision to maintain confidentiality and integrity of data on removable
media.
2-17-P-3-4 Human-readable labelling of media, to indicate its classification and the sensitivity of the information it contains.
2-17-P-3-5 Controlled and physically secure storage of removable media.
2-17-P-3-6 Restriction and control of usage of portable media inside the Cloud Technology Stack.
2-17-P-4 Cybersecurity requirements for usage of information and data media within the CSP shall
be applied and reviewed periodically.
3 Cybersecurity Resilience
11. Annexes
Please note that the highest level of classification should be adopted when the content of an integrated set
of data includes different levels.
CSP Controls:
Table (2) below shows the CSP's commitments to cloud cybersecurity controls (section no. 10 «Cloud Cybersecurity Controls») by level.
Table 2. CSP's commitments to cybersecurity controls for cloud computing
Columns: Subdomains and Controls | Level 1 | Level 2 | Level 3 | Level 4; each level column marks the control as Optional (Recommended) or Mandatory at that level.
ECC Controls
1-1-P-1
1-2-P-1
1-3-P-1
1-4-P-1
1-4-P-2
1-5-P
2-1-P-1
2-2-P-1 (note 1)
2-3-P-1 (notes 2, 3)
2-4-P-1
2-5-P-1 (note 4)
2-6-P-1
2-7-P-1 (note 5)
2-8-P-1
2-9-P-1
2-10-P-1
2-11-P-1
2-12-P-1 (note 6)
2-13-P-1
2-14-P-1
2-15-P (note 7)
2-16-P
2-17-P
3-1-P-1
4-1-P-1 (note 8)
Notes to Table 2:
1. With the exception of subcontrols 2-2-P-1-9 and 2-2-P-1-10, which are considered optional.
2. With the exception of subcontrol 2-3-P-1-11, which is considered optional.
3. With the exception of subcontrols 2-3-P-1-4 and 2-3-P-1-11, which are considered optional; subcontrol 2-3-P-1-9 is not applicable.
4. With the exception of subcontrol 2-5-P-1-2, which is considered optional.
5. With the exception of subcontrol 2-7-P-1-1, which is considered optional.
6. With the exception of subcontrols 2-12-P-1-2 and 2-12-P-1-3, which are considered optional; subcontrol 2-12-P-1-8 is not applicable.
7. With the exception of subcontrol 2-15-P-3-1, which is considered optional.
8. With the exception of subcontrol 4-1-P-1-8, which is considered optional.
CST Controls:
Table (3) below shows the CST's commitments to cloud cybersecurity controls (section no. 10 «Cloud Cybersecurity Controls») by level.
Table 3. CST's commitments to cybersecurity controls for cloud computing
Columns: Subdomains and Controls | Level 1 | Level 2 | Level 3 | Level 4; each level column marks the control as Optional (Recommended) or Mandatory at that level.
2-4-T-1
2-5-T-1
2-6-T-1
2-7-T-1 (note 10)
2-9-T-1
2-11-T-1
2-15-T
3-1-T-1
Notes to Table 3:
9. With the exception of subcontrol 2-3-T-1-1, which is not applicable.
10. With the exception of subcontrol 2-7-T-1-1, which is considered optional.
Terminology Definition
Anything tangible or intangible that has value to the CSPs and CSTs.
There are many types of assets, and some of which include obvious
things, such as: persons, machineries, utilities, patents, software and
Asset services. The term could also include less obvious things, such as:
information and characteristics (for example, CSP’s and CST’s repu-
tation and public image, as well as skill and knowledge).
Any kind of malicious activity that attempts to achieve unauthorized
Attack access, collection, disabling, prevention, destroy or sabotage of the
information system resources or the information itself.
Independent review and examination of records and activities in or-
der to assess the effectiveness of cybersecurity controls and to ensure
Audit adherence to policies, operational procedures, standards and relevant
legislative and regulatory requirements.
Ensure user's identity, process or device, which is often a prerequisite
Authentication for allowing access to resources in the system.
Identification and verification of the rights/licenses of the user to
Authorization access and allow him/her to view the information and technical re-
sources of the CSPs and CSTs as defined in the rights/user licenses.
