Sample Cybersecurity Strategy
Uploaded by Praveen Rajkumar

DOCUMENT DISTRIBUTION AND REVIEW HISTORY

Document Control
Classification: Confidential
Document Title: Cybersecurity Strategy
Document Owner: Cybersecurity Department
Author(s): Technology Control Company
Document Date: 26/03/2023
Issued Date:
Reviewed By:

Approval
Role: Chief Executive Officer | Name: | Signature:

Change Record
Ver No: 1.1 | Author: Technology Control Company | Change Reference: Initial version

Distribution
Department: Risk, Governance and Compliance | Role: | Name:

Table of Contents
1. Introduction ........................................................................................................................................ 3
2. Purpose ............................................................................................................................................... 3
3. Scope ................................................................................................................................................... 3
4. Acronym ............................................................................................................................................. 3
5. Roles and Responsibilities ................................................................................................................... 4
6. XXXX Cybersecurity Vision and Mission .............................................................................................. 6
7. Drivers for Cybersecurity Strategy ...................................................................................................... 6
8. SWOT Analysis ..................................................................................................................................... 8
9. Business Strategy ................................................................................................................................ 9
10. Regulations ........................................................................................................................................ 10
11. XXXX Principles of Cybersecurity....................................................................................................... 10
12. Cybersecurity Strategic Pillars ........................................................................................................... 10
13. Cybersecurity Organization ............................................................................................................... 11
14. Cybersecurity Strategic Elements ..................................................................................................... 12
15. Implementation Roadmap ................................................................................................................ 17
16. Associated Documents ...................................................................................................................... 21

1. Introduction
The (XXXX) was established on DD/MM/YYYY, in conjunction with the Royal decree, with the approval of the Council of Ministers, on the XXXX. XXXX is an independent administrative and financial agency, associated with the Economic Affairs and Development Council. The XXXX's system coordinates with all sectors and agencies in Saudi Arabia, which creates a pressing need to develop a Cybersecurity Strategy that frames the drivers for the cybersecurity program.
The Cybersecurity Strategy is comprised of high-level plans for XXXX; this Strategy document is a guideline on how XXXX shall go about securing its assets and minimizing cyber risks and threats.
• The Cybersecurity Strategy shall be adaptable to the current threat landscape and ever-evolving technology and regulatory requirements.
• The Cybersecurity Strategy is developed with a three-year vision and shall be updated and revised at a pre-defined annual interval, or as and when the need arises.
• The Cybersecurity Strategy also establishes a strategic baseline for XXXX's cybersecurity program to continuously adapt to emerging threats and risks.

2. Purpose
The purpose of this Cybersecurity Strategy is to provide a vision to XXXX. It also serves as a blueprint for XXXX, with the objective of guiding the key stakeholders as XXXX and its business environment evolve.

3. Scope
The Cybersecurity Strategy shall be applicable to all the facilities/locations that XXXX operates at currently or may plan to operate at in the future. This program applies to XXXX staff and to third-party/outsourced staff having access to or handling XXXX information, including those involved in providing or managing cybersecurity services for XXXX as a third party in the course of their business activities.

4. Acronyms
• XXXX
• Political, Economic, Social, Technological, Legal and Environmental (PESTEL).
• Cybersecurity Manager (CSM).
• Executive Director of Business Development and Digital Transformation (EDBDDT).
• Executive Director of Strategy and Performance (EDSP).
• Executive Director of Risk, Governance and Compliance (EDGRC).
• Executive Director of Shared Services (EDSS).
• Board of Directors (BoD).
• Cybersecurity Steering Committee (CSSC).

5. Roles and Responsibilities

Responsibility criteria and parameters:

Responsible: The individual(s) with responsibility for the task or deliverable; typically responsible for developing the deliverable or completing the activity in XXXX.
Accountable: The accountable party is typically the person or group responsible for ensuring the work is complete and suitable. This is usually someone with signature authority or the decision-maker in XXXX.
Consulted: Consulted individuals are those from whom feedback and input should be solicited. Consulted individuals are considered to ensure their stakeholdership in XXXX is not impacted while executing the Cybersecurity Strategy.
Informed: Informed persons are those stakeholders who should be informed of the topic under discussion or of the result of the decisions which will impact the course of the Cybersecurity Strategy.

