Requirement:
The cybersecurity requirements for protecting information systems and information processing facilities must include at least the following:
Sub-Controls:
2-3-3-1:
Requirement:
Advanced, up-to-date and secure management of malware and virus protection on servers and workstations.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
- Provide anti-virus, suspicious-program and malware protection technologies and mechanisms, including the following:
  - Continuously ensure that the technologies used are current and advanced and include protection against advanced persistent threats (APT)
  - Determine the scope of assets on which the protection system will be installed, and identify and keep their status up to date
  - Install the protection system on all workstations, systems and servers of the organization
  - Review the protection system periodically, through its management console, to ensure that its scope covers all workstations, systems and servers of the organization
  - Develop and implement a remediation action plan (when needed) to install the protection system on all devices, and take action on devices and systems that are repeatedly found without the current protection system installed
  - Follow up on the protection system periodically to ensure that updates are released and installed on all workstations, systems and servers of the organization
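The periodic scope review and follow-up steps above amount to reconciling the organization's asset inventory against what the protection system's management console reports. The Python script below is an added example, not part of the guideline and not any vendor's tooling: it runs that reconciliation over two constructed CSV extracts and reports assets with no agent, agents unknown to the inventory, stale signatures, outdated agent versions and hosts that have stopped checking in. The column names, the current agent version and the age thresholds are assumptions to be replaced by the organization's own exports and approved values.

```python
"""Reconcile the asset inventory against the endpoint-protection console export.

Added example for ECC 2-3-3-1. Both CSV extracts below are constructed for
this example; the column names are assumptions about what a CMDB and an
anti-malware console would export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed CMDB extract: every in-scope asset the organization owns.
INVENTORY_CSV = """hostname,asset_type,owner
ws-001,workstation,finance
ws-002,workstation,hr
srv-db-01,server,it
srv-web-01,server,it
srv-file-01,server,it
"""

# Constructed console extract: what the protection system's console knows.
CONSOLE_CSV = """hostname,agent_version,signature_date,last_checkin
ws-001,7.4.2,2024-05-20,2024-05-21
ws-002,7.4.2,2024-05-01,2024-05-02
srv-db-01,7.3.0,2024-05-20,2024-05-21
srv-web-01,7.4.2,2024-05-20,2024-05-21
lab-rogue-01,7.4.2,2024-05-20,2024-05-21
"""

CURRENT_AGENT = "7.4.2"                # version the console currently publishes (assumed)
MAX_SIGNATURE_AGE = timedelta(days=3)  # tolerances assumed for this example
MAX_CHECKIN_AGE = timedelta(days=7)


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def version_tuple(text):
    # "7.4.2" -> (7, 4, 2) so versions compare numerically, not as strings
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory_csv, console_csv, today_iso):
    """Return the coverage gaps found between inventory and console exports."""
    today = date.fromisoformat(today_iso)
    inventory = {row["hostname"]: row for row in parse_csv(inventory_csv)}
    console = {row["hostname"]: row for row in parse_csv(console_csv)}
    findings = {
        # in the inventory but never seen by the console: no agent installed
        "missing_agent": sorted(set(inventory) - set(console)),
        # reporting to the console but not in the inventory: unmanaged asset
        "not_in_inventory": sorted(set(console) - set(inventory)),
        "stale_signatures": [],
        "outdated_agent": [],
        "no_recent_checkin": [],
    }
    for host, row in console.items():
        signature = date.fromisoformat(row["signature_date"])
        checkin = date.fromisoformat(row["last_checkin"])
        if today - signature > MAX_SIGNATURE_AGE:
            findings["stale_signatures"].append(host)
        if version_tuple(row["agent_version"]) < version_tuple(CURRENT_AGENT):
            findings["outdated_agent"].append(host)
        if today - checkin > MAX_CHECKIN_AGE:
            findings["no_recent_checkin"].append(host)
    covered = len(set(inventory) & set(console))
    findings["coverage_pct"] = round(100 * covered / len(inventory), 1)
    return findings


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY_CSV, CONSOLE_CSV, "2024-05-22").items():
        print(f"{key}: {value}")
```

The two "unknown to the other side" lists are the ones the remediation plan in the guideline acts on; the staleness lists are the evidence that the periodic update follow-up is actually happening rather than only that an agent was installed once.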
Expected Deliverables:
- Documents indicating the identification and documentation of the requirements of this ECC in the policies or procedures of the organization approved by the representative
- List of antivirus systems and evidence of protection against APT (including but not limited to a screenshot or direct example from the APT Monitoring page of the protection system)
- Reports or evidence of installing the protection technologies across all workstations, systems and servers of the organization
- Reports or evidence of follow-up on the installation scope and the periodic updating of these technologies
2-3-3-2:
Requirement:
Restricted use and secure handling of external storage media.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
- Restrict the use of external storage media by:
  - Creating groups in the privileged access management system according to authority, so that the use of external storage media is disabled by default on all workstations, systems and servers of the organization
  - Defining documented procedures for granting approval to use external storage media (including but not limited to: requesting approvals via e-mail, paper, or an internal system). Such procedures include:
    - Reason for requesting approval for use
    - Start and end date of use
    - Mechanism for handling the data stored on the media, so that the media are checked before use and the data is erased after completion
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Report or evidence indicating that the use of external storage media is restricted (including but not limited to a screenshot or direct example from the access management system showing that the use of external storage media is blocked on workstations and servers)
- Approval procedures for the use of storage media on the devices for which it has been approved
2-3-3-3:
Requirement:
Patch management for information systems, software and devices.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
- Define procedures for patch management for systems, devices and applications, which include:
  - The scope of systems on which patches are applied must be defined to include:
    - Workstations
    - Operating systems
    - Network devices
    - Databases
    - Applications
  - The time period allowed for applying patches must be defined according to the type of operating system, the system's criticality, the applicable patches, and the importance (severity) of the patches
  - Patching procedures must be included in the change management methodology, or change management must be included in the patch management policy
  - Change management approval must be included in the patch approval form for all systems, devices and applications (including but not limited to: requesting approvals via e-mail, paper, or an internal system)
  - Patches must be applied to the defined scope after obtaining the necessary approval
  - Patch implementation must be continuously reviewed to ensure that all necessary patches are applied to all devices, systems and applications
  - Required patches must be identified by periodically monitoring sources including, but not limited to, the protection system, the patch management system, and vulnerability alerts received by e-mail
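The procedure above defines a scope, a time period per system criticality and patch importance, and a continuous review that patches landed within that period. The Python script below is an added example (not part of the guideline, and not the output of any particular patch management product) that applies such a review to constructed patch records: it computes each patch's deadline from an SLA table keyed by criticality and severity, classifies it as applied on time, applied late, overdue or still pending, and reports which of the scoped asset types have no patch evidence at all. The SLA periods, asset types and records are assumptions; an organization would take the periods from its approved procedure and the records from its patch management system.

```python
"""Patch-deadline review against the periods defined in the patch-management procedure.

Added example for ECC 2-3-3-3. The SLA table, the scoped asset types and
the patch records are constructed for this example.
"""
from datetime import date, timedelta

# Constructed SLA: days allowed from vendor release to installation,
# keyed by (system criticality, patch severity).
SLA_DAYS = {
    ("high", "critical"): 7,   ("high", "important"): 14,   ("high", "moderate"): 30,
    ("medium", "critical"): 14, ("medium", "important"): 30, ("medium", "moderate"): 60,
    ("low", "critical"): 30,   ("low", "important"): 60,   ("low", "moderate"): 90,
}

# Asset types the procedure puts in scope (names assumed for this example).
SCOPE_TYPES = ["workstation", "operating_system", "network_device", "database", "application"]

# Constructed records as a patch-management system might export them.
PATCHES = [
    {"host": "srv-db-01", "asset_type": "database", "criticality": "high",
     "patch": "DB-2024-0412", "severity": "critical",
     "released": "2024-04-12", "installed": "2024-04-16"},
    {"host": "srv-web-01", "asset_type": "application", "criticality": "high",
     "patch": "APP-2024-0420", "severity": "important",
     "released": "2024-04-20", "installed": "2024-05-10"},
    {"host": "ws-002", "asset_type": "workstation", "criticality": "low",
     "patch": "OS-2024-0501", "severity": "moderate",
     "released": "2024-05-01", "installed": None},
    {"host": "fw-edge-01", "asset_type": "network_device", "criticality": "high",
     "patch": "FW-2024-0505", "severity": "critical",
     "released": "2024-05-05", "installed": None},
]


def deadline_for(record):
    """Release date plus the SLA period for this criticality/severity pair."""
    key = (record["criticality"], record["severity"])
    if key not in SLA_DAYS:
        # an undefined pair is itself a procedure gap, so fail loudly
        raise ValueError(f"no SLA period defined for {key}")
    return date.fromisoformat(record["released"]) + timedelta(days=SLA_DAYS[key])


def classify(record, today):
    """Return 'on_time', 'late', 'overdue' or 'pending' for one patch record."""
    due = deadline_for(record)
    if record["installed"] is not None:
        return "on_time" if date.fromisoformat(record["installed"]) <= due else "late"
    return "overdue" if today > due else "pending"


def review(records, today_iso):
    """Group (host, patch, deadline) triples by their status as of today."""
    today = date.fromisoformat(today_iso)
    report = {"on_time": [], "late": [], "overdue": [], "pending": []}
    for rec in records:
        report[classify(rec, today)].append(
            (rec["host"], rec["patch"], deadline_for(rec).isoformat()))
    return report


def scope_gaps(records, required_types):
    """Scoped asset types for which no patch record exists at all."""
    seen = {r["asset_type"] for r in records}
    return sorted(set(required_types) - seen)


if __name__ == "__main__":
    for status, items in review(PATCHES, "2024-05-22").items():
        print(status, items)
    print("asset types with no patch evidence:", scope_gaps(PATCHES, SCOPE_TYPES))
```

The "late" and "overdue" lists are what the deliverable on period compliance has to show; the scope-gap list catches the quieter failure where an asset class in the defined scope is simply never fed into the patch system and therefore never shows up as overdue.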
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Evidence indicating the inclusion of change management in patches (including but not limited to: including patches in change management methodology or enforcing change management by including it in the requirements of Patch Management)
- Approval procedures indicating that change management approval is required for patches
- Reports or evidence that the scope of patches covers all devices, systems and applications
- Reports or evidence that patches are applied within the period specified in the procedures (including but not limited to: a screenshot or direct example showing the date and scope of several sample patches approved by e-mail, internal system or paper, and applied within the defined period across all the organization's devices, systems and applications)
2-3-3-4:
Requirement:
Centralized clock synchronization with an accurate and trusted source (e.g., Saudi Standards, Metrology and Quality Organization (SASO))
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
- Perform time synchronization through the organization's central NTP server
- Configure the central server to synchronize its time with reliable sources including, but not limited to, one of the following:
  - Saudi Standards, Metrology and Quality Organization (SASO): time.saso.gov.sa
  - King Abdulaziz City for Science and Technology (KACST): time.isu.net.sa
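The deliverable for this control is evidence that the central server actually synchronizes to an approved source, which is a check on the server's NTP client state rather than on a configuration file alone. The Python script below is an added example, not part of the guideline: it parses `chronyc sources` output in the column layout chronyd prints (the lines here are constructed, not captured from a real server) and checks that the currently selected source (state `*`) is one of the two sources named above, that it answered all of its recent polls, and that the last measured offset is within a tolerance. The offset tolerance is an assumption; the approved-source list is taken from the guideline.

```python
"""Verify the central NTP server is synchronised to an approved, reachable source.

Added example for ECC 2-3-3-4. The `chronyc sources` text below is
constructed in chronyd's output layout; the offset tolerance is assumed.
"""
import re

APPROVED_SOURCES = {"time.saso.gov.sa", "time.isu.net.sa"}   # from the guideline
MAX_OFFSET_MS = 100.0                                         # tolerance assumed here

# Constructed output of `chronyc sources` on a correctly configured server.
CHRONYC_SOURCES = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.saso.gov.sa              1   6   377    34    -412us[ -520us] +/-   12ms
^+ time.isu.net.sa               1   6   377    12   +873us[ +901us] +/-   15ms
^- pool.example.com              2   6   377    40    +12ms[  +12ms] +/-   45ms
"""

# Constructed output of a misconfigured server: synced to an unapproved pool that
# is missing polls and drifting, while the approved source is unreachable ('?').
CHRONYC_SOURCES_BAD = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* pool.example.com              2   6   177    40    +250ms[ +250ms] +/-   45ms
^? time.saso.gov.sa              0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# One source line: mode, state, name, stratum, poll, reach, lastrx, then the
# "Last sample" field whose first number is the measured offset with a unit.
LINE_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>\d+)\s+(?P<lastrx>\S+)\s+"
    r"(?P<offset>[-+]?\d+(?:\.\d+)?)(?P<unit>ns|us|ms|s)\["
)
UNIT_TO_MS = {"ns": 1e-6, "us": 1e-3, "ms": 1.0, "s": 1000.0}


def parse_sources(text):
    """Parse source lines; header and separator lines do not match and are skipped."""
    sources = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sources.append({
            "name": d["name"],
            "state": d["state"],
            "stratum": int(d["stratum"]),
            "reach": int(d["reach"], 8),   # the reach register is printed in octal
            "offset_ms": float(d["offset"]) * UNIT_TO_MS[d["unit"]],
        })
    return sources


def check_sync(text, approved=APPROVED_SOURCES, max_offset_ms=MAX_OFFSET_MS):
    """Return ok/selected/problems for the source chronyd is currently synced to."""
    sources = parse_sources(text)
    selected = [s for s in sources if s["state"] == "*"]
    result = {"ok": False, "selected": None, "problems": [],
              # configured sources outside the approved list, for review
              "other_sources": sorted(s["name"] for s in sources if s["name"] not in approved)}
    if not selected:
        result["problems"].append("no source currently selected for synchronisation")
        return result
    sel = selected[0]
    result["selected"] = sel["name"]
    if sel["name"] not in approved:
        result["problems"].append(f"selected source {sel['name']} is not approved")
    if sel["reach"] != 0o377:   # 377 octal: all of the last eight polls answered
        result["problems"].append(f"selected source missed recent polls (reach={sel['reach']:o})")
    if abs(sel["offset_ms"]) > max_offset_ms:
        result["problems"].append(f"offset {sel['offset_ms']:.3f} ms exceeds {max_offset_ms} ms")
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    print(check_sync(CHRONYC_SOURCES))
    print(check_sync(CHRONYC_SOURCES_BAD))
```

Sources listed under other_sources are reported rather than treated as failures, because the guideline allows sources beyond the two named; what matters for the evidence is which source the server is actually following.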
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Evidence that the organization uses a central server to synchronize timing (including but not limited to: a screenshot or direct example of the presence of this server in the network with all server details)
- Evidence of using a reliable and accurate source (including but not limited to: a screenshot or direct example of the configuration of this server that proves the use of the SASO source or others)