Files, devices, data and procedures available for use in case of failure
Backup
or loss, or in case of deletion or suspension of their original copies.
CCTV, also known as video surveillance, uses video cameras to send
a signal to a specific location on a limited set of screens. This term is
Closed-Circuit
often referred to as the surveillance technique in areas that may need
Television (CCTV)
to be monitored where physical security is an important requirement
thereto.
Terminology Definition
It is a service management system that ensures a systematic and pro-
active approach using effective standard methods and procedures (for
example, change in infrastructure, networks, etc.). Change Manage-
Change Management ment helps all stakeholders, including individuals and teams alike,
move from their current state to the next desired state, and also helps
reduce the impact of relevant incidents on service.
Categorizing the data prepared, collected, processed, or exchanged
by the organizations for the provision of services or conduct of busi-
nesses, including data received from or exchanged with persons out-
Classification side organizations, and the data that is prepared for the interest of
organizations or related to the sensitive infrastructure. Data related to
organizations is classified, using a top down approach, level 1, level 2,
level 3, or level 4.
Any data classified at any of the following levels: level 1, level 2, level
Classified Data 3, or level 4.
Is a model which enables convenient, on-demand network access to
a shared pool of configurable computing resources (e.g. networks,
servers, storage, applications and services) that can be rapidly provi-
sioned and released with minimal management effort or service pro-
vider interaction. Cloud models are composed of five Essential Char-
acteristics: On-demand self-service, Broad network access, Resource
pooling, Rapid elasticity, and Measured service.
Cloud Computing There are three types of cloud computing services delivery
models:
• Cloud Software as a Service (SaaS).
• Cloud Platform as a Service (PaaS).
• Cloud Infrastructure as a Service (IaaS).
There are four deployment models: Private Cloud, Community Cloud,
Public Cloud, and Hybrid Cloud.
Terminology Definition
C5 is developed by the German Federal Office for Information Secu-
Cloud Computing rity (BSI) to set minimum requirements to secure cloud services in
Compliance Control order to establish a framework of trust between cloud providers and
Catalogue (C5) their customers.
Is the delivery of various services via the Internet and can be acces-
sible through different platforms (desktops, laptops, smart phones..
Cloud Computing etc.). These services include applications and infrastructures such as
Services servers, databases and networking to support, among other things,
communication, data analysis, processing, sharing and storage.
CCM is developed by the Cloud Security Alliance (CSA) to provide
Cloud Controls Matrix fundamental security principles to help the CSTs assessing the security
(CCM) risks of cloud services provided by the CSP.
In this document referred to as “Cloud Service Tenant (CST)”, is any
Cloud Customer natural or legal person (such as companies) who subscribes to the
cloud computing services provided by the service provider.
Any natural or legal person (such as companies) who provides cloud
Cloud Service Provider computing services to the public, either directly or indirectly through
(CSP) data centers (both inside and outside KSA) and manages them in
whole or in part.
Configuration Configuration Management DataBase, concept defined originally by
Management DataBase the ITIL operations standard and consisting in database used to store
(CMDB) configuration records of systems throughout their Lifecycle.
Layered architecture of technologies that are essential to implement
cloud computing services: (Data Center infrastructure, LAN, storage/
Cloud Technology Stack compute/ hyper convergence hardware, hypervisor, cloud manage-
(CTS) ment platform, virtual appliances, OSs, application software, O&M
platforms, cloud security technologies etc.…)
Terminology Definition
Disclosure of or obtaining information by unauthorized persons,
which are unauthorized to be leaked or obtained, or violation of the
cybersecurity policy of the Organization through disclosure, change,
sabotage or loss of anything, either intentionally or unintentionally.
Compromise The expression “security violation” means disclosure of, obtaining,
leaking, altering or use of sensitive data without authorization (in-
cluding cryptographic keys and other critical cybersecurity stand-
ards).
Maintaining authorized restrictions on access to and disclosure of
Confidentiality information, including means of protecting privacy/personal infor-
mation.
