SAMA Cyber Security Framework
The Saudi Central Bank (SAMA) cyber security framework is mandatory for all financial institutions regulated by SAMA. It has four domains: cyber security leadership and governance, risk management and compliance, operations and technology, and third-party cyber security. It is built on the NIST CSF, augmented with controls drawn from ISO 27001, NIST 800-53, PCI DSS, and the SWIFT CSCF.
AC (19) AT (6) AU (2) CA (7) CM (12) CP (1) IA (12) IR (9) MA (1) MP (8) PE (21) PL (3) PM (19) PS (9) PT (1) RA (7) SA (13) SC (19) SI (9) SR (6)
AC Access Control
| Control | Name | SAMA CSF References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 1.2, 3.1 |
| AC-02 | Account Management | 3.1 |
| AC-03 | Access Enforcement | 3.1 |
| AC-04 | Information Flow Enforcement | 3.1, 3.3 |
| AC-05 | Separation Of Duties | 1.5, 3.1 |
| AC-06 | Least Privilege | 3.1 |
| AC-07 | Unsuccessful Login Attempts | 3.1 |
| AC-08 | System Use Notification | 3.1 |
| AC-09 | Previous Logon Notification | 3.1 |
| AC-10 | Concurrent Session Control | 3.1 |
| AC-11 | Session Lock | 3.1 |
| AC-12 | Session Termination | 3.1 |
| AC-14 | Permitted Actions Without Identification Or Authentication | 3.1 |
| AC-16 | Automated Labeling | 3.1 |
| AC-17 | Remote Access | 3.1, 3.3, 3.8 |
| AC-18 | Wireless Access Restrictions | 3.1, 3.3 |
| AC-19 | Access Control For Portable And Mobile Devices | 3.1, 3.3, 3.8 |
| AC-20 | Use Of External Information Systems | 3.8, 4.3 |
| AC-24 | Access Control Decisions | 3.1 |
AT Awareness and Training
AU Audit and Accountability
CA Security Assessment and Authorization
| Control | Name | SAMA CSF References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 1.2 |
| CA-02 | Security Assessments | 1.3, 1.9, 2.2, 4.2 |
| CA-05 | Plan Of Action And Milestones | 1.3, 1.8, 1.9, 2.2 |
| CA-06 | Security Accreditation | 1.9 |
| CA-07 | Continuous Monitoring | 1.3, 1.9, 2.2 |
| CA-08 | Penetration Testing | 1.9 |
| CA-09 | Internal System Connections | 4.3 |
CM Configuration Management
| Control | Name | SAMA CSF References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 1.2 |
| CM-02 | Baseline Configuration | 3.3, 3.5, 3.8, 4.3 |
| CM-03 | Configuration Change Control | 3.3, 3.5 |
| CM-04 | Monitoring Configuration Changes | 3.2, 3.5 |
| CM-05 | Access Restrictions For Change | 3.5 |
| CM-06 | Configuration Settings | 3.3, 3.5, 3.8, 4.3 |
| CM-07 | Least Functionality | 3.3, 3.5 |
| CM-08 | Information System Component Inventory | 2.1 |
| CM-09 | Configuration Management Plan | 2.1, 3.5 |
| CM-12 | Information Location | 2.1 |
| CM-13 | Data Action Mapping | 2.1 |
| CM-14 | Signed Components | 3.2, 3.5 |
CP Contingency Planning
| Control | Name | SAMA CSF References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 1.2 |
IA Identification and Authentication
| Control | Name | SAMA CSF References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 1.2, 3.1 |
| IA-02 | User Identification And Authentication | 3.1 |
| IA-03 | Device Identification And Authentication | 3.1 |
| IA-04 | Identifier Management | 3.1 |
| IA-05 | Authenticator Management | 3.1 |
| IA-06 | Authenticator Feedback | 3.1 |
| IA-07 | Cryptographic Module Authentication | 3.1, 3.4 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 3.1 |
| IA-09 | Service Identification and Authentication | 3.1 |
| IA-10 | Adaptive Authentication | 3.1 |
| IA-11 | Re-authentication | 3.1 |
| IA-12 | Identity Proofing | 3.1 |
IR Incident Response
| Control | Name | SAMA CSF References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 1.2, 3.6 |
| IR-02 | Incident Response Training | 3.6 |
| IR-03 | Incident Response Testing And Exercises | 3.6 |
| IR-04 | Incident Handling | 3.6 |
| IR-05 | Incident Monitoring | 3.6 |
| IR-06 | Incident Reporting | 2.2, 3.6 |
| IR-07 | Incident Response Assistance | 3.6 |
| IR-08 | Incident Response Plan | 3.6 |
| IR-09 | Information Spillage Response | 3.6 |
MA Maintenance
| Control | Name | SAMA CSF References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | 1.2 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | SAMA CSF References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 1.2, 3.7 |
| PE-02 | Physical Access Authorizations | 3.7 |
| PE-03 | Physical Access Control | 3.7 |
| PE-04 | Access Control For Transmission Medium | 3.7 |
| PE-05 | Access Control For Display Medium | 3.7 |
| PE-06 | Monitoring Physical Access | 3.7 |
| PE-08 | Access Records | 3.7 |
| PE-09 | Power Equipment And Power Cabling | 3.7 |
| PE-10 | Emergency Shutoff | 3.7 |
| PE-11 | Emergency Power | 3.7 |
| PE-12 | Emergency Lighting | 3.7 |
| PE-13 | Fire Protection | 3.7 |
| PE-14 | Temperature And Humidity Controls | 3.7 |
| PE-15 | Water Damage Protection | 3.7 |
