
NCA ECC–2:2024 Update: Stronger Cybersecurity for Saudi Arabia

The National Cybersecurity Authority (NCA) plays a pivotal role in safeguarding Saudi Arabia’s digital infrastructure. The previous edition, NCA ECC–1:2018, provided a solid foundation for cybersecurity practice. The NCA ECC–2:2024 Update is here! NCA has released the updated Essential Cybersecurity Controls (ECC–2:2024) after extensive review and analysis. The update draws on cybersecurity standards, frameworks, and controls from local and international entities, takes national legislation and regulations into account, reviews best practices, analyzes cyber incidents that affected government and sensitive entities, and incorporates feedback surveyed from numerous national organizations. NCA ECC–2:2024 is organized as:

  • 4 Main Domains of Cybersecurity Controls
  • 28 Subdomains of Cybersecurity Controls
  • 110 Cybersecurity Controls
  • 90 Cybersecurity Subcontrols

They are aligned with relevant national and international legislative and regulatory requirements.

Why the Update?

The rapid evolution of cyber threats necessitates a continuous adaptation of cybersecurity measures. Cybercriminals are becoming increasingly sophisticated, employing advanced techniques to exploit vulnerabilities and steal sensitive information. From ransomware attacks to data breaches, the potential consequences of cyber incidents can be devastating.

To stay ahead of these evolving threats, the NCA has introduced the updated ECC. This revised framework emphasizes the importance of proactive measures to protect critical infrastructure, government entities, and businesses. By implementing robust security controls, organizations can significantly reduce their risk exposure and maintain a strong cybersecurity posture. While the previous NCA ECC–1:2018 provided a solid foundation, it did not fully address the increasing sophistication of cyberattacks. The new NCA ECC–2:2024 aims to bridge these gaps by introducing enhanced controls and aligning with international standards.

NCA ECC–2:2024 Main Domains of Cybersecurity Controls

NCA ECC–2:2024 update is structured around four primary cybersecurity domains, each focusing on distinct aspects of cybersecurity. These domains are subdivided into subdomains that provide detailed controls and best practices. In the following sections, we will delve into each domain, highlighting its significance and the role it plays in enhancing overall cybersecurity initiatives.

Cybersecurity Governance

The Cybersecurity Strategy subdomain requires the entity to define, document, and periodically review a strategy whose action plans are aligned with legislative and regulatory requirements. Cybersecurity Management requires an independent cybersecurity function and a supervisory committee that ensure commitment to the program and compliance with regulations. Cybersecurity Policies and Procedures require documented policies, supported by technical standards and regular reviews, and adherence to them. Cybersecurity Roles and Responsibilities must be clearly defined and periodically updated. Cybersecurity Risk Management calls for a systematic process to identify, assess, and treat risks to information assets.

Cybersecurity in IT Project Management embeds cybersecurity requirements into project methodologies and change management. Regulatory Compliance ensures alignment with national and international regulations. Periodic Review and Audit verifies the effectiveness of the implemented controls. Cybersecurity in Human Resources addresses employee-related risk through documented requirements before, during, and after employment. The Awareness and Training Program develops and implements initiatives to build employees’ security knowledge and practices.

Strengthening Cybersecurity Defence

The Cybersecurity Defence domain sets out the measures that protect an organization’s information and technology assets. Identity and Access Management covers access controls such as multi-factor authentication and least-privilege account management, and Information System and Processing Facilities Protection addresses malware and unauthorized access. Email Protection involves filtering phishing and enforcing secure email authentication protocols, while Network Security Management focuses on network segmentation and DDoS defenses. Mobile Devices Security establishes policies for corporate and personal (BYOD) devices, including data encryption and secure deletion.

Data and Information Protection ensures confidentiality and compliance, and Cryptography mandates adherence to national encryption standards. Backup and Recovery Management requires comprehensive, regularly tested backups, while Vulnerability Management prioritizes timely detection and patching. Penetration Testing evaluates external-facing services for weaknesses, and Cybersecurity Event Logs and Monitoring Management enables proactive threat detection. Cybersecurity Incident and Threat Management sets requirements for incident response and threat intelligence sharing, while Physical Security safeguards facilities and equipment against unauthorized access. Web Application Security implements protective measures for external web applications. All of these requirements must be reviewed periodically to keep pace with changing cyber risks.