Responsibilities and Activities (R = Responsible, A = Accountable, C = Consulted, I = Informed):

01. Develop the Cybersecurity Strategy based on Political, Economic, Social, Technological, Legal and Environmental (PESTEL) analysis and align it with Vision 2030.
    R: CSM | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
02. Specific, Measurable, Result Oriented, Achievable, Timebound (SMART) objectives are developed in the Cybersecurity Strategy.
    R: CSM | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
03. The responsibilities of the third parties, agencies and Ministries associated with the Cybersecurity Strategy are identified in the project plan.
    R: CSM | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
04. Discuss the developed Cybersecurity Strategies with the Cybersecurity Committee members in the Cybersecurity Committee Meeting.
    R: CSM | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
05. Ensure adequate budgets are allocated to the Cybersecurity Strategy.
    R: BoD | A: BoD | C: CSM | I: EDGRC/EDBDDT
06. Provide governance and oversight to the Cybersecurity Department on the implementation of the Cybersecurity Strategy.
    R: BoD | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
07. Provide sufficient management support in order to execute the Cybersecurity Department projects identified in the Cybersecurity Strategy.
    R: EDBDDT/EDGRC/CSM/EDSS | A: EDBDDT/EDGRC/CSM/EDSS | C: CSM | I: BoD
08. Review and provide advice regarding new regulations or changes to existing regulations.
    R: EDGRC | A: CSM | C: EDGRC/EDBDDT/EDSS/CSM | I: BoD
09. Review and endorse the roles and responsibilities required to meet the Cybersecurity Strategy.
    R: BoD | A: CSM | C: EDGRC/EDBDDT/EDSS | I: BoD
10. Develop the Key Performance Indicators (KPIs) required to monitor the success criteria for completing the KPI.
    R: CSM | A: CSM | C: EDBDDT/EDGRC/CSM/EDSS/EDSP | I: BoD/EDSP
11. Review and monitor the cybersecurity objectives and KPIs.
    R: CSM/BoD | A: CSM/BoD | C: CSM/EDSP | I: BoD/EDSP
12. Attend Cybersecurity Steering Committee meetings on the status of the Cybersecurity Department Strategy every quarter.
    R: CSM | A: CSM/EDBDDT/EDGRC/EDSS | C: CSM/EDSP/EDGRC/EDBDDT/EDSS | I: BoD
13. Review the results of management reviews and identify areas/actions for improvement. Ensure the actions for improvement of the Cybersecurity Department are implemented.
    R: CSM | A: CSM/EDBDDT/EDGRC/EDSS | C: CSM/EDBDDT/EDGRC/EDSS | I: BoD
14. Review the capabilities of the Cybersecurity Department in semiannual Cybersecurity Committee Meetings to restructure the resource plans to successfully complete the Cybersecurity Strategic objectives.
    R: CSSC | A: CSM | C: CSM | I: CSM/EDBDDT/EDGRC/EDSS

6. XXXX Cybersecurity Vision and Mission

Vision
XXXX is determined to align its cybersecurity controls with the XXXX business drivers and digital transformation efforts, the national cybersecurity objectives, and the Vision 2030 objectives for XXXX, while continuing to improve its cybersecurity posture by implementing the best emerging technologies and digital solutions.

Mission
The mission is to develop an implementation roadmap that improves People, Process and Technology through a continual improvement approach, exceeding the performance criteria set for the Cybersecurity Department, with oversight from the Senior Management in XXXX.

7. Drivers for Cybersecurity Strategy

Figure (drivers surrounding the Strategy): Compliance Requirements; Independent Assessments Strategy; Legal, Regulatory and Govt. Cybersecurity Guidelines; Business Strategy; Advanced Security Monitoring; Enterprise IT Strategy; Ensure Continuous Operations (BCM); Information Risk Analysis.

