
Cybersecurity Framework – SAMA

The Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework enables SAMA-regulated financial institutions (“Member Organizations”) to identify and effectively manage cybersecurity threats. Member Organizations must implement the Framework to protect their information assets and online services.

SAMA – The Need for Framework

In today’s digital world, seamless customer experiences, constant availability of services, and excellent security of sensitive data are expected.

Governmental and private organizations and the general public increasingly place a premium on information assets and online services. These services are essential for the development of a thriving digital economy, and they are becoming increasingly vital to the economy and to national security as a whole. The stakes are high when it comes to preserving the confidentiality, integrity, and availability of information assets while introducing new online services and innovations and strengthening resilience against cyber threats.

Dependence on these services is not the only thing that is increasing: the threat environment changes fast, and cyber attacks are becoming more severe. Companies are becoming aware of the need to keep pace, which highlights the need to protect sensitive data and transactions and so preserve trust in the Saudi financial sector as a whole.

SAMA – A Snapshot

In May 2017, the Saudi Arabian Monetary Authority (SAMA) established the SAMA Cyber Security Framework to increase resilience against cyber attacks.

This is consistent with a global trend in which government and banking industry regulators are adopting cybersecurity guidelines and recommendations. The updated European Payment Services Directive (PSD2), with its Strong Customer Authentication standards, is an excellent example. It has subsequently been a catalyst for safe Open Banking across the world, including in Bahrain.

SAMA created a cybersecurity framework (‘the Framework’) to identify appropriate measures to efficiently detect and resolve cybersecurity issues.

With the establishment of a Cybersecurity Framework, regulated companies are supported by the development of adequate cybersecurity governance, a robust infrastructure, and the investigative and preventative measures necessary.

The Framework articulates the relevant controls and gives direction on how maturity levels are evaluated. Adopting and implementing the Framework is a crucial step towards ensuring that cybersecurity threats are managed by Saudi Arabian banking, insurance, and financing companies.

SAMA – Cybersecurity Framework

SAMA Cybersecurity Maturity Levels

Level 0 – Non-existent: No documentation. There is no awareness of or attention to a particular cybersecurity control.

Level 1 – Ad-hoc: Cybersecurity controls are not defined or only partially defined. Cybersecurity controls are performed in an inconsistent way. Cybersecurity controls are not fully defined.

Level 2 – Repeatable but informal: The execution of the cybersecurity control is based on an informal and unwritten, though standardized, practice.

Level 3 – Structured and formalized: Cybersecurity controls are defined, approved, and implemented in a structured and formalized way. The implementation of cybersecurity controls can be demonstrated.

Level 4 – Managed and measurable: The effectiveness of the cybersecurity controls is periodically assessed and improved when necessary. This periodic measurement, the evaluations, and the opportunities for improvement are documented.

Level 5 – Adaptive: Cybersecurity controls are subject to a continuous improvement plan.

Compliance with the SAMA Cybersecurity Framework

According to the KPMG CEO Outlook study in 2020, 64 percent of CEOs in the Kingdom believe that protecting client data is crucial for the company to increase its customer base in the future, up from 38 percent the previous year.

According to Forrester, 80% of current data breaches involve privileged credentials, which underscores why SAMA gives specific guidelines on Identity and Access Management (IAM) in Section 3.3 (Cyber Security Operations and Technology).

The SAMA Cyber Security Framework incorporates best practices from a variety of other government frameworks and industry standards, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27001/27002 Information Security Management Standards, the Information Security Forum Standard of Good Practice for Information Security, and Basel II (International Convergence of Capital Measurement and Capital Standards).

The SAMA Cyber Security Framework is required for all banks, insurance firms, and financial organizations operating in Saudi Arabia.


Preparation for SAMA Compliance

By taking these three steps, an organization is ready to comply with SAMA requirements both now and in the future:

1. Understand where data resides.

2. Classify the data and get organized.

3. Use the right tool.

databrackets Online Portal
The Most Effective Cybersecurity Compliance Platform

databrackets – Online Portal to Track Vulnerabilities

Detects known vulnerabilities in software and configuration settings before a cyber attack can take advantage of them.

SAMA 3.3.3 (Asset Management), 3.3.6 (Application Security), and 3.3.17 (Vulnerability Management) are addressed directly.

databrackets – Online Portal to Track Changes

databrackets’ Online Portal, loaded with cybersecurity compliance controls, prevents and detects cybersecurity threats at a fundamental level. It accomplishes this by combining the most complete and intelligent change control solution available with the essential security best-practice disciplines of system configuration and integrity assurance.

SAMA 3.3.6 (Application Security), 3.3.7 (Change Management), and 3.3.8 (Infrastructure Security) are appropriately handled.

databrackets – Online Portal to Track Logs

Full audit trails of all user and system activity are recorded, and events are correlated to offer early warning of attacker activity.

SAMA 3.3.14 (Cybersecurity Event Management) is directly addressed.
