Requirement:
The requirements for cybersecurity incidents and threat management must include at least the following:
Sub-Controls:
2-13-3-1:
Requirement:
Cybersecurity incident response plans and escalation procedures.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Develop cybersecurity incident response plans that:
  - Define the types of incidents and classify them by the severity of their impact on the organization's business
  - Define the roles and responsibilities for cybersecurity incident response and how to communicate with all stakeholders
  - Define communication channels and methods for emergencies
  - Define an incident response playbook that covers the following:
    - Classifying the incident by its severity, the level of response required, and the entities that should be involved in response activities
    - Reporting cybersecurity threats and incidents to the NCA
    - Workflow procedures for responding to cybersecurity incidents
- Develop a cybersecurity incident report upon completion of the response, including, but not limited to, the following:
  - The persons involved in responding to the incident and the means of communication
  - The key information of the incident, including but not limited to date and time, scope, severity, etc.
  - A summary of the incident
  - Containment and eradication steps
  - Current and future recommendations
- Review the response plan periodically and update it when necessary
Expected Deliverables:
- A document (such as an approved policy or procedure) showing that the requirements related to this control have been identified and documented
- The approved cybersecurity incident response plan (electronic copy)
- A sample of a previous cybersecurity incident report
2-13-3-2:
Requirement:
Cybersecurity incidents classification.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Define the organization's cybersecurity incident classification mechanism, include it in the incident response policy, and align it with the organization's risk classification mechanism
- Classify incidents when they occur and, based on the adopted classification mechanism, determine the handling timeframe and the handling approach for each
- Document the classification in the cybersecurity incident report
Expected Deliverables:
- A document (such as an approved policy or procedure) showing that the requirements related to this control have been identified and documented
- A document that outlines the mechanism for classifying cybersecurity incidents according to sensitivity and risk level
- A sample of a previous incident report showing the incident's classification
2-13-3-3:
Requirement:
Cybersecurity incident reporting to NCA.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Establish documented procedures for reporting to NCA in the event of a cybersecurity incident, including:
  - The roles and responsibilities for cybersecurity incident response and how to communicate with all stakeholders
  - The key information of the incident, including but not limited to date and time, scope, severity, etc.
  - A summary of the incident
- Report the occurrence of a cybersecurity incident to NCA through NCA's approved channels, such as the Haseen portal and/or NCA's official incident reporting email (is@nca.gov.sa), and follow up on an ongoing basis on any updates and instructions that NCA may issue regarding incident reporting
Expected Deliverables:
- A document (such as an approved policy or procedure) showing that the requirements related to this control have been identified and documented
- A copy of the documented procedures followed to report cybersecurity incidents to NCA
- A sample of a notification sent to NCA for a previous cybersecurity incident, including but not limited to a screenshot or direct example of the email sent to NCA
2-13-3-4:
Requirement:
Sharing incidents notifications, threat intelligence, breach indicators and reports with NCA.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Establish documented procedures for sharing the following with NCA:
  - Alerts, threat intelligence, and breach indicators (indicators of compromise) that may raise suspicion of a cybersecurity incident
  - Cybersecurity incident reports after the incident has been handled
- Share alerts, threat intelligence, breach indicators, and incident reports with NCA through the official email for registering information-sharing membership (info@nca.gov.sa), and follow up on an ongoing basis on any updates and instructions that NCA may issue regarding the reporting of alerts, threat intelligence, and breach indicators
Expected Deliverables:
- A document (such as an approved policy or procedure) showing that the requirements related to this control have been identified and documented
- The procedures followed to share alerts, threat intelligence, and breach indicators with NCA (including but not limited to a previous email through which an indicators report was sent to NCA)
- A sample of a cybersecurity incident report sent to NCA (including but not limited to a previous email through which a cybersecurity incident report was sent to NCA)
2-13-3-5:
Requirement:
Collecting and handling threat intelligence feeds.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the representative
- Subscribe to platforms that distribute threat intelligence by email or other technical means, including:
  - The Saudi Computer Emergency Response Team (Saudi CERT)
  - Haseen's information-sharing platform
  - CITC's newsletter
  - Bulletins provided by cybersecurity companies
  - Bulletins provided by security and technology service providers already contracted by the organization
- Handle the alerts sent by these platforms by:
  - Forwarding each alert to the relevant team for handling (including but not limited to the IT department, the Security Operations Center, or the patch and vulnerability management team)
  - Setting a time limit for handling each alert based on its severity level
  - Continuously monitoring to confirm that alerts forwarded to the relevant team have been handled securely (including but not limited to verifying that the patches for the reported vulnerabilities have been applied)
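The alert-handling steps above (route the alert to a team, set a deadline by severity, and confirm it was actually remediated) can be tracked mechanically. The following is an added Python example and is not part of the ECC guidelines or of this page; the severity-to-deadline hours, the team names, and the sample alerts are constructed assumptions for illustration. The point it adds is the distinction between an alert that was merely closed and one whose remediation was verified: a ticket closed without evidence (for example a scan reference) is flagged for follow-up, which is what the "ensure patches are applied" step asks for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical handling deadlines per severity level, in hours from receipt.
# These values are an assumption for the example; each organization sets its own.
SLA_HOURS: Dict[str, int] = {
    "critical": 24,
    "high": 72,
    "medium": 14 * 24,
    "low": 30 * 24,
}


@dataclass
class Alert:
    """A threat-intelligence alert received from a subscribed source."""
    alert_id: str
    source: str                          # e.g. "Saudi CERT", "Haseen"
    severity: str                        # must be a key of SLA_HOURS
    received_at: datetime
    assigned_team: str
    resolved_at: Optional[datetime] = None
    verification: Optional[str] = None   # evidence the fix was confirmed, e.g. a scan reference


def due_at(alert: Alert) -> datetime:
    """Deadline for handling the alert, derived from its severity level."""
    if alert.severity not in SLA_HOURS:
        raise ValueError(f"unknown severity {alert.severity!r} for alert {alert.alert_id}")
    return alert.received_at + timedelta(hours=SLA_HOURS[alert.severity])


def status(alert: Alert, now: datetime) -> str:
    """Handling state of the alert at time `now`:
      handled            resolved within the deadline and verified
      handled_late       resolved after the deadline but verified
      closed_unverified  marked resolved but no verification evidence recorded
      open               not yet resolved, deadline not reached
      overdue            not resolved and deadline passed
    """
    deadline = due_at(alert)
    if alert.resolved_at is not None:
        if not alert.verification:
            return "closed_unverified"
        return "handled" if alert.resolved_at <= deadline else "handled_late"
    return "overdue" if now > deadline else "open"


def attention_report(alerts: List[Alert], now: datetime) -> Dict[str, List[str]]:
    """Group, per team, the alerts that still need follow-up (overdue or closed without evidence)."""
    needs_followup = {"overdue", "closed_unverified"}
    report: Dict[str, List[str]] = {}
    for a in alerts:
        s = status(a, now)
        if s in needs_followup:
            report.setdefault(a.assigned_team, []).append(f"{a.alert_id} ({s})")
    return report


# Constructed sample data (not real advisories or real team names).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=4)
SAMPLE_ALERTS: List[Alert] = [
    Alert("CERT-0001", "Saudi CERT", "critical", T0, "SOC",
          resolved_at=T0 + timedelta(hours=10), verification="scan#4411"),
    Alert("HSN-0002", "Haseen", "high", T0, "Patch team"),                       # still open past 72h
    Alert("VND-0003", "Vendor bulletin", "medium", T0, "IT",
          resolved_at=T0 + timedelta(days=3)),                                   # closed, no evidence
    Alert("CERT-0004", "Saudi CERT", "critical", T0, "Patch team"),             # never touched
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.alert_id:10} due {due_at(a).isoformat()} -> {status(a, NOW)}")
    print(attention_report(SAMPLE_ALERTS, NOW))
```

Run on the constructed data, the report lists HSN-0002 and CERT-0004 as overdue for the patch team and VND-0003 as closed without verification for IT, while CERT-0001 is counted as handled. Feeding the real alert register (ticketing export, SOC queue) through `attention_report` on a schedule gives the continuous monitoring evidence the deliverables below ask for.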
Expected Deliverables:
- A document (such as an approved policy or procedure) showing that the requirements related to this control have been identified and documented
- A screenshot or direct example showing the organization's subscription to a platform
- A screenshot or direct example of alerts that have been handled according to the required procedures