Cybersecurity Resilience

The Cybersecurity Resilience Aspects of Business Continuity Management (BCM) require that cybersecurity resilience requirements be included in the organization’s BCM framework. The primary goal is to minimize the impact of disruptions caused by cyber risks on critical electronic services and information processing systems. To achieve this, cybersecurity requirements must be identified, documented, and approved as part of the BCM, and then implemented to maintain operational continuity. At a minimum, the BCM must ensure the continuity of cybersecurity systems and procedures, define response plans for cybersecurity incidents that could affect business operations, and establish disaster recovery plans. Regular review of these requirements within the BCM is essential to adapt to evolving threats and maintain resilience.

Third-party and Cloud Computing Cybersecurity

The Third-Party and Cloud Computing Cybersecurity domain focuses on protecting the entity’s assets from the cyber risks that come with external parties and cloud services. It requires cybersecurity requirements to be defined, documented, and approved in contracts with external parties, including non-disclosure clauses, secure deletion of the entity’s data when the service ends, and procedures for communicating incidents. Cybersecurity measures must also be implemented to comply with relevant legislative requirements, and third-party risk must be assessed before a service is engaged.

For cloud computing and hosting, the framework mandates the establishment of cybersecurity requirements that include data classification, ensuring data separation from other entities’ environments, and returning data in a usable format post-service. Regular reviews of these cybersecurity practices are essential to maintain protection and compliance.

Key Changes in NCA ECC–2:2024 Update

The NCA ECC–2:2024 update introduces several significant changes to strengthen cybersecurity practices in Saudi Arabia.

Expanded Scope: The new ECC now covers a broader range of organizations, including government entities, critical infrastructure operators, and financial institutions. This expansion recognizes the increasing interconnectedness of digital systems and the need for robust security measures across various sectors.

Enhanced Controls: The control set has been revised and expanded, reflecting the evolving threat landscape and emerging technologies. The updated controls address a wide range of threats, including phishing attacks, malware, and ransomware.

Increased Emphasis on Risk Management: The new ECC places greater emphasis on risk assessment, management, and mitigation. By conducting thorough risk assessments, organizations can identify and prioritize vulnerabilities, allocate resources effectively, and implement targeted security measures. This risk-based approach enables organizations to focus on the most critical threats and allocate resources accordingly.

Alignment with International Standards: The new ECC is aligned with international standards such as the NIST Cybersecurity Framework and ISO/IEC 27001. This alignment ensures that Saudi Arabia’s cybersecurity framework aligns with global best practices and facilitates international cooperation.

Scope of Work and Applicability

Scope of Controls:

These controls apply to government entities in Saudi Arabia (including ministries, authorities, institutions, etc.), their affiliates and subsidiaries (inside and outside the Kingdom), and private sector entities that own, operate, or host Critical National Infrastructures. The Authority also strongly encourages other entities in the Kingdom to adopt these controls to enhance their cybersecurity practices.

Applicability within the Organization:

These controls are designed to meet the cybersecurity needs of all entities and sectors in Saudi Arabia, regardless of their business nature, and each entity must adhere to the relevant controls. For example, controls related to cloud computing and hosting cybersecurity are mandatory for entities currently or planning to use these services.

Impact on Organizations

The updated ECC presents both challenges and opportunities for organizations in Saudi Arabia. Compliance with these controls is essential to avoid potential penalties and reputational damage, but it also allows you to strengthen your security posture and build a more resilient organization. Organizations should begin with a risk assessment to identify and prioritize the risks that could affect their operations, and then implement the ECC accordingly. Strong identity and access controls, such as robust password policies, multi-factor authentication, and least-privilege access, are crucial to protect sensitive information. Investing in security solutions like firewalls, intrusion detection systems, and endpoint protection platforms can further enhance security.

Additionally, empowering employees with cybersecurity awareness training can help them recognize and respond to threats effectively. Finally, continuous monitoring of networks and systems for vulnerabilities and conducting regular security testing are essential to maintain a strong security posture.

Partner with Aman Solutions For Cyber Security

At Aman Solutions For Cyber Security, we understand the complexities of cybersecurity and the challenges organizations face in meeting regulatory requirements. Our team of experts can help you navigate the updated ECC and implement effective security solutions.

By partnering with us, you can:

  • Achieve ECC Compliance: Ensure that your organization meets all the requirements of the new ECC.
  • Enhance Your Security Posture: Strengthen your defenses against cyber threats.
  • Protect Your Reputation: Safeguard your brand and customer trust.

Don’t let cybersecurity risks compromise your organization’s success. Contact Aman Solutions For Cyber Security today to learn more about how we can help you achieve your cybersecurity goals.

Conclusion

The Authority will periodically review and update the Essential Cybersecurity Controls in line with evolving cybersecurity requirements and developments, and updated controls will be announced for implementation and compliance. The appendix of the ECC–2:2024 document details the changes made relative to the previous version (ECC–1:2018).