The information (or data) that is highly sensitive and important,
according to the classification of the CSPs and CSTs, intended for
use by them. One of the methods that can be used to classify this
type of information is to measure the extent of the damage when
it is disclosed, accessed in an unauthorized manner, damaged or
Confidential Data/ sabotaged, as this may result in material or moral damage to the CSPs
Information and CSTs or its clients, affecting the lives of persons related to that
information or affecting and damaging the security of the state or its
national economy or national capabilities.
Sensitive information includes all information whose disclosure in
unauthorized manner, loss or sabotage results in accountability or
statutory penalties.
These are the assets (i.e. facilities, systems, networks, processes,
and key operators who operate and process them), whose loss or
vulnerability to security breaches may result in:
• Significant negative impact on the availability, integration or
Critical National delivery of basic services, including services that could result in
Infrastructure (CNI) serious loss of property and/or lives and/or injuries, alongside
observance of significant economic and/or social impacts.
• Significant impact on national security and/or national defense
and/or state economy or national capacities.
Terminology Definition
These are the rules that include the principles, methods and means
of storing and transmitting data or information in a particular form
Cryptography in order to conceal its semantic content, prevent unauthorized use or
prevent undetected modification so that only the persons concerned
can read and process the same.
Intentional exploitation of computer systems and networks, and those
Cyber-Attack CSPs and CSTs whose work depends on digital ICT, in order to cause
damage.
Risks that harm the CSPs’ and CSTs’ processes (including the CSPs’
and CSTs’ vision, mission, management, image or reputation), assets,
Cyber Risks individuals, other organizations or the State due to unauthorized ac-
cess, use, disclosure, disruption, modification or destruction of infor-
mation and/or information systems.
Overall ability of the CSPs and CSTs to withstand cyber incidents and
Cybersecurity Resilience the causes of damage, and recovery therefrom.
Pursuant to the provisions of NCA's Regulation issued by virtue of
the Royal Decree No. (6801) of (11/02/1439), cybersecurity is protec-
tion of networks, IT systems, operational technologies systems and
Cybersecurity their components of hardware and software, their services and the
data they contain, from any penetration, disruption, modification, ac-
cess, use or unauthorized exploitation. The concept of cybersecurity
also includes information security, digital security, etc.
The interconnected network of IT infrastructure, including the
Internet, communications networks, computer systems and Internet-
Cyberspace connected devices, as well as the associated hardware and control
devices. The term can also refer to a virtual world or domain such as
a simple concept.
Any information, records, statistics or documents that are photocopied,
Data recorded and stored electronically.
Setting the sensitivity level of data and information that results in
security controls for each level of classification. Data and information
Data and Information sensitivity levels are set according to predefined categories where data
Classification and information is created, modified, improved, stored or transmitted.
The classification level is an indication of the value or importance of
the data and information of the Organization.
Terminology Definition
This is a concept of information assurance where multiple levels of
Defense-in-Depth security controls are used (as a defense) within the IT/OT system.
Disaster Recovery: Programs and plans designed to restore the organization's critical business functions and services to an acceptable state following exposure to cyber-attacks or disruption of such services.
Effectiveness: The degree to which a planned impact is achieved. Planned activities are considered effective if they have been implemented, and planned results are considered effective if they have been achieved. KPIs can be used to measure and evaluate the level of effectiveness.
Event: Something that happens in a specific place (such as a network, system, application, etc.) at a specific time.
FedRAMP: US Government assessment and authorization process for U.S. federal agencies, designed to ensure security is in place when accessing cloud computing products and services. FedRAMP certifies cloud service providers to handle data at one of three impact levels:
• FedRAMP Low - loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.
• FedRAMP Moderate - loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.
• FedRAMP High - Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Identification: A means of establishing the identity of a user, process or device, which is usually a prerequisite for granting access to resources in the system.
Incident: A security breach through violation of cybersecurity policies, acceptable use policies, practices, or cybersecurity controls or requirements.
Integrity: Protection against unauthorized modification or destruction of information, including ensuring information non-repudiation and reliability.
(Inter)National Requirements: International requirements are requirements developed by an international organization or body which are widely used in a statutory manner all over the world (such as PCI, SWIFT, etc.). National requirements are requirements developed by a regulatory organization within the KSA for statutory use (such as the «ECC – 1: 2018»).
