
A complete guide to NCA Essential Cyber Security Controls

Securing sensitive information has become crucial in an era dominated by digital connectivity. The National Cyber Security Authority (NCA) has established a set of Essential Cyber Security Controls that serve as a baseline defense against the increasing cyber attacks targeting Saudi Arabia.

 

Saudi Arabia has been leading its digitization journey by prioritizing cyber security … as the boundaries of digitization and technology expand, so does the cyberattack surface because of new vulnerabilities. ~ Mohamed Hashem, KSA and Bahrain general manager, Kaspersky

 

The surge in cyber threats highlights the critical need for a comprehensive approach to cyber security. The NCA Essential Cyber Security Controls offer a strategic framework to strengthen the digital environment against malicious actors. 

 

In this blog, we explore these controls, their importance, and the essential role they play in securing digitization in Saudi Arabia. 

 

Understanding NCA Essential Cyber Security Controls

 

NCA introduced the Essential Cyber Security Controls (ECC – 1: 2018) to provide a foundation for safeguarding crucial systems and confidential data. These controls span from access management to the strategic planning of incident responses. They were crafted through an extensive process. 

 

The process involved a comprehensive examination of various national and international cyber security frameworks and standards, a detailed review of pertinent national decisions and regulatory requirements, an analysis of cyber security incidents and attacks on government and critical organizations, and incorporating cyber security best practices. 

 

It comprises:

  • 5 Cyber Security Main Domains,
  • 29 Cyber Security Subdomains,
  • 114 Cyber Security Controls.

 

Together, these domains, subdomains, and controls set a minimum security baseline against potential threats. Importantly, the controls are mapped to the relevant national and international legal and regulatory requirements, so implementing them supports both security and compliance.

 

Objectives of NCA ECC

 

The primary objective of the NCA ECC is to establish the fundamental cyber security prerequisites for information and technology assets within organizations. Rooted in industry-leading practices, these requirements assist organizations in mitigating cyber security risks arising from both internal and external threats. 

 

To safeguard the organization’s information and technology assets, particular emphasis should be placed on the following key objectives:

 

  • Confidentiality
  • Integrity
  • Availability 

 


 

Scope & applicability of the NCA Essential Cyber Security Controls 

 

Scope of work

 

NCA ECC applies to government entities in Saudi Arabia, including authorities, ministries, establishments, and similar entities. These controls also apply to businesses and organizations in the private sector that own, operate, or host Critical National Infrastructures (CNIs). 

 

The NCA urges all other entities within the Kingdom to adopt these controls and implement best practices to strengthen and enhance their cyber security posture.

 

ECC statement of applicability 

 

These controls have been formulated with a comprehensive understanding of the cyber security requirements across all organizations and sectors in the Kingdom of Saudi Arabia. Every organization must adhere to all pertinent controls outlined in the Essential Cyber Security Controls (ECC – 1: 2018) document.

 

The applicability of implementing these cyber security controls is based on the nature of the organization’s business and its utilization of specific technologies. For instance:

 

  • Organizations engaged in or considering the adoption of cloud computing and hosting services must adhere to and implement the controls specified in subdomain 4-2 (Cloud Computing and Hosting Cyber Security).

 

  • Organizations utilizing or intending to integrate industrial control systems must comply with controls outlined in main domain 5 (Industrial Control Systems Cyber Security).

 

What are the NCA ECC domains?

 

The NCA ECC comprises five main domains. Each domain groups a set of subdomains and controls that address one facet of an organization's cyber security posture.

 

From establishing effective governance structures to fortifying defenses, enhancing resilience, managing third-party and cloud computing security, and safeguarding industrial control systems, these domains collectively form a comprehensive shield against the diverse and evolving cyber threats organizations face. 

 

Figure: ECC Main Domains (NCA Essential Cyber Security Controls ECC-1:2018)

 

Let’s explore each domain, providing insights into the key controls and measures that organizations must consider to bolster their cyber security frameworks.

 

1. Cyber security governance

 

The Cyber Security Governance domain within the National Cyber Security Authority (NCA) Essential Cyber Security Controls (ECC) lays the groundwork for a resilient cyber security posture. Comprising 10 vital subdomains and 36 controls, this domain addresses critical aspects such as cyber security policies, procedures, legal compliance, and user awareness. 

