National Cybersecurity Authority (NCA): What You Need to Know

In its Vision 2030 development plan, Saudi Arabia included a National Transformation Program whose purpose is to diversify the Kingdom’s income away from the oil industry. One of the core tenets of that program is to enable the growth of the private sector by developing the digital economy. Specifically, Saudi Arabia set out its intention to increase the contribution of the digital economy that’s non-oil GDP from 2% to 3% by 2030. The Kingdom made clear that this process must involve partnering with private actors to develop more telecommunications/IT infrastructure along with supporting local investment in those sectors. The Kingdom also recognized that it must take appropriate security measures to secure this process. As stated in a document published on its website: This transformation requires easing the flow of information, securing it and preserving the integrity of all systems. It also requires maintaining and supporting the cybersecurity of the Kingdom in order to protect its vital interests, national security, critical infrastructures, high priority sectors and governmental services and practices. Acknowledging these tasks, Saudi Arabia created the National Cybersecurity Authority (NCA) as well as approved the government entity’s mandate to develop national digital security policies by royal decree. The NCA acted upon this directive by developing the Essential Cybersecurity Controls (ECC), measures which constitute the minimum security requirements for in-scope national organizations. As such, compliance with ECC is mandatory for those entities. So, how can organizations ensure compliance with ECC? To answer that question, this blog post will first examine the five domains of ECC. It will then explain how Tripwire Enterprise can assist organizations in achieving compliance with the Controls’ domains using foundational controls for security, compliance and IT operations.

Inside the Essential Cybersecurity Controls

The NCA created the Essential Cybersecurity Controls in 2018 to help government organizations as well as private sector actors who own, operate or host national critical infrastructure to minimize the risks from external and internal digital security threats. Taking into account in-scope entities’ strategies, people, processes and technology, these security measures consist of 114 individual controls that are designed to uphold the confidentiality, integrity and availability of information and technology assets. The ECC consist of five domains comprised of 29 subdomains. These are as follows: 1. Cybersecurity Governance

a. Cybersecurity strategy: All digital security plans and policies must advance the organization’s efforts to comply with pertinent laws and regulations.

b. Cybersecurity management: An Authorizing Official within each organization must create a digital security department, steering committee and function head.

c. Cybersecurity policies and procedures: Each organization must have documented digital security policies/plans as well as comply with those strategies.

d. Cybersecurity roles and responsibilities: An organization must define all roles and positions related to digital security within its workforce.

e. Cybersecurity risk management: An in-scope entity must take a methodological approach to minimize risks pertaining to its IT and technological assets.

f. Cybersecurity in information and technology project management: Project management methodology procedures must take digital security into account.

g. Compliance with cybersecurity standards, laws and regulations: An entity’s digital security program must comply with existing laws and regulations.

h. Periodical cybersecurity review and audit: Organizations must submit to an audit process to determine if their plans and procedures are in compliance with ECC.

i. Cybersecurity in human resources: An entity must address employee digital security from the time when someone’s hired to when they leave the company.

j. Cybersecurity awareness and training program: All employees need to receive whatever resources are necessary to fulfill their digital security responsibilities.

2. Cybersecurity Defense

a. Asset management: An organization needs to know what hardware and software are connected to the network if they are to protect their IT and technology assets.

b. Identity and access management: Without proper access controls, unauthorized users could compromise an organization’s information and technology assets.

c. Information system and information processing facilities protection: An organization needs to safeguard its information system and processing facilities.

d. Email protection: In-scope entities need to take the proper precautions to defend their email systems against digital threats.

e. Networks security management: An organization should use network segmentation/segregation, IPSes and other tools to secure their networks.

f. Mobile devices security: Entities need to protect all mobile devices against digital threats and secure all information under their BYOD policy.

g. Data and information protection: An organization needs to take the proper measures to safeguard their data and information assets.

h. Cryptography: In the name of data protection, an organization needs to efficiently use cryptography to protect its information per its policies and procedures.

i. Backup and recovery management: Entities in the scope of ECC need to secure their information systems and software configurations against digital risks.

j. Vulnerabilities management: If they fail to detect and remediate security bugs on a timely basis, an organization could allow attackers to exploit vulnerabilities.

k. Penetration testing: An organization should use simulated digital attacks to evaluate its digital defenses against malicious actors.

l. Cybersecurity event logs and monitoring management: Logs can help an organization detect a security issue before it balloons into a security incident.

m. Cybersecurity incident and threat management: In the event of an incident, an organization needs to respond appropriately so as to minimize the damages.

n. Physical security: An organization must safeguard their IT and technology assets against physical loss, damage and/or unauthorized access.

o. Web application security: Digital threats pose a risk to external web applications; an organization needs to defend itself accordingly.