ISO/IEC 27000: A series of standards developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide best practice recommendations to establish, implement, maintain and continually improve an information security management system (ISMS).
Key Performance Indicator (KPI): A type of performance measurement tool that assesses the success of an activity or organization towards achievement of specific objectives.
Labelling: Display of information (by specific and standard naming and coding) placed on the CSP’s and CST’s assets (such as devices, applications, documents, etc.), used to refer to information related to the classification, ownership, type and other asset management information.
Level 1: A classification level that applies to data classified as (top secret) based on what is issued by the competent organization.
Level 2: A classification level that applies to data classified as (secret) based on what is issued by the competent organization.
Level 3: A classification level that applies to data classified as (confidential) based on what is issued by the competent organization.
Level 4: A classification level that applies to data classified as (public) based on what is issued by the competent organization.
Multi-Factor Authentication (MFA): A security system that verifies user identity and requires the use of several separate elements of identity verification mechanisms. Verification mechanisms include several elements:
• Knowledge: something ONLY the user knows («like a password»);
• Possession: something ONLY used by the user («such as a program or device generating random numbers or SMSs for login records, which are called One-Time-Passwords»); and
• Inherent Characteristics: a characteristic of the user ONLY (such as a fingerprint).
MTCS SS: This standard aims to encourage the adoption of sound risk management and security practices for cloud computing. MTCS SS has three levels of security, Level 1 being the base and Level 3 being the most stringent:
Staff: Persons working with CSPs or CSTs (including official and temporary staff and contractors).
Outsourcing: Obtaining goods or services by contracting with a supplier or service provider.
Penetration Testing: Testing a computer system, network, website application or smartphone application to look for vulnerabilities that an attacker could exploit.
Physical Security: Security measures designed to prevent unauthorized access to the organization’s facilities, equipment and resources, and to protect individuals and property from damage or harm (such as espionage, theft or terrorist attacks). Physical security involves the use of multiple tiers of interconnected systems, including CCTV, security guards, security perimeters, locks, access control systems and many other technologies.
Policy: A document whose clauses specify a general obligation, direction or intent as formally expressed by the Authorizing Official of the organization. A Cybersecurity Policy is a document whose clauses reflect the official commitment of Senior Management to implement and improve the cybersecurity program in the organization, and which includes the objectives of the CSPs and CSTs regarding the cybersecurity program, its controls and requirements, and the mechanism for improving and developing them.
Privileged Access Management: The process of managing high-risk privileges on the organization's systems, which often require special treatment to minimize the risks that may arise from their misuse.
Procedure: A document with a detailed description of the steps necessary to perform specific operations or activities in compliance with relevant standards and policies. Procedures are defined as part of operations.
Process: A set of interrelated or interactive activities that translate input into output. Such activities are influenced by the policies of the CSPs and CSTs.
RACI Matrix: Responsible, Accountable, Consulted, Informed matrix. A matrix that maps each player in a process, capability or function to the degree of involvement and responsibility undertaken in the process.
Recovery: A procedure or process to restore or regain control of something that is suspended, damaged, stolen or lost.
Security Information and Event Management (SIEM): A system that manages and analyses security event logs in real time in order to provide threat monitoring, analysis of the results of correlation rules over event logs, reporting on log data, and incident response.
System Development Security: Any application, platform, middleware, operating system, hypervisor, network stack and any other software that is part of the Cloud Technology Stack.
Third-Party: Any organization acting as a party in a contractual relationship to provide goods or services (this includes suppliers and service providers).
Threat: Any circumstance or event likely to adversely affect the business of the CSPs and CSTs (including their mission, functions, credibility or reputation), assets or employees by exploiting an information system through unauthorized access, destruction, disclosure, alteration or denial of service. The term also covers the ability of a threat source to succeed in exploiting one of the vulnerabilities of a particular information system, and includes cyber threats.
Vulnerability: Any kind of weakness in the computer system, its programs or applications, or in a set of procedures, or anything else that makes cybersecurity vulnerable.