Osmacc en
This marking protocol is widely used around the world. It has four colors (traffic lights):
Red – Personal and Confidential to the Recipient only
The recipient is not allowed to share red-classified materials with any person, from within or outside
the organization, beyond the scope specified at the time of receipt.
Amber – Limited Sharing
The recipient of amber-classified materials may share the information contained therein only with
concerned personnel in the same organization, and with those who need it in order to take action
with regard to the information.
Green – Sharing within the Same Community
Green-classified materials may be shared with others within the same organization or in other
organizations that have relations with your organization or operate in the same sector. However,
such materials may not be shared or exchanged through public channels.
White – No Restrictions
Table of Contents
Executive Summary 8
Introduction 9
Objectives 10
Scope of Work and Applicability 10
Scope of Work 10
Statement of Applicability 10
Implementation and Compliance 11
Update and Review 11
OSMACC Domains and Structure 12
Main Domains and Subdomains of OSMACC 12
Structure 13
OSMACC 14
Appendices 20
Appendix (A): The relationship with the Essential Cybersecurity Control 20
List of Tables
Table (1): OSMACC Structure 13
Executive Summary
Social networks are one of the enablers of rapid and effective communication with beneficiaries,
which contributes to a speedy response and improves and facilitates the beneficiaries' experience.
With the increase in the official use of social networks by organizations inside the Kingdom to
communicate with beneficiaries, the risk of theft, misuse or impersonation of official social media
accounts has increased, which necessitates setting cybersecurity requirements to reduce these risks.
To contribute to reducing these risks and enhancing the protection of organizations' social media
accounts, with the aim of reaching a safe and reliable Saudi cyberspace that enables growth and
prosperity, the National Cybersecurity Authority has developed the Organizations' Social Media
Accounts Cybersecurity Controls (OSMACC - 1: 2021) to set the minimum cybersecurity requirements
that enable organizations to use social networks in a safe manner. This document explains the details
of the Organizations' Social Media Accounts Cybersecurity Controls, their goals, scope of work, and
the approach to compliance and its monitoring.
Organizations must implement all necessary measures to ensure continuous compliance with these
controls, in order to comply with item 3 of article 10 of the mandate of the National Cybersecurity
Authority.
Introduction
The National Cybersecurity Authority (referred to in this document as "The Authority") has developed
the Organizations' Social Media Accounts Cybersecurity Controls (OSMACC - 1: 2021) after conducting
a study of cybersecurity best practices and analyzing previous cyber incidents and attacks. This falls
within the mandate and tasks of The Authority as per Royal Decree No. (6801) dated 11/2/1439 AH:
"Establishing policies, governance mechanisms, frameworks, standards, controls and guidelines related
to cybersecurity, circulating them to the relevant organizations, following up on compliance with
them, and updating them."
Social networks are one of the enablers of rapid and effective communication with beneficiaries,
which contributes to a speedy response and improves and facilitates the beneficiaries' experience.
With the increase in the official use of social networks by organizations inside the Kingdom to
communicate with beneficiaries, the risk of theft or misuse of official social media accounts has
increased, as has the risk of impersonation of official organizations on social networks.
To contribute to reducing these risks and enhancing the protection of organizations' social media
accounts, with the aim of reaching a safe and reliable Saudi cyberspace that enables growth and
prosperity, the National Cybersecurity Authority has developed the Organizations' Social Media
Accounts Cybersecurity Controls (OSMACC - 1: 2021) to set the minimum cybersecurity requirements
that enable organizations to use social networks in a safe manner.
In preparing the Organizations' Social Media Accounts Cybersecurity Controls, The Authority has
been keen to align their components with those of the Essential Cybersecurity Controls (ECC), which
are a prerequisite for the OSMACC. Adherence to the OSMACC can only be achieved by first achieving
continuous compliance with the Essential Cybersecurity Controls, as they are linked to the relevant
national and international legislative and regulatory requirements.
The Organizations’ Social Media Accounts Cybersecurity Controls consist of the following:
• 3 Main Domains
• 12 Subdomains
• 15 Main Controls
• 38 Subcontrols
Objectives
Scope of Work
These controls apply to government organizations in the Kingdom of Saudi Arabia, including ministries,
authorities, establishments and others, and organizations and companies related to them. It also applies
to private sector organizations that own, operate or host sensitive national infrastructure. All of them
are referred to in this document as (The Organization).
The NCA strongly encourages all other organizations in the Kingdom to leverage these controls to
implement best practices to improve and enhance their cybersecurity.
Statement of Applicability
These controls have been prepared to be compatible with the cybersecurity requirements of all
organizations and sectors in the Kingdom of Saudi Arabia, taking into account the diversity and
nature of their work. Any Organization that uses social networks must adhere to all the controls
applicable to it.
Structure
Figures (2) and (3) below show the meaning of the control codes.
Figure 3: OSMACC Controls Structure (example code 2-3-2-6 under OSMACC - 1 : 2021, read left to right):
2 – Main Domain No.
3 – Subdomain No.
2 – Main Control No.
6 – Subcontrol No.
Table (1) shows the structure of OSMACC.
1 Cybersecurity Governance
Controls
1-3-1 In addition to the subcontrols within control 1-9-4 in the ECC, the cybersecurity requirements
for personnel responsible for managing the organization's social media accounts should include at
least the following:
1-3-1-1 Cybersecurity awareness about social media accounts.
1-3-1-2 Implementation of and compliance with the cybersecurity requirements as per the
organizational cybersecurity policies and procedures for the organization's social media
accounts.
1-4 Cybersecurity Awareness and Training Program
Objective: To ensure that personnel are aware of their cybersecurity responsibilities and have the
essential cybersecurity awareness. It is also to ensure that personnel are provided with the required
cybersecurity training, skills and credentials needed to accomplish their cybersecurity responsibilities
and to protect the organization's information and technology assets.
Controls
1-4-1 In addition to the subcontrols within control 1-10-3 in the ECC, the cybersecurity awareness
program must cover awareness of the potential cyber risks and threats related to the organization's
social media accounts and of the secure use that minimizes these risks and threats, including the
following:
1-4-1-1 Secure use and protection of devices dedicated to the organization's social
media accounts, and ensuring that they do not contain classified data and are not
used for personal purposes.
1-4-1-2 Secure handling of identities, passwords and security questions.
1-4-1-3 Organization’s social media accounts restoration plan and dealing with
cybersecurity incidents.
1-4-1-4 Secure handling of applications and solutions used for the organization’s
social media accounts.
1-4-1-5 Not to use the organization’s social media accounts for personal purposes
such as browsing.
1-4-1-6 Avoiding accessing the organization’s social media accounts using
untrusted public devices or networks.
1-4-1-7 Communicating directly with the cybersecurity department if a
cybersecurity threat is suspected.
1-4-2 In addition to the subcontrols within control 1-10-4 in the ECC, personnel responsible for
managing the organization's social media accounts must be trained on the technical skills, plans and
procedures necessary to ensure the implementation of the cybersecurity requirements and practices
when using the organization's social media accounts.
2 Cybersecurity Defense
Appendices
• (12) subdomains, to which cybersecurity controls have been added for organizations’ social
media accounts
• (17) subdomains, to which no additional cybersecurity controls have been added for
organizations’ social media accounts