- Independent Assessments Strategy: Being state funded, XXXX is subject to multiple regulations and standards and must stay aligned with the Vision 2030 provisions and targets while safeguarding its business processes and data. Adoption of an independent assessment strategy for the evaluation and validation of XXXX's security posture allows XXXX to fulfil its charter objectively, more readily, and without conflicts of interest.

- Business Strategy: Strategic alignment of cybersecurity in support of XXXX's objectives is a highly desirable goal that is often difficult to achieve. It should be clear that the cost effectiveness of the cybersecurity program is inevitably tied to how well it supports the objectives of the organisation, and at what cost.

- Enterprise IT Strategy: The Cybersecurity Strategy is designed to function in tandem with XXXX's Enterprise IT Strategy.

- Information Risk Analysis: To ensure that security risks to XXXX's and its stakeholders' information are properly managed by protecting the Confidentiality, Integrity and Availability of the information assets, and to ensure that the cybersecurity risk management process is aligned with XXXX's enterprise risk management process.

- Ensure Continuous Operations (BCM): To ensure that technology initiatives related to the continuity of business operations, and the continuity of cybersecurity, are in alignment with the strategic business objectives and embed business continuity management (BCM) best practices.

- Advanced Security Monitoring: Advanced security monitoring practices are crucial to the proactive detection of potential attack vectors, enabling XXXX to respond effectively to attempted security breaches and to continuously monitor changes in its threat landscape.

8. Strength, Weakness, Opportunity and Threat (SWOT) Analysis
The SWOT analysis examines the gaps between the current status and the target position of cybersecurity. It illustrates the strengths and weaknesses of XXXX, the opportunities available to XXXX, and the threats it faces.

Strengths (S)
• Multi-factor authentication for users to some web applications and e-mail services.
• Practices for collecting Non-Disclosure Agreements (NDA) are adopted.
• Internal synergy between employees, the Department and Senior Management oversight has enabled cybersecurity initiatives.
• Hosting of a virtual private cloud within the Kingdom of Saudi Arabia (KSA), reducing the risks due to cross-border data leakage.
• Existence of security technologies such as firewalls and anti-virus.
• The asset inventory is updated periodically to reflect the asset universe, to build resilient technology services for XXXX.
• A Steering Committee was formed in 2022 to have oversight of the Cybersecurity Department.
• Manual cybersecurity (CS) awareness for the employees in XXXX has been practiced judiciously.

Weaknesses (W)
• Inadequate physical security control enforcement, such as CCTV cameras in the Data Center, physical entry controls, etc.
• Inadequate access segregation and review for critical and non-critical systems.
• Lack of stringent Human Resources (HR) screening or employee onboarding process for XXXX employees.
• Asset classification and data classification are not implemented in XXXX.
• Lack of an incident response plan.
• Lack of automation for identity and access management with centralization.
• Lack of cybersecurity policies and procedures.
• Lack of risk management practices and methodology, and of a centralized risk register.
• Lack of a business continuity and disaster recovery plan with annual business and recovery testing.
• Lack of a centralized asset register.
• Lack of a CMDB.
• Lack of third-party monitoring on cybersecurity requirements and controls.
• Lack of inclusion of cybersecurity requirements in third-party contracts.
• Lack of proper security technology configurations and hardening.
• Lack of understanding and definition of the laws and regulations applicable to XXXX.
• Lack of a centralized patching solution.
• Lack of change management and hardening of systems.
• Lack of DDoS testing and bi-annual scrubbing review.

Opportunities (O)
• XXXX is the only government entity or center to provide XXXX; this will support the entity in obtaining financial support for the current cybersecurity program.
• A Mobile Device Manager (MDM) solution is planned to be implemented in 2023.
• Senior Management has the vision to launch new services starting from 2023 and to enable the cybersecurity controls for this vision.
• Desire of XXXX to be prepared and on standby for secure remote work in case of business failure and/or remote work need.
• Capability exists to develop and implement cybersecurity hardening guidelines.

