Global cybersecurity regulationstranslated

Around the world, countries are taking steps to improve the cybersecurity stance and adapt to emerging threats. The United States, European Union, Australia, the United Kingdom, and other countries have made significant changes to their regulations recently.

As part of Saudi Vision 2030, a government program aiming to diversify the Kingdom’s economy, Saudi Arabia is taking similar measures, releasing the Personal Data Protection Law in 2023, Data Cybersecurity Controls, Operational Technology Cybersecurity Controls, and a new toolkit “to guide essential cybersecurity controls implementation,” per Dark Reading.

These commitments helped the Kingdom achieve the highest global ranking in the IMD World Competitiveness Yearbook 2024, which assesses countries’ performance in laying “the foundations for sustainable value creation.”translated

Saudi Arabia’s new Essential Cybersecurity Controlstranslated

The Saudi Arabia National Cybersecurity Authority (NCA) is continuing to build on this progress by developing new policies to protect the Kingdom’s critical information infrastructure, enhance the nation’s cybersecurity capabilities, and promote a secure digital environment for government.

The NCA’s Essential Cybersecurity Controls (ECC) apply to government organizations in the Kingdom of Saudi Arabia, including ministries, authorities, establishments, companies, entities, and private sector organizations owning, operating, or hosting Critical National Infrastructure (CNI).

The Essential Cybersecurity Controls (ECC) consists of:

  • 5 Cybersecurity Main Domains
  • 29 Cybersecurity Sub-Domains
  • 114 Cybersecurity Controls

How to Comply With Saudi Arabia's National Cybersecurity Regulations

For businesses operating in Saudi Arabia, ECC is a core business mandate and critical to maintain operations, protect data, and defend against threats. Failure to comply with the regulation can result in regulatory sanctions, restrictions from participating in government contracts, legal action, audits, and an increased risk of cyberattacks.translated

ECC identity and access management requirementstranslated

With nearly two decades of experience working in Saudi Arabia and helping security-first organizations meet global cybersecurity regulations, RSA provides the technical capabilities that organizations need to meet the EEC Implementation guidelines and deploy the controls EEC requires, including:

  • A password policy to define the way passwords are created, the complexity requirements, secure storage, safe transmission, periodic randomization, prompt deprovisioning, continuous monitoring, and more.
  • Secure log-on procedures to control access to systems and applications and prove the identity of the user.
  • Standards that include technology-specific access control requirements.

translated

How RSA helps organizations meet ECC IAM requirements translated

Given the NCA’s emphasis on IAM, organizations should prioritize the solutions that provide a range of security-first access control and authentication capabilities that address multiple NCA compliance mandates.

The RSA Unified Identity Platform provides the automated identity intelligence, access management, access governance, authentication, and lifecycle capabilities organizations need to prevent risks, detect threats, and ensure compliance:

  1. Multi-Factor Authentication (MFA): NCA regulations require the use of strong MFA to verify user identities before granting access to sensitive systems and data. RSA® ID Plus provide a range of MFA options, including FIDO, biometrics, QR code, hardware authenticators (as the new RSA iShield Key 2 Series, powered by Swissbit), mobile push, and more.
  2. AI Risk-Based Access Policies: Organizations can use RSA® Risk AI to establish granular, risk-based access policies that align with NCA guidelines. The solution uses machine learning, behavioral analytics, and business context to dynamically evaluate user risk profiles and enforce appropriate access controls in real-time.
  3. Identity Governance and Administration (IGA): RSA® Governance & Lifecycle provides a centralized platform to onboard, manage, and monitor user identities across your organization. The solution enables organizations to meet NCA’s directives on identity governance and access control.
  4. Identidade federada: SSO can simplify user access across various applications and remove password-based authentication. RSA My Page provides self-service functionality, credential management, and branded experiences that allow employees to securely log-in and seamlessly access multiple services.

translated

Stay compliant with ECCtranslated

After nearly two decades working in Saudi Arabia, RSA has become familiar with the country, its culture, and how the NCA’s new regulations can elevate local organizations’ cybersecurity stance. RSA can help your organization strengthen your identity security posture, ensure compliance with NCA regulations, and safeguard your organization’s most valuable assets, all while delivering a seamless user experience for your employees and customers.

Our solutions can work in the cloud, across hybrid environments, or on-premises—and can accommodate additional environments as organizations adapt their infrastructure over the long-term. The RSA Ready program supports integrations with more than a thousand IT networking, security, and business application solutions.

Our team of experts is ready to work closely with you to assess your specific needs and implement our solution in a manner that optimizes your compliance efforts. Contact us to learn more or start a 45-day trial of ID Plus for free today.translated