Advisory: Introduction to NCA – ECC-1 : 2018
Several Middle Eastern nations, such as Saudi Arabia, the United Arab Emirates, and Qatar, are among the fastest adopters of new technology worldwide. The growing volume of cyberattacks gives the Kingdom of Saudi Arabia (KSA) a great deal to worry about as it continues to deploy the newest technologies to advance its digital transformation. To reduce the risk of cyberattacks emanating from internal and external threats, the KSA National Cybersecurity Authority (NCA) introduced the Essential Cybersecurity Controls (ECC).
What is ECC?
The Essential Cybersecurity Controls (ECC) are a set of minimum security requirements developed by the Saudi Arabia National Cybersecurity Authority (NCA). They are the outcome of a thorough analysis of numerous regional, national, and global frameworks, cybersecurity best practices, and prior attacks. The framework outlines the steps organizations must take to identify, prevent, and respond to security risks, and to manage threats to their information and technology assets. The controls give careful consideration to the general objectives of information security, namely confidentiality, integrity, and availability of information, and to the fundamental elements of cybersecurity: strategy, people, processes, and technology.
The ECC consists of five main domains, 29 subdomains, and 114 security controls distributed across the subdomains. The controls assigned under each subdomain are designed to work together to accomplish the domain’s overarching objective.
1. Cybersecurity Governance
The governance domain aims to establish control over an organization’s cybersecurity operations. It offers best practices and requirements that organizations can use to implement a structured method of planning, defining processes, appointing roles, and managing cybersecurity risks. The following are the subdomains under the Governance domain:
- Strategy: Three security controls are included in this subdomain. Their purpose is to make sure that an organization’s cybersecurity strategy, plans, and initiatives are in line with legal and regulatory requirements and industry best practices.
- Management: This subdomain consists of three controls intended to guarantee the support of the organization’s Authorizing Official (the head of the organization or a delegate) in implementing and managing the cybersecurity program.
- Policies and Procedures: This subdomain outlines an organization’s policies to guarantee that the organizational cybersecurity requirements are documented, communicated, and created in accordance with pertinent rules and laws.
- Roles and Responsibilities: The controls in this subdomain make sure that the roles and responsibilities of everyone involved in the cybersecurity program are clearly defined.
- Risk Management: The goal of the risk management subdomain is to make sure that risks are methodically managed to safeguard the organization’s technological and informational assets.
- Information Technology and Project Management: This subdomain aims to make sure that the project management methodology and processes take cybersecurity requirements into account.
- Compliance with Cybersecurity Standards, Laws, and Regulations: The controls outlined in this subdomain are designed to make sure that an organization’s cybersecurity practices are compliant with legal requirements and industry standards.
- Periodical Cybersecurity Review and Audit: The controls in this subdomain ensure that the cybersecurity controls, policies, and practices described in the organization’s security documentation are actually applied, and that they comply with applicable regional, national, and international laws and regulations.
- Human Resources: The controls under this subdomain ensure that cybersecurity risks relating to employees and contractors are properly managed at every stage of employment, before, during, and after.
- Cybersecurity Awareness and Training Program: The controls under this subdomain ensure that personnel have the awareness and the skills required to carry out their cybersecurity responsibilities.
2. Cybersecurity Defense
The defense domain identifies focus areas and procedures that help the organization stay aware of security threats and put strategies, technology, and personnel in place to protect its systems from attacks.
- Assets Management: The asset management subdomain offers security measures to guarantee that an organization has a precise and thorough inventory of its information and technology assets to support its cybersecurity program.
- Identity and Access Management: The security controls in this subdomain describe how to ensure that only authorized users have secure, limited access to the organization’s system while also preventing unauthorized access.
- Protection of Information Systems and Information Processing Facilities: This subdomain provides recommendations to protect the organization’s IT infrastructure, workstations, and other technology facilities against cyber threats.
- Email Protection: These controls provide instructions on how to defend the company’s email system and those of its employees against cyberattacks.
- Network Security Management: The security controls listed under this subdomain are intended to safeguard the organization’s internal and external networks from cyber risks.
- Mobile Devices: This subdomain outlines requirements for the protection of devices such as smartphones, laptops, and tablets, including personally owned devices used under a Bring Your Own Device (BYOD) policy, to ensure the secure handling of all organization information.
Other subdomains under the cybersecurity defense domain of ECC include:
- Data and Information Protection
- Cryptography
- Backup and Recovery Management
- Vulnerabilities Management
- Penetration Testing
- Cybersecurity Event Logs and Monitoring Management
- Cybersecurity Incident and Threat Management
- Physical Security
- Web Application Security
3. Cybersecurity Resilience
The resilience domain of ECC provides requirements that help an organization build systems that can withstand and recover from a cyberattack. This domain has only one subdomain.
- Cybersecurity Resilience Aspects of Business Continuity Management: This subdomain contains controls that ensure that resiliency requirements are implemented within the organization’s business continuity management to minimize the impact of cybersecurity incidents on systems, information processing facilities, and critical e-services.
4. Third-Party and Cloud Computing Cybersecurity
The two subdomains under this domain provide controls to ensure that third-party integrations and the cloud computing resources used by the organization are covered by the organization’s security practices rather than excluded from them.
- Third-Party Cybersecurity: Controls under this subdomain aim to protect assets from cybersecurity risks associated with third parties, such as software packages, contracts, outsourcing, and managed services, in accordance with organizational policies and procedures related to relevant regulations.
- Cloud Computing and Hosting Cybersecurity: The controls in this subdomain are intended to guarantee efficient cyber risk remediation and safeguard the organization’s information and technological resources that are hosted in the cloud or under third-party management.
5. Industrial Control Systems (ICS) Cybersecurity
The controls under the single subdomain in this domain ensure proper and effective cybersecurity management of industrial control systems and operational technology (ICS/OT). Their aim is to safeguard the confidentiality, integrity, and availability of the organization’s assets against cyberattacks such as unauthorized access, destruction, espionage, and fraud, in accordance with the organization’s cybersecurity strategy and the applicable local and international laws and regulations.
Who Does ECC Apply to?
The cybersecurity requirements highlighted in the ECC apply to all government organizations in the Kingdom (ministries, national authorities, institutions, and agencies) and the companies and entities affiliated with them. They also apply to private companies that provide services to government authorities or that host the infrastructure of government agencies. Although other non-government organizations are not required to comply with the regulation, every organization can benefit from the best practices recommended by the controls.
The Essential Cybersecurity Controls (ECC) are part of the Saudi Arabia National Cybersecurity Authority’s effort to protect the country’s cyberspace from attacks as the country continues to embrace technology in all sectors. ECC-1:2018 outlines security controls derived from global standard security frameworks to protect government entities and other public-sector organizations from the increasing number of cyberattacks worldwide.