Threats (T)
• Lack of third-party risk assessments.
• Lack of a patch management solution.
• Lack of vulnerability assessments (VA).
• Third-party cybersecurity requirements and controls are not embedded in current managed services, cloud providers and vendors.
• The datacenter has a point of failure, as the resiliency plan is not developed.
• Lack of user authorization based on identity and access controls.
• Security requirements are not embedded in contracts.
• Data loss due to lack of Data Leakage Prevention (DLP) controls.
• Lack of brand protection services in XXXX.
• Lack of IPS/IDS.
• Third-party access reviews are not performed.
• Access to the data center is not adequately enforced.
• Cybersecurity control implementation is not adequately enforced.
• Internal Audit control review is not adequately practiced.

9. Business Strategy
In the year 2022, XXXX had two products: XXXX and XXXX. XXXX offers many benefits to the holders of the XXXX: conducting business in accordance with the Foreign Investment Law, hiring domestic workers, issuing visiting visas for relatives, owning more than two vehicles, using airport lanes designated for citizens, exemption from financial fees for expatriates and companions, the freedom to leave and return to the Kingdom, and the ability to work in the private sector. In 2023, XXXX's vision was changed to focus on economic growth, increased foreign investment, the acquisition of talent and exceptional efficiencies, entrepreneurship support, and increased local consumption. XXXX will aim to launch five new products in addition to their previous ones, which are XXXX, XXXX, XXXX, XXXX, XXXX, and XXXX.

Figure (product roadmap): 2022: Limited Duration XXXX and Unlimited Duration XXXX; 2023 to 2024: Exceptional Talent, Efficiency, Business Investor, Property Owner and Entrepreneur.

10. Regulations
• National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC).
• National Cybersecurity Authority (NCA) Cloud Cybersecurity Controls (CCC).
• National Cybersecurity Authority (NCA) Telework Cybersecurity Controls (TCC).
• National Cybersecurity Authority (NCA) Organizations' Social Media Accounts Cybersecurity Controls (OSMACC).
• National Cybersecurity Authority (NCA) Critical Systems Cybersecurity Controls (CSCC).
• National Cybersecurity Authority (NCA) Data Cybersecurity Controls (DCC).

11. XXXX Principles of Cybersecurity
• Govern: Identifying and managing security risks
• Protect: Implementing security controls to reduce security risks
• Detect: Detecting and understanding cybersecurity events
• Respond: Responding to and recovering from cybersecurity incidents

12. Cybersecurity Strategic Pillars
1. Cybersecurity by Design (CD): Architect cybersecurity into every facet of XXXX's business, ensuring cybersecurity from the ground up across people, process, technology, and governance.
2. Business Resilience (BR): Protect XXXX's business-critical infrastructure, applications, and data, and help accelerate recovery from a data breach or similar disruptions.
3. Digitalization & Automation (DA): Automate cybersecurity solutions to protect XXXX against sophisticated cybersecurity threats through the digitalization of workflows, to understand threat patterns and provide faster incident response.
4. Cloud Centralization and Transformation (CCT): Move towards a centralized cloud environment through secure solutions and practices, to avoid fragmented access controls and permissions.

13. Cybersecurity Organization

14. Cybersecurity Strategic Elements

14.1 Internal Objective 1 – IDENTIFY AND MANAGE
• Effectively manage People, Risk, Resources and Governance to address cybersecurity risks.
• XXXX will have the governance and information needed to manage and oversee cybersecurity risk.

Intended Outcomes:
• Governance and risk management processes enable effective management and oversight of the cybersecurity program and risk-based decision-making.
• Cybersecurity risks to critical operations, including those from third parties, are understood and effectively assessed.
• XXXX has access to the right cyber skills and talent at the right time.

