SAMA
Complying with Requirement 3.3.5 of SAMA Cyber Security Framework
Introduction
The Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) was created to safeguard the kingdom’s financial organizations against growing cyber threats. The increasing digitization and adoption of advanced technologies within Saudi Arabia’s financial ecosystem make the SAMA Framework both a strategic and a regulatory imperative. The framework ensures that financial organizations, including banks, insurance companies, financing firms, credit bureaus, and financial market infrastructure providers, adopt a unified set of cybersecurity measures. In this way, the mandate safeguards the critical data and online services of financial institutions.
The SAMA framework aligns well with international standards such as NIST, ISO 27001, PCI DSS, and Basel II. Initially issued in May 2017, the framework has since been revised and updated to include Cyber Threat Intelligence (CTI) Principles. Under SAMA compliance, all regulated financial institutions are obliged to implement comprehensive cybersecurity programs covering governance, risk management, operational controls, third-party risk oversight, and business continuity planning. Senior management, CISOs, and cybersecurity teams are responsible for implementing SAMA’s directives and staying compliant with them.
Furthermore, SAMA not only mandates the guidelines but also proactively evaluates how effectively the institutions it regulates apply them to address cyber risks. This proactive oversight builds trust among stakeholders, including customers, partners, and the broader public.
Key Components of SAMA Compliance
SAMA recognizes that a one-size-fits-all approach is not ideal. Instead, the framework is divided into domains and subdomains, each focusing on a specific area of cybersecurity management. These domains include Cybersecurity Governance, Risk Management, Cybersecurity Operations, Third-Party Cybersecurity, and Business Continuity and Disaster Recovery.
Furthermore, these domains are segmented into principles and control considerations, each referenced by article numbers. This structured methodology helps financial organizations streamline their cybersecurity posture.
The following are key components of SAMA compliance, mapped to the framework’s domains and control objectives:
- Identity and Access Management (IAM): Grant access to the business’s sensitive systems according to defined user roles. (Article 3.3.5)
- Data Protection: Ensure encryption of sensitive data and secure storage. (Article 3.2.1 and related controls)
- Risk Management: Identify, address, and mitigate cybersecurity risks. (Article 2.2.1 and related controls)
- Incident Response: Establish protocols and rules for responding to cyber threats. (Article 3.4.1 and related controls)
- Compliance Auditing: Include routine audits to comply with the cybersecurity framework. (Article 4.1.1 and related controls)
Organizations are mandated by the above articles to establish detailed access controls, allocate access rights according to distinct user roles, and incorporate robust authentication methods, such as multi-factor authentication. These strategies aim to safeguard sensitive systems and data from unauthorized access, which is crucial due to the valuable information handled by financial institutions.
The Significance of Identity Security in SAMA Compliance
A holistic mapping of the framework’s key components to its mandate highlights how identity security, as described in Article 3.3.5, is foundational to SAMA compliance. The volume and sensitivity of the data that financial organizations handle is enormous. Effective identity and access security eliminates the risk of insider threats and external breaches.
Mandate 3.3.5 - Identity and Access Management Requirements
This mandate requires financial organizations governed by SAMA to enforce tight controls over who can access their information systems and data. By complying with this mandate, organizations can reduce the risk of unauthorized access, data breaches, and insider threats.
The mandate sets out the following requirements:
- Access to information systems must be granted on a “need-to-have” or “need-to-know” basis.
- Organizations must design and implement a holistic identity and access management (IAM) policy.
- The IAM policy must cover the full user lifecycle: onboarding, role changes, and offboarding.
- Organizations must record detailed audit trails of all access requests, approvals, changes, and revocations.
- MFA must be enforced for access to sensitive systems, remote access, and privileged accounts.
How does PAM form an integral part of SAMA compliance?
Privileged Access Management (PAM) is an integral aspect of the cybersecurity framework outlined by SAMA. PAM secures elevated-access accounts such as administrator or super-user profiles, whose holders can modify systems, access sensitive data, and manage critical IT resources.
In today’s hybrid work environment, privileged identities comprise both internal employees and external consultants. PAM helps businesses of all sizes eliminate risks such as unauthorized access, insider threats, account misuse, and password abuse.
PAM addresses these challenges by enabling organizations to:
- Continuously monitor privileged identities
- Enforce frequent credential changes and randomization
- Apply multi-factor authentication (MFA)
- Maintain comprehensive audit trails
- Automate access workflows
How does Securden help in complying with Mandate 3.3.5?
The following mapping shows how Securden’s Unified PAM solution comprehensively supports SAMA Mandate 3.3.5 requirements through centralized, automated, and policy-driven controls over privileged access and IAM processes.
Sub-domain Number: 3.3.5
Control Number: 2
Objective
The Member Organization should restrict access to its information assets in line with their business requirements based on the need-to-have or need-to-know principles.
Control Consideration
Compliance with the identity and access policy should be monitored.
How Securden Unified PAM Helps
Securden helps IT admins define centralized password policies covering criteria such as strength and complexity requirements, and enforces them automatically. It also monitors password compliance status across the organization, with actionable reports on password violations and the corresponding remedial measures.
Control Number: 3
Control Consideration
The effectiveness of the cyber security controls within the identity and access management policy should be measured and periodically evaluated.
How Securden Unified PAM Helps
Securden Unified PAM continuously measures and periodically evaluates cyber security controls, especially password hygiene, access control policies, and identity best practices. It also supports several report types:
- Password Hygiene: identifies stale, weak, or reused passwords and enforces rotation and complexity requirements.
- User Access Report: shows which users have access to which accounts, with the specific permissions and how those permissions were granted.
- Account Usage Report: details usage, access, and activity logs for privileged accounts.
- Audit & Compliance: full audit trails, exportable reports, alerts for critical events, and compliance support.