3. Cybersecurity Resilience

a. Cybersecurity Resilience Aspects of Business Continuity Management (BCM): An organization needs to protect its IT assets against potential disasters and include resiliency requirements within its business continuity plan.

4. Third-Party and Cloud-Computing Cybersecurity

a. Third-party cybersecurity: Third parties including managed services and outsourced agents pose a threat to information assets; an organization needs to follow its policies and procedures to defend itself accordingly.

b. Cloud computing and hosting cybersecurity: To remediate digital threats pertaining to its hosting and cloud computing systems, an organization needs to protect its assets hosted on the cloud and managed by third parties.

5. Industrial Control Systems Cybersecurity

a. Industrial Control Systems (ICS) Protection: An organization needs to safeguard its industrial control systems and OT assets against digital threats.

The NCA ultimately leverages self-assessments, reports from its assessment and compliance tool and/or on-site audits to ensure that in-scope entities remain compliant with the Essential Cybersecurity Controls. In pursuit of this objective, organizations should follow the NCA’s guidance and “implement whatever necessary to ensure continuous compliance with the controls.” (This recommendation reflects the reality that not every organization can implement every control identified above. As an example, the fourth and fifth domains would not pertain to organizations that do not use the cloud and that don’t manage ICS systems.)

How Tripwire Can Help Organizations with Their ECC Compliance

Tripwire Enterprise can help organizations achieve their ECC compliance with the NCA. This solution is particularly effective with regards to some of the controls identified in the second domain of Cybersecurity Defense. It does this by converting the technical controls for the purpose of configuration hardening, thereby ensuring a system’s security configurations are appropriate given the job that it needs to do. Here are five controls as an example:

• Identity and access management: According to the NCA, this policy is intended to ensure the secure and restricted logical access to information and technology assets in order to prevent unauthorized access and allow only authorized access for users which are necessary to accomplish assigned tasks. Tripwire Enterprise can scan against cybersecurity requirements for identity and access management that must be implemented on various operating systems.
• Information system and information processing facilities protection: This policy is required to ensure the protection of information systems and information processing facilities (including workstations and infrastructures) against cyber risks. Tripwire Enterprise can scan against cybersecurity requirements for protecting information systems and information processing facilities.
• Networks security management: This policy ensures the protection of organization’s network from cyber risks. Tripwire Enterprise can scan against cybersecurity requirements for network security management.
• Cryptography: This policy is required to ensure the proper and efficient use of cryptography to protect information assets as per organizational policies and procedures, and related laws and regulations. Tripwire Enterprise enables you to scan against cybersecurity requirements for cryptography that must be implemented on your systems.
• Cybersecurity event logs and monitoring management: It’s imperative to have the timely collection, analysis and monitoring of cybersecurity events for early detection of potential cyberattacks in order to prevent or minimize the negative impacts on your organization’s operations. Tripwire Enterprise can also scan against cybersecurity requirements for event logs and monitoring management.

Organizations can easily monitor their performance across all of these and other security controls using the dashboard provided by Tripwire Enterprise. Tripwire Enterprise specifically provides customers with several important secure configuration management (SCM) capabilities. These include the following:

• OS and Application Support: Tripwire supports more than 1000+ policies that organizations can use to cover their infrastructure.
• Policy Flexibility: Tripwire SCM gives customers the flexibility to edit test policies with high flexibility, giving the customer ability to build their own standard based on the global standard.
• Closure of the Operational Loop: Tripwire SCM has file integrity monitoring (FIM) capabilities for detecting changes over the critical infrastructure. This will help the organization to understand compliance drift by detecting changes.

Taken together, organizations can leverage these SCM capabilities to ensure the confidentiality, integrity and availability of their IT and technology assets for the purpose of helping to grow Saudi Arabia’s digital economy. For more information on how Tripwire can help your organization maintain ECC compliance, click here.