Strategic Actions:
To achieve these intended outcomes, XXXX will continue to develop its governance and risk management framework to include:
• Establish a robust governance framework comprising the policies, processes, and guidelines required to ensure oversight of XXXX's cybersecurity program; (CD)
• An updated risk appetite and metrics to support risk-based decision making, e.g., Key Risk Indicators, Key Performance Indicators, and Maturity Targets; (CD)
• Enhanced and automated reporting tools to support effective program oversight; (DA)
• Clear roles and responsibilities across the three lines of defence; (CD)
• Consistent and rigorous risk assessments of third parties throughout the lifecycle; (CD)
• Workforce planning for cyber resources to meet future cybersecurity skills and talent needs; (CD)
• Employ the tools and technology required to effectively manage risks associated with vendors and suppliers (third parties); (CD) (BR)
• Assess and manage cybersecurity risks across all XXXX projects (including but not limited to business, IT, and development projects) according to the risk management framework; (CD) (BR)
• Identify all applicable regulations and framework requirements and ensure compliance; (CD)
• Plan and carry out regular independent audits/assessments/validations (internal and external) of employed security services and controls. (CD)

14.2 Internal Objective 2 – PROTECT
• Establish a proactive posture against cyber-attacks.
• Protect the mission-critical and critical digital assets, also known as the crown jewels.

Intended Outcomes:
• Vulnerabilities are rapidly identified, impact is understood, and appropriate mitigations are applied.
• Access to assets and systems is effectively managed and limited to authorized users and usage.
• Data is appropriately categorized and safeguarded.
• Employees' cybersecurity awareness exceeds peer organizations.
• Cybersecurity services are updated, and security is built in to system designs.

Strategic Actions:
To achieve these intended outcomes, XXXX will:
• Mature Identity and Access Management capabilities to include effective, centralized control of privileged identities and a secure application to manage the access of external partners to XXXX systems; (CD) (CC)
• Continue to develop the security testing program to support more systematic assessments of the effectiveness of cyber defences (people, processes, and technology) and the identification of vulnerabilities and exposure to malware; (CD) (BR)
• Enhance processes and tools to categorize sensitive data, and measures to prevent and detect data loss, to reduce data security risks; (DA)
• Mature XXXX's cybersecurity awareness program, including training and testing on preventive measures (e.g., effective password management) and new capabilities to detect and respond to cyber-attacks (e.g., through malicious emails); (BR) (CD)
• Implement next-generation automated cybersecurity (electronic) services and controls, such as firewalls, data leakage solutions, and endpoint protection and management, to improve the resilience and security of all business environments; (DA) (BR)
• Ensure implementation of cryptographic controls across all classified/sensitive information in transit and at rest; (DP)
• Ensure XXXX's products incorporate the principles of 'security by design' and are developed using secure coding practices; (CD)
• Ensure all XXXX applications and products are adequately tested for security loopholes at all stages of development, and employ security best practices in product development; (CD) (DA)
• Focus on digitization and automation of processes to enhance integrity and reduce security risks due to human error; (DA)
• Ensure all physical premises and information processing facilities used by XXXX are adequately protected against physical and environmental threats; (DP)
• Leverage state-of-the-art tools and technologies to centrally manage and secure XXXX's cloud environments. (CC)

14.3 Internal Objective 3 – DETECT
• Strengthen systems to identify a cybersecurity event.
• XXXX will expand cyber defense capabilities to find a problem when it does occur.

Intended Outcomes:
• Cyber-attacks are rapidly detected and appropriately managed.
• Security configurations are consistently applied and monitored.
• Timely threat intelligence supports effective cyber incident management.

Strategic Actions:
To achieve these intended outcomes, XXXX will:
• Implement next generation security monitoring tools and processes, such as real-time analysis and behaviour analytics, to rapidly detect malicious activities and understand the potential impact of events; (DA) (BR)
• Conduct regular cybersecurity tests to exercise cyber defences, detection, and assessment capabilities; (BR)
• Augment detection processes and procedures, such as expanded end-point detection and data mining capabilities; (DA)
• Implement strong standards for security configuration and continuously monitor for configuration changes; (CC)
• Improve processes to handle threat intelligence information and develop threat hunting activities to detect malicious activities; (BR)
• Establish robust BYOD policies, processes, and controls to ensure all mobile devices (including but not limited to laptops and handhelds) connecting to XXXX's infrastructure are adequately secured, monitored and trustworthy; (DA)
• Ensure processes associated with the human capital at XXXX address relevant cybersecurity risks prior to employment, during employment and at termination of employment. (CD)

14.4 Internal Objective 4 – RESPOND
• Enhance measures to limit the impact of a potential cybersecurity incident.
• XXXX will ensure it has what it needs to respond effectively when an incident occurs.