 

These controls are the foundation for organizations, facilitating a structured approach to cyber security that includes regular policy review and audit, adherence to laws and regulations, and comprehensive training programs. 

 

2. Cyber security defense

 

Within the NCA ECC framework, the Cyber Security Defense domain is the largest, comprising 15 subdomains and 60 controls.

 

Focused on strengthening an organization’s defenses, this domain addresses critical aspects, including asset management, Identity and Access Management (IAM), network security management, cryptography, vulnerability management, and more. 

 

These controls collectively form a multi-layered defense strategy, safeguarding against a spectrum of cyber threats.

 

3. Cyber security resilience

 

The Cyber Security Resilience domain in the NCA ECC framework focuses on fortifying an organization’s ability to withstand and recover from cyber security incidents. This domain comprises a single subdomain, “Cyber Security Resilience Aspects of Business Continuity Management (BCM),” accompanied by four critical controls. 

 

The objective is to seamlessly integrate cyber security resiliency requirements into the organization’s business continuity management, ensuring a prompt and effective response to minimize the impacts on systems, information processing facilities, and critical e-services in the face of disasters caused by cyber security incidents. 

 

4. Third-party and cloud computing cyber security

 

The Third-Party and Cloud Computing Cyber Security domain within the NCA ECC framework is dedicated to strengthening organizations against cyber security risks associated with external collaborations and cloud deployments. 

 

This domain has two vital subdomains: “Third-Party Cyber Security” and “Cloud Computing and Hosting Cyber Security,” featuring a total of eight crucial controls.

 

The primary objective is twofold: firstly, to ensure the protection of assets against cyber security risks linked to third parties, including outsourcing and managed services, aligning with organizational policies, procedures, and relevant laws and regulations. 

 

Secondly, the domain aims to guarantee the proper and efficient remediation of cyber risks and the implementation of cyber security requirements pertinent to hosting and cloud computing, following organizational policies, procedures, and legal standards. 

 

5. Industrial control systems cyber security

 

The Industrial Control Systems Cyber Security domain within the NCA ECC framework focuses on the cyber security management of Industrial Control Systems (ICS) and Operational Technology (OT). It consists of one subdomain, “Industrial Control Systems (ICS) Protection,” containing four controls.

The objective of this domain is to ensure that ICS/OT assets are managed and protected so that their confidentiality, integrity, and availability are maintained against cyber threats, in line with the organization’s policies and the relevant laws and regulations.

 

Automate the NCA ECC implementation with CyberArrow

 

In cyber security, ensuring compliance with regional standards like the NCA Essential Cyber Security Controls (ECC) is imperative. CyberArrow is your go-to platform for seamless and efficient compliance automation. 

 

As the designated platform for automating the implementation of the latest version of NCA ECC, CyberArrow offers a tailored solution specifically designed for Saudi-based entities. Embracing CyberArrow means putting compliance on autopilot, revolutionizing your security posture, and ensuring readiness for NCA audits. 

 

By automating the implementation of NCA ECC, businesses gain ongoing monitoring and evidence collection, providing a continuous, real-time view of their compliance status.

 

Moreover, CyberArrow goes beyond NCA compliance. We’re here to comprehensively enhance your cyber security journey. In addition to NCA, our platform is equipped to automate the SAMA (Saudi Arabian Monetary Authority) Cyber Security Framework, offering a holistic solution for businesses aiming to navigate the intricate landscape of cyber security standards in KSA.

 

Stay ahead of the cyber security curve, automate your compliance efforts, and unlock the full potential of your organization’s security strategy. 

 

Start on a journey of efficiency, reliability, and peace of mind with CyberArrow. Schedule a free demo today!

 

FAQs

 

What is NCA in cyber security?

NCA stands for the National Cyber Security Authority. In cyber security, NCA is the entity responsible for overseeing and regulating cyber security measures in the Kingdom of Saudi Arabia. It establishes frameworks, standards, and controls to enhance and ensure the security of information systems and data.

 

How many controls are there in NCA ECC?

The NCA ECC (Essential Cyber security Controls) framework consists of a total of 114 controls, distributed across various domains and subdomains.

 

Read how CyberArrow GRC streamlined NCA ECC, NIST and ISO 22301 for Nahdi Medical Company.

 

See what Nahdi has to say about CyberArrow GRC:

 

Nahdi Testimonial

 


Liam Davis