Cybersecurity Controls for Data (DCC-1:2022)
“In a time where data stands as one of the paramount national assets, contributing significantly to the achievement of strategic objectives by supporting decision-making processes within national entities and providing invaluable insights for growth and excellence, it is crucial to acknowledge the various cyber threats that pose potential risks to operations. These threats have the potential to impact businesses in multiple facets.
This underscores the necessity of implementing cybersecurity controls for data, as outlined in DCC-1:2022. Such controls are imperative for mitigating threats and reducing the risks surrounding data, ensuring the resilience and security of national data assets. By adhering to these cybersecurity measures, organizations can proactively safeguard against potential disruptions and fortify their ability to leverage data for informed decision-making, growth, and excellence.”
The Data Cybersecurity Controls are a set of guidelines and policies formulated by the National Cybersecurity Authority.
The primary objective is to establish the minimum security requirements, empowering entities to safeguard their data comprehensively. This extends to both tangible and digital manifestations of data, covering structured data such as databases and data tables, as well as unstructured data like documents and records. Throughout all stages of the data lifecycle, these controls aid in confronting escalating threats, preserving the security of data, sustaining operational activities, and mitigating potential damages.
The Data Cybersecurity Controls are intrinsically and closely tied to the foundational Essential Cybersecurity Controls (ECC-1:2018).
It is imperative to highlight that these data-centric controls serve as an extension of the core cybersecurity controls and seamlessly integrate with their components. Consequently, the application of Data Cybersecurity Controls is inherently tied to the continuous adherence to the foundational Cybersecurity Controls (ECC-1:2018).
The regulatory authority, in turn, imposes on all entities the necessity to implement measures that ensure perpetual and steadfast compliance with both sets of controls. Therefore, the implementation of Data Cybersecurity Controls is contingent upon the sustained commitment to the foundational Cybersecurity Controls, emphasizing the holistic approach needed to fortify cybersecurity measures comprehensively.
Benefits of adhering to Data Cybersecurity Controls:
Elevating the Protection of Organizational Data:
- Enhancing the capability to safeguard organizational data from cyber threats and risks.
- Providing continuous and comprehensive data protection throughout its various usage and exchange stages.
Enhancing Awareness of Secure Data Handling Practices:
- Promoting awareness and training on secure and responsible data handling practices among organizational staff.
Avoiding Organizational and Legal Damages:
- Mitigating legal repercussions and penalties resulting from non-compliance with security controls.
Facilitating Collaboration Opportunities with Other Entities:
- Streamlining secure data exchange with other entities and ensuring compliance with data handling rules and policies.
- Enhancing opportunities for integration and collaboration with institutions that enforce rigorous standards for effective and fruitful data exchange.
Implementing Data Cybersecurity Controls and Ensuring Compliance
The scope of these controls encompasses entities in both the government and private sectors. The National Cybersecurity Authority mandates certain entities to achieve continuous and steadfast compliance with these controls. These include:
- Governmental Entities:
  - Ministries, authorities, institutions, and other governmental bodies.
- Entities and Companies Affiliated with Government Entities:
  - Organizations and companies that are subsidiaries of governmental bodies.
- Private Sector Entities with Critical National Infrastructures:
  - Private sector entities that own or operate sensitive national infrastructures or provide hosting services.
It is noteworthy that these controls are tailored to meet the cybersecurity requirements of entities and sectors in the Kingdom, considering the diverse nature of their operations. Entities falling within the purview of these controls are obligated to implement and apply all applicable controls, ensuring continuous and unwavering commitment to compliance.
Do you need assistance or consultation?
Contact us now; our entire team (comprising 110 consultants and experts) is ready to address all your inquiries.
Data Cybersecurity Controls Overview:
The Data Cybersecurity Controls comprise three main components with 19 core controls and 47 sub-controls, distributed across 11 sub-components, as detailed in the attached diagram.
See Data Cybersecurity Controls breakdown:
1- Cybersecurity Governance:
Cybersecurity governance requires undertaking several activities to align with the specified controls, which include the following:
- Periodic Review and Auditing for Cybersecurity
- Cybersecurity Concerning Human Resources
- Cybersecurity Awareness and Training Program
2- Enhancing Cybersecurity:
Organizations must enhance their cybersecurity by developing policies to ensure the protection of logical access to information and technical assets within the organization. This involves preventing unauthorized access by implementing the following controls:
Policies should be developed to ensure strict compliance and to establish authorization rules that allow only essential personnel within the organization to access, view, and share data. These permissions must be reviewed regularly, at the interval specified for each level in the data classification hierarchy. Additionally, login processes and data access permissions should be managed through robust access management systems.
The security of information processing devices, including infrastructure and user devices, must be ensured against cybersecurity risks by applying the relevant controls. These include:
- Applying update and security patch packages.
- Reviewing protection and fortification settings for systems handling data.
- Reviewing and fortifying the factory settings of technical assets used in data processing.
- Disabling the screen capture feature on devices that create or process documents.
The minimum controls must be applied to protect mobile devices within facilities, including laptops, smartphones, and tablets, from risks. This includes securing information and handling data safely during transmission, sharing, and storage on these devices. Mobile devices should be managed centrally through a Mobile Device Management (MDM) system, with the remote wipe feature activated.
Controls must be implemented to ensure the confidentiality, integrity, and availability of the organization’s data and information. This involves utilizing techniques to prevent data leaks and managing permissions, employing document encryption technologies to facilitate traceability, and enforcing policies that prohibit data usage in any environment other than the production environment. Additionally, the use of Brand Protection services helps safeguard against identity theft.
Controls must be applied to ensure compliance with cybersecurity requirements, guaranteeing proper and effective use of encryption to protect electronic data and information assets within organizations. This includes the use of up-to-date and secure encryption methods and algorithms when creating, transmitting, sharing, and storing data, while considering national encryption standards.
Developing policies and implementing controls to ensure the secure execution of data destruction processes, specifying the technologies, tools, and procedures for carrying out these operations. It is essential to maintain records of data destruction or secure deletion operations, in accordance with legislative and regulatory requirements. Regular review of the established data destruction procedures should also be conducted, adhering to the specified duration for each level in the data classification hierarchy.
It is crucial to establish, document, and endorse security requirements and policies to protect printers, scanners, and photocopiers, ensuring secure handling of data when using these machines. Organizations should conduct regular reviews and audits to assess compliance status and apply cybersecurity requirements for printers, scanners, and photocopiers.
For instance, organizations should disable temporary storage features, activate identity verification before initiating printing, scanning, or copying operations, maintain electronic records of these operations, and utilize document destruction techniques and devices after their completion.
3- Cybersecurity Concerning External Parties and Cloud Computing:
The relevant cybersecurity requirements must be implemented and complied with to protect information assets from the risks and threats associated with external parties, including IT outsourcing, managed services, and consulting services. This includes the following:
- Conducting security screening or vetting for personnel of external parties who have access permissions to the entity's data.
- Having policies and contractual assurances that obligate the external party to securely destroy and delete the entity's data upon the termination or conclusion of the contractual relationship, with the necessity to provide evidence of such actions.
- Documenting all data-sharing operations with external parties, clarifying the justifications and reasons for the collaboration.
- Developing policies that require external parties to inform and alert entities in the event of breaches and security incidents that may affect the data shared or created.
- Reclassifying data to the lowest level before sharing it with external parties using data masking and data scrambling techniques.
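As an added illustration of the last bullet, the following Python applies a field-level masking policy to a record before it leaves the entity: direct identifiers are partially masked, the customer key is replaced by a keyed one-way scramble (so the recipient can still correlate records without recovering the original), dates are generalized, and any field the policy does not name is dropped. This is example code written for this page, not part of the DCC-1:2022 text or of any vendor tool; the field names, the policy, the scramble key and the sample record are all constructed assumptions.

```python
"""Constructed example: preparing a record for sharing with an external party.

Each field is handled according to a masking policy so that what leaves the
entity carries the least identifying detail it needs.  Field names, the policy
and the sample record below are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Any, Callable

# Constructed: a per-entity secret used to scramble identifiers consistently.
# It stays inside the entity; the external party never receives it.
SCRAMBLE_KEY = b"example-scramble-key-rotate-me"


def mask_partial(value: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits, replacing the rest with '*'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scramble(value: str, key: bytes = SCRAMBLE_KEY) -> str:
    """Keyed, one-way pseudonym: equal inputs give equal tokens, so the
    recipient can join records, but cannot invert the token without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year only."""
    return value[:4]


def mask_email(value: str) -> str:
    """Keep the domain; hide the local part except its first character."""
    local, _, domain = value.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


MaskFn = Callable[[str], str]

# Constructed policy: field -> action.  Fields absent from the policy are
# dropped, so a newly added sensitive column cannot leak by default.
POLICY: dict[str, MaskFn | str] = {
    "customer_id": scramble,
    "national_id": mask_partial,
    "email": mask_email,
    "date_of_birth": generalize_date,
    "city": "keep",
    "plan": "keep",
}


def mask_record(record: dict[str, Any],
                policy: dict[str, MaskFn | str] = POLICY) -> dict[str, Any]:
    """Apply the policy to one record and return the shareable copy."""
    out: dict[str, Any] = {}
    for field, action in policy.items():
        if field not in record:
            continue
        value = record[field]
        if action == "keep":
            out[field] = value
        elif callable(action):
            out[field] = action(str(value))
        else:
            raise ValueError(f"unknown action for {field!r}: {action!r}")
    return out


# Constructed sample input; the phone field has no policy entry and is dropped.
SAMPLE_RECORD = {
    "customer_id": "C-100045",
    "national_id": "1012345678",
    "email": "sara.ahmed@example.com",
    "date_of_birth": "1990-06-15",
    "city": "Riyadh",
    "plan": "gold",
    "phone": "+966500000000",
}

if __name__ == "__main__":
    for key, val in mask_record(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```

The policy is deliberately deny-by-default: a field that nobody has classified and assigned an action never reaches the external party, which is the behaviour a reviewer of the data-sharing record described above would want to see evidenced.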