Intended Outcomes:
• Incident response actions are consistently handled 24 x 7 and automated when appropriate.
• Cyber defence and response plans and processes are regularly exercised.
• Response activities are effectively coordinated with internal and external stakeholders.
• Forensic investigation is performed effectively.

Strategic Actions:
To achieve these intended outcomes, XXXX will:
• Further increase the frequency and coverage of cybersecurity tests, audits, and assessments to exercise XXXX's cyber defence capabilities to respond to an event. This includes expanding response plans and testing activities using a coordinated approach with external stakeholders, such as the National Cybersecurity Authority and the state government. This is consistent with the External Objectives outlined in the next section. (BR)

14.5 Internal Objective 5 – RECOVER
• Build resilience to recover from a cyber event.
• XXXX will ensure it can restore normal business operations.

Intended Outcomes:
• Recovery from cyber incidents occurs within an appropriate timeframe, including proper communications with both external and internal parties.
• Recovery from a cyber-attack is exercised regularly and plans are continuously improved.

Strategic Actions:
To achieve these intended outcomes, XXXX will:
• Test cybersecurity incident recovery capabilities with internal and external stakeholders (financial system participants, federal government, etc.) to ensure approaches are consistently used in all scenarios. This is an important focus of our external objectives outlined below. Incident response processes will be developed or updated. (BR)
• Manage cybersecurity issues efficiently through co-ordination and communication with all affected stakeholders. Cyber recovery playbooks and tabletop exercises will be used to test recovery preparation and speed. In particular, XXXX's ability to respond to and recover from a ransomware attack will be enhanced and tested. (BR)

15. Implementation Roadmap

15.1 Internal Objective 1 – IDENTIFY AND MANAGE
• Effectively manage People, Risk, Resources and Governance to address cybersecurity risks.
• XXXX will have the governance and information needed to manage and oversee cybersecurity risk.

15.2 Internal Objective 2 – PROTECT
• Establish a proactive posture against cyber-attacks.
• Protect the mission-critical and critical digital assets, also known as the crown jewels.

15.3 Internal Objective 3 – DETECT
• Strengthen systems to identify a cybersecurity event.
• XXXX will expand cyber defense capabilities to find a problem when it does occur.

15.4 Internal Objective 4 – RESPOND & Internal Objective 5 – RECOVER
The cybersecurity roadmap for objectives 4 and 5 is covered in the same implementation roadmap.

RESPOND
• Enhance measures to limit the impact of a potential cybersecurity incident.
• XXXX will ensure it has what it needs to respond effectively when an incident occurs.

RECOVER
• Build resilience to recover from a cyber event.
• XXXX will ensure it can restore normal business operations.

16. Associated Documents
• Cybersecurity Steering Committee Charter.
• Cybersecurity Risk Management Methodology.
• Acceptable Use Policy.
• Anti-Malware Policy.
• Application Security Policy.
• Asset Management Policy.
• Backup Recovery Policy.
• Business Continuity Management Policy.
• Cloud Security Policy.
• Cybersecurity Policy for Hosted Services.
• Compliance Policy.
• Cryptography Policy.
• Cybersecurity Social Media Policy.
• Data Center Policy.
• Data Protection & Classification Policy.
• Email Usage Policy.
• Human Resources Security Policy.
• Identity and Access Control Policy.
• Incident Management Policy.
• Cybersecurity Management Policy.
• Cybersecurity Organization Policy.
• Mobile Device Policy.
• Network Security Policy.
• Operations Security Policy (includes Change Management, Patch Management, Capacity Management and Log Management).
• Outsourcing and Third-party Policy.
• Password Policy.
• Penetration Test Policy.
• Physical Security Policy.
• Technical Project Management Policy.
• Remote Work Policy.
• Risk Management Policy.
• Security Auditing Policy.
• Vulnerability Management Policy.