| PE-16 | Delivery And Removal | 3.9 |
| PE-17 | Alternate Work Site | 3.7 |
| PE-18 | Location Of Information System Components | 3.7 |
| PE-19 | Information Leakage | 3.7 |
| PE-20 | Asset Monitoring and Tracking | 3.7 |
| PE-21 | Electromagnetic Pulse Protection | 3.7 |
| PE-23 | Facility Location | 3.7 |
PL Planning
PM Program Management
| Control | Name | SAMA CSF References |
|---|---|---|
| PM-01 | Information Security Program Plan | 1.1, 1.2, 1.3, 1.8, 2.2 |
| PM-02 | Information Security Program Leadership Role | 1.1, 1.5 |
| PM-03 | Information Security and Privacy Resources | 1.1 |
| PM-05 | System Inventory | 2.1 |
| PM-06 | Measures of Performance | 1.3, 1.9, 2.2 |
| PM-07 | Enterprise Architecture | 1.4 |
| PM-09 | Risk Management Strategy | 1.1, 1.2, 1.3, 1.8, 2.2 |
| PM-10 | Authorization Process | 1.1, 1.2 |
| PM-11 | Mission and Business Process Definition | 1.2 |
| PM-13 | Security and Privacy Workforce | 1.6 |
| PM-14 | Testing, Training, and Monitoring | 1.3, 1.9, 2.2, 4.2 |
| PM-15 | Security and Privacy Groups and Associations | 1.6 |
| PM-16 | Threat Awareness Program | 3.6 |
| PM-24 | Data Integrity Board | 1.2 |
| PM-28 | Risk Framing | 1.8 |
| PM-29 | Risk Management Program Leadership Roles | 1.1, 1.8 |
| PM-30 | Supply Chain Risk Management Strategy | 1.8, 4.1 |
| PM-31 | Continuous Monitoring Strategy | 1.3, 1.9, 2.2 |
| PM-32 | Purposing | 1.8 |
PS Personnel Security
| Control | Name | SAMA CSF References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 1.2, 1.5, 1.7 |
| PS-02 | Position Categorization | 1.5, 1.7 |
| PS-03 | Personnel Screening | 1.7 |
| PS-04 | Personnel Termination | 1.7 |
| PS-05 | Personnel Transfer | 1.7 |
| PS-06 | Access Agreements | 1.7 |
| PS-07 | Third-Party Personnel Security | 1.5, 1.7, 4.1, 4.2 |
| PS-08 | Personnel Sanctions | 1.7 |
| PS-09 | Position Descriptions | 1.1, 1.5, 1.7 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | SAMA CSF References |
|---|---|---|
| PT-01 | Policy and Procedures | 1.2 |
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | SAMA CSF References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 1.2 |
| SA-03 | Life Cycle Support | 1.4, 3.2 |
| SA-04 | Acquisitions | 1.4, 3.2, 4.1, 4.2 |
| SA-08 | Security Engineering Principles | 1.4, 3.2 |
| SA-09 | External Information System Services | 4.1, 4.2, 4.3 |
| SA-10 | Developer Configuration Management | 3.2 |
| SA-11 | Developer Security Testing | 3.2 |
| SA-15 | Development Process, Standards, and Tools | 1.4, 3.2 |
| SA-16 | Developer-Provided Training | 3.2 |
| SA-17 | Developer Security and Privacy Architecture and Design | 1.4, 3.2 |
| SA-20 | Customized Development of Critical Components | 1.4, 3.2 |
| SA-21 | Developer Screening | 3.2, 4.1, 4.2 |
| SA-22 | Unsupported System Components | 3.2, 3.5 |
SC System and Communications Protection
| Control | Name | SAMA CSF References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 1.2 |
| SC-05 | Denial Of Service Protection | 3.3 |
| SC-07 | Boundary Protection | 2.1, 3.3, 4.3 |
| SC-08 | Transmission Integrity | 3.3, 3.4, 3.8, 4.3 |
| SC-10 | Network Disconnect | 3.8 |
| SC-12 | Cryptographic Key Establishment And Management | 3.4, 4.3 |
| SC-13 | Use Of Cryptography | 3.4, 4.3 |
| SC-17 | Public Key Infrastructure Certificates | 3.4 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | 3.3 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | 3.3 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | 3.3 |
| SC-23 | Session Authenticity | 3.8 |
| SC-26 | Decoys | 3.6 |
| SC-28 | Protection of Information at Rest | 3.4, 4.3 |
| SC-32 | System Partitioning | 3.3 |
| SC-40 | Wireless Link Protection | 3.3, 3.4 |
| SC-41 | Port and I/O Device Access | 3.3 |
| SC-43 | Usage Restrictions | 3.8 |
| SC-44 | Detonation Chambers | 3.6 |
SI System and Information Integrity
| Control | Name | SAMA CSF References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 1.2 |
| SI-02 | Flaw Remediation | 3.5 |
| SI-03 | Malicious Code Protection | 3.3 |
| SI-04 | Information System Monitoring Tools And Techniques | 3.3, 3.6 |
| SI-05 | Security Alerts And Advisories | 3.6 |
| SI-07 | Software And Information Integrity | 3.3 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | 3.2 |
| SI-11 | Error Handling | 3.2 |
| SI-16 | Memory Protection | 3.3 |
SR Supply Chain Risk Management
| Control | Name | SAMA CSF References |
|---|---|---|
| SR-01 | Policy and Procedures | 1.2, 4.1, 4.2, 4.3 |
| SR-02 | Supply Chain Risk Management Plan | 4.1, 4.2 |
| SR-03 | Supply Chain Controls and Processes | 4.1, 4.2 |
| SR-05 | Acquisition Strategies, Tools, and Methods | 4.1 |
| SR-06 | Supplier Assessments and Reviews | 4.1, 4.2, 4.3 |
| SR-12 | Component Disposal | 3.9 |