Control Number: 4a
Control Consideration
The identity and access management policy should include: a. business requirements for access control (i.e., need-to-have and need-to-know);
How Securden Unified PAM Helps
Securden Unified PAM helps define access controls for users based on what they need to know/have. This can be done by sharing accounts with granular access permissions and defining request-release based approval workflows.
Control Number: 4b.1
Control Consideration
User access management (e.g., joiners, movers, leavers): 1. all identified user types should be covered (i.e., internal staff, third parties);
How Securden Unified PAM Helps
With Securden Unified PAM, all users in the PAM solution are kept in sync with the directory. Newly added users, users who have left, and inactive users can be continuously monitored, and ready-made reports can be generated. Third-party and vendor access is audited separately with complete monitoring.
Control Number: 4b.3
Control Consideration
Changes for external staff or third parties should be instigated by the appointed accountable party;
How Securden Unified PAM Helps
All access to internal IT resources by external staff can be routed through Securden Vendor PAM, so that any change to an external user’s access policy is recorded and the appointed accountable party can be held to account for it.
Control Number: 4b.4
Control Consideration
User access requests are formally approved in accordance with business and compliance requirements (i.e., need-to-have and need-to-know, to avoid unauthorized access and (un)intended data leakage);
How Securden Unified PAM Helps
Securden Unified PAM ensures that users only get access to sensitive information and devices after providing a reason and raising an approval request. The approver can review the access request, make any changes if required, and then approve it formally. This prevents unauthorized access and unintended data leakage.
Control Number: 4b.5
Control Consideration
Changes in access rights should be processed in a timely manner;
How Securden Unified PAM Helps
Securden Unified PAM continuously monitors access rights; changes to access rights can be carried out by administrators or by users with sufficient permissions. Access can be approved manually or automatically, and changes are processed in a timely manner.
Control Number: 4b.6
Control Consideration
Periodically user access rights and profiles should be reviewed;
How Securden Unified PAM Helps
With Securden Unified PAM, all access rights and permissions that users possess can be periodically exported as reports and reviewed to match the responsibilities of the user.
Control Number: 4b.7
Control Consideration
An audit trail of submitted, approved and processed user access requests and revocation requests should be established;
How Securden Unified PAM Helps
Securden Unified PAM tracks and audits all activity related to user access requests. Comprehensive logs capture all approved, rejected, raised requests with the time stamp, IP address, and more details.
Control Number: 4c
Control Consideration
User access management should be supported by automation;
How Securden Unified PAM Helps
There are several ways to automate user access with Securden Unified PAM. Control policies can be created to auto-approve requests for certain trusted applications, processes, and IT systems.
Control Number: 4e
Control Consideration
Multi-factor authentication for sensitive and critical systems and profiles;
How Securden Unified PAM Helps
Once Securden Unified PAM is installed, all access to critical systems, credentials, and profiles is carried out through the solution. Security controls such as MFA and SSO can be enforced on top of user authentication, so that an attacker cannot reach sensitive data simply by knowing a user’s password.
Control Number: 4f
Control Consideration
Privileged and remote access management, which should address:
Control Number: 4f.1
Control Consideration
the allocation and restricted use of privileged and remote access, specifying:
Control Number: 4f.1.a
Control Consideration
multi-factor authentication should be used for all remote access;
How Securden Unified PAM Helps
All remote access (RDP, SQL, SSH, PuTTY, and SecureCRT connections) launched from Securden Unified PAM can be protected with an additional layer of multi-factor authentication.
Control Number: 4f.1.b
Control Consideration
Multi-factor authentication should be used for privilege access on critical systems based on a risk assessment;
How Securden Unified PAM Helps
With provisions to assess risk based on anomalous user behavior, administrators can enforce MFA for specific users.
Control Number: 4f.2
Control Consideration
Periodic review of users with privileged and remote accounts;
How Securden Unified PAM Helps
All privileged and remote accounts shared with a user can be periodically exported as reports and reviewed.
The reports can highlight accounts which are used most and accounts which users do not use – enabling administrators to review the access permissions and change them accordingly.
Control Number: 4f.3
Control Consideration
individual accountability;
Control Number: 4f.4
Control Consideration
the use of non-personal privileged accounts, including:
Control Number: 4f.4.a
Control Consideration
limitation and monitoring;
How Securden Unified PAM Helps
Non-personal privileged accounts that are used in a shared work environment can be restricted in their usage by implementing granular access permissions.
All access to these work accounts can be completely monitored – privileged remote sessions are fully recorded, and keystroke activity is captured.
Control Number: 4f.4.b
Control Consideration
confidentiality of passwords;
How Securden Unified PAM Helps
Securden Unified PAM ensures that all sensitive passwords remain fully confidential.
Users can access privileged accounts without being able to view their passwords.
Securden offers a feature called Open Connection which enables users to establish remote connections (to Windows, Linux, Mac, databases, or web apps) without revealing passwords. It supports web-based and native client connections, with credentials injected automatically by Securden.
Further, administrators can assign granular permissions, allowing users to only connect (not view or modify passwords), view passwords, modify, or fully manage accounts as needed. This approach is especially useful for third-party vendors or contractors, as access can be time-limited and automatically revoked after the session.
Additionally, admins can also configure accounts so that the passwords are periodically changed after a user has accessed the account/IT system.
Control Number: 4f.4.c
Control Consideration
changing passwords frequently and at the end of each session.
How Securden Unified PAM Helps
Passwords can be frequently changed based on the password policy defined – strong and unique passwords will be created and assigned for an account and the password change will be propagated to the remote system at the end of each session.
Accelerate your Compliance Journey
Explore how Securden Unified PAM helps you enforce access control, secure privileged access, and improve your overall security posture.