List of policies that are available and need NO update in the organization currently

1. To be in tune with the requirements and objectives of Kingdom Vision 2030.
2. To be consistent with the directions of the National Transformation Program 2020.
3. Adhere to the policy of protecting the intellectual property of content, in accordance with the intellectual property regulations in the Kingdom.
4. Conflict of interest
   A 'conflict of interest' occurs when an employee's personal interest in any way conflicts with the interests of the company.

   Leave and Time-Off Benefits (employee holidays and exit policy)
   Leave and departure of employees are among the important policies concerning employee rights. The employee takes an annual 25-day vacation. He can choose other types of leave depending on his need, which may be sick leave, maternity leave, examination leave or marriage leave, in addition to the official holidays, such as national holidays and the Eid Al-Fitr or Eid Al-Adha holiday.

   Workplace safety policies
   Goal: Because an employee is exposed to risks while in the workplace, this policy is used to protect employees; by developing workplace safety policies, we can help mitigate any damage caused by employee negligence.
5. Risk Management
   Goal: Ensure that risk management protects the assets of interest to the company against natural disasters and all other risks systematically, in accordance with the company's regulatory policies and procedures.
   Controls: A minimum risk management methodology should include:
   - Implement the company's risk assessment procedure at least once a year.
   - Create a dedicated register of all risks, and follow it up at least once a month.
6. Identity and Access Management
   Goal: Ensure that logical access to the company's assets is controlled, in order to prevent unauthorized access and restrict access to what is required to do company-related work.
   Controls:
   - Multi-Factor Authentication (MFA).
   - Develop and apply a high-standard password policy.
   - Use safe methods and algorithms to store and process passwords, such as hashing functions, for all users (beneficiaries).
7. Human Resources Policy
   Goal: Program providers must have professional qualifications and appropriate levels of experience and training. Ensure that the risks related to the company's personnel (employees and contractors) are effectively addressed before, during and upon completion of their work, in accordance with the company's regulatory policies and procedures. This policy covers everything about the ethics of the employee and the consequences of violating them.
   Controls: Before starting a professional relationship with the company, the cybersecurity requirements must cover at a minimum:
   - Perform screening or vetting of employees.
   - The incumbent must be highly qualified.
   - The employee must have high morals.
8. Cybersecurity Awareness and Training Program
   Goal: Ensure that employees have the necessary security awareness and are aware of their cybersecurity responsibilities. Ensure that staff are provided with the skills, qualifications and training courses required in the field of cybersecurity, to protect the information and technical assets of the entity and carry out their cybersecurity responsibilities.
   Controls:
   - A cybersecurity awareness program must be developed and adopted, delivered periodically through multiple channels, to promote awareness of cybersecurity threats and risks and build a positive cybersecurity culture.
   - The cybersecurity awareness program should cover how to protect the entity from the most important and newly emerging cyber threats.
   - Specialized skills and training must be provided to workers in functional areas directly related to the company's cybersecurity.
10. Asset Management
   Goal: Ensure that the entity has an accurate and up-to-date inventory of all information assets, including relevant details, and of all assets available to the entity, in order to support the entity's operations and cybersecurity requirements, with a view to achieving the confidentiality, integrity, accuracy and availability of the entity's information and technical assets.
   Controls:
   - Keep an annually updated list of all assets of the Academy.
   - Identify asset owners and involve them in the Academy's asset management life cycle.
11. Networks Security Management
   Goal: Ensure that the entity's networks are protected from cyber risks.
   Controls: Security management of the company's systems must include at a minimum the following:
   - Physical or logical isolation and segmentation of the networks of sensitive systems.
   - Review firewall settings and rule lists at least every six months.
   - Prevent any device from connecting directly to the local network of sensitive systems, except after inspection and after ensuring that the verified protection elements are present at levels acceptable for sensitive systems.
   - Prevent sensitive systems from connecting to the wireless network.
12. Cryptography
   Goal: Ensure the proper and effective use of encryption to protect the assets of the company, in accordance with the company's policies and regulatory procedures.
   Controls:
   - Encrypt all sensitive data during transport (Data-In-Transit).
   - Encrypt all sensitive system data during storage (Data-At-Rest), at the file level, the database level, or the level of specific columns within the database.
   - Use up-to-date and secure encryption methods, algorithms, keys and devices, as issued by the Authority.
13. Backup and Recovery Management
   Goal: Ensure that the company's data and information, and the technical settings of the company's systems and applications, are protected from damage caused by cyber risks, in accordance with the company's policies and regulatory procedures.
   Controls:
   - Online and offline backups covering all systems.
   - Backups run at planned intervals; the company recommends that backups of sensitive data be made on a daily basis.
   - Secure the access to, storage of and transport of backup content for sensitive systems and their media, and protect them from damage, modification or unauthorized access.
   - A periodic test must be conducted at least every three months to determine the effectiveness of restoring backups for sensitive systems.
14. Third-Party Policy
   Goal: Ensure that the entity's assets are protected from third-party risks, including outsourcing services and managed services, in accordance with the regulatory policies and procedures of the company.
   Controls:
   - Screening or vetting of support service companies, support service staff and managed services working on sensitive systems.
   - Obtain support services and managed services for systems through highly trusted companies.

List of policies that are available in the organization, but need to be updated

Management of information and technical projects (Cybersecurity in Information Technology Projects)
Goal: Ensure that the management of the company's projects and procedures is properly applied to protect the confidentiality, integrity, accuracy and availability of the entity's information and technical assets.
Controls: In order to fully cover the company's project management requirements and changes to the company's information and technical assets, the following will be added in the future:
- Stress testing to ensure the capacity of the different components. Stress testing: software and hardware tests to make sure they are available, and to measure the level of their effectiveness in unexpected circumstances.

Event Logs Management and Monitoring (Cybersecurity Event Logs and Monitoring Management)
Goal: Ensure that event logs are collected and analyzed in a timely manner, to prevent the effects of unauthorized access that harm or reduce the company's business.
The following is updated and added:
- Activate and monitor file integrity management alerts and event logs.
- Monitor and analyze user behavior (User Behavior Analytics, UBA).
- Monitor the event logs of sensitive systems 24 hours a day.

Protection of information systems and processing facilities (protection of systems and devices)
Goal: Ensure that systems and information processing devices, including user devices and the entity's infrastructure, are protected from cyber risks.
Applicable controls: In addition to the pre-existing controls:
- Allow only a specific list (whitelist) of files, applications and programs to run on the servers of sensitive systems.
- Protect the servers of sensitive systems with company-approved endpoint protection technologies.
The following controls will be updated:
- Apply update packages and security fixes at least once a month to sensitive external, Internet-connected systems.
- Allocate dedicated workstations to technical personnel holding important and sensitive privileges, isolated in a private network used to manage systems, and not connected to any other network or service (e.g. e-mail service, Internet).
- Review secure configuration and hardening settings at least every six months.
- Review and modify the default configuration, and make sure there are no hard-coded, backdoor or default passwords, as applicable.

Application Security
Goal: Ensure that the internal applications of the entity's sensitive systems are protected from risks and attacks.
Applicable controls:
- Protection requirements for the internal applications of the company's sensitive systems must be identified, documented and adopted, including the use of secure protocols (such as HTTPS).
- Clarify the user's safe use policy.
The following control should be updated to increase the level of protection and security:
- Secure session management, including authenticity, lockout and timeout.
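The Application Security control above asks for secure session management covering authenticity, lockout and timeout. The following is an added example written for this page, not the organization's application code: a small server-side session manager that issues random session tokens only after a successful credential check, locks an account after repeated failed logins, and expires sessions on both an idle timeout and an absolute lifetime. The thresholds (5 failed attempts, 15-minute lockout, 30-minute idle timeout, 8-hour lifetime), the injected credential checker and the injected clock are assumptions made for the example.

```python
"""Added example: session management with login lockout and session timeouts.

Illustrative code written for this page; it is not the organization's own
application code. All thresholds below are assumptions for the example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy parameters (not taken from the policy text).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 30 * 60
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # for the absolute lifetime
    last_seen: float    # for the idle timeout


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0


class SessionManager:
    """Tracks live sessions and per-account lockout state.

    `check_credentials(user, password)` is injected so the example does not
    depend on a particular password store; `clock` is injected so timeouts
    can be exercised without waiting.
    """

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._check = check_credentials
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str) -> bool:
        state = self._accounts.get(user)
        return state is not None and self._clock() < state.locked_until

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a new session token, or None if the login is refused."""
        now = self._clock()
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return None  # locked out: refuse without consulting the password store
        if not self._check(user, password):
            state.failed_attempts += 1
            if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                state.locked_until = now + LOCKOUT_SECONDS
                state.failed_attempts = 0
            return None
        state.failed_attempts = 0
        # 256-bit random token; never derived from the user name or the time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user of a live session (refreshing its idle timer), else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT_SECONDS
                or now - session.created_at > ABSOLUTE_LIFETIME_SECONDS):
            del self._sessions[token]  # expired: drop it server-side so the token is dead
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    # Constructed credential store and a fake clock for a demonstration run.
    creds = {"alice": "Correct-Horse-42-Battery"}
    fake_now = [1000.0]
    mgr = SessionManager(lambda u, p: creds.get(u) == p, clock=lambda: fake_now[0])
    for _ in range(MAX_FAILED_ATTEMPTS):
        mgr.login("alice", "wrong")
    print("locked after repeated failures:", mgr.is_locked("alice"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    token = mgr.login("alice", "Correct-Horse-42-Battery")
    print("session user:", mgr.authenticate(token))
    fake_now[0] += IDLE_TIMEOUT_SECONDS + 1
    print("after idle timeout:", mgr.authenticate(token))
```

Expiry is enforced on the server, not by trusting an expiry field inside the token, and the lockout check happens before the password is examined so a locked account cannot be probed. In a real deployment the session and account tables would live in a shared store rather than in process memory.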
Data and Information Protection
Goal: Ensure the protection of the confidentiality, integrity, accuracy and availability of company data and information, in accordance with the company's regulatory policies and procedures.
Controls: In addition to pre-existing controls, such as classifying all sensitive system data and protecting the classified data of sensitive systems through techniques such as data leakage prevention. Data Leakage Prevention is a strategy to preserve important data from unauthorized persons and prevent it from circulating outside the organization in any form, wherever the data is located: stored (At-Rest) on volumes, user devices and servers, In-Transit, or In-Use. Some other important aspects of data and information protection should be covered as follows:
- Determine the required retention period for business data on sensitive systems, depending on the relevant legislation, and retain only the required data in the production environments of sensitive systems.

List of policies that are NOT available in the organization
- Sharing, viewing or selling user data to those who want to conduct studies and statistics.
- No disaster recovery plans have been built.
- Remote work policy: the organization does not use this policy because all employees perform their jobs from the work site and come to it to finish their work.
- Bill payment policy for users: this policy does not apply in the company because the programs are provided free of charge and do not need a payment policy.