Essential Cybersecurity Controls (ECC – 2 : 2024) Handbook

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Strategy

To ensure that cybersecurity plans, goals, initiatives and projects are contributing to compliance with related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Management

To ensure authorizing official’s support in implementing and managing cybersecurity programs within the organization as per related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Policies And Procedures

To ensure that cybersecurity requirements are documented, communicated and complied with by the organization as per related laws and regulations, and organizational requirements.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Roles And Responsibilities

To ensure that roles and responsibilities are defined for all parties participating in implementing the cybersecurity controls within the organization.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Risk Management

To ensure managing cybersecurity risks in a methodological approach in order to protect the organization’s information and technology assets as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity In Information And Technology Project Management

To ensure that cybersecurity requirements are included in project management methodology and procedures in order to protect the confidentiality, integrity and availability of information and technology assets as per organization policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Compliance With Cybersecurity Standards, Laws And Regulations

To ensure that the organization’s cybersecurity program is in compliance with related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Periodical Cybersecurity Review And Audit

To ensure that cybersecurity controls are implemented and in compliance with organizational policies and procedures, as well as related national and international laws, regulations and agreements.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity In Human Resources

To ensure that cybersecurity risks and requirements related to personnel (employees and contractors) are managed efficiently prior to employment, during employment and after termination/separation as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Awareness And Training Program

To ensure that personnel are aware of their cybersecurity responsibilities and have the essential cybersecurity awareness. It is also to ensure that personnel are provided with the required cybersecurity training, skills and credentials needed to accomplish their cybersecurity responsibilities and to protect the organization’s information and technology assets.

Essential Cybersecurity Controls (ECC – 2 : 2024) Asset Management

To ensure that the organization has an accurate and detailed inventory of information and technology assets in order to support the organization’s cybersecurity and operational requirements to maintain the confidentiality, integrity and availability of information and technology assets.

Essential Cybersecurity Controls (ECC – 2 : 2024) Identity And Access Management

To ensure the secure and restricted logical access to information and technology assets in order to prevent unauthorized access and allow only authorized access for users which are necessary to accomplish assigned tasks.

Essential Cybersecurity Controls (ECC – 2 : 2024) Information System And Information Processing Facilities Protection

To ensure the protection of information systems and information processing facilities (including workstations and infrastructures) against cyber risks.

Essential Cybersecurity Controls (ECC – 2 : 2024) Email Protection

To ensure the protection of email service from cyber risks.

Essential Cybersecurity Controls (ECC – 2 : 2024) Networks Security Management

To ensure the protection of organization’s network from cyber risks.

Essential Cybersecurity Controls (ECC – 2 : 2024) Mobile Devices Security

To ensure the protection of mobile devices (including laptops, smartphones, tablets) from cyber risks and to ensure the secure handling of the organization’s information (including sensitive information) while utilizing bring your own device (BYOD) policy.

Essential Cybersecurity Controls (ECC – 2 : 2024) Data And Information Protection

To ensure the confidentiality, integrity and availability of organization’s data and information as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cryptography

To ensure the proper and efficient use of cryptography to protect information assets as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Backup And Recovery Management

To ensure the protection of organization’s data and information including information systems and software configurations from cyber risks as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Vulnerabilities Management

To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of exploiting these vulnerabilities to launch cyber attacks against the organization.

Essential Cybersecurity Controls (ECC – 2 : 2024) Penetration Testing

To assess and evaluate the efficiency of the organization’s cybersecurity defense capabilities through simulated cyber-attacks to discover unknown weaknesses within the technical infrastructure that may lead to a cyber breach.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Event Logs And Monitoring Management

To ensure timely collection, analysis and monitoring of cybersecurity events for early detection of potential cyber-attacks in order to prevent or minimize the negative impacts on the organization’s operations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Incident And Threat Management

To ensure timely identification, detection, effective management and handling of cybersecurity incidents and threats to prevent or minimize negative impacts on organization’s operation taking into consideration the Royal Decree number 37140, dated 14/8/1438H.

Essential Cybersecurity Controls (ECC – 2 : 2024) Physical Security

To ensure the protection of information and technology assets from unauthorized physical access, loss, theft and damage.

Essential Cybersecurity Controls (ECC – 2 : 2024) Web Application Security

To ensure the protection of external web applications against cyber risks.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cybersecurity Resilience Aspects Of Business Continuity Management (BCM)

To ensure the inclusion of the cybersecurity resiliency requirements within the organization’s business continuity management and to remediate and minimize the impacts on systems, information processing facilities and critical e-services from disasters caused by cybersecurity incidents.

Essential Cybersecurity Controls (ECC – 2 : 2024) Third-Party Cybersecurity

To ensure the protection of assets against the cybersecurity risks related to third-parties including outsourcing and managed services as per organizational policies and procedures, and related laws and regulations.

Essential Cybersecurity Controls (ECC – 2 : 2024) Cloud Computing And Hosting Cybersecurity

To ensure the proper and efficient remediation of cyber risks and the implementation of cybersecurity requirements related to hosting and cloud computing as per organizational policies and procedures, and related laws and regulations. It is also to ensure the protection of the organization’s information and technology assets hosted on the cloud or processed/